10:20 a.m.
[re-sent after subscribing with my sender address]
All,
I am working on deploying sssd to a number of Debian Linux
workstations, and it's slow-going... and I could use some help.
The workstations mount users' homes and a few public shares over NFS,
using automount. User information, automounter maps etc are shared
through NIS. Besides caching, easy switching of backends (say, to
Kerberos and LDAP) is why I want to move to sssd. But it looks like NIS
support is a bit under-documented.
The installed ssd version ("wheezy-backports") is
# dpkg-query -l sssd
Desired=Unknown/Install/Remove/Purge/Hold
|
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii sssd 1.11.7.3-3~b amd64 System Security Services
Daemon -
#
Debian updates pam.d/common-*
# fgrep sss /etc/pam.d/*
/etc/pam.d/common-account:account [default=bad success=ok
user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth:auth [success=1
default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-password:password
sufficient pam_sss.so
/etc/pam.d/common-session:session
optional pam_sss.so
#
and nsswitch.conf, funny enough by appending the sss modules
# fgrep sss /etc/nsswitch.conf
passwd: files nis sss
group: files nis sss
shadow: files nis sss
netgroup: nis sss
sudoers: files sss
#
and does not install any /etc/sssd/sssd.conf, so the system is broken
after installing sssd and friends.
My sssd.conf is
[sssd]
config_file_version = 2
reconnection_retries = 3
debug_level = 0x0070
services = nss, pam
domains = spgnts
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x0070
[pam]
reconnection_retries = 3
pam_verbosity = 3
debug_level = 0x0070
[domain/spgnts]
debug_level = 0x0070
enumerate = true
id_provider = proxy
proxy_lib_name = nis
min_id = 500
auth_provider = proxy
proxy_pam_target = none
-- if there is any further configuration detail you consider relevant
to the issue, please let me know.
When I start all this, things work until I take out the 'nis' entries
from nsswitch.conf. To my understanding, as long as they are in,
queries never go to the nss_sss module.
Once I take out the 'nis' entries, I can log in as root on the console,
I can log in as a regular user over ssh (public key auth), but all
other login attempts time out. kdm mutters about pam_setcred() problems
on the console.
The /var/log/sssd/* logs are voluminous, but virtually free of any
helpful information. Upon login, sssd appears to start a bunch of
proxy_child processes, which hang there until timeout, at which point
they get killed. I tried copying a commandline from ps, and strace a
proxy_child invocation, but the trace didn't speak to me.
I have searched the web far and wide, but there is little more than lip
service to using the proxymodule, much less NIS. As of now, my hunch is
the problem lies with PAM - how do you configure the domain's
auth_provider for NIS? I came across "#proxy_auth_target =
nis_pam_proxy", but it wasn't documented.
Thanks for reading this far; any comments are most welcome!
Cheerio,
Hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
11:26 a.m.
Why you need NIS?
It does not make any sense to me.
There are only 2 scenarios makings sense:
- you go for SSSD (no need for NIS)
- you stick with NIS (no need for SSSD)
Ondrej
________________________________________
From: Hauke Fath [hf(a)spg.tu-darmstadt.de]
Sent: Friday, March 04, 2016 4:20 PM
To: sssd-users(a)lists.fedorahosted.org
Cc: Hauke Fath
Subject: [SSSD-users] sssd and NIS?
[re-sent after subscribing with my sender address]
All,
I am working on deploying sssd to a number of Debian Linux
workstations, and it's slow-going... and I could use some help.
The workstations mount users' homes and a few public shares over NFS,
using automount. User information, automounter maps etc are shared
through NIS. Besides caching, easy switching of backends (say, to
Kerberos and LDAP) is why I want to move to sssd. But it looks like NIS
support is a bit under-documented.
The installed ssd version ("wheezy-backports") is
# dpkg-query -l sssd
Desired=Unknown/Install/Remove/Purge/Hold
|
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii sssd 1.11.7.3-3~b amd64 System Security Services
Daemon -
#
Debian updates pam.d/common-*
# fgrep sss /etc/pam.d/*
/etc/pam.d/common-account:account [default=bad success=ok
user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth:auth [success=1
default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-password:password
sufficient pam_sss.so
/etc/pam.d/common-session:session
optional pam_sss.so
#
and nsswitch.conf, funny enough by appending the sss modules
# fgrep sss /etc/nsswitch.conf
passwd: files nis sss
group: files nis sss
shadow: files nis sss
netgroup: nis sss
sudoers: files sss
#
and does not install any /etc/sssd/sssd.conf, so the system is broken
after installing sssd and friends.
My sssd.conf is
[sssd]
config_file_version = 2
reconnection_retries = 3
debug_level = 0x0070
services = nss, pam
domains = spgnts
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x0070
[pam]
reconnection_retries = 3
pam_verbosity = 3
debug_level = 0x0070
[domain/spgnts]
debug_level = 0x0070
enumerate = true
id_provider = proxy
proxy_lib_name = nis
min_id = 500
auth_provider = proxy
proxy_pam_target = none
-- if there is any further configuration detail you consider relevant
to the issue, please let me know.
When I start all this, things work until I take out the 'nis' entries
from nsswitch.conf. To my understanding, as long as they are in,
queries never go to the nss_sss module.
Once I take out the 'nis' entries, I can log in as root on the console,
I can log in as a regular user over ssh (public key auth), but all
other login attempts time out. kdm mutters about pam_setcred() problems
on the console.
The /var/log/sssd/* logs are voluminous, but virtually free of any
helpful information. Upon login, sssd appears to start a bunch of
proxy_child processes, which hang there until timeout, at which point
they get killed. I tried copying a commandline from ps, and strace a
proxy_child invocation, but the trace didn't speak to me.
I have searched the web far and wide, but there is little more than lip
service to using the proxymodule, much less NIS. As of now, my hunch is
the problem lies with PAM - how do you configure the domain's
auth_provider for NIS? I came across "#proxy_auth_target =
nis_pam_proxy", but it wasn't documented.
Thanks for reading this far; any comments are most welcome!
Cheerio,
Hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
=
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
1:59 p.m.
On Sat, 5 Mar 2016 17:26:50 +0000, Ondrej Valousek wrote:
Why you need NIS?
It stores data for identifying and authorizing users(*) centrally, and
distributes them to clients.
It does not make any sense to me.
There are only 2 scenarios makings sense:
- you go for SSSD (no need for NIS)
SSSD is a caching proxy for (mainly) identification and authorization
data. It has to get this data from one or more backends - like NIS.
- you stick with NIS (no need for SSSD)
And no client-side caching, which is what I want.
Cheerio,
Hauke
* discounting automounter maps for now
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
9:30 a.m.
On Fri, Mar 04, 2016 at 05:20:00PM +0100, Hauke Fath wrote:
[re-sent after subscribing with my sender address]
All,
I am working on deploying sssd to a number of Debian Linux
workstations, and it's slow-going... and I could use some help.
The workstations mount users' homes and a few public shares over NFS,
using automount. User information, automounter maps etc are shared
through NIS. Besides caching, easy switching of backends (say, to
Kerberos and LDAP) is why I want to move to sssd. But it looks like NIS
support is a bit under-documented.
The installed ssd version ("wheezy-backports") is
# dpkg-query -l sssd
Desired=Unknown/Install/Remove/Purge/Hold
|
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii sssd 1.11.7.3-3~b amd64 System Security Services
Daemon -
#
Debian updates pam.d/common-*
# fgrep sss /etc/pam.d/*
/etc/pam.d/common-account:account [default=bad success=ok
user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth:auth [success=1
default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-password:password
sufficient pam_sss.so
/etc/pam.d/common-session:session
optional pam_sss.so
#
and nsswitch.conf, funny enough by appending the sss modules
# fgrep sss /etc/nsswitch.conf
passwd: files nis sss
group: files nis sss
shadow: files nis sss
netgroup: nis sss
sudoers: files sss
#
and does not install any /etc/sssd/sssd.conf, so the system is broken
after installing sssd and friends.
My sssd.conf is
[sssd]
config_file_version = 2
reconnection_retries = 3
debug_level = 0x0070
services = nss, pam
domains = spgnts
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0x0070
[pam]
reconnection_retries = 3
pam_verbosity = 3
debug_level = 0x0070
[domain/spgnts]
debug_level = 0x0070
enumerate = true
id_provider = proxy
proxy_lib_name = nis
min_id = 500
auth_provider = proxy
proxy_pam_target = none
-- if there is any further configuration detail you consider relevant
to the issue, please let me know.
When I start all this, things work until I take out the 'nis' entries
from nsswitch.conf. To my understanding, as long as they are in,
queries never go to the nss_sss module.
Once I take out the 'nis' entries, I can log in as root on the console,
I can log in as a regular user over ssh (public key auth), but all
other login attempts time out. kdm mutters about pam_setcred() problems
on the console.
The /var/log/sssd/* logs are voluminous, but virtually free of any
helpful information. Upon login, sssd appears to start a bunch of
proxy_child processes, which hang there until timeout, at which point
they get killed. I tried copying a commandline from ps, and strace a
proxy_child invocation, but the trace didn't speak to me.
I have searched the web far and wide, but there is little more than lip
service to using the proxymodule, much less NIS. As of now, my hunch is
the problem lies with PAM - how do you configure the domain's
auth_provider for NIS? I came across "#proxy_auth_target =
nis_pam_proxy", but it wasn't documented.
Thanks for reading this far; any comments are most welcome!
Cheerio,
Hauke
I haven't configured NIS myself for a very long time, but before logins
start working, sssd must be able to retrieve user information. I presume
"getent passwd -s sss $nisuser" doesn't return anything using this
configuration? It might be interesting to see the logs when you request
the user..
If you want to start testing just identity w/o authentication, you can
start with:
auth_provider = none
4:31 a.m.
On Sun, 6 Mar 2016 16:30:22 +0100, Jakub Hrozek wrote:
I haven't configured NIS myself for a very long time, but before
logins
start working, sssd must be able to retrieve user information. I presume
"getent passwd -s sss $nisuser" doesn't return anything using this
configuration?
Yes, it does:
# getent passwd -s sss wtestman
wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
# getent shadow -s sss wtestman
# getent shadow -s nis wtestman
wtestman:$TOPSECRET:10779:0:99999:7:::
#
The "identification" part of the setup appears to work.
If you want to start testing just identity w/o authentication, you
can
start with:
auth_provider = none
Interesting enough, this doesn't make a difference. I suspect PAM plays
a role here, but my PAM fu is not up to the challenge...
FTR, I got the
auth_provider = proxy
proxy_pam_target = none
from <https://fedorahosted.org/sssd/ticket/1339>; I also followed the
example in <https://bugzilla.redhat.com/show_bug.cgi?id=578463>;,
setting nsswitch.conf up like
passwd files sss
group files sss
shadow files nis
all of which do not make a difference for authentication.
A typical cycle in the logs is
### sssd.log
(Mon Mar 7 11:22:00 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [spgnts]. Attempt [1]
(Mon Mar 7 11:22:10 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [spgnts]. Attempt [2]
(Mon Mar 7 11:22:20 2016) [sssd] [tasks_check_handler] (0x0020):
Killing service [spgnts], not responding to pings!
(Mon Mar 7 11:22:20 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [spgnts]. Attempt [3]
(Mon Mar 7 11:22:20 2016) [sssd] [mt_svc_exit_handler] (0x0040): Child
[spgnts] exited with code [0]
### sssd_nss.log
(Mon Mar 7 11:22:20 2016) [sssd[nss]] [sbus_dispatch] (0x0020):
Performing auto-reconnect
(Mon Mar 7 11:22:21 2016) [sssd[nss]] [nss_dp_reconnect_init]
(0x0020): Reconnected to the Data Provider.
(Mon Mar 7 11:22:34 2016) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0040): No results for getpwnam call
### sssd_pam.log
(Mon Mar 7 11:22:20 2016) [sssd[pam]] [sbus_dispatch] (0x0020):
Performing auto-reconnect
(Mon Mar 7 11:22:21 2016) [sssd[pam]] [pam_dp_reconnect_init]
(0x0020): Reconnected to the Data Provider.
(Mon Mar 7 11:22:21 2016) [sssd[pam]] [pam_check_user_dp_callback]
(0x0040): Unable to get information from Data Provider
Error: 3, 5, (null)
### sssd_spgnts
(Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]]
[get_initgr_groups_process] (0x0040): proxy -> initgroups_dyn failed
(0)[Success]
(Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [get_initgr] (0x0040):
Could not process initgroups
(Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [be_process_init]
(0x0020): No selinux module provided for [spgnts] !!
(Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [be_process_init]
(0x0020): No host info module provided for [spgnts] !!
(Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [be_process_init]
(0x0020): Subdomains are not supported for [spgnts] !!
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [pc_init_sig_handler]
(0x0020): waitpid did not find a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [pc_init_sig_handler]
(0x0020): waitpid did not find a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid failed [10][No child processes].
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid failed [10][No child processes].
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid failed [10][No child processes].
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid failed [10][No child processes].
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid failed [10][No child processes].
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler]
(0x0020): waitpid failed [10][No child processes].
### proxy_child_spgnts.log
(Mon Mar 7 11:08:11 2016) [sssd[proxy_child[spgnts]]] [main] (0x0020):
Proxy child for domain [spgnts] started!
Cheerio,
Hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
5:14 a.m.
On (07/03/16 11:31), Hauke Fath wrote:
On Sun, 6 Mar 2016 16:30:22 +0100, Jakub Hrozek wrote:
> I haven't configured NIS myself for a very long time, but before logins
> start working, sssd must be able to retrieve user information. I presume
> "getent passwd -s sss $nisuser" doesn't return anything using this
> configuration?
Yes, it does:
# getent passwd -s sss wtestman
wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
# getent shadow -s sss wtestman
# getent shadow -s nis wtestman
wtestman:$TOPSECRET:10779:0:99999:7:::
That's correct.
sssd does not provide shadow maps.
Therefore you will need to have nis for shadow in /etc/nsswitch.conf
and then I cannot see a benefit of using sssd if you cannot get rid of nis.
in nsswitch.conf.
#
The "identification" part of the setup appears to work.
> If you want to start testing just identity w/o authentication, you can
> start with:
> auth_provider = none
Interesting enough, this doesn't make a difference. I suspect PAM plays
a role here, but my PAM fu is not up to the challenge...
FTR, I got the
auth_provider = proxy
proxy_pam_target = none
You set pam target to "none"
What is a content of file /etc/pam.d/none ?
from <https://fedorahosted.org/sssd/ticket/1339>; I also followed the
example in <https://bugzilla.redhat.com/show_bug.cgi?id=578463>;,
setting nsswitch.conf up like
BZ578463 is for winbind and you can see pam_winbind.so
in /etc/pam.d/winbind
But I assume it should be handled by pam_unix.
BTW why do you need/want to use NIS. You can achieve the same with LDAP/FreeIPA
...
LS
5:30 a.m.
On Mon, 7 Mar 2016 12:14:17 +0100, Lukas Slebodnik wrote:
On (07/03/16 11:31), Hauke Fath wrote:
> # getent passwd -s sss wtestman
> wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
> # getent shadow -s sss wtestman
> # getent shadow -s nis wtestman
> wtestman:$TOPSECRET:10779:0:99999:7:::
That's correct.
sssd does not provide shadow maps.
That's why I followed the NIS example in
<https://bugzilla.redhat.com/show_bug.cgi?id=578463> and configured
nsswitch.conf like
passwd files sss
group files sss
shadow files nis
as mentioned.
Therefore you will need to have nis for shadow in /etc/nsswitch.conf
and then I cannot see a benefit of using sssd if you cannot get rid of nis.
in nsswitch.conf.
Well, it would still cache user and group information, which is
probably accessed more frequently than the password.
> FTR, I got the
>
> auth_provider = proxy
> proxy_pam_target = none
You set pam target to "none"
What is a content of file /etc/pam.d/none ?
Ah.
I was under the impression that 'none' had special meaning, like for
auth_provider? Certainly the logs do not mention a file not found...
BTW why do you need/want to use NIS. You can achieve the same with
LDAP/FreeIPA
We use NIS here, and I figured sssd might help with a transition
towards LDAP. But it has to work with NIS first.
Cheerio,
Hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
6:09 a.m.
On (07/03/16 12:30), Hauke Fath wrote:
On Mon, 7 Mar 2016 12:14:17 +0100, Lukas Slebodnik wrote:
> On (07/03/16 11:31), Hauke Fath wrote:
>> # getent passwd -s sss wtestman
>> wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
>> # getent shadow -s sss wtestman
>> # getent shadow -s nis wtestman
>> wtestman:$TOPSECRET:10779:0:99999:7:::
> That's correct.
> sssd does not provide shadow maps.
That's why I followed the NIS example in
<https://bugzilla.redhat.com/show_bug.cgi?id=578463> and configured
nsswitch.conf like
yes, but in NIS example there is used "auth_provider = krb5"
and you want to use "auth_provider = proxy".
I do not have and experience with NIS
But it might be related to following output.
# getent passwd -s sss wtestman
wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
^
IIRC If you want to check password with pam_unix then there shoudl be
"x" instead of "*"
Btw is there a difference beween:
getent passwd -s sss wtestman
and
getent passwd -s nis wtestman
(you might temporary add "nis" for passwd in nsswitch.conf)
passwd files sss
group files sss
shadow files nis
as mentioned.
> Therefore you will need to have nis for shadow in /etc/nsswitch.conf
> and then I cannot see a benefit of using sssd if you cannot get rid of nis.
> in nsswitch.conf.
Well, it would still cache user and group information, which is
probably accessed more frequently than the password.
>> FTR, I got the
>>
>> auth_provider = proxy
>> proxy_pam_target = none
>
> You set pam target to "none"
> What is a content of file /etc/pam.d/none ?
Ah.
I would also recommend to look into /var/log/secure
and not only into sssd logs.
I was under the impression that 'none' had special meaning,
like for
auth_provider? Certainly the logs do not mention a file not found...
> BTW why do you need/want to use NIS. You can achieve the same with
> LDAP/FreeIPA
We use NIS here, and I figured sssd might help with a transition
towards LDAP. But it has to work with NIS first.
I hope it will be jsut transition and not final state :-)
LS
9:28 a.m.
On Mon, 7 Mar 2016 13:09:35 +0100, Lukas Slebodnik wrote:
>
> We use NIS here, and I figured sssd might help with a transition
> towards LDAP. But it has to work with NIS first.
>
I hope it will be jsut transition and not final state :-)
Thanks for all the helpful comments.
As I have run out of round tuits for experimenting, I have decided to
stick with nscd for now.
Cheerio,
Hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
5:57 a.m.
New subject: Tickets with and without REALM
Hello everyone
I see a strange behaviour in the ticket listing of my users:
I always have a ticket with the REALM and without the realm. This could fit to other
problem I have like nonworking kerberos login via ssh and access issues.
Any ideas where this could come from?
my klist output:
Ticket cache: FILE:/tmp/krb5cc_59123
Default principal: User1(a)DOMAIN.NET
Valid starting Expires Service principal
03/09/16 14:39:41 03/12/16 14:39:41 krbtgt/DOMAIN.NET(a)DOMAIN.NET
renew until 04/06/16 15:39:41
03/09/16 14:39:50 03/10/16 00:39:50 host/anotherserver.domain.net@
renew until 04/06/16 15:39:41
03/09/16 14:39:50 03/10/16 00:39:50 host/anotherserver.domain.net(a)DOMAIN.NET
renew until 04/06/16 15:39:41
03/10/16 12:31:52 03/10/16 22:31:52 nfs/fileserver.domain.net@
renew until 04/06/16 15:39:41
03/10/16 12:31:52 03/10/16 22:31:52 nfs/fileserver.domain.net(a)DOMAIN.NET
renew until 04/06/16 15:39:41
My keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 10/30/15 18:47:15 host/thisserver.domain.net(a)DOMAIN.NET (des-cbc-crc)
2 10/30/15 18:47:15 host/thisserver.domain.net(a)DOMAIN.NET (des-cbc-md5)
2 10/30/15 18:47:15 host/thisserver.domain.net(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
2 10/30/15 18:47:15 host/thisserver.domain.net(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
2 10/30/15 18:47:15 host/thisserver.domain.net(a)DOMAIN.NET (arcfour-hmac)
2 10/30/15 18:47:15 host/THISSERVER(a)DOMAIN.NET (des-cbc-crc)
2 10/30/15 18:47:15 host/THISSERVER(a)DOMAIN.NET (des-cbc-md5)
2 10/30/15 18:47:15 host/THISSERVER(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
2 10/30/15 18:47:15 host/THISSERVER(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
2 10/30/15 18:47:15 host/THISSERVER(a)DOMAIN.NET (arcfour-hmac)
2 10/30/15 18:47:15 THISSERVER$(a)DOMAIN.NET (des-cbc-crc)
2 10/30/15 18:47:15 THISSERVER$(a)DOMAIN.NET (des-cbc-md5)
2 10/30/15 18:47:15 THISSERVER$(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
2 10/30/15 18:47:15 THISSERVER$(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
2 10/30/15 18:47:15 THISSERVER$(a)DOMAIN.NET (arcfour-hmac)
2 10/30/15 18:47:15 nfs/thisserver.domain.net(a)DOMAIN.NET (des-cbc-crc)
2 10/30/15 18:47:15 nfs/thisserver.domain.net(a)DOMAIN.NET (des-cbc-md5)
2 10/30/15 18:47:15 nfs/thisserver.domain.net(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
2 10/30/15 18:47:15 nfs/thisserver.domain.net(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
2 10/30/15 18:47:15 nfs/thisserver.domain.net(a)DOMAIN.NET (arcfour-hmac)
2 10/30/15 18:47:15 nfs/THISSERVER(a)DOMAIN.NET (des-cbc-crc)
2 10/30/15 18:47:15 nfs/THISSERVER(a)DOMAIN.NET (des-cbc-md5)
2 10/30/15 18:47:15 nfs/THISSERVER(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
2 10/30/15 18:47:15 nfs/THISSERVER(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
2 10/30/15 18:47:15 nfs/THISSERVER(a)DOMAIN.NET (arcfour-hmac)
3 12/18/15 16:04:42 nfs/thisserver.domain.net(a)DOMAIN.NET (des-cbc-crc)
3 12/18/15 16:04:42 nfs/thisserver.domain.net(a)DOMAIN.NET (des-cbc-md5)
3 12/18/15 16:04:42 nfs/thisserver.domain.net(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
3 12/18/15 16:04:42 nfs/thisserver.domain.net(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
3 12/18/15 16:04:42 nfs/thisserver.domain.net(a)DOMAIN.NET (arcfour-hmac)
3 12/18/15 16:04:42 nfs/THISSERVER(a)DOMAIN.NET (des-cbc-crc)
3 12/18/15 16:04:42 nfs/THISSERVER(a)DOMAIN.NET (des-cbc-md5)
3 12/18/15 16:04:42 nfs/THISSERVER(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
3 12/18/15 16:04:42 nfs/THISSERVER(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
3 12/18/15 16:04:42 nfs/THISSERVER(a)DOMAIN.NET (arcfour-hmac)
3 12/18/15 16:04:41 host/thisserver.domain.net(a)DOMAIN.NET (des-cbc-crc)
3 12/18/15 16:04:41 host/thisserver.domain.net(a)DOMAIN.NET (des-cbc-md5)
3 12/18/15 16:04:41 host/thisserver.domain.net(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
3 12/18/15 16:04:41 host/thisserver.domain.net(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
3 12/18/15 16:04:41 host/thisserver.domain.net(a)DOMAIN.NET (arcfour-hmac)
3 12/18/15 16:04:41 host/THISSERVER(a)DOMAIN.NET (des-cbc-crc)
3 12/18/15 16:04:41 host/THISSERVER(a)DOMAIN.NET (des-cbc-md5)
3 12/18/15 16:04:41 host/THISSERVER(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
3 12/18/15 16:04:41 host/THISSERVER(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
3 12/18/15 16:04:41 host/THISSERVER(a)DOMAIN.NET (arcfour-hmac)
3 12/18/15 16:04:41 THISSERVER$(a)DOMAIN.NET (des-cbc-crc)
3 12/18/15 16:04:41 THISSERVER$(a)DOMAIN.NET (des-cbc-md5)
3 12/18/15 16:04:41 THISSERVER$(a)DOMAIN.NET (aes128-cts-hmac-sha1-96)
3 12/18/15 16:04:41 THISSERVER$(a)DOMAIN.NET (aes256-cts-hmac-sha1-96)
3 12/18/15 16:04:41 THISSERVER$(a)DOMAIN.NET (arcfour-hmac)
My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 4d
renew_lifetime = 28d
forwardable = true
rdns = false
default_ccache_name = /tmp/krb5cc_%{uid}
canonicalize = yes
allow_weak_crypto = true
[realms]
DOMAIN.NET = {
kdc = LINDC2.DOMAIN.NET
master_kdc = LINDC2.DOMAIN.NET
admin_server = LINDC2.DOMAIN.NET
}
[domain_realm]
.DOMAIN.NET = DOMAIN.NET
DOMAIN.NET = DOMAIN.NET
my sssd.conf:
[sssd]
config_file_version = 2
domains = DOMAIN.NET
services = nss, pam, ssh
[ssh]
[domain/DOMAIN.NET]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc2.roseninspection.net
# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = False
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/DOMAIN/%u
krb5_renewable_lifetime = 3d
krb5_renew_interval = 3600
krb5_lifetime = 28d
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U
canonicalize = yes
debug_level = 3
#case_sensitive = preserving
case_sensitive = false
ad_gpo_access_control = permissive
#krb5_realm = DOMAIN.NET
2992
days inactive
2998
days old
sssd-users@lists.fedorahosted.org
9 comments
5 participants
participants (5)
-
Hauke Fath -
Jakub Hrozek -
Lukas Slebodnik -
Ondrej Valousek -
Peter Tulpen