I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
Jocke
My recollection is that finger used a terribly inefficient way of getting information, at least one time, and asked for information on every user despite the fact that it was only going to need one. I recall installing something called finger-ldap, because in the pre-SSSD days, finger could cause a lot of trouble on large LDAP directories because it would ask for the entire contents of the directory. I wouldn't be surprised if this was related. You might want to look into the same solution.

________________________________________
From: Joakim Tjernlund Joakim.Tjernlund@infinera.com
Sent: Tuesday, September 6, 2016 1:36 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] finger <user> cmd not working unless enumerate = true
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
Jocke
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Ryan Novosielski wrote:
My recollection is that finger used a terribly inefficient way of getting information, at least one time, and asked for information on every user despite the fact that it was only going to need one. I recall installing something called finger-ldap, because in the pre-SSSD days, finger could cause a lot of trouble on large LDAP directories because it would ask for the entire contents of the directory. I wouldn't be surprised if this was related. You might want to look into the same solution.
Or one could simply drop support for finger and query the user's entry from the LDAP server directly. Doing this over TLS would also protect against some of the attacks possible with finger.
Ciao, Michael.
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
I only get a hit in sssd_nss.log when I do "finger <user>":

(Wed Sep 7 08:21:41 2016) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[1001] egid[100] pid[21947].
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all domains!
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_getpwent] (0x0100): Requesting info for all accounts
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all domains!
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24]
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x2641510][24]
On (07/09/16 06:22), Joakim Tjernlund wrote:
On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
I only get a hit in sssd_nss.log when I do "finger <user>"
Maybe the data were already cached.
"finger user" works for me without enumeration.
LS
On Wed, 2016-09-07 at 09:24 +0200, Lukas Slebodnik wrote:
On (07/09/16 06:22), Joakim Tjernlund wrote:
On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
I only get a hit in sssd_nss.log when I do "finger <user>"
Maybe the data were already cached.
If it were cached I would get data from "finger user", but all I get is "No such user".
"finger user" works for me without enumeration.
Strange, why is my log complaining that enumeration is disabled?
LS
On Wed, 2016-09-07 at 09:24 +0200, Lukas Slebodnik wrote:
On (07/09/16 06:22), Joakim Tjernlund wrote:
On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
I only get a hit in sssd_nss.log when I do "finger <user>"
Maybe the data were already cached.
"finger user" works for me without enumeration.
Stop sssd, rm -f /var/lib/sss/db/*, then start sssd.
Now I think finger will stop for you too.
Jocke
On 09/07/2016 02:22 AM, Joakim Tjernlund wrote:
On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
I only get a hit in sssd_nss.log when I do "finger <user>"
Definitely looks like it's trying to run setpwent(), which doesn't work without enumeration. I'm guessing that whatever implementation of `finger` you have is doing things really, really wrong.
On Wed, 2016-09-07 at 16:22 -0400, Stephen Gallagher wrote:
On 09/07/2016 02:22 AM, Joakim Tjernlund wrote:
On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
I only get a hit in sssd_nss.log when I do "finger <user>"
Definitely looks like it's trying to run setpwent(), which doesn't work without enumeration. I'm guessing that whatever implementation of `finger` you have is doing things really, really wrong.
I got netkit-fingerd-0.17, is there another one? Also, finger -m <user> works, as that does not need setpwent().
Jocke
On Thu, Sep 08, 2016 at 06:47:22AM +0000, Joakim Tjernlund wrote:
On Wed, 2016-09-07 at 16:22 -0400, Stephen Gallagher wrote:
On 09/07/2016 02:22 AM, Joakim Tjernlund wrote:
On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:
On (06/09/16 17:36), Joakim Tjernlund wrote:
I just get "No such user" unless I enumerate the domain, is that really needed? sssd-1.13.4
It's very difficult to say without log files.
I only get a hit in sssd_nss.log when I do "finger <user>"
Definitely looks like it's trying to run setpwent(), which doesn't work without enumeration. I'm guessing that whatever implementation of `finger` you have is doing things really, really wrong.
I got netkit-fingerd-0.17, is there another one? Also, finger -m <user> works, as that does not need setpwent().
It looks like Fedora uses bsd-finger (https://admin.fedoraproject.org/pkgdb/package/rpms/finger/).
When run with ltrace I see that getpwnam("user") is called first and then setpwent() and getpwent() are called to find other matching users. Maybe the netkit-fingerd command skips the first getpwnam() when called without -m?
HTH
bye, Sumit
Jocke