Hi list, I am going to set up proof-of-concept installation of Ubuntu (Precise) client/server using sssd to authenticate/authorize against Active Directory. At this moment everything seems to be a challenge - as I am exclusive (ok ;-) almost exclusive... ) hard core Linux user.
As our Windows team is not ready with AD schema for Unix - my first exercise could be
- get login/ssh authenticate (and change passwd) against AD
- get uid/gid/auto.home map/shell from existing Linux NIS server
Is my plan realistic ?
Best regards
Longina Przybyszewska Systemprogrammør, IT Services
Tel. +45 6550 2359 Mobile +45 6011 2359 Fax +45 6550 2467 Email longina@sdu.dk Web http://www.sdu.dk/ansat/longina Addr. Campusvej 55, DK-5230 Odense M, Denmark
UNIVERSITY OF SOUTHERN DENMARK _______________________________________________________________ Campusvej 55 * DK-5230 * Odense M * Denmark * Tel. +45 6550 1000 * www.sdu.dk
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: 12. oktober 2012 22:40 To: sssd-devel@lists.fedorahosted.org; sssd-users@lists.fedorahosted.org; freeipa-interest@redhat.com Subject: [SSSD-users] Announcing SSSD 1.9.2
=== SSSD 1.9.2 ===
The SSSD team is proud to announce the release of version 1.9.2 of the System Security Services Daemon.
This is mostly a bugfix release again. I am going to branch off the 1.9 branch from master so that we can start including the 1.10 features in master.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18 and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Users or groups from trusted domains can be retrieved by UID or GID as well
* Several fixes that mitigate file descriptor leak during logins
* SSH host keys are also removed from the cache after being removed from the server
* Fix intermittent crash in responders if the responder was shutting down while requests were still pending
* Catch an error condition that might have caused a tight loop in the sssd_nss process while refreshing expired enumeration request
* Fixed memory hierarchy of subdomains discovery requests that caused use-after-free access bugs
* The krb5_child and ldap_child processes can print libkrb5 tracing information in the debug logs
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1008
Make sssd api conf file location configurable
https://fedorahosted.org/sssd/ticket/1319
group lookups optimizations for IPA
https://fedorahosted.org/sssd/ticket/1499
Add details about TGT validation to sssd-krb5 man page
https://fedorahosted.org/sssd/ticket/1512
[sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist
https://fedorahosted.org/sssd/ticket/1514
[abrt] sssd-1.8.4-13.fc16: __GI_exit: Process /usr/libexec/sssd/sssd_pam was killed by signal 6 (SIGABRT)
https://fedorahosted.org/sssd/ticket/1539
Collect Krb5 Trace on High Debug Levels
https://fedorahosted.org/sssd/ticket/1551
sssd_nss process hangs, stuck in loop; "self restart" does recover, but old process hangs around using 100% CPU
https://fedorahosted.org/sssd/ticket/1561
getting user/group entry by uid/gid sometimes fails
https://fedorahosted.org/sssd/ticket/1569
Use pam_set_data to close the fd in the pam module
https://fedorahosted.org/sssd/ticket/1571
sssd_nss intermittent crash
https://fedorahosted.org/sssd/ticket/1574
SSH host keys are not being removed from the cache
== Packaging Changes ==
* The libsss_sudo-devel package no longer contains the package-config file. The libsss_sudo-devel shared object has been moved to the libsss_sudo package.
== Detailed Changelog ==
E Deon Lackey (1):
* Fix language errors in the sssd-krb5.conf man page
Jakub Hrozek (14):
* Bumping the version to 1.9.1 release
* Fix uninitialized pointer read in ssh_host_pubkeys_update_known_hosts
* Fix segfault when ID-mapping an entry without a SID
* Fix memory hierarchy in subdomains discovery
* PAM: close socket fd with pam_set_data
* Couple of specfile fixes
* Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo
* Two fixes to child processes
* Collect krb5 trace on high debug levels
* PAM: fix handling the client fd in pam destructor
* Create ghost users when a user DN is encountered in IPA
* Only call krb5_set_trace_callback on platforms that support it
* MAN: improve wording of default_domain parameter
* Updating the translations for the 1.9.2 release
Jan Cholasta (1):
* SSH: When host keys are removed from LDAP, remove them from the cache as well
Ondrej Kos (1):
* Add more info about ticket validation
Pavel Březina (3):
* do not fail if POLLHUP occurs while reading data
* do not call dp callbacks when responder is shutting down
* nss_cmd_retpwent(): do not go into infinite loop if n < 0
Sumit Bose (3):
* Save time of last get_domains request
* Check for subdomains if getpwuid or getgrgid are the first requests
* Allow extdom exop to return flat domain name as well
Thorsten Scherf (1):
* Fixed: translation bug
Yuri Chornoivan (1):
* Fix typos
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Yes, it is. sssd will do the first task for you and for the second you need to install IDMU (Identity mgmt for Unix) and its migration assistant to migrate your maps into AD. Just note you will need Windows server 2003 R2 or newer for this (older AD schema is incompatible w/ sssd).
Ondrej
Hi, Thanks, but actually I asked if I can use _Linux NIS_ server for authorization. You say I have to move NIS maps into AD and use Windows NIS – that means “no”? All users at my site have accounts in AD, and in addition, Linux users have Linux accounts in respective NIS domains. In AD there are 3 domains for user accounts, in Linux, several others. Can Windows NIS manage multi domains?
I am not able to perform migration, as we have the Windows team dealing with MSWins and have to wait until they WILL do that. I have admin credentials but am not authorized to do more than create user and computer account.
Saying so – is there anything I can do now with sssd, in the existing environment, to improve authentication on Linux (using AD Kerberos for authentication and existing Linux NIS server for the rest) ???
Best regards
Longina Przybyszewska Systemprogrammør, IT Services
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 16. oktober 2012 13:14 To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] sssd and difrent repositories
Yes, it is. sssd will do the first task for you and for the second you need to install IDMU (Identity mgmt for Unix) and its migration assistant to migrate your maps into AD. Just note you will need Windows server 2003 R2 or newer for this (older AD schema is incompatible w/ sssd). Ondrej
Yes, you can use your existing NIS servers for authorization AND use Kerberos for authentication - no need for sssd here. You just need to make sure all users in your NIS passwd table have also accounts in AD.
Ondrej
On 10/16/2012 08:25 AM, Longina Przybyszewska wrote:
Hi, Thanks, but actually I asked if I can use _Linux NIS_ server for authorization. You say I have to move NIS maps into AD and use Windows NIS – that means “no”? All users at my site have accounts in AD, and in addition, Linux users have Linux accounts in respective NIS domains. In AD there are 3 domains for user accounts, in Linux, several others. Can Windows NIS manage multi domains?
I am not able to perform migration, as we have the Windows team dealing with MSWins and have to wait until they WILL do that. I have admin credentials but am not authorized to do more than create user and computer account.
Saying so – is there anything I can do now with sssd, in the existing environment, to improve authentication on Linux (using AD Kerberos for authentication and existing Linux NIS server for the rest) ???
I think you misunderstood what Jakub was suggesting. If you use SSSD 1.9.2 and the AD provider, you can connect your Linux machines to AD without the need for NIS at all.
UIDs/GIDs can be automatically generated from the objectSID value in Active Directory (see sssd-ad(5) for details).
As Jakub mentioned, if you use the 'realmd' project, you can use its interfaces to easily configure SSSD to get identity and authentication data from Active Directory.
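The objectSID-based ID generation mentioned above, sketched as an added example (not code from this thread or from SSSD itself): it decodes a binary objectSID and derives a Unix ID from a hashed domain slice plus the RID, as the ID mapping section of the SSSD man pages describes. It assumes the documented defaults for `ldap_idmap_range_min`, `ldap_idmap_range_max` and `ldap_idmap_range_size`, a MurmurHash3 seed of 0xdeadbeef (an assumption about SSSD's implementation), and a constructed sample SID; slice-collision handling between several domains is left out.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32 over a byte string."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]
    if tail:  # 1 to 3 trailing bytes, read little-endian
        k = int.from_bytes(tail, "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary objectSID attribute value into S-R-A-S1-S2... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_unix_id(sid: str, range_min=200000, range_max=2000200000,
                   range_size=200000, seed=0xDEADBEEF) -> int:
    """Map a user or group SID to a UID/GID: slice base for the domain + RID."""
    dom_sid, _, rid_text = sid.rpartition("-")
    rid = int(rid_text)
    if rid >= range_size:
        # The RID does not fit into one slice, so no ID can be assigned.
        raise ValueError("RID %d outside slice of size %d" % (rid, range_size))
    slices = (range_max - range_min) // range_size
    slice_no = murmurhash3_32(dom_sid.encode("ascii"), seed) % slices
    return range_min + slice_no * range_size + rid


# Constructed sample: S-1-5-21-1111111111-2222222222-3333333333-1104
SAMPLE_SID_BYTES = (
    bytes([1, 5]) + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1104)
)

if __name__ == "__main__":
    sid = sid_bytes_to_str(SAMPLE_SID_BYTES)
    print(sid, "->", sid_to_unix_id(sid))
```

Because the ID depends only on the SID and the range settings, every client configured with the same ranges derives the same UID for a user, which is what keeps file ownership consistent across hosts without a central UID map.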
On Tue, Oct 16, 2012 at 10:21:02AM +0000, Longina Przybyszewska wrote:
Hi list, I am going to set up proof-of-concept installation of Ubuntu (Precise) client/server using sssd to authenticate/authorize against Active Directory. At this moment everything seems to be a challenge - as I am exclusive (ok ;-) almost exclusive... ) hard core Linux user.
As our Windows team is not ready with AD schema for Unix - my first exercise could be
- get login/ssh authenticate (and change passwd) against AD
- get uid/gid/auto.home map/shell from existing Linux NIS server
Is my plan realistic ?
I'm not sure what version of SSSD Ubuntu Precise ships, but I would recommend using 1.9.x and the AD provider. You might also want to look into the realmd project, which could simplify joining an AD domain for you.