[re-sent after subscribing with my sender address]
All,
I am working on deploying sssd to a number of Debian Linux workstations, and it's slow-going... and I could use some help.
The workstations mount users' homes and a few public shares over NFS, using automount. User information, automounter maps etc are shared through NIS. Besides caching, easy switching of backends (say, to Kerberos and LDAP) is why I want to move to sssd. But it looks like NIS support is a bit under-documented.
The installed sssd version ("wheezy-backports") is
    # dpkg-query -l sssd
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name           Version      Architecture Description
    +++-==============-============-============-=================================
    ii  sssd           1.11.7.3-3~b amd64        System Security Services Daemon -
    #
Debian updates pam.d/common-*
    # fgrep sss /etc/pam.d/*
    /etc/pam.d/common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so
    /etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
    /etc/pam.d/common-password:password sufficient pam_sss.so
    /etc/pam.d/common-session:session optional pam_sss.so
    #
and nsswitch.conf, funny enough by appending the sss modules
    # fgrep sss /etc/nsswitch.conf
    passwd: files nis sss
    group: files nis sss
    shadow: files nis sss
    netgroup: nis sss
    sudoers: files sss
    #
and does not install any /etc/sssd/sssd.conf, so the system is broken after installing sssd and friends.
My sssd.conf is
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    debug_level = 0x0070
    services = nss, pam
    domains = spgnts

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    debug_level = 0x0070

    [pam]
    reconnection_retries = 3
    pam_verbosity = 3
    debug_level = 0x0070

    [domain/spgnts]
    debug_level = 0x0070
    enumerate = true
    id_provider = proxy
    proxy_lib_name = nis
    min_id = 500
    auth_provider = proxy
    proxy_pam_target = none
-- if there is any further configuration detail you consider relevant to the issue, please let me know.
When I start all this, things work until I take out the 'nis' entries from nsswitch.conf. To my understanding, as long as they are in, queries never go to the nss_sss module.
Once I take out the 'nis' entries, I can log in as root on the console, I can log in as a regular user over ssh (public key auth), but all other login attempts time out. kdm mutters about pam_setcred() problems on the console.
The /var/log/sssd/* logs are voluminous, but virtually free of any helpful information. Upon login, sssd appears to start a bunch of proxy_child processes, which hang there until timeout, at which point they get killed. I tried copying a commandline from ps, and strace a proxy_child invocation, but the trace didn't speak to me.
I have searched the web far and wide, but there is little more than lip service to using the proxymodule, much less NIS. As of now, my hunch is the problem lies with PAM - how do you configure the domain's auth_provider for NIS? I came across "#proxy_auth_target = nis_pam_proxy", but it wasn't documented.
Thanks for reading this far; any comments are most welcome!
Cheerio, Hauke
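The ordering problem described in the message (as long as "nis" stays in front of "sss", lookups for NIS users are answered before nss_sss is ever asked, and shadow is a map SSSD does not serve at all) can be checked mechanically. The following is an added example, not code from the thread or from the SSSD project: it parses nsswitch.conf text, reports the databases where the order defeats the cache, and emits the rewritten file. The only input it needs is the nsswitch.conf content; the embedded sample is the one quoted above.

```python
"""Audit /etc/nsswitch.conf for an SSSD migration.

Added example, not code from the thread or from the SSSD project. It parses
nsswitch.conf text and reports, per database, whether 'nis' is listed before
'sss': with "files nis sss" a user that NIS knows is answered by nss_nis and
nss_sss is only consulted when NIS has no entry, so SSSD's cache is bypassed
for exactly the users it is meant to serve. It also flags 'sss' on the shadow
line, which SSSD does not serve. The sample is the configuration quoted in
the thread, embedded here as a constant.
"""

# From the thread's "fgrep sss /etc/nsswitch.conf" output.
SAMPLE_NSSWITCH = """\
passwd:   files nis sss
group:    files nis sss
shadow:   files nis sss
netgroup: nis sss
sudoers:  files sss
"""

# Maps that SSSD's nss responder does not provide (it has no shadow map).
NOT_SERVED_BY_SSS = {"shadow"}


def _split_line(raw):
    """Return (database, [modules]) for a config line, or None for comments
    and blank lines. Action specs such as [NOTFOUND=return] are dropped
    because only the module order matters for this audit."""
    body = raw.split("#", 1)[0].strip()
    if not body or ":" not in body:
        return None
    name, modules = body.split(":", 1)
    return name.strip(), [t for t in modules.split() if not t.startswith("[")]


def parse_nsswitch(text):
    """Return {database: [module, ...]}."""
    parsed = (_split_line(line) for line in text.splitlines())
    return {db: mods for db, mods in (p for p in parsed if p)}


def audit_nsswitch(text):
    """Return a list of (database, finding) tuples; an empty list is clean."""
    findings = []
    for db, modules in parse_nsswitch(text).items():
        if "sss" not in modules:
            continue
        if db in NOT_SERVED_BY_SSS:
            findings.append((db, "sss listed, but SSSD does not serve this map"))
        if "nis" in modules and modules.index("nis") < modules.index("sss"):
            findings.append((db, "nis precedes sss: NIS users are answered before sssd is asked"))
    return findings


def migrated(text):
    """Rewrite the config the way the thread's second attempt does: drop
    'nis' where sss can serve the map, and drop 'sss' where it cannot, so
    shadow stays on nis. Lines without 'sss' are left untouched."""
    out = []
    for raw in text.splitlines():
        parsed = _split_line(raw)
        if parsed is None or "sss" not in parsed[1]:
            out.append(raw)
            continue
        db, modules = parsed
        drop = "sss" if db in NOT_SERVED_BY_SSS else "nis"
        out.append(f"{db}: {' '.join(m for m in modules if m != drop)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for db, finding in audit_nsswitch(SAMPLE_NSSWITCH):
        print(f"{db:9s} {finding}")
    print(migrated(SAMPLE_NSSWITCH))
```

Run against a real host with `audit_nsswitch(open("/etc/nsswitch.conf").read())`; the rewrite deliberately leaves databases that never mention `sss` alone, so hosts, services and the like are not touched.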
Why do you need NIS? It does not make any sense to me. There are only 2 scenarios making sense:
- you go for SSSD (no need for NIS)
- you stick with NIS (no need for SSSD)
Ondrej
From: Hauke Fath [hf@spg.tu-darmstadt.de]
Sent: Friday, March 04, 2016 4:20 PM
To: sssd-users@lists.fedorahosted.org
Cc: Hauke Fath
Subject: [SSSD-users] sssd and NIS?
--
The ASCII Ribbon Campaign          Hauke Fath
()  No HTML/RTF in email           Institut für Nachrichtentechnik
/\  No Word docs in email          TU Darmstadt
    Respect for open standards     Ruf +49-6151-16-21344
On Sat, 5 Mar 2016 17:26:50 +0000, Ondrej Valousek wrote:
> Why do you need NIS?
It stores data for identifying and authorizing users(*) centrally, and distributes them to clients.
> It does not make any sense to me. There are only 2 scenarios making sense:
> - you go for SSSD (no need for NIS)
SSSD is a caching proxy for (mainly) identification and authorization data. It has to get this data from one or more backends - like NIS.
> - you stick with NIS (no need for SSSD)
And no client-side caching, which is what I want.
Cheerio, Hauke
* discounting automounter maps for now
On Fri, Mar 04, 2016 at 05:20:00PM +0100, Hauke Fath wrote:
I haven't configured NIS myself for a very long time, but before logins start working, sssd must be able to retrieve user information. I presume "getent passwd -s sss $nisuser" doesn't return anything using this configuration? It might be interesting to see the logs when you request the user.
If you want to start testing just identity w/o authentication, you can start with: auth_provider = none
On Sun, 6 Mar 2016 16:30:22 +0100, Jakub Hrozek wrote:
> I haven't configured NIS myself for a very long time, but before logins start working, sssd must be able to retrieve user information. I presume "getent passwd -s sss $nisuser" doesn't return anything using this configuration?
Yes, it does:
    # getent passwd -s sss wtestman
    wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
    # getent shadow -s sss wtestman
    # getent shadow -s nis wtestman
    wtestman:$TOPSECRET:10779:0:99999:7:::
    #
The "identification" part of the setup appears to work.
> If you want to start testing just identity w/o authentication, you can start with: auth_provider = none
Interesting enough, this doesn't make a difference. I suspect PAM plays a role here, but my PAM fu is not up to the challenge...
FTR, I got the
    auth_provider = proxy
    proxy_pam_target = none
from https://fedorahosted.org/sssd/ticket/1339; I also followed the example in https://bugzilla.redhat.com/show_bug.cgi?id=578463, setting nsswitch.conf up like
    passwd files sss
    group files sss
    shadow files nis
all of which do not make a difference for authentication.
A typical cycle in the logs is
### sssd.log
    (Mon Mar 7 11:22:00 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [spgnts]. Attempt [1]
    (Mon Mar 7 11:22:10 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [spgnts]. Attempt [2]
    (Mon Mar 7 11:22:20 2016) [sssd] [tasks_check_handler] (0x0020): Killing service [spgnts], not responding to pings!
    (Mon Mar 7 11:22:20 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [spgnts]. Attempt [3]
    (Mon Mar 7 11:22:20 2016) [sssd] [mt_svc_exit_handler] (0x0040): Child [spgnts] exited with code [0]
### sssd_nss.log
    (Mon Mar 7 11:22:20 2016) [sssd[nss]] [sbus_dispatch] (0x0020): Performing auto-reconnect
    (Mon Mar 7 11:22:21 2016) [sssd[nss]] [nss_dp_reconnect_init] (0x0020): Reconnected to the Data Provider.
    (Mon Mar 7 11:22:34 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
### sssd_pam.log
    (Mon Mar 7 11:22:20 2016) [sssd[pam]] [sbus_dispatch] (0x0020): Performing auto-reconnect
    (Mon Mar 7 11:22:21 2016) [sssd[pam]] [pam_dp_reconnect_init] (0x0020): Reconnected to the Data Provider.
    (Mon Mar 7 11:22:21 2016) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 5, (null)
### sssd_spgnts
    (Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [get_initgr_groups_process] (0x0040): proxy -> initgroups_dyn failed (0)[Success]
    (Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [get_initgr] (0x0040): Could not process initgroups
    (Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [be_process_init] (0x0020): No selinux module provided for [spgnts] !!
    (Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [be_process_init] (0x0020): No host info module provided for [spgnts] !!
    (Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [be_process_init] (0x0020): Subdomains are not supported for [spgnts] !!
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [pc_init_sig_handler] (0x0020): waitpid did not find a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [pc_init_sig_handler] (0x0020): waitpid did not find a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid failed [10][No child processes].
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid failed [10][No child processes].
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid failed [10][No child processes].
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid failed [10][No child processes].
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid failed [10][No child processes].
    (Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid failed [10][No child processes].
### proxy_child_spgnts.log
    (Mon Mar 7 11:08:11 2016) [sssd[proxy_child[spgnts]]] [main] (0x0020): Proxy child for domain [spgnts] started!
Cheerio, Hauke
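The log cycle above (ping timeouts on the back end, the monitor killing it, the nss and pam responders reconnecting, and a back-end log swamped by one signal handler) is easier to see when the lines are parsed rather than read. The following is an added example, not code from the thread or from the SSSD project: it parses the sssd log line format, reconstructs the timeout/kill/exit sequence per service from the monitor's lines, and counts lines per function for the back end. The sample lines are a subset of the excerpts quoted above.

```python
"""Triage sssd debug logs for a back end that stops answering pings.

Added example; this is not code from the thread or from the SSSD project.
It parses the "(timestamp) [process] [function] (level): message" lines that
sssd writes, reconstructs the monitor's ping-timeout / kill / exit sequence
for each service, and counts which function dominates a noisy back-end log.
The sample lines are taken from the thread's sssd.log and sssd_spgnts.log.
"""
import re
from collections import Counter
from datetime import datetime

# Lines quoted in the thread (sssd.log first, then sssd_spgnts.log).
SAMPLE_LOG = """\
(Mon Mar 7 11:22:00 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [spgnts]. Attempt [1]
(Mon Mar 7 11:22:10 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [spgnts]. Attempt [2]
(Mon Mar 7 11:22:20 2016) [sssd] [tasks_check_handler] (0x0020): Killing service [spgnts], not responding to pings!
(Mon Mar 7 11:22:20 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [spgnts]. Attempt [3]
(Mon Mar 7 11:22:20 2016) [sssd] [mt_svc_exit_handler] (0x0040): Child [spgnts] exited with code [0]
(Mon Mar 7 11:16:40 2016) [sssd[be[spgnts]]] [get_initgr_groups_process] (0x0040): proxy -> initgroups_dyn failed (0)[Success]
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [pc_init_sig_handler] (0x0020): waitpid did not find a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid did not found a child with changed status.
(Mon Mar 7 11:17:42 2016) [sssd[be[spgnts]]] [proxy_child_sig_handler] (0x0020): waitpid failed [10][No child processes].
"""

# The process field may itself contain brackets ("sssd[be[spgnts]]"), so it is
# matched non-greedily up to the next "] [function] (level):" sequence.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PING_RE = re.compile(r"A service PING timed out on \[(?P<svc>[^\]]+)\]\. Attempt \[(?P<n>\d+)\]")
KILL_RE = re.compile(r"Killing service \[(?P<svc>[^\]]+)\], not responding to pings!")
EXIT_RE = re.compile(r"Child \[(?P<svc>[^\]]+)\] exited with code \[(?P<code>\d+)\]")


def parse_line(line):
    """Return {ts: datetime, proc, func, level: int, msg} or None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # sssd writes ctime()-style stamps; collapse the double space before a
    # single-digit day so strptime sees one field per token.
    rec["ts"] = datetime.strptime(rec["ts"].replace("  ", " "), "%a %b %d %H:%M:%S %Y")
    rec["level"] = int(rec["level"], 16)
    return rec


def unresponsive_services(lines):
    """Per service: the highest ping attempt seen, when the monitor killed it,
    and the exit code it reported. Built from the monitor's own [sssd] lines."""
    state = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "sssd":
            continue
        for regex in (PING_RE, KILL_RE, EXIT_RE):
            m = regex.search(rec["msg"])
            if m:
                break
        else:
            continue
        svc = state.setdefault(m["svc"], {"timeouts": 0, "killed_at": None, "exit_code": None})
        if regex is PING_RE:
            svc["timeouts"] = max(svc["timeouts"], int(m["n"]))
        elif regex is KILL_RE:
            svc["killed_at"] = rec["ts"]
        else:
            svc["exit_code"] = int(m["code"])
    return state


def noisiest_functions(lines, proc_prefix="sssd[be["):
    """Count lines per logging function for one process (default: any back end)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["proc"].startswith(proc_prefix):
            counts[rec["func"]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, info in unresponsive_services(lines).items():
        killed = info["killed_at"].strftime("%H:%M:%S") if info["killed_at"] else "never"
        print(f"{name}: {info['timeouts']} ping timeouts, killed at {killed}, "
              f"exit code {info['exit_code']}")
    for func, n in noisiest_functions(lines).most_common(3):
        print(f"{n:4d} {func}")
```

Feed it the real files with `unresponsive_services(open("/var/log/sssd/sssd.log"))` and `noisiest_functions(open("/var/log/sssd/sssd_spgnts.log"))`; a back end that is killed on every login while one signal handler accounts for nearly all of its lines is a strong hint to strace that back end rather than the responders.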
On (07/03/16 11:31), Hauke Fath wrote:
> On Sun, 6 Mar 2016 16:30:22 +0100, Jakub Hrozek wrote:
>> I haven't configured NIS myself for a very long time, but before logins start working, sssd must be able to retrieve user information. I presume "getent passwd -s sss $nisuser" doesn't return anything using this configuration?
> Yes, it does:
>     # getent passwd -s sss wtestman
>     wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
>     # getent shadow -s sss wtestman
>     # getent shadow -s nis wtestman
>     wtestman:$TOPSECRET:10779:0:99999:7:::
That's correct. sssd does not provide shadow maps.
Therefore you will need to keep nis for shadow in /etc/nsswitch.conf, and then I cannot see a benefit of using sssd if you cannot get rid of nis in nsswitch.conf.
>     #
> The "identification" part of the setup appears to work.
>> If you want to start testing just identity w/o authentication, you can start with: auth_provider = none
> Interesting enough, this doesn't make a difference. I suspect PAM plays a role here, but my PAM fu is not up to the challenge...
> FTR, I got the
>     auth_provider = proxy
>     proxy_pam_target = none
You set the pam target to "none". What is the content of the file /etc/pam.d/none?
> from https://fedorahosted.org/sssd/ticket/1339; I also followed the example in https://bugzilla.redhat.com/show_bug.cgi?id=578463, setting nsswitch.conf up like
BZ578463 is for winbind, and you can see pam_winbind.so in /etc/pam.d/winbind.
But I assume it should be handled by pam_unix.
BTW, why do you need/want to use NIS? You can achieve the same with LDAP/FreeIPA ...
LS
On Mon, 7 Mar 2016 12:14:17 +0100, Lukas Slebodnik wrote:
> On (07/03/16 11:31), Hauke Fath wrote:
>>     # getent passwd -s sss wtestman
>>     wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
>>     # getent shadow -s sss wtestman
>>     # getent shadow -s nis wtestman
>>     wtestman:$TOPSECRET:10779:0:99999:7:::
> That's correct. sssd does not provide shadow maps.
That's why I followed the NIS example in https://bugzilla.redhat.com/show_bug.cgi?id=578463 and configured nsswitch.conf like
    passwd files sss
    group files sss
    shadow files nis
as mentioned.
> Therefore you will need to keep nis for shadow in /etc/nsswitch.conf, and then I cannot see a benefit of using sssd if you cannot get rid of nis in nsswitch.conf.
Well, it would still cache user and group information, which is probably accessed more frequently than the password.
>> FTR, I got the
>>     auth_provider = proxy
>>     proxy_pam_target = none
> You set the pam target to "none". What is the content of the file /etc/pam.d/none?
Ah.
I was under the impression that 'none' had special meaning, like for auth_provider? Certainly the logs do not mention a file not found...
> BTW, why do you need/want to use NIS? You can achieve the same with LDAP/FreeIPA
We use NIS here, and I figured sssd might help with a transition towards LDAP. But it has to work with NIS first.
Cheerio, Hauke
On (07/03/16 12:30), Hauke Fath wrote:
> On Mon, 7 Mar 2016 12:14:17 +0100, Lukas Slebodnik wrote:
>> On (07/03/16 11:31), Hauke Fath wrote:
>>>     # getent passwd -s sss wtestman
>>>     wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
>>>     # getent shadow -s sss wtestman
>>>     # getent shadow -s nis wtestman
>>>     wtestman:$TOPSECRET:10779:0:99999:7:::
>> That's correct. sssd does not provide shadow maps.
> That's why I followed the NIS example in https://bugzilla.redhat.com/show_bug.cgi?id=578463 and configured nsswitch.conf like
Yes, but the NIS example uses "auth_provider = krb5" and you want to use "auth_provider = proxy". I do not have any experience with NIS.
But it might be related to the following output:
    # getent passwd -s sss wtestman
    wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh
             ^ IIRC, if you want to check the password with pam_unix then there should be "x" instead of "*".
Btw, is there a difference between
    getent passwd -s sss wtestman
and
    getent passwd -s nis wtestman
(you might temporarily add "nis" for passwd in nsswitch.conf)
>     passwd files sss
>     group files sss
>     shadow files nis
> as mentioned.
>> Therefore you will need to keep nis for shadow in /etc/nsswitch.conf, and then I cannot see a benefit of using sssd if you cannot get rid of nis in nsswitch.conf.
> Well, it would still cache user and group information, which is probably accessed more frequently than the password.
>>> FTR, I got the
>>>     auth_provider = proxy
>>>     proxy_pam_target = none
>> You set the pam target to "none". What is the content of the file /etc/pam.d/none?
> Ah.
I would also recommend looking into /var/log/secure and not only into the sssd logs.
> I was under the impression that 'none' had special meaning, like for auth_provider? Certainly the logs do not mention a file not found...
>> BTW, why do you need/want to use NIS? You can achieve the same with LDAP/FreeIPA
> We use NIS here, and I figured sssd might help with a transition towards LDAP. But it has to work with NIS first.
I hope it will be just a transition and not the final state :-)
LS
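The two points Lukas raises in his replies (that "proxy_pam_target = none" is not a keyword but the PAM service file /etc/pam.d/none, and that pam_unix only consults the shadow map when the passwd field holds "x" rather than "*") are both checkable before the first login attempt. The following is an added example, not code from the thread or from the SSSD project: it parses an sssd.conf, audits every proxy-provider domain against the set of PAM service names actually present, and classifies where pam_unix would look for a user's hash given a passwd line. The sssd.conf and the "*" passwd line come from the thread; the set of PAM service names and the "x" passwd line are constructed for the example, and the pam_unix behaviour described is my reading of its hash lookup, which matches Lukas's remark.

```python
"""Check the proxy-provider wiring the thread ends up debugging.

Added example, not code from the thread or from the SSSD project. It reads an
sssd.conf and, for every [domain/...] section that uses the proxy providers,
checks that proxy_lib_name is set and that proxy_pam_target names a PAM
service that exists, since "proxy_pam_target = none" means the file
/etc/pam.d/none. It also classifies the password field of a passwd(5) entry:
pam_unix fetches the hash from shadow only when that field is "x", so a "*"
returned through sss leaves it nothing to compare a password against (my
reading of pam_unix, consistent with Lukas's remark). The sssd.conf and the
"*" passwd line are those quoted in the thread; the PAM service set and the
"x" passwd line are constructed for this example.
"""
import configparser
import os

SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = spgnts

[domain/spgnts]
id_provider = proxy
proxy_lib_name = nis
min_id = 500
auth_provider = proxy
proxy_pam_target = none
"""

# Constructed stand-in for os.listdir("/etc/pam.d") on a Debian box.
SAMPLE_PAM_SERVICES = {"common-auth", "common-account", "common-password",
                       "common-session", "login", "sshd"}

# First line is from the thread's "getent passwd -s sss"; second is constructed.
SAMPLE_PASSWD_SSS = "wtestman:*:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh"
SAMPLE_PASSWD_NIS = "wtestman:x:580:504:Walter A. Testman:/home/wtestman:/bin/tcsh"


def pam_services(pam_dir="/etc/pam.d"):
    """Service names available to proxy_pam_target on this host."""
    return set(os.listdir(pam_dir))


def proxy_findings(conf_text, services):
    """Return [(section, finding)] for each proxy-provider domain; [] is clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider") == "proxy" and not dom.get("proxy_lib_name"):
            findings.append((section, "id_provider = proxy needs proxy_lib_name"))
        if dom.get("auth_provider") == "proxy":
            target = dom.get("proxy_pam_target")
            if not target:
                findings.append((section, "auth_provider = proxy needs proxy_pam_target"))
            elif target not in services:
                findings.append((section, f"proxy_pam_target = {target}: no such PAM service file"))
    return findings


def password_source(passwd_line):
    """Say where pam_unix would look for this user's hash."""
    fields = passwd_line.split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line")
    pw = fields[1]
    if pw == "x":
        return "shadow"      # pam_unix calls getspnam() for the real hash
    if pw == "":
        return "empty"       # only accepted with pam_unix's nullok option
    if pw in ("*", "!") or pw.startswith("!"):
        return "unusable"    # no hash to compare against; auth always fails
    return "passwd"          # legacy hash stored in the passwd entry itself


if __name__ == "__main__":
    for section, finding in proxy_findings(SAMPLE_SSSD_CONF, SAMPLE_PAM_SERVICES):
        print(f"{section}: {finding}")
    for line in (SAMPLE_PASSWD_SSS, SAMPLE_PASSWD_NIS):
        print(f"{line.split(':')[1]!r:4} -> {password_source(line)}")
```

On a real host call `proxy_findings(open("/etc/sssd/sssd.conf").read(), pam_services())`; the finding for the thread's configuration is exactly the one Lukas asks about, and pointing proxy_pam_target at an existing service such as `sshd` or a dedicated `sssd-proxy` file makes it disappear.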
On Mon, 7 Mar 2016 13:09:35 +0100, Lukas Slebodnik wrote:
>> We use NIS here, and I figured sssd might help with a transition towards LDAP. But it has to work with NIS first.
> I hope it will be just a transition and not the final state :-)
Thanks for all the helpful comments.
As I have run out of round tuits for experimenting, I have decided to stick with nscd for now.
Cheerio, Hauke
Hello everyone, I see strange behaviour in the ticket listing of my users:
I always have a ticket with the REALM and one without the realm. This could fit other problems I have, like non-working Kerberos login via ssh and access issues.
Any ideas where this could come from?
my klist output:
    Ticket cache: FILE:/tmp/krb5cc_59123
    Default principal: User1@DOMAIN.NET

    Valid starting     Expires            Service principal
    03/09/16 14:39:41  03/12/16 14:39:41  krbtgt/DOMAIN.NET@DOMAIN.NET
            renew until 04/06/16 15:39:41
    03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@
            renew until 04/06/16 15:39:41
    03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@DOMAIN.NET
            renew until 04/06/16 15:39:41
    03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@
            renew until 04/06/16 15:39:41
    03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@DOMAIN.NET
            renew until 04/06/16 15:39:41
My keytab:
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
       2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
       2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
       2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (des-cbc-crc)
       2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (des-cbc-md5)
       2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (arcfour-hmac)
       2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (des-cbc-crc)
       2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (des-cbc-md5)
       2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (arcfour-hmac)
       2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
       2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
       2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
       2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (des-cbc-crc)
       2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (des-cbc-md5)
       2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (arcfour-hmac)
       3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
       3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
       3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
       3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (des-cbc-crc)
       3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (des-cbc-md5)
       3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (arcfour-hmac)
       3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
       3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
       3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
       3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (des-cbc-crc)
       3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (des-cbc-md5)
       3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (arcfour-hmac)
       3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (des-cbc-crc)
       3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (des-cbc-md5)
       3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (aes128-cts-hmac-sha1-96)
       3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (aes256-cts-hmac-sha1-96)
       3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (arcfour-hmac)
My krb5.conf:
    [logging]
     default = FILE:/var/log/krb5libs.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 4d
     renew_lifetime = 28d
     forwardable = true
     rdns = false
     default_ccache_name = /tmp/krb5cc_%{uid}
     canonicalize = yes
     allow_weak_crypto = true

    [realms]
     DOMAIN.NET = {
      kdc = LINDC2.DOMAIN.NET
      master_kdc = LINDC2.DOMAIN.NET
      admin_server = LINDC2.DOMAIN.NET
     }

    [domain_realm]
     .DOMAIN.NET = DOMAIN.NET
     DOMAIN.NET = DOMAIN.NET
my sssd.conf:
    [sssd]
    config_file_version = 2
    domains = DOMAIN.NET
    services = nss, pam, ssh

    [ssh]

    [domain/DOMAIN.NET]
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    ad_server = dc2.roseninspection.net
    # Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
    ldap_id_mapping = False
    # Comment out if the users have the shell and home dir set on the AD side
    default_shell = /bin/bash
    fallback_homedir = /home/DOMAIN/%u
    krb5_renewable_lifetime = 3d
    krb5_renew_interval = 3600
    krb5_lifetime = 28d
    krb5_ccachedir = /tmp
    krb5_ccname_template = FILE:%d/krb5cc_%U
    canonicalize = yes
    debug_level = 3
    #case_sensitive = preserving
    case_sensitive = false
    ad_gpo_access_control = permissive
    #krb5_realm = DOMAIN.NET
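The symptom in this message (each service principal appearing once with the realm and once with a bare "@") is easy to spot by parsing the klist output rather than reading it, and the same parser can be pointed at the keytab listing. The following is an added example, not code from the thread, from SSSD or from MIT Kerberos: it parses klist's ticket lines and klist -k entries, lists service principals that occur both with and without a realm, and reports keytab entries whose encryption type is deprecated (single DES by RFC 6649, RC4/arcfour and 3DES by RFC 8429), which is what allow_weak_crypto = true in the krb5.conf above is keeping alive. The klist sample is the one posted; the keytab sample is a short excerpt of the listing above.

```python
"""Spot split-realm service tickets and weak keytab entries.

Added example, not code from the thread, from SSSD or from MIT Kerberos. It
parses the text that klist prints (one line per ticket plus an indented
"renew until" line) and the "klist -k" keytab listing, then reports service
principals that appear both with and without a realm, and keytab entries
using enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (RC4, 3DES).
The klist sample is the one in the message; the keytab sample is an excerpt.
"""
import re
from collections import defaultdict

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_59123
Default principal: User1@DOMAIN.NET

Valid starting     Expires            Service principal
03/09/16 14:39:41  03/12/16 14:39:41  krbtgt/DOMAIN.NET@DOMAIN.NET
\trenew until 04/06/16 15:39:41
03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@
\trenew until 04/06/16 15:39:41
03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@DOMAIN.NET
\trenew until 04/06/16 15:39:41
03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@
\trenew until 04/06/16 15:39:41
03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@DOMAIN.NET
\trenew until 04/06/16 15:39:41
"""

# Excerpt of the keytab listing in the message (two KVNOs, three enctypes).
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
   3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
   3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
"""

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+) \((\S+)\)$")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}


def parse_klist(text):
    """Return [(service_principal, realm)]; realm is '' for a bare trailing '@'."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            name, _, realm = m.group(3).rpartition("@")
            tickets.append((name, realm))
    return tickets


def split_realm_tickets(text):
    """Service principals cached both with a realm and with an empty one."""
    realms = defaultdict(set)
    for name, realm in parse_klist(text):
        realms[name].add(realm)
    return sorted(name for name, seen in realms.items() if "" in seen and len(seen) > 1)


def parse_keytab(text):
    """Return [(kvno, principal, enctype)] from 'klist -k' output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def weak_keytab_entries(text):
    """Entries using a deprecated enctype, highest KVNO first."""
    return sorted((e for e in parse_keytab(text) if e[2] in WEAK_ENCTYPES), reverse=True)


if __name__ == "__main__":
    for name in split_realm_tickets(SAMPLE_KLIST):
        print(f"ticket cached with and without realm: {name}")
    for kvno, principal, enctype in weak_keytab_entries(SAMPLE_KEYTAB):
        print(f"kvno {kvno} {principal}: deprecated enctype {enctype}")
```

Feed it live output with `split_realm_tickets(subprocess.run(["klist"], capture_output=True, text=True).stdout)` and the same for `klist -k`; the empty-realm list is the thing to show whoever debugs the ssh and NFS access problems, and the weak-enctype list is what has to be empty before allow_weak_crypto can be dropped.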