On Thu, Oct 07, 2021 at 04:47:09PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Thu, 07 Oct 2021, m57n2 via FreeIPA-users wrote:
> Hi,
> thanks for the answer.
>
> To clarify:
>
> 1. "What doesn't work?"
>
> => Command "sss_cache -E" on client host... doesn't have impact on
> possibility to logon with cached credentials. I can login again with
> debug info: "Authenticated with cached credentials." << which comes from
> "pam_verbosity = 3" parameter inside sssd.conf
>
> //of course I have disabled both (master and replica) IPA services by
> "ipactl stop" before testing off-line login.
'sss_cache -E' invalidates entries, it does not remove them completely.
Man page for sss_cache says about it quite clearly:
Invalidated records are forced to be reloaded from server as soon as
related SSSD backend is online.
So if you are offline, the database will still be present and if you
have cached credentials, you'll be able to login with the data stored in
the database content.
You certainly should not use sss_cache to imitate offline mode.
If you have removed the cache with 'sssctl cache-remove', then you'd be
unable to login at all when an SSSD backend is offline.
>
>
> 2. "What are you expecting?"
> As linux env admins we are going to implement IdM/IPA solution for
> "ux" part of our mixed win-linux hosts env. We realized that "SSH key
> management with local accounts" is... let's say "not scalable" ;-)
>
> ...but on the other hand I need to be sure that in case of admin/user
> account modification or IPA server unavailability => user will not have
> a possibility to logon (there are some users from AD which should have
> access to shell and they will be added via IPA<=>AD trust [final step of
> our deployment]. //I mean that this "off-line logon" is ...expected
> behavior, but I want to have full control over it.
As long as SSSD backend provider is offline, it will rely on the data it
has in the local cache to allow or deny access, if you have enabled the
ability to handle offline cached authentication. This pretty much
corresponds to a similar behavior within an Active Directory environment as
well.
If there is no cached information about a specific user locally, then
login will not succeed in offline state of SSSD backend.
>
> I know that there is no possibility to turn off caching due to
> sophisticated architecture of sssd daemon
> (https://sssd.io/docs/architecture.html) but, as I described above, we
> need to know "what is going on under the hood".
>
> 3. Is the only solution for that ...removing all files from
> '/var/lib/sss/db' from each client-host on which particular user has
> had an access?
Either disable offline cached authentication or remove those databases
with 'sssctl cache-remove'.
You have krb5_store_password_if_offline = True
this is what triggers offline cached authentication.
Hi,
I agree with all above, only the option is called 'cache_credentials'.
The option 'krb5_store_password_if_offline' can be used to even store
the clear text password in the kernel keyring until the system gets
online again to request a Kerberos ticket automatically.
bye,
Sumit
>
>
> Regards,
> M.
>
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> Thursday, 7 October 2021 14:51, Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> > m57n2 via FreeIPA-users wrote:
> >
> > > Hello,
> > >
> > > I have set up a test-bed environment consisting of:
> > >
> > > IPA server [master] - OL8.4
> > >
> > > IPA server [replica] - OL8.4
> > >
> > > IPA client1 - OL8.4
> > >
> > > IPA client2 - OL8.4
> > >
> > > IPA client3 - Ubuntu20.04LTS
> > >
> > > //I've installed "master" manually and the rest of hosts via ansible
> > > playbooks.
> > >
> > > All works fine: user created on IPA directory [let's say: "adminux"] can
> > > successfully login on clients with SUDO privileges.
> > >
> > > Now I started to test offline [sssd] login ....and it works [too] fine =>
> > > user can log into system even though it was disabled on IPA server!
> > >
> > > I started to tune-up sssd.conf parameters:
> > > ------------------------------------------
> > >
> > > root@cl3:~# vim /etc/sssd/sssd.conf
> > >
> > > [domain/ux.example.com]
> > > id_provider = ipa
> > > ipa_server = srv, idm1.ux.example.com
> > > ipa_domain = ux.example.com
> > > ipa_hostname = cl3.ux.example.com
> > > auth_provider = ipa
> > > chpass_provider = ipa
> > > access_provider = ipa
> > > cache_credentials = True
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > dyndns_update = True
> > > dyndns_iface = ens33
> > > krb5_store_password_if_offline = True
> > > entry_cache_timeout = 60
> > > account_cache_expiration = 1
> > >
> > > [sssd]
> > > services = nss, pam, ssh, sudo
> > > domains = ux.example.com
> > >
> > > [nss]
> > > homedir_substring = /home
> > > enum_cache_timeout = 10
> > > entry_cache_nowait_percentage = 0
> > >
> > > [pam]
> > > pam_verbosity = 3
> > > offline_credentials_expiration = 1
> > >
> > > [sudo]
> > >
> > > [autofs]
> > >
> > > [ssh]
> > >
> > > [pac]
> > >
> > > [ifp]
> > >
> > > [secrets]
> > >
> > > [session_recording]
> > > -------------------
> > >
> > > I was also trying to erase sssd cache with command:
> > >
> > > #sss_cache -E
> > >
> > > ...but it doesn't work in my test env!
> >
> > What doesn't work? What are you expecting?
> >
> > > I'll appreciate any suggestions "How can I control off-line logon
> > > cache in case of user creation, user deletion, user rights change and
> > > so on..." ?
> >
> > If it's offline then the client will not see user creation, deletion, etc
> >
> > because it's offline, right?
> >
> > rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
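An added example, not code from this thread or from the SSSD project: a small POSIX shell audit that reads an sssd.conf (a constructed sample modelled on the config quoted above, written to a temp file; the real file is /etc/sssd/sssd.conf), reports the options the replies single out (cache_credentials, krb5_store_password_if_offline, offline_credentials_expiration), and applies the "disable offline cached authentication" route by setting both domain options to False. The function names are my own.

```shell
#!/bin/sh
# Constructed sample sssd.conf (not the poster's file); the real path is /etc/sssd/sssd.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[domain/ux.example.com]
id_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
account_cache_expiration = 1

[pam]
offline_credentials_expiration = 1
EOF

# get_opt FILE SECTION KEY: print the option's value from that section, or "unset".
get_opt() {
    awk -v sec="$2" -v key="$3" '
        /^\[/ { insec = ($0 == ("[" sec "]")); next }
        insec && match($0, "^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# offline_logon_posture FILE DOMAIN: "allowed" when cache_credentials is True (a user with a
# cached password can still log on while the IPA servers are down), otherwise "denied".
offline_logon_posture() {
    cc=$(get_opt "$1" "domain/$2" cache_credentials | tr '[:upper:]' '[:lower:]')
    if [ "$cc" = "true" ]; then echo allowed; else echo denied; fi
}

# audit_offline_logon FILE DOMAIN: report the options the thread discusses. The two
# expiration options are in days, so "1" still allows a full day of cached logon.
audit_offline_logon() {
    printf 'cache_credentials=%s krb5_store_password_if_offline=%s offline_credentials_expiration=%s day(s)\n' \
        "$(get_opt "$1" "domain/$2" cache_credentials)" \
        "$(get_opt "$1" "domain/$2" krb5_store_password_if_offline)" \
        "$(get_opt "$1" pam offline_credentials_expiration)"
}

# harden_conf FILE: the "disable offline cached authentication" route from the reply. Restart
# sssd afterwards; to drop entries already cached, also run 'sssctl cache-remove'.
harden_conf() {
    tmp=$(mktemp)
    sed -e 's/^cache_credentials[[:space:]]*=.*/cache_credentials = False/' \
        -e 's/^krb5_store_password_if_offline[[:space:]]*=.*/krb5_store_password_if_offline = False/' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

audit_offline_logon "$SAMPLE_CONF" ux.example.com
```

Point the functions at /etc/sssd/sssd.conf on a client to check its real posture; harden_conf only edits the file, it does not restart sssd or touch /var/lib/sss/db.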