(Fri May 23 00:30:33 2014) [sssd] [service_send_ping] (4): Pinging LDAP
(Fri May 23 00:30:33 2014) [sssd] [service_send_ping] (4): Pinging nss
(Fri May 23 00:30:33 2014) [sssd] [service_send_ping] (4): Pinging pam
(Fri May 23 00:30:33 2014) [sssd] [ping_check] (4): Service LDAP replied to ping
(Fri May 23 00:30:33 2014) [sssd] [ping_check] (4): Service pam replied to ping
(Fri May 23 00:30:33 2014) [sssd] [ping_check] (4): Service nss replied to ping
I see that, based on the timeout setting, there is a 10 second timeout. What
exactly does "Pinging LDAP" do? I don't see any packets coming through on
the wire (using tcpdump) from the hosts listed in the URI.
Thanks
Hi
We've exhausted all the possibilities over on the samba list and think
we have a bug with the Lubuntu version of 1.11.5 against a Samba4 DC. We
have 1.11.5 ddns working perfectly against the same DC, and nsupdate
works fine from the failing Lubuntu laptop. I hope you don't mind me
quoting from the samba list below. Any help would be most gratefully
received:
sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = hh3.site
[nss]
[pam]
[domain/hh3.site]
ad_server = hh16.hh3.site
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
log:
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
(Wed May 21 11:33:50 2014) [sssd[be[hh3.site]]] [child_sig_handler] (0x0020): child [6460] failed with status [1].
(Wed May 21 11:33:50 2014) [sssd[be[hh3.site]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [256]
(Wed May 21 11:33:50 2014) [sssd[be[hh3.site]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS update failed
(Wed May 21 11:33:50 2014) [sssd[be[hh3.site]]] [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying with server name
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
(Wed May 21 11:33:51 2014) [sssd[be[hh3.site]]] [child_sig_handler] (0x0020): child [6464] failed with status [1].
(Wed May 21 11:33:51 2014) [sssd[be[hh3.site]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [256]
(Wed May 21 11:33:51 2014) [sssd[be[hh3.site]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS update failed
(Wed May 21 11:33:51 2014) [sssd[be[hh3.site]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158228]: Dynamic DNS update failed
(Wed May 21 11:33:51 2014) [sssd[be[hh3.site]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158228]: Dynamic DNS update failed
On 21/05/14 10:07, steve wrote:
> On 20/05/14 15:35, Rowland Penny wrote:
>> On 20/05/14 14:12, steve wrote:
>>> Hi
>>> I'm trying to get an Ubuntu 14.04 client to update its rr to a working
>>> bind dns DC with Samba 4.1.7. The setup is the same as with our
>>> openSUSE clients with sssd 1.11.15
>>> /etc/hosts
>>> 127.0.0.1 lubuntu-laptop.hh3.site lubuntu-laptop
>>> 127.0.1.1 localhost
DC log:
>>> Kerberos: ENC-TS Pre-authentication succeeded -- LUBUNTU-LAPTOP$@HH3.SITE using arcfour-hmac-md5
>>> Kerberos: AS-REQ authtime: 2014-05-20T14:01:35 starttime: unset endtime: 2014-05-21T00:01:35 renew till: 2014-05-21T14:01:35
>>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
>>> Kerberos: Requested flags: renewable-ok
>>> Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40240 for ldap/hh16.hh3.site@HH3.SITE [canonicalize, renewable]
>>> Kerberos: TGS-REQ authtime: 2014-05-20T14:01:35 starttime: 2014-05-20T14:01:35 endtime: 2014-05-21T00:01:35 renew till: 2014-05-21T14:01:35
>>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40241 for DNS/a.root-servers.net@HH3.SITE [canonicalize, renewable]
>>> Kerberos: Searching referral for a.root-servers.net
>>> Kerberos: Returning a referral to realm ROOT-SERVERS.NET for server DNS/a.root-servers.net@HH3.SITE that was not found
>>> Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=ROOT-SERVERS.NET)(trustPartner=ROOT-SERVERS.NET))): got 0
>>> Kerberos: samba_kdc_fetch: could not find principal in DB
>>> Kerberos: Server not found in database: krbtgt/ROOT-SERVERS.NET@HH3.SITE: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40241
>>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40242 for DNS/a.root-servers.net@HH3.SITE [renewable]
>>> Kerberos: Server not found in database: DNS/a.root-servers.net@HH3.SITE: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40242
>>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40243 for DNS/a.root-servers.net@HH3.SITE [canonicalize, renewable]
>>> Kerberos: Searching referral for a.root-servers.net
>>> Kerberos: Returning a referral to realm ROOT-SERVERS.NET for server DNS/a.root-servers.net@HH3.SITE that was not found
>>> Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=ROOT-SERVERS.NET)(trustPartner=ROOT-SERVERS.NET))): got 0
>>> Kerberos: samba_kdc_fetch: could not find principal in DB
>>> Kerberos: Server not found in database: krbtgt/ROOT-SERVERS.NET@HH3.SITE: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40243
>>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40244 for DNS/a.root-servers.net@HH3.SITE [renewable]
>>> Kerberos: Server not found in database: DNS/a.root-servers.net@HH3.SITE: no such entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:40244
>>>
>>> The worrying thing is that we can still get tickets even though it has
>>> the wrong A record in DNS.
>>> What is this, 'a.root-servers.net' business? Why not our domain?
>>> What have we overlooked?
>>> Thanks,
>>> Steve
>>>
>>
> OK
> It works fine with nsupdate on the Administrator's tgt:
>
> Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.22:35207 for krbtgt/HH3.SITE@HH3.SITE
> Kerberos: Client sent patypes: 149
> Kerberos: Looking for PKINIT pa-data -- Administrator@HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- Administrator@HH3.SITE
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@HH3.SITE
> Kerberos: AS-REQ Administrator@HH3.SITE from ipv4:192.168.1.22:60295 for krbtgt/HH3.SITE@HH3.SITE
> Kerberos: Client sent patypes: encrypted-timestamp, 149
> Kerberos: Looking for PKINIT pa-data -- Administrator@HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- Administrator@HH3.SITE
> Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@HH3.SITE using arcfour-hmac-md5
> Kerberos: AS-REQ authtime: 2014-05-21T10:51:46 starttime: unset endtime: 2014-05-21T20:51:46 renew till: 2014-05-22T10:51:42
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable-ok
> Kerberos: TGS-REQ Administrator@HH3.SITE from ipv4:192.168.1.22:57157 for DNS/hh16.hh3.site@HH3.SITE [canonicalize, renewable]
> Kerberos: TGS-REQ authtime: 2014-05-21T10:51:46 starttime: 2014-05-21T10:52:50 endtime: 2014-05-21T20:51:46 renew till: 2014-05-22T10:51:42
>
> and named responds:
> 2014-05-21T10:52:50.315641+02:00 hh16 named[1965]: samba_dlz: starting transaction on zone hh3.site
> 2014-05-21T10:52:50.319042+02:00 hh16 named[1965]: samba_dlz: allowing update of signer=Administrator\@HH3.SITE name=lubuntu-laptop.hh3.site tcpaddr=192.168.1.22 type=A key=3111087606.sig-hh16.hh3.site/160/0
> 2014-05-21T10:52:50.321707+02:00 hh16 named[1965]: samba_dlz: allowing update of signer=Administrator\@HH3.SITE name=lubuntu-laptop.hh3.site tcpaddr=192.168.1.22 type=A key=3111087606.sig-hh16.hh3.site/160/0
> 2014-05-21T10:52:50.322267+02:00 hh16 named[1965]: client 192.168.1.22#48170/key Administrator\@HH3.SITE: updating zone 'hh3.site/NONE': deleting rrset at 'lubuntu-laptop.hh3.site' A
> 2014-05-21T10:52:50.325538+02:00 hh16 named[1965]: samba_dlz: subtracted rdataset lubuntu-laptop.hh3.site 'lubuntu-laptop.hh3.site.#0113600#011IN#011A#011192.168.1.22'
> 2014-05-21T10:52:50.326263+02:00 hh16 named[1965]: client 192.168.1.22#48170/key Administrator\@HH3.SITE: updating zone 'hh3.site/NONE': adding an RR at 'lubuntu-laptop.hh3.site' A
> 2014-05-21T10:52:50.329767+02:00 hh16 named[1965]: samba_dlz: added rdataset lubuntu-laptop.hh3.site 'lubuntu-laptop.hh3.site.#0113600#011IN#011A#011192.168.1.22'
> 2014-05-21T10:52:50.644113+02:00 hh16 named[1965]: samba_dlz: committed transaction on zone hh3.site
>
> Note that via sssd nothing is logged by bind; I suppose that is because
> the KDC throws it out before it gets there.
>
> So, can we now point the blame at whatever Ubuntu have done with sssd
1.11.5? The sssd guys tell me that all they do is call out to nsupdate
for the ddns. As a 1.11.5 build from source on openSUSE works OK, do I
have enough information to narrow it down to the Ubuntu package? Do I
now have to build sssd on the laptop to prove my point?
>
> @Rowland. Do you have a 'debianified' build method for 1.11.5?
Sorry, but no, Ubuntu 14.04 comes with 1.11.3 and I am using this. It
must be possible though, Timo Aaltonen builds it for the Ubuntu 12.04
PPA here: https://launchpad.net/~sssd/+archive/updates
Perhaps you need to move this post to the sssd mailing list. You seem to
have tried everything possible, so could it be a problem with the Ubuntu
sssd package itself?
Rowland
>
> Thanks everyone for their patience.
> Steve
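In the DC log quoted above, the failing laptop asks for a ticket for DNS/a.root-servers.net@HH3.SITE, which the KDC turns into a referral to a realm it has no trust for, while the working nsupdate run asks for DNS/hh16.hh3.site@HH3.SITE. The Python script below is an added example, not part of this thread and not SSSD or Samba code: it pulls the service principal out of each Heimdal/Samba "TGS-REQ ... for service/host@REALM" line and flags requests whose host lies outside the realm's own DNS domain. The sample lines are constructed from the log above (with the archive's "(a)" written back as "@"); the function names and the assumption that the realm name lowercased is the DNS domain are mine.

```python
"""Triage Samba/Heimdal KDC log lines: list the service principals each client
asked a TGS-REQ for, and flag those whose host is not in the realm's own
DNS domain.

Added example, not part of the original thread or of SSSD/Samba. The sample
lines are constructed from the DC log quoted above; the realm-to-domain
mapping (realm lowercased == DNS domain) is an assumption of this script.
"""

import re
from typing import Dict, List

REALM = "HH3.SITE"

# Constructed sample: a trimmed copy of the DC log quoted in the thread.
SAMPLE_LOG = """\
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40240 for ldap/hh16.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40241 for DNS/a.root-servers.net@HH3.SITE [canonicalize, renewable]
Kerberos: Returning a referral to realm ROOT-SERVERS.NET for server DNS/a.root-servers.net@HH3.SITE that was not found
Kerberos: Server not found in database: krbtgt/ROOT-SERVERS.NET@HH3.SITE: no such entry found in hdb
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:40242 for DNS/a.root-servers.net@HH3.SITE [renewable]
Kerberos: TGS-REQ Administrator@HH3.SITE from ipv4:192.168.1.22:57157 for DNS/hh16.hh3.site@HH3.SITE [canonicalize, renewable]
"""

# One TGS-REQ line: "<client> from ipv4:<addr>:<port> for <service>/<host>@<realm>"
TGS_RE = re.compile(
    r"TGS-REQ (?P<client>\S+) from ipv4:(?P<addr>[\d.]+):(?P<port>\d+) "
    r"for (?P<service>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)"
)


def parse_tgs_requests(log: str) -> List[Dict[str, str]]:
    """Return one dict per TGS-REQ line (client, addr, port, service, host, realm)."""
    return [m.groupdict() for m in map(TGS_RE.search, log.splitlines()) if m]


def in_realm_domain(host: str, realm: str) -> bool:
    """True if host is the realm's DNS domain or a name below it (assumed mapping)."""
    domain = realm.lower()
    h = host.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def triage(log: str, realm: str) -> Dict[str, List[Dict[str, str]]]:
    """Split TGS-REQs into those for in-domain hosts and those pointing elsewhere."""
    report: Dict[str, List[Dict[str, str]]] = {"in_realm": [], "out_of_realm": []}
    for req in parse_tgs_requests(log):
        key = "in_realm" if in_realm_domain(req["host"], realm) else "out_of_realm"
        report[key].append(req)
    return report


def suspicious_targets(log: str, realm: str) -> Dict[str, int]:
    """Count out-of-realm service principals per client, e.g. the DNS/a.root-servers.net requests."""
    counts: Dict[str, int] = {}
    for req in triage(log, realm)["out_of_realm"]:
        key = f'{req["client"]} -> {req["service"]}/{req["host"]}'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for target, n in suspicious_targets(SAMPLE_LOG, REALM).items():
        print(f"{n}x {target}")
```

Against a real DC log this tells you which client is asking for tickets to a host the realm cannot issue for; in the thread's case the next thing to look at on that client is which server name its dynamic DNS update resolves before it runs nsupdate -g, since the KDC will refuse a DNS/… principal for any host outside the realm's domain.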
Hi,
our current HOWTO[1] on connecting SSSD to an AD DC is outdated,
mostly because the page still only introduces the LDAP provider. Recently,
Sumit, Jeremy Agee and I wrote a new page that specifically advises using
the AD provider and also using realmd for setup:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
We started a new page and kept the old one around mostly because pre-1.9
versions still need the LDAP provider info.
I'd like to get some review and feedback from our community so we can
link the wiki page from the front page or the documentation section. In
addition to the lists, I also CC-ed the individual contributors to the
original page directly. I hope that's fine.
Thank you for your comments.
[1]
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%2…
>On Wed, Apr 23, 2014 at 08:10:47AM +0200, Paul Liljenberg wrote:
>> Notice: I sent this email to the list using another mail address, which I
>> believe was not verified properly. If this email is properly sent to the
>> list you can disregard moderating the message.
>>
>> Hello
>>
>> I'm setting up a single sign-on solution for about 1200 servers. The
>> situation, as it seems, is that we are setting up all users in a Windows 2008
>> R2 Active Directory, adding proper Unix permissions. A user with proper
>> privileges to read Active Directory is being used by sssd to read which
>> users are allowed in and which are not. If a user does not have a home
>> directory, it is created automatically. So what's the issue here? Access to
>> the system does not happen instantaneously and I believe it's because sssd is
>> polling Active Directory every 120 seconds. It seems as if it has issues
>> retaining its state and it is just as if it would lose its local database.
>> I would like to be able to have users log in directly after a user is
>> added to Active Directory. Is this possible and how could this be
>> achieved?
>
>I would encourage you to turn enumeration off. Enumeration is a background
>task that periodically downloads and saves all users from the server,
>which can be very intensive, especially for large environments.
>Also, is there a reason to use a bind user and a password and not a
>keytab and then leverage GSSAPI?
>We have some howtos on enrolling a client with AD for pre-1.9 clients:
>https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%2…
>And also for 1.9 and later (recommended):
>https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
I've edited the configuration to not use enumeration. The goal is to use
GSSAPI too. For some reason it refuses logins. It does not give me any
helpful output to fix it.
conf:
[sssd]
config_file_version = 2
domains = INT.HOME.LAN
services = nss, pam
debug_level = 0
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/INT.HOME.LAN]
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
# Uncomment if service discovery is not working
ldap_uri = ldap://vagrant-2008r2.int.home.lan
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM
# Define these only if anonymous binds are not allowed and no keytab is available
# Enabling use_start_tls is very important, otherwise the bind password is transmitted
# over the network in the clear
#ldap_id_use_start_tls = True
#ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
#ldap_default_authtok_type = password
#ldap_default_authtok = secretpassword
ldap_schema = rfc2307bis
ldap_user_search_base = CN=Users,DC=int,DC=home,DC=lan
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = CN=linuxadmins,DC=int,DC=home,DC=lan
ldap_group_object_class = group
#ldap_access_filter = memberOf=cn=linuxadmins,dc=int,dc=home,dc=lan
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
#ldap_krb5_init_creds = true
# Uncomment if dns discovery of your AD servers isn't working.
#krb5_server = 192.168.3.11
krb5_realm = INT.HOME.LAN
#krb5_keytab = /etc/krb5.keytab
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
# Perhaps you need to redirect to certain attributes?
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_uid_number = msSFU30UidNumber
#ldap_user_gid_number = msSFU30GidNumber
#ldap_user_gecos = displayName
#ldap_user_home_directory = msSFU30HomeDirectory
#ldap_user_shell = msSFU30LoginShell
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = cn
#ldap_group_gid_number = msSFU30GidNumber
error output:
(Fri May 2 08:45:01 2014) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [paul1] from [<ALL>]
(Fri May 2 08:45:01 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [paul1@INT.HOME.LAN]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=paul1]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'vagrant-2008r2.int.home.lan' in files
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [set_server_common_status] (0x0100): Marking server 'vagrant-2008r2.int.home.lan' as 'resolving name'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'vagrant-2008r2.int.home.lan' in files
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'vagrant-2008r2.int.home.lan' in DNS
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [set_server_common_status] (0x0100): Marking server 'vagrant-2008r2.int.home.lan' as 'name resolved'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [be_resolve_server_done] (0x0200): Found address for server vagrant-2008r2.int.home.lan: [192.168.3.2] TTL 3600
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=int,DC=home,DC=lan].
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=int,DC=home,DC=lan][SUBTREE][]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=int,DC=home,DC=lan].
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=int,DC=home,DC=lan][SUBTREE][]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [DC=int,DC=home,DC=lan].
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][DC=int,DC=home,DC=lan][SUBTREE][]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=int,DC=home,DC=lan].
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=int,DC=home,DC=lan][SUBTREE][]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=int,DC=home,DC=lan].
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=int,DC=home,DC=lan][SUBTREE][]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'client' in files
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._udp.int.home.lan'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.int.home.lan'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'resolved'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [be_resolve_server_done] (0x0200): Found address for server vagrant-2008r2.int.home.lan: [192.168.3.2] TTL 3600
(Fri May 2 08:45:01 2014) [[sssd[ldap_child[5745]]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri May 2 08:45:01 2014) [[sssd[ldap_child[5745]]]] [select_principal_from_keytab] (0x0200): Selected principal: CLIENT$@INT.HOME.LAN
(Fri May 2 08:45:01 2014) [[sssd[ldap_child[5745]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [CLIENT$@INT.HOME.LAN]
(Fri May 2 08:45:01 2014) [[sssd[ldap_child[5745]]]] [ldap_child_get_tgt_sync] (0x0200): Loaded 4 enctypes from keytab for CLIENT$@INT.HOME.LAN
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [child_sig_handler] (0x0100): child [5745] finished successfully.
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'vagrant-2008r2.int.home.lan' as 'working'
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [set_server_common_status] (0x0100): Marking server 'vagrant-2008r2.int.home.lan' as 'working'
(Fri May 2 08:45:01 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [paul1@INT.HOME.LAN]
(Fri May 2 08:45:01 2014) [sssd[be[INT.HOME.LAN]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 2 08:45:04 2014) [sssd] [service_send_ping] (0x0100): Pinging INT.HOME.LAN
(Fri May 2 08:45:04 2014) [sssd] [service_send_ping] (0x0100): Pinging nss
(Fri May 2 08:45:04 2014) [sssd] [service_send_ping] (0x0100): Pinging pam
--
Vänliga Hälsningar / Best Regards
Paul Liljenberg
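The reply quoted in the message above makes two points about the posted configuration: enumeration should be off, and a keytab with SASL/GSSAPI is preferable to a bind DN and password (which, as the config's own comment notes, crosses the wire in the clear unless TLS is on). The Python linter below is an added example, not part of this thread and not SSSD code: it parses an sssd.conf and reports those settings, plus a missing access_provider (SSSD defaults it to permit) and a debug_level of 0 that would hide the errors the poster is looking for. The two sample configs are constructed from the one posted above, one with the commented-out password block switched on and enumeration enabled, one bound with the host keytab; the finding codes are this script's own.

```python
"""Lint an sssd.conf for the settings discussed in this thread: enumeration
left on, a bind DN + password where a keytab with GSSAPI would do, a simple
bind without TLS, no access_provider, and a debug_level that hides errors.

Added example, not part of the original post and not SSSD code. The two
sample configs are constructed from the one posted above; the finding codes
are this script's own.
"""

import configparser
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, section, "CODE: message")

# Constructed: the posted config with its commented-out bind-password block
# switched on, enumeration enabled and no access_provider.
WEAK_CONF = """\
[sssd]
config_file_version = 2
domains = INT.HOME.LAN
services = nss, pam
debug_level = 0

[domain/INT.HOME.LAN]
enumerate = true
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://vagrant-2008r2.int.home.lan
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=lan
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword
krb5_realm = INT.HOME.LAN
"""

# Constructed: the same domain bound with the host keytab over GSSAPI, as the
# reply above recommends, with an access provider and a useful debug level.
GOOD_CONF = """\
[sssd]
config_file_version = 2
domains = INT.HOME.LAN
services = nss, pam
debug_level = 6

[domain/INT.HOME.LAN]
enumerate = false
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_uri = ldap://vagrant-2008r2.int.home.lan
ldap_sasl_mech = GSSAPI
krb5_realm = INT.HOME.LAN
krb5_keytab = /etc/krb5.keytab
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def lint_sssd_conf(text: str) -> List[Finding]:
    """Return findings for the [sssd] section and every [domain/...] section."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings: List[Finding] = []

    if cp.has_section("sssd") and cp["sssd"].get("debug_level", "0").strip() == "0":
        findings.append(("info", "sssd",
                         "DEBUG_LEVEL: debug_level = 0 logs only fatal errors; raise it while troubleshooting"))

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if _truthy(sec.get("enumerate", "false")):
            findings.append(("warn", section,
                             "ENUMERATE: enumeration periodically downloads every user and group; turn it off"))
        if "access_provider" not in sec:
            findings.append(("warn", section,
                             "NO_ACCESS_CONTROL: no access_provider, so sssd defaults to permit for every authenticated user"))
        if sec.get("ldap_default_authtok"):
            findings.append(("warn", section,
                             "CLEARTEXT_BIND: bind password kept in sssd.conf; prefer ldap_sasl_mech = GSSAPI with a keytab"))
            uri = sec.get("ldap_uri", "").strip()
            if not uri.startswith("ldaps://") and not _truthy(sec.get("ldap_id_use_start_tls", "false")):
                findings.append(("crit", section,
                                 "NO_TLS: simple bind over ldap:// without ldap_id_use_start_tls sends the password in the clear"))
    return findings


def finding_codes(findings: List[Finding]) -> List[str]:
    """Sorted list of finding codes, convenient for comparing two configs."""
    return sorted(msg.split(":", 1)[0] for _, _, msg in findings)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, finding_codes(lint_sssd_conf(conf)))
```

The NO_TLS check only looks at the first ldap_uri prefix; if you list several servers, or an LDAP proxy terminates TLS elsewhere, read that finding as a prompt rather than a verdict.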
Hello,
Is it possible to set a constant value for authorized_service in the domain
configuration?
Like:
[domain/sshd]
...
ldap_access_order = authorized_service
authorized_services = sshd
...
Thanks!
---
Best regards,
Eugene Istomin
Hi!
I'm seeing searches like this sent by sssd to the LDAP server:
(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))
Likely this is because some of the server admins set in sssd.conf:
enumerate = true
While it's debatable whether to disable enumeration, I wonder how one can avoid
sssd using the filter above.
Since all three attributes are mandatory in objectClass posixAccount anyway,
it would be sufficient to do a user enumeration search with just the filter
(objectClass=posixAccount), because there cannot be an entry without any of
these attributes.
I'm asking because it turned out that the LDAP server's processing of
(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*)) is twice as
slow as just (objectClass=posixAccount).
Ciao, Michael.
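The argument in the message above is that a presence test on an attribute the objectClass already makes mandatory is redundant. The Python example below is added here and is not SSSD's code: it parses an RFC 4515 filter (the &, |, ! and simple attr=value subset that sssd-style filters use), and inside each AND drops (attr=*) terms whose attribute is a MUST of an objectClass the same AND tests for equality. The MUST table is the RFC 2307 definition of posixAccount and posixGroup and is the only schema it knows; the function names are mine.

```python
"""Simplify an LDAP search filter by dropping presence tests on attributes
that the filter's objectClass already guarantees (schema MUST attributes),
as in the enumeration filter quoted above.

Added example, not SSSD's code. The parser handles the RFC 4515 subset that
sssd-style filters use (&, |, !, and simple attr=value items); the MUST map
below is taken from RFC 2307 and is the only schema it knows about.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# RFC 2307 MUST attributes for the classes that matter here (assumed schema).
MUST: Dict[str, Set[str]] = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}


@dataclass
class Node:
    op: str                                   # '&', '|', '!' or 'leaf'
    children: List["Node"] = field(default_factory=list)
    attr: str = ""                            # leaf only; may end in '>', '<' or '~'
    value: str = ""                           # leaf only; '*' means a presence test


def parse_filter(text: str) -> Node:
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end}")
    return node


def _parse(s: str, i: int) -> Tuple[Node, int]:
    """Parse one parenthesised filter component starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            kids.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '{op}' at offset {i}")
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one operand")
        return Node(op, kids), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad item {s[i:end]!r}")
    return Node("leaf", attr=attr, value=value), end + 1


def to_string(n: Node) -> str:
    if n.op == "leaf":
        return f"({n.attr}={n.value})"
    return "(" + n.op + "".join(to_string(c) for c in n.children) + ")"


def simplify(n: Node, must: Dict[str, Set[str]] = MUST) -> Node:
    """Drop (attr=*) inside an AND when a sibling (objectClass=X) makes attr a MUST."""
    if n.op == "leaf":
        return n
    kids = [simplify(c, must) for c in n.children]
    if n.op == "&":
        guaranteed: Set[str] = set()
        for c in kids:
            if c.op == "leaf" and c.attr.lower() == "objectclass" and c.value != "*":
                guaranteed |= must.get(c.value.lower(), set())
        kids = [c for c in kids
                if not (c.op == "leaf" and c.value == "*" and c.attr.lower() in guaranteed)]
        if len(kids) == 1:
            return kids[0]
    return Node(n.op, kids)


def simplify_filter(text: str) -> str:
    return to_string(simplify(parse_filter(text)))


if __name__ == "__main__":
    print(simplify_filter("(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))"))
```

The rewrite is only sound where the server enforces its schema, which is what makes the MUST attributes a guarantee; it does not change what sssd itself sends, but it shows the filter the message argues for and can be applied to any filter you control before it goes to the directory.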
Hi!
How does sssd decide whether to send searches with filter
(objectClass=ipService) or not?
Does it depend on "services: sss" set in /etc/nsswitch.conf?
Ciao, Michael.
Hello,
Is there a proper way in sudo rules to allow any command and exclude only
some groups?
Something like:
%test_group ALL= (ALL) ALL, !SU, !SHELLS
If I try to do this (gui/cli) I get an error:
ipa: ERROR: commands cannot be added when command category='all'
The non-proper way (bug?) is to first add the deny groups and after that add
allow all :)
It should be fixed according to this ticket, but it seems to still work
(freeipa-server-3.3.4-3):
https://fedorahosted.org/freeipa/ticket/1440
Thanks
Szymon