sssd-users September 2019

sssd-users@lists.fedorahosted.org

18 participants
21 discussions

Offline caching of group names and memberships?
by Spike White 27 Sep '19

27 Sep '19

All, Our cybersecurity team doesn’t allow Linux sysadmins to directly log in as root. (violates accountability, auditability and traceability). We log in with an ADM account, which is then eligible to become root via ‘sudo su –‘. That is, all members of a particular group are allowed to sudo to root. This is preferred because with modern sudo versions all sudo sessions are session-logged. Anyway, if I log in with my ADM account and someone shuts down sssd, it no longer knows what groups I’m in. That is, the session is still there – but it cannot look up the group names. [admspike_white@zzzdmsdev06 ~]$ id uid=2025431 gid=1002 groups=1002,2284295 Because the sudo privs are based on group name, it doesn’t allow Linux sysadmins to become root and thus start sssd. Is there a way to cache those group names and memberships? Say with nscd? So that if sssd is (temporarily) shut down, we can become root and start up? Obviously, we can go look up the root password for the particular server – but that’s a painful portal. It’d be better if we could cache group names and memberships, if sssd is temporarily down or offline. (We have other AD integration products that have this “offline caching” feature that can enabled or disabled.) Spike

4 15

autofs with samba AD
by wipe＠mailbox.org 27 Sep '19

27 Sep '19

Hello list, I'm trying to setup sssd to access automounter rules stored on an AD (samba 4.7.6). I followed the instructions on this site, however it doesn't work for me. https://ovalousek.wordpress.com/2015/08/03/autofs/ In the sssd_logfile I see, that the "auto.master" map is found by sssd within the ldap search path. However, the reference to the auto.home and the corresponding user mounts does not seem to be found. Using sssd to authenticate against Active Directory works well. Any ideas what's going wrong here? Thanks for looking in this issue! OS: Ubuntu 18.04.3 LTS sssd 1.16.1-1ubuntu1.4 sssd-ad 1.16.1-1ubuntu1.4 sssd-ad-common 1.16.1-1ubuntu1.4 sssd-common 1.16.1-1ubuntu1.4 sssd-dbus 1.16.1-1ubuntu1.4 sssd-ipa 1.16.1-1ubuntu1.4 sssd-krb5 1.16.1-1ubuntu1.4 sssd-krb5-common 1.16.1-1ubuntu1.4 sssd-ldap 1.16.1-1ubuntu1.4 sssd-proxy 1.16.1-1ubuntu1.4 sssd-tools 1.16.1-1ubuntu1.4 Here is the configuration. Additionally, I attached logfiles with log_level 9 ****sssd.conf**** [sssd] domains = info.privat config_file_version = 2 services = nss, pam, autofs [pam] [nss] [autofs] [domain/info.privat] debug_level = 5 ad_server = tfaddc2.info.privat access_provider = ad auth_provider = ad krb5_realm = INFO.PRIVAT cache_credentials = True id_provider = ad autofs_provider = ad ldap_autofs_entry_key = cn ldap_autofs_entry_object_class = nisObject ldap_autofs_entry_value = nisMapEntry ldap_autofs_map_name = nisMapName ldap_autofs_map_object_class = nisMap ldap_autofs_search_base = ou=automount,dc=info,dc=privat nsswitch.conf automount: files sss ****AD**** dn: OU=automount,DC=info,DC=privat objectClass: top objectClass: organizationalUnit ou: automount name: automount dn: CN=auto.master,OU=automount,DC=info,DC=privat objectClass: top objectClass: nisMap cn: auto.master name: auto.master objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=info,DC=privat nisMapName: auto.master dn: CN=auto.home,OU=automount,DC=info,DC=privat objectClass: top objectClass: nisMap cn: auto.home name: auto.home objectCategory: CN=NisMap,CN=Schema,CN=Configuration,DC=info,DC=privat nisMapName: auto.home dn: CN=/home/,CN=auto.master,OU=automount,DC=info,DC=privat objectClass: top objectClass: nisObject objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=info,DC=privat nisMapName: auto.master cn: /home/ name: /home/ nisMapEntry: auto.home dn: CN=user1,CN=auto.home,OU=automount,DC=info,DC=privat objectClass: top objectClass: nisObject objectCategory: CN=NisObject,CN=Schema,CN=Configuration,DC=info,DC=privat nisMapName: auto.home nisMapEntry: -fstype=nfsv4,nosuid,rw,dir_index,user_xattr,proto=tcp,port=2049 server:/export/lra/user/user1 cn: user1 name: user1

3 8

How do new LDAP security recommendations from MS affect sssd clients?
by Spike White 26 Sep '19

26 Sep '19

All, Microsoft has announced a new vulnerability in its AD domain controllers. They are promising a fix by mid-Jan 2020, but in the meantime they have offered LDAP hardening recommendations so that these controllers are not vulnerable. Those recommendations are: - enable LDAP channel binding and - LDAP signing on Active Directory Domain Controllers. (I don't pretend to know what that is.) My question is -- if our AD admins implement these recommended hardenings, what impact will that have on our sssd clients? Spike

3 2

sssd_be core dumping when ‘realm permit’ command run under puppet control…
by Spike White 26 Sep '19

26 Sep '19

All, This is a strange one. When we exec this command under puppet control: /usr/sbin/realm permit -R AMER.COMPANY.COM processehcprofiler(a)AMER.COMPANY.COM Then sssd_be core dumps (segfault). When we run that ‘realm permit’ command natively on the command line, it executes flawlessly. No core dump. Naturally, our first thought was that it’s something different in the environment. So we dumped the environment under which puppet exec resource runs. Yes, quite minimal. LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36: LD_LIBRARY_PATH= LANG=en_US.UTF-8 HISTCONTROL=ignoredups HOSTNAME=austgcore25.us.company.com S_COLORS=auto PWD=/root APT_LISTCHANGES_FRONTEND=none DEBIAN_FRONTEND=noninteractive APT_LISTBUGS_FRONTEND=none MAIL=/var/spool/mail/root SHELL=/bin/bash TERM=xterm SHLVL=2 MANPATH=:/opt/puppetlabs/puppet/share/man PATH=/bin:/usr/bin:/sbin:/usr/sbin HISTSIZE=1000 LESSOPEN=||/usr/bin/lesspipe.sh %s _=/bin/env But when we create a bash session with no environment, then add this puppet-supplied environment and run the above realm permit– all is still well. We can reproduce this easily in puppet. Just delete our breadcrumb file (so that puppet re-executes this ‘realm permit’ command). And execute another puppet agent run. Doing this, we obtained a core dump from sssd_be. And it points to some code in ad_id.c: [root@austgcore25 tmp]# gdb -c core-sssd_be.15405.austgcore25.us.company.com.1563210863 GNU gdb (GDB) Red Hat Enterprise Linux 8.2-5.el8 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html > This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word". [New LWP 15405] Reading symbols from /usr/libexec/sssd/sssd_be...Reading symbols from /usr/lib/debug/usr/libexec/sssd/sssd_be-2.0.0-43.el8.x86_64.debug...done. done. warning: Ignoring non-absolute filename: <linux-vdso.so.1> Missing separate debuginfo for linux-vdso.so.1 Try: dnf --enablerepo='*debug*' install /usr/lib/debug/.build-id/06/44254f9cbaa826db070a796046026adba58266 warning: .dynamic section for "/usr/lib64/libndr-nbt.so.0.0.1" is not at the expected address (wrong library or version mismatch?) [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `/usr/libexec/sssd/sssd_be --domain AMER.COMPANY.COM --uid 0 --gid 0 --logger=files'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f79444f53c0 in ad_get_account_domain_search (req=req@entry=0x5557b6fd45b0) at src/providers/ad/ad_id.c:1276 1276 state->filter = sdap_combine_filters(state, state->base_filter, (gdb) This is in RHEL8. What we suspect is that the shell in which puppet executes this ‘realm permit’ is not supplying something that this executable needs. If we know what it is, we can preface our puppet exec resource code snippet with the missing piece. Spike PS This ‘realm permit’ does seem to perform the correct actions eventually. It adds the expected user to the simple_allow_users line of the appropriate AD domain in /etc/sssd/sssd.conf file. But because it segfaults and then has to start up again, it takes a very long time to complete the puppet run. (There’s about 20 – 30 users + groups allowed; it has to segfault on each of them).

4 9

Re: Questions about the PAC responder
by Jim Burwell 21 Sep '19

21 Sep '19

Thanks again for the reply. I think this explains the random slowness. The users in question and the AD server had LOTS and LOTS of groups, and group memberships among users are many and complex. It sounds like I could also attack some of the slowness by increasing the cache timeouts perhaps, if that can be controlled to the level needed by the conf file. Thanks for helping me understand the issue and the role of PAC in it. -Jim On 2019-09-19 23:52, Jakub Hrozek wrote: > On Thu, Sep 19, 2019 at 05:41:00PM -0700, Jim Burwell wrote: >> Thanks for the response. Will respond inline. >> >> On 2019-09-19 00:07, Jakub Hrozek wrote: >>> On Wed, Sep 18, 2019 at 06:25:31PM -0700, Jim Burwell wrote: >>>> Hi, >>>> >>>> I recently encountered issues where logins on Linux clients using SSSD >>>> and the AD provider, pointed directly to an AD server were randomly >>>> slow. Randomly meaning, some clients experienced no slowness at all, >>>> other clients consistently had slow logins (30+ seconds sometimes), and >>>> yet other clients had random normal/fast logins, and frequent slow logins. >>>> >>>> Through troubleshooting, log analysis and experimentation, it appears >>>> the fix for this issue is to turn off the PAC service. Once "pac" was >>>> removed from the "services =" line in sssd.conf, the problem client >>>> boxes were suddenly consistently fast in terms of user logins. >>>> >>>> This deployment has the clients talking directly to AD servers it looks >>>> up via the normal AD DNS entries, and uses Unix POSIX attributes in AD >>>> for uidnumber and gidnumber etc (e.g. it's not doing any SID -> unix ID >>>> translations, it's just pulling them directly from LDAP attributes). >>>> >>>> I guess my questions are: >>>> >>>> 1. What does PAC actually do? I've read that it lists a users group as >>>> part of a KRB5 response, but also that it might be involved in >>>> cross-domain trusts. >>> There is a lot of information about PAC in the PFD linked here: >>> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d806… >>> and a more readable version e.g. here: >>> https://www.freeipa.org/page/Howto/Inspecting_the_PAC >>> >>> In general, Windows gives you the authoritative set of groups the user >>> is a member of only after login, so parsing the groups out of the PAC is >>> the most reliable way. And in older versions of SSSD, especially with >>> IPA-AD trusts, it was even the only way, IOW 'id' would only display >>> groups after you log in. Newer versions try to approximate the groups >>> with other means, mostly the tokenGroups attribute. >> I'll take a look at these links to increase my understanding. >>>> 2. When is PAC needed. Is it only needed for deployments using IPA? >>> It was strictly needed with some quite old IPA provider versions and >>> recommeded at some point for AD provider also, but in the meantime, we >>> improved the tokenGroups codepath,so the PAC provider is no longer used >>> for AD provider, at least by default. >> OK. Good to know. I based my "services =" line on many example configs >> I've seen similar to our particular architecture, which is why I >> included "pac". It seemed to be recommended to use with the AD provider >> from my memory, but now when I do a cursory search, I see most of the >> example configs no longer include "pac". I thought I was going crazy. >> >>>> 3. Is there any impact in turning off PAC if the architecture doesn't >>>> involve IPA in the mix? >>> As said above, it is the most reliable way, but if sssd is giving you >>> the group membership you expect also w/o using the PAC, then feel free >>> to not use it. >> So far I've only removed it from services on problem hosts to fix the >> "slow logins" problem. >>>> 4. Why would PAC slow down such a architecture seemingly randomly? >>> I guess you might be using an older version of SSSD? In the older >>> versions, the PAC was processed as part of the krb5_child process, so if >>> the PAC processing was taking too long, the krb5_child was timing out. >>> In newer versions, the PAC handling was reworked and is now evaluated >>> differently. >>> >>> The PAC data is cached iirc, so when the slowdown occured, I guess it >>> was when the PAC data was out of date in the cache. >> This makes sense, because in some cases these systems would not >> successfully complete a login until I increased various timeouts in >> sssd.conf. Then they'd take from 20-30s to login. >> >> But it was quite random, which is what has me confused. These systems >> were running identical OS, package sets, and were on the same network, >> in many cases connected to the same set of switches (blade servers). >> Most have no issue, and login is fast (2-3s). Others took 20-30s! >> Suspecting networking issues, we moved one to a different network whose >> clients weren't having slow-login problems to see if it changed >> anything, and it didn't. > The slow part is parsing the PAC locally. The PAC includes a list of > SIDs and for each SID, the PAC responder would ask sssd_be if the > corresponding SID is known and to refresh it if the corresponding cache > entry is stale. > > So the flow used to go like this: > sssd_pam -> sssd_be -> krb5_child -> sssd_pac -> sssd_be (for each > SID) -> (for each expired SID) AD LDAP > this was too slow. And about why it was random, I guess if some users > had overlapping group memberships, many of the groups could have been > updated when another user with similar group memberships logged in and > then at some point more than a critical mass of groups would go stale in > the cache and sssd_be ended up updating them all.. > >> What ultimately fixed it was disabling the PAC service. But near >> identical systems except for the IP address, sitting right beside the >> problem systems have no issues with pac enabled! Very strange! >> >> Disabling pac made these problem clients behave like the ones that >> weren't having issues, and logins take 2-3s. >> >> These are all ubuntu 16.04 LTS systems which are running sssd 1.13-4-1 >> (or higher if there are patches, right now I don't have access to look >> at them). So I'm not sure if this is using the older code, or the newer >> code. Do you remember? > git log remembers :-) > > and tells me that the "new" PAC approach was implemented in 1.14. > >> I guess this version is "old" since it came out in early 2017, and the >> latest 1.x is 1.16.4 (I presume 1.x development has stopped except for >> bug fixes?). Latest of course is 2.2.2! So it seems way behind when >> looking at it that way. :-) > Yes and no. The 1.16.x branch is stable, or long-term support and we'll > be supporting it until RHEL-7 is supported. It's true that the 1.16 > branch no longer receives many new features and that most of the > development happens with the 2.x branch, but bug fixes and selected new > features are still backported to 1.16.x as well. This is not to say the > 2.x branch is not stable, it is used in RHEL-8 after all, but the large > amount of chances increases the chance that something would break by > accident.

1 0

Questions about the PAC responder
by Jim Burwell 19 Sep '19

19 Sep '19

Hi, I recently encountered issues where logins on Linux clients using SSSD and the AD provider, pointed directly to an AD server were randomly slow. Randomly meaning, some clients experienced no slowness at all, other clients consistently had slow logins (30+ seconds sometimes), and yet other clients had random normal/fast logins, and frequent slow logins. Through troubleshooting, log analysis and experimentation, it appears the fix for this issue is to turn off the PAC service. Once "pac" was removed from the "services =" line in sssd.conf, the problem client boxes were suddenly consistently fast in terms of user logins. This deployment has the clients talking directly to AD servers it looks up via the normal AD DNS entries, and uses Unix POSIX attributes in AD for uidnumber and gidnumber etc (e.g. it's not doing any SID -> unix ID translations, it's just pulling them directly from LDAP attributes). I guess my questions are: 1. What does PAC actually do? I've read that it lists a users group as part of a KRB5 response, but also that it might be involved in cross-domain trusts. 2. When is PAC needed. Is it only needed for deployments using IPA? 3. Is there any impact in turning off PAC if the architecture doesn't involve IPA in the mix? 4. Why would PAC slow down such a architecture seemingly randomly? I've done a bit of searching and have only found sparse information on sssd_pac, some in Jakob's blog! I'm trying to understand its role. Thanks, - Jim

2 1

[AD] Filter out disabled users
by Hinrikus Wolf 19 Sep '19

19 Sep '19

Hi, we are currently running a Samba AD DC Server with sssd on clients. Now we want to run sssd also on our mail server with postfix + dovecot. Postfix and dovecot get their users from NSS i.e. from sssd. In our Domain there are several disabled users (via User Account Control Bit). Any of these users are listed in NSS. Unfortunately, they can receive emails, because they are existing in the user database of NSS. But they cannot login to read mails or even answer. We would like to filter out disables users from NSS s.t. postfix will not accept emails for disabled users. We searched in man 5 sssd-ad but did not find a config option for this use case. Do you have any idea what we could do to achieve the desired behaviour? Thanks a lot. Best regards Rikus

5 13

Announcing SSSD 2.2.2
by Michal Židek 16 Sep '19

16 Sep '19

== SSSD 2.2.2 === The SSSD team is proud to announce the release of version 2.2.2 of the System Security Services Daemon. The tarball can be downloaded from: https://releases.pagure.org/SSSD/sssd/ RPM packages will be made available for Fedora shortly. Feedback -------- Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users SSSD 2.2.2 (I have included SSSD 2.2.1 at the end as well) ========== Highlights ---------- New features ^^^^^^^^^^^^ None Notable bug fixes ^^^^^^^^^^^^^^^^^ * Removing domain from ad_enabled_domain was not reflected in SSSD's cache. This has been fixed. * Because of a race condition SSSD could crash during shutdown. The race condition was fixed. * Fixed a bug that limited number of external groups fetched by SSSD to 2000. * pam_sss now properly creates gnome keyring during login. * SSSD with KCM could wrongly pick older ccache instead of the latest one after login. This was fixed. Packaging Changes ----------------- None Documentation Changes --------------------- None Tickets Fixed ------------- * `3932 <https://pagure.io/SSSD/sssd/issue/3932>`_ - MAN: Document that PAM stack contains the systemd-user service in the account phase in recent distributions * `4009 <https://pagure.io/SSSD/sssd/issue/4009>`_ - Removing domain from ad_enabled_domains is not reflected in cache * `4058 <https://pagure.io/SSSD/sssd/issue/4058>`_ - Paging not enabled when fetching external groups, limits the number of external groups to 2000 * `4063 <https://pagure.io/SSSD/sssd/issue/4063>`_ - sssd-kcm: type confusion on KDC offset * `4067 <https://pagure.io/SSSD/sssd/issue/4067>`_ - pam_sss with smartcard auth does not create gnome keyring * `4068 <https://pagure.io/SSSD/sssd/issue/4068>`_ - pam_sss: empty smart card pin registers as authentication attempt * `4069 <https://pagure.io/SSSD/sssd/issue/4069>`_ - pam_sss should reset PAM_USER based on use_fully_qualified_names option in sssd.conf * `3996 <https://pagure.io/SSSD/sssd/issue/3996>`_ - sudo: do not update last usn when updating expired rules * `4065 <https://pagure.io/SSSD/sssd/issue/4065>`_ - IFP: GetUserAttr does not search by UPN * `4074 <https://pagure.io/SSSD/sssd/issue/4074>`_ - Integration tests use python2 unconditionally Detailed changelog ------------------ Jakub Hrozek (6): MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8 IPA: Allow paging when fetching external groups MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8 IPA: Allow paging when fetching external groups KCM: Use int32_t type conversion in DEBUG message for int32_t variable KCM: Add a forgotten return KCM: Allow modifications of ccache's principal KCM: Fill empty cache, do not initialize a new one Lukas Slebodnik (18): BUILD: Add macro for checking python3 modules BUILD: Fix typo of detecting python module for intgcheck BUILD: Move checking of python2 modules for intgcheck BUILD: Add macro for checking pytest for intgcheck BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS BUILD: Move python checks for intgcheck to macro INTG: Do hot hardcode version of python/pytest in intgcheck BUILD: Prefer python3 for intgcheck intg: Install python3 dependencies for intgcheck on new distros pyhbac: Fix warning Wdiscarded-qualifiers test_pam_responder: Fix unicore error SSSDConfig: Add minimal test for parse method SSSDConfig: Fix SyntaxWarning "is not" with a literal TESTS: Add minimal test for pysss encrypt pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN test_pam_responder: Fix DeprecationWarning invalid escape sequence testlib: Fix SyntaxWarning "is" with a literal Michal Židek (2): Bumping the version to track the 2.2.2 development Update the translations for the 2.2.2 release Pavel Březina (12): ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb sysdb: add sysdb_domain_set_enabled() ad: set enabled=false attribute for subdomains that no longer exists sysdb: read and interpret domain's enabled attribute sysdb: add sysdb_list_subdomains() ad: remove all subdomains if only master domain is enabled ad: make ad_enabled_domains case insensitive ci: use python2 version of pytest ci: pep8 was renamed to pycodestyle in Fedora 31 ci: remove left overs from previous rebase sudo: do not update last usn value on rules refresh ifp: let cache_req parse input name so it can fallback to upn search Sumit Bose (5): pam: keep pin on the PAM stack for forward_pass pam: do not accept empty PIN pam: user PAM return codes where expected pam: set PAM_USER properly with allow_missing_name Revert "SERVER: Receving SIGSEGV process on shutdown" Tomas Halman (3): SERVER: Receving SIGSEGV process on shutdown BE: Invalid oprator used in condition SERVER: Receving SIGSEGV process on shutdown SSSD 2.2.1 ========== Highlights ---------- New features ^^^^^^^^^^^^ * New options were added which allow sssd-kcm to handle bigger data. See manual pages for ``max_ccaches``, ``max_uid_caches`` and ``max_ccache_size``. * SSSD can now automatically refresh cached user data from subdomains in IPA/AD trust. Notable bug fixes ^^^^^^^^^^^^^^^^^ * Fixed issue with SSSD hanging when connecting to non-responsive server with ldaps:// * SSSD is now restarted by systemd after crashes. * Fixed refression when dyndns_update was set to True and dyndns_refresh_interval was not set or set to 0 then DNS records were not updated at all. * Fixed issue when ``default_domain_suffix`` was used with ``id_provider = files`` and caused all results from files domain to be fully qualified. * Fixed issue with sudo rules not being visible on OpenLDAP servers * Fixed crash with ``auth_provider = proxy`` that prevented logins Packaging Changes ----------------- None Documentation Changes --------------------- A new option ``dns_resolver_server_timeout`` was added A new option ``max_ccaches`` was added A new option ``max_uid_ccaches`` was added A new option ``max_ccache_size`` was added A new option ``ocsp_dgst`` was added Tickets Fixed ------------- * `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover does not work on connecting to non-responsive ldaps:// server * `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting default timeout values * `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot handle big tickets * `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should work wit openssl1.0+ * `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a new back end that would write to the secrets database directly * `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2 * `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests: ldb-tools is needed for multihost tests * `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't clear cache entries for IDs below min_id. * `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust * `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1 * `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls sssd-genconf which triggers nscd warning * `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after upgrade to 2.2.0 * `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to Restart sssd on crashes? * `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect usn value for openldap * `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update = True is no longer not enough to get the IP address of the machine updated in IPA upon sssd.service startup * `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ - nss_cmd_endservent resets the wrong index * `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config option "default_domain_suffix" should not cause the files domain entries to be qualified * `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is not working with enumerate=true when trying to fetch all groups * `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in systemd.m4 prevents detection of systemd.pc * `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option * `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ - p11_child::do_ocsp() function implementation is not FIPS140 compliant * `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ - p11_child::sign_data() function implementation is not FIPS140 compliant * `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied on logs when running sssd as non-root user * `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG * `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid * `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with tests/cmocka/test_dyndns.c * `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils: sss_hmac_sha1() function implementation is not FIPS140 compliant * `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG * `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1 Detailed changelog ------------------ Alex Rodin (1): tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait() Alexey Tikhonov (14): util/crypto/libcrypto: changed sss_hmac_sha1() util/crypto/libcrypto: changed sss_hmac_sha1() util/secrets: memory leaks are fixed util/crypto/nss/nss_nite: params sanitization crypto/libcrypto/crypto_nite: HMAC calculation changed util/find_uid.c: fixed debug message util/find_uid.c: fixed race condition bug util/crypto: removed erroneous declaration util/crypto/sss_crypto.c: cleanup of includes util/crypto: generate_csprng_buffer() changed util/crypto: added sss_rand() crypto/libcrypto/crypto_nite.c: memory leak fixed FIPS140 compliant usage of PRNG crypto/nss: some nss_ctx_init() params made const Jakub Hrozek (34): Updating the version for the 2.2.1 release TESTS: Install expect to drive password-change modifications TESTS: Also add LDAP password when creating users TESTS: Test changing LDAP password with extended operation and modification TEST: Add a multihost test for not returning / for an empty home dir MONITOR: Don't check for the nscd socket while regenerating configuration SYSDB: Add sysdb_search_with_ts_attr BE: search with sysdb_search_with_ts_attr BE: Enable refresh for multiple domains BE: Make be_refresh_ctx_init set up the periodical task, too BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx BE/LDAP: Split out a helper function from sdap_refresh for later reuse BE: Pass in filter_type when creating the refresh account request BE: Send refresh requests in batches BE: Extend be_ptask_create() with control when to schedule next run after success BE: Schedule the refresh interval from the finish time of the last run AD: Implement background refresh for AD domains IPA: Implement background refresh for IPA domains BE/IPA/AD/LDAP: Add inigroups refresh support BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication IPA/AD/SDAP/BE: Generate refresh callbacks with a macro MAN: Amend the documentation for the background refresh DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request MAN: Get rid of sssd-secrets reference MAN: Document that it is enough to systemctl restart sssd-kcm.service lately SECRETS: Use different option names from secrets and KCM for quota options SECRETS: Don't limit the global number of ccaches KCM: Pass confdb context to the ccache db initialization KCM: Configurable quotas for the secdb ccache back end TESTS: Add tests for the configurable quotas Don't qualify users from files domain when default_domain_suffix is set Jakub Jelen (1): pam_sss: Add missing colon to the PIN prompt Lukas Slebodnik (1): PROXY: Return data in output parameter if everything is OK Michal Židek (2): TESTS: ldb-tools and sssd-tools are required for multihost tests Update the translations for the 2.2.1 release Niranjan M.R (1): TESTS: Test kvno correctly displays vesion numbers of principals Pavel Březina (11): ci: disable timeout ci: switch to new tooling and remove 'Read trusted files' stage ci: rebase pull request on the target branch ci: print node on which the test is being run sudo: use proper datetime for default modifyTimestamp value systemd: add Restart=on-failure to sssd.service man: fix description of dns_resolver_op_timeout man: fix description of dns_resolver_timeout failover: add dns_resolver_server_timeout option failover: change default timeouts config: add dns_resolver_op_timeout to option list Sam Morris (1): build: fix detection of systemd.pc Samuel Cabrero (1): nss: Fix command 'endservent' resetting wrong struct member Sumit Bose (10): negcache: add fq-usernames of know domains to all UPN neg-caches p11_child: prefer better digest function if card supports it p11_child: fix a memory leak and other memory mangement issues pam: make sure p11_child.log has the right permissions ssh: make sure p11_child.log has the right permissions BE: make sure child log files have the right permissions utils: remove unused prototype (cert_to_ssh_key) utils: move parse_cert_verify_opts() into separate file p11_child: make OCSP digest configurable pam: fix loop in Smartcard authentication Tomas Halman (9): MAN: ldap_user_home_directory default missing pcre: port to pcre2 CACHE: SSSD doesn't clear cache entries LDAP: failover does not work on non-responsive ldaps CONFDB: Files domain if activated without .conf TESTS: adapt tests to enabled default files domain BE: Introduce flag for be_ptask_create BE: Convert be_ptask params to flags DYNDNS: dyndns_update is not enough Yuri Chornoivan (1): Fix minor typos in docs

1 0

Announcing SSSD 2.2.1
by Michal Židek 16 Sep '19

16 Sep '19

== SSSD 2.2.1 === The SSSD team is proud to announce the release of version 2.2.1 of the System Security Services Daemon. The tarball can be downloaded from: https://releases.pagure.org/SSSD/sssd/ RPM packages will be made available for Fedora shortly. Feedback -------- Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users Highlights ---------- New features ^^^^^^^^^^^^ * New options were added which allow sssd-kcm to handle bigger data. See manual pages for ``max_ccaches``, ``max_uid_caches`` and ``max_ccache_size``. * SSSD can now automatically refresh cached user data from subdomains in IPA/AD trust. Notable bug fixes ^^^^^^^^^^^^^^^^^ * Fixed issue with SSSD hanging when connecting to non-responsive server with ldaps:// * SSSD is now restarted by systemd after crashes. * Fixed refression when dyndns_update was set to True and dyndns_refresh_interval was not set or set to 0 then DNS records were not updated at all. * Fixed issue when ``default_domain_suffix`` was used with ``id_provider = files`` and caused all results from files domain to be fully qualified. * Fixed issue with sudo rules not being visible on OpenLDAP servers * Fixed crash with ``auth_provider = proxy`` that prevented logins Packaging Changes ----------------- None Documentation Changes --------------------- A new option ``dns_resolver_server_timeout`` was added A new option ``max_ccaches`` was added A new option ``max_uid_ccaches`` was added A new option ``max_ccache_size`` was added A new option ``ocsp_dgst`` was added Tickets Fixed ------------- * `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover does not work on connecting to non-responsive ldaps:// server * `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting default timeout values * `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot handle big tickets * `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should work wit openssl1.0+ * `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a new back end that would write to the secrets database directly * `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2 * `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests: ldb-tools is needed for multihost tests * `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't clear cache entries for IDs below min_id. * `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust * `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1 * `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls sssd-genconf which triggers nscd warning * `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after upgrade to 2.2.0 * `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to Restart sssd on crashes? * `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect usn value for openldap * `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update = True is no longer not enough to get the IP address of the machine updated in IPA upon sssd.service startup * `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ - nss_cmd_endservent resets the wrong index * `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config option "default_domain_suffix" should not cause the files domain entries to be qualified * `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is not working with enumerate=true when trying to fetch all groups * `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in systemd.m4 prevents detection of systemd.pc * `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option * `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ - p11_child::do_ocsp() function implementation is not FIPS140 compliant * `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ - p11_child::sign_data() function implementation is not FIPS140 compliant * `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied on logs when running sssd as non-root user * `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG * `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid * `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with tests/cmocka/test_dyndns.c * `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils: sss_hmac_sha1() function implementation is not FIPS140 compliant * `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG * `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1 Detailed changelog ------------------ Alex Rodin (1): tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait() Alexey Tikhonov (14): util/crypto/libcrypto: changed sss_hmac_sha1() util/crypto/libcrypto: changed sss_hmac_sha1() util/secrets: memory leaks are fixed util/crypto/nss/nss_nite: params sanitization crypto/libcrypto/crypto_nite: HMAC calculation changed util/find_uid.c: fixed debug message util/find_uid.c: fixed race condition bug util/crypto: removed erroneous declaration util/crypto/sss_crypto.c: cleanup of includes util/crypto: generate_csprng_buffer() changed util/crypto: added sss_rand() crypto/libcrypto/crypto_nite.c: memory leak fixed FIPS140 compliant usage of PRNG crypto/nss: some nss_ctx_init() params made const Jakub Hrozek (34): Updating the version for the 2.2.1 release TESTS: Install expect to drive password-change modifications TESTS: Also add LDAP password when creating users TESTS: Test changing LDAP password with extended operation and modification TEST: Add a multihost test for not returning / for an empty home dir MONITOR: Don't check for the nscd socket while regenerating configuration SYSDB: Add sysdb_search_with_ts_attr BE: search with sysdb_search_with_ts_attr BE: Enable refresh for multiple domains BE: Make be_refresh_ctx_init set up the periodical task, too BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx BE/LDAP: Split out a helper function from sdap_refresh for later reuse BE: Pass in filter_type when creating the refresh account request BE: Send refresh requests in batches BE: Extend be_ptask_create() with control when to schedule next run after success BE: Schedule the refresh interval from the finish time of the last run AD: Implement background refresh for AD domains IPA: Implement background refresh for IPA domains BE/IPA/AD/LDAP: Add inigroups refresh support BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication IPA/AD/SDAP/BE: Generate refresh callbacks with a macro MAN: Amend the documentation for the background refresh DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request MAN: Get rid of sssd-secrets reference MAN: Document that it is enough to systemctl restart sssd-kcm.service lately SECRETS: Use different option names from secrets and KCM for quota options SECRETS: Don't limit the global number of ccaches KCM: Pass confdb context to the ccache db initialization KCM: Configurable quotas for the secdb ccache back end TESTS: Add tests for the configurable quotas Don't qualify users from files domain when default_domain_suffix is set Jakub Jelen (1): pam_sss: Add missing colon to the PIN prompt Lukas Slebodnik (1): PROXY: Return data in output parameter if everything is OK Michal Židek (2): TESTS: ldb-tools and sssd-tools are required for multihost tests Update the translations for the 2.2.1 release Niranjan M.R (1): TESTS: Test kvno correctly displays vesion numbers of principals Pavel Březina (11): ci: disable timeout ci: switch to new tooling and remove 'Read trusted files' stage ci: rebase pull request on the target branch ci: print node on which the test is being run sudo: use proper datetime for default modifyTimestamp value systemd: add Restart=on-failure to sssd.service man: fix description of dns_resolver_op_timeout man: fix description of dns_resolver_timeout failover: add dns_resolver_server_timeout option failover: change default timeouts config: add dns_resolver_op_timeout to option list Sam Morris (1): build: fix detection of systemd.pc Samuel Cabrero (1): nss: Fix command 'endservent' resetting wrong struct member Sumit Bose (10): negcache: add fq-usernames of know domains to all UPN neg-caches p11_child: prefer better digest function if card supports it p11_child: fix a memory leak and other memory mangement issues pam: make sure p11_child.log has the right permissions ssh: make sure p11_child.log has the right permissions BE: make sure child log files have the right permissions utils: remove unused prototype (cert_to_ssh_key) utils: move parse_cert_verify_opts() into separate file p11_child: make OCSP digest configurable pam: fix loop in Smartcard authentication Tomas Halman (9): MAN: ldap_user_home_directory default missing pcre: port to pcre2 CACHE: SSSD doesn't clear cache entries LDAP: failover does not work on non-responsive ldaps CONFDB: Files domain if activated without .conf TESTS: adapt tests to enabled default files domain BE: Introduce flag for be_ptask_create BE: Convert be_ptask params to flags DYNDNS: dyndns_update is not enough Yuri Chornoivan (1): Fix minor typos in docs

3 4

enumerate = true strange/broken ?
by Joakim Tjernlund 04 Sep '19

04 Sep '19

Decided to try out 2.2.1 and also gave enumerate a try and got somewhat strange results: sssd # getent group cjhfj4j_admins:*:145421: .... No group members ? getent passwd Only list linux system users and myself Where are the rest of the users ? Jocke

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users September 2019