sssd-users September 2015

sssd-users@lists.fedorahosted.org

25 participants
29 discussions

SSSD Full Cache Refresh
by Yogesh Sharma 23 Sep '15

23 Sep '15

Hi Team, We are using sssd with FreeIPA. Whenever we add a new server in FreeIPA, it does not get reflected to clients. We have implemented the cache refresh intervals as well. However, in some use cases , the issue only get resolved we we delete /var/lib/sssd/db/* and restart the sssd service. Is there any config settings for the same which do full refresh of DB. Currently, below is the sssd config: enumerate = False entry_cache_timeout = 60 refresh_expired_interval = 30 entry_cache_sudo_timeout = 60 entry_cache_netgroup_timeout = 60 ldap_enumeration_refresh_timeout = 60 ldap_purge_cache_timeout = 60 ldap_sudo_smart_refresh_interval = 60 cache_credentials = false *Best Regards,* *__________________________________________* *Yogesh Sharma* *Email: yks0000(a)gmail.com <yks0000(a)gmail.com> | Web: www.initd.in <http://www.initd.in/> * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* <https://www.fb.com/yks0000> <http://in.linkedin.com/in/yks0000> <https://twitter.com/checkwithyogesh> <http://google.com/+YogeshSharmaOnGooglePlus>

3 12

Odd issue with AD domain authentication (PTR records)
by John Beranek 23 Sep '15

23 Sep '15

Hi, Where I work I've just spent a fair amount of time tracing down an issue we were having with Linux servers (CentOS 6) which authenticate against the company Active Directory domain. We found that SSSD 1.12.4-46.el6 clients were failing to work correctly against a particular DC in one of our sites. Looking in the SSSD logs I discovered it was a Kerberos "TGS-REQ" issue, whereby it would do a request and get back "Principal unknown". I captured the conversation with tcpdump, and compared it with a conversation with a working DC, and found that the "Prinical unknown" response came back with the Kerberos server listed as: domaindnszones.example.com and in the working case was instead the name of the DC, let's say: site-a-dc01.example.com Looking further at the DNS records for the affected DC, I found that the DC's IP had 4 PTR records: site-a-dc01.example.com forestdnszones.example.com domaindnszones.com gc._msdcs.example.com Given we didn't believe the 3 extra PTRs were performing any useful function, we deleted them, and started SSSD again. SSSD now happily connected to the DC, and is functional. So, is there any reason why these PTRs would have upset SSSD like they appear to have? I can supply SSSD logs and/or pcap files off-list if helpful... Cheers, John -- John Beranek To generalise is to be an idiot. http://redux.org.uk/ -- William Blake

3 4

Race condition when /var/lib/sssd in on NFSv4
by Ondrej Valousek 23 Sep '15

23 Sep '15

Hi list, I have just discovered that there is a race condition when we put /var/lib/sssd on NFSv4 volume (such as in diskless boot scenario). System tends to hang randomly. Is there any solution to this? Only cure seems to me at the moment to mount it via NFSv3 which does not require idmapper. Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

5 7

ldap_user_certificate
by Michael Ströder 22 Sep '15

22 Sep '15

HI! What's the option ldap_user_certificate used for in IPA? Is it used for a separate map? Or is it used e.g. for emulation of signed SSH authorized keys? Ciao, Michael.

3 4

sssd-ad + ldap mapping uid issue
by Guillaume Polaert 22 Sep '15

22 Sep '15

Hi everyone, I'm using sssd-ad and I have unexpected behaviour with the ldap_mapping_id module. I'll try to be clear as possible :) The unexpected behaviour concerned Group ID, they are inconsistency. For any reason, at any moment GIDs can be changed. The AD contains about 10 domains, and 200 000 users. Domain RIDs can be very large. I override the min, max, and slice values to extend the available window. I've also set a default domain sid in order to be sure one (the main) domain will be consistency. But it doesn't work. What can be the origin of GIDs overwriting? Maybe, I have a problem with my configuration file. /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = nss, pam, sudo domains = LDAP, domain.ad [nss] filter_groups = root,ldap,named,avahi,haldaemon,dbus,... filter_users = root,ldap,named,avahi,haldaemon,dbus, ... [pam] [sudo] [domain/LDAP] id_provider = ldap sudo_provider = ldap auth_provider = ldap cache_credentials = True ldap_uri = ldaps://ldap1:636 ldap_tls_cacert = /etc/openldap/cacerts/ldap_rootca.pem ldap_tls_reqcert = hard ldap_default_bind_dn = ... ldap_default_authtok_type = obfuscated_password ldap_default_authtok = ... ldap_search_base = base_dn enumerate = True ldap_referrals = False ldap_schema = rfc2307 ldap_sudo_search_base = base_dn [domain/domain.ad] id_provider = ldap access_provider = ad auth_provider = ad cache_credentials = True enumerate = False debug_level = 9 ## Override attributes override_gid = 513 override_homedir = /data/users/%u default_shell = /bin/bash ## LDAP config ldap_uri = ldaps://ad-server:3269 ldap_tls_cacert = /etc/openldap/cacerts/bundle-certificates.pem ldap_tls_reqcert = hard ldap_search_base = base_dn ldap_group_search_base = group_dn ldap_schema = ad ## Mapping confiugration ldap_id_mapping = True ldap_idmap_default_domain_sid = S-1-5-21-...932 # Allow 2000 domains, and 1 million entries per domain # Min uid for AD account (100000) ldap_idmap_range_min = 100000 ldap_idmap_range_max = 2000100000 ldap_idmap_range_size = 1000000 I've just found this in the log file. (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_cluster1_developer (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_audit_cluster1_developer (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_audit_cluster1_user (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x1000): Mapping group [grp_audit_cluster1_user] objectSID to unix ID (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x2000): Group [grp_audit_cluster1_user] has objectSID [S-1-5-21-3095416536-3097367016-2845470932-840751] (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x2000): Group [grp_audit_cluster1_user] has mapped gid [940751] (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x2000): Adding fake group grp_audit_cluster1_user to sysdb (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1ee6fc0 [ ...] (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_audit_cluster1_user (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x0400): Processing group grp_audit_cluster1_user (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x4000): AD group [grp_audit_cluster1_user] has type flags 0x80000004. (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x1000): Mapping group [grp_audit_cluster1_user] objectSID [S-1-5-21-3095416536-3097367016-2845470932-840751] to unix ID (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=grp_audit_cluster1_user,....] to attributes of [grp_audit_cluster1_user]. (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150717152801.0Z] to attributes of [grp_audit_cluster1_user]. (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): The group has 3 members (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): Group has 3 members (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [N5218058] (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [O3049031] (Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x0400): Storing info for group grp_audit_cluster1_user Guillaume Polaert | Ingensi | @gpolaert - https://twitter.com/gpolaert

2 3

cache-credentials
by mathias dufresne 21 Sep '15

21 Sep '15

Hi all, Does "cache-credentials" option need a LDAPS connection or can we set it up over LDAP too? Cheers

3 2

auth-only domain in sssd.conf
by Michael Ströder 21 Sep '15

21 Sep '15

HI! Is it possible to have a auth-only domain in sssd.conf? Something like this: [domain/LDAP-ID] id_provider = ldap ldap_search_base = ou=stuff,dc=mydomain,dc=org ... [domain/LDAP-AUTHC] auth_provider = ldap ldap_search_base = ou=virtual,dc=mydomain,dc=org ... The idea is to let sssd search the map data beneath naming context ou=stuff,dc=mydomain,dc=org but use ou=authc-virtual,dc=mydomain,dc=org only for authentication via LDAP simple bind with a hard-coded pattern like: bind DN: uid=$user,ou=virtual,dc=mydomain,dc=org Note that user name would be the same in both naming contexts. So sssd would not have to search in ou=virtual,dc=mydomain,dc=org to make use of it. Ciao, Michael.

2 1

Tokengroups usage
by Ondrej Valousek 18 Sep '15

18 Sep '15

Hi List, Man sssd-ldap says: " If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting ldap_use_tokengroups to false. " Why is usage of tokengroups not possible with Windows server 2008 or newer? Can someone clarify? Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

3 7

kerberized nfs4 with sssd id mapping
by Isaiah Houston 18 Sep '15

18 Sep '15

I’ve run into an interesting problem that I’ve narrowed down to the interaction between rpcidmapd and sssd. My sssd.conf is using AD as it’s id provider. When the setting use_fully_qualified_names = True is enabled in sssd.conf, rpcidmapds append the domain name to user lookup requests. This results in having user lookup requests that include an extra @domain.name in them, for example: rpc.idmapd: Server : (group) id "1002200513" -> name "user@domain.com@domain.com” This results in users not being able to access folders that use any kind of group permissions because they are not recognized as being members. Also if a user creates a file, it is listed as being owned by nfsnobody since the user isn’t mapped to an ID correctly. When I adjust sssd.conf to be use_fully_qualified_names = False, the lookup request looks right: rpc.idmapd: Server : (group) id "1002200513" -> name "user(a)domain.xn--com-9o0a However, if I then mount the nfs share from a different machine, and use a domain account with a valid Kerberos ticket, I still get permission denied when trying to access files, presumably because even though rpcidmapd is displaying my name as “user(a)domain.xn--com-9o0a the server is looking for the unqualified name “user” which still fails to match. Has anyone else experienced this? I saw there was some effort at an sssd plugin for rpcidmapd, but that doesn’t seem complete yet. Is there a viable workaround so I can get kerberized nfs mounts up? Isaiah Houston

3 5

Loon restrictions via GPO and groups in Security Filtering for GPO
by Davor Vusir 16 Sep '15

16 Sep '15

Hi! I'm laborating with using GPO to restrict logon. Nothing fancy, no modifications made to GPO-parts of sssd.conf but just out-of-the-box. The GPO is set to be enforced. The idea is to let at least two categories of user accounts to be able to login via ssh; category 1 must use public/private key authentication and category 2 uses Kerberos. The groups "pubKeyUsers" and "KerberosUsers" are both added to "Allow log on through Terminal Services" GPO-setting. The "Authenticated Users"-group is being added by default when creating a GPO and logon is working as intended; "pubKeyUsers" must use key logon and "KerberosUsers" uses Kerberospassword. Users with no membership in either group are denied logon. When replacing "Authenticated users"-group with groups containing the server account and groups "pubKeyUsers" and "KerberosUsers" to the GPO's Security Filtering it breaks. Members of "pubKeyUsers" needs to authenticate through Kerberospassword (the public/private key authentication is ignored), "KerberosUsers" are allowed as well as any other domain user. I have also tried "loopback processing" as no user account have any GPO's applied, but servers only. It seems that SSSD doesn't honor Security Filtering but for "Authenticed Users"-group only. Is that true? How is SSSD handling Security Filtering? Regards Davor Vusir

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users September 2015