Hello again,
thanks for quick answer ;-)
Meanwhile, I was digging through man pages and solutions, which led me to the "sss_debuglevel"
command and then to the "sssctl" command.
The same situation
=> "sssctl cache-expire" ...didn't work
but
=> "sssctl cache-remove" did the work as I expected!
I was interested in what this particular command does, so I ran it again with strace:
#strace sssctl cache-remove
(truncated output from the above command):
*********************************************************************
write(1, "SSSD must not be running. Stop S"..., 56SSSD must not be running. Stop
SSSD now? (yes/no) [yes] ) = 56
read(0, yes
"yes\n", 1024) = 4
getresuid([0], [0], [0]) = 0
getresgid([0], [0], [0]) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 9
connect(9, {sa_family=AF_UNIX, sun_path="/var/run/dbus/system_bus_socket"}, 33)
= 0
fcntl(9, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(9, F_SETFL, O_RDWR|O_NONBLOCK) = 0
geteuid() = 0
getsockname(9, {sa_family=AF_UNIX}, [128->2]) = 0
poll([{fd=9, events=POLLOUT}], 1, 0) = 1 ([{fd=9, revents=POLLOUT}])
sendto(9, "\0", 1, MSG_NOSIGNAL, NULL, 0) = 1
sendto(9, "AUTH EXTERNAL 30\r\n", 18, MSG_NOSIGNAL, NULL, 0) = 18
poll([{fd=9, events=POLLIN}], 1, -1) = 1 ([{fd=9, revents=POLLIN}])
read(9, "OK 965e44f2f27fc580d53341ec615ea"..., 2048) = 37
poll([{fd=9, events=POLLOUT}], 1, -1) = 1 ([{fd=9, revents=POLLOUT}])
sendto(9, "NEGOTIATE_UNIX_FD\r\n", 19, MSG_NOSIGNAL, NULL, 0) = 19
poll([{fd=9, events=POLLIN}], 1, -1) = 1 ([{fd=9, revents=POLLIN}])
read(9, "AGREE_UNIX_FD\r\n", 2048) = 15
poll([{fd=9, events=POLLOUT}], 1, -1) = 1 ([{fd=9, revents=POLLOUT}])
sendto(9, "BEGIN\r\n", 7, MSG_NOSIGNAL, NULL, 0) = 7
poll([{fd=9, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=9, revents=POLLOUT}])
sendmsg(9, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="l\1\0\1\0\0\0\0\1\0\0\0n\0\0\0\1\1o\0\25\0\0\0/org/fre"...,
iov_len=128}, {iov_base="", iov_len=0}], msg_iovlen=2, msg_controllen=0,
msg_flags=0}, MSG_NOSIGNAL) = 128
poll([{fd=9, events=POLLIN}], 1, 25000) = 1 ([{fd=9, revents=POLLIN}])
recvmsg(9, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="l\2\1\1\v\0\0\0\1\0\0\0=\0\0\0\6\1s\0\6\0\0\0:1.114\0\0"...,
iov_len=2048}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC},
MSG_CMSG_CLOEXEC) = 262
recvmsg(9, {msg_namelen=0}, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily
unavailable)
sendmsg(9, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1
\0\0\0\2\0\0\0\240\0\0\0\1\1o\0\31\0\0\0/org/fre"..., iov_len=176},
{iov_base="\f\0\0\0sssd.service\0\0\0\0\7\0\0\0replace\0", iov_len=32}],
msg_iovlen=2, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 208
poll([{fd=9, events=POLLIN}], 1, 120000) = 1 ([{fd=9, revents=POLLIN}])
recvmsg(9, {msg_name=NULL, msg_namelen=0,
msg_iov=[{iov_base="l\2\1\1(\0\0\0S\34\0\0-\0\0\0\5\1u\0\2\0\0\0\6\1s\0\6\0\0\0"...,
iov_len=2048}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC},
MSG_CMSG_CLOEXEC) = 104
recvmsg(9, {msg_namelen=0}, MSG_CMSG_CLOEXEC) = -1 EAGAIN (Resource temporarily
unavailable)
write(1, "Creating backup of local data..."..., 33Creating backup of local
data...
) = 33
umask(077) = 022
mkdir("/var/lib/sss/backup", 0700) = -1 EEXIST (File exists)
umask(022) = 077
access("/var/lib/sss/backup/sssd_user_overrides.bak", F_OK) = 0
write(1, "SSSD backup of local data alread"..., 66SSSD backup of local data
already exists, override? (yes/no) [no] ) = 66
read(0, yes
"yes\n", 1024) = 4
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7fbde72f3b90) = 79307
wait4(79307, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 79307
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=79307, si_uid=0, si_status=0,
si_utime=0, si_stime=0} ---
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7fbde72f3b90) = 79308
wait4(79308, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 79308
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=79308, si_uid=0, si_status=0,
si_utime=0, si_stime=0} ---
write(1, "Removing cache files...\n", 24Removing cache files...
) = 24
openat(AT_FDCWD, "/var/lib/sss/db", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_DIRECTORY) =
10
fstat(10, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fcntl(10, F_GETFL) = 0x38000 (flags
O_RDONLY|O_LARGEFILE|O_NOFOLLOW|O_DIRECTORY)
fcntl(10, F_SETFD, FD_CLOEXEC) = 0
getdents64(10, /* 8 entries */, 32768) = 320
newfstatat(10, "fast_ccache_UX.EXAMPLE.COM", {st_mode=S_IFREG|0600, st_size=756,
...}, AT_SYMLINK_NOFOLLOW) = 0
unlinkat(10, "fast_ccache_UX.EXAMPLE.COM", 0) = 0
newfstatat(10, "ccache_UX.EXAMPLE.COM", {st_mode=S_IFREG|0600, st_size=1462,
...}, AT_SYMLINK_NOFOLLOW) = 0
unlinkat(10, "ccache_UX.EXAMPLE.COM", 0) = 0
newfstatat(10, "timestamps_ux.EXAMPLE.COM.ldb", {st_mode=S_IFREG|0600,
st_size=1286144, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlinkat(10, "timestamps_ux.EXAMPLE.COM.ldb", 0) = 0
newfstatat(10, "config.ldb", {st_mode=S_IFREG|0600, st_size=1286144, ...},
AT_SYMLINK_NOFOLLOW) = 0
unlinkat(10, "config.ldb", 0) = 0
newfstatat(10, "sssd.ldb", {st_mode=S_IFREG|0600, st_size=1286144, ...},
AT_SYMLINK_NOFOLLOW) = 0
unlinkat(10, "sssd.ldb", 0) = 0
newfstatat(10, "cache_ux.EXAMPLE.COM.ldb", {st_mode=S_IFREG|0600,
st_size=1609728, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlinkat(10, "cache_ux.EXAMPLE.COM.ldb", 0) = 0
getdents64(10, /* 0 entries */, 32768) = 0
close(10) = 0
openat(AT_FDCWD, "/var/run/sssd.pid", O_RDONLY) = -1 ENOENT (No such file or
directory)
write(1, "SSSD needs to be running. Start "..., 57SSSD needs to be running.
Start SSSD now? (yes/no) [yes] ) = 57
read(0, yes
"yes\n", 1024)
*************************************************************
...shows that this actually removes the files from /var/lib/sss/db (it appears to first stop sssd.service over the system D-Bus, back up local data to /var/lib/sss/backup, then unlink the cache/timestamps .ldb databases and the Kerberos ccache files before offering to start SSSD again)
Thanks again!
Regards
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
czwartek, 7 października 2021 15:47, Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> napisał(a):
> On to, 07 loka 2021, m57n2 via FreeIPA-users wrote:
>
> > Hi,
> >
> > thanks for the answer.
> >
> > To clarify:
> >
> > 1. "What doesn't work?"
> >
> > => Command "sss_cache -E" on client host... doesn't have impact
on
> >
> > possibility to logon with cached credentials. I can login again with
> >
> > debug info: "Authenticated with cached credentials." << which
come from
> >
> > "pam_verbosity = 3" parameter inside sssd.conf
> >
> > //of course I have disabled both (master and replica) IPA services by
> >
> > "ipactl stop" before testing off-line login.
>
> 'sss_cache -E' invalidates entries, it does not remove them completely.
>
> Man page for sss_cache says about it quite clearly:
>
> Invalidated records are forced to be reloaded from server as soon as
>
> related SSSD backend is online.
>
> So if you are offline, the database will still be present and if you
>
> have cached credentials, you'll be able to login with the data stored in
>
> the database content.
>
> You certainly should not use sss_cache to imitate offline mode.
>
> If you have removed the cache with 'sssctl cache-remove', then you'd be
>
> unable to login at all when an SSSD backend is offline.
>
> > 2. "What are you expecting?"
> >
> > As Linux environment admins we are going to implement an IdM/IPA solution for
> >
> > "ux" part of our mixed win-linux hosts env. We realized that
"SSH key
> >
> > management with local accounts" is... let's say "not
scalable" ;-)
> >
> > ...but in the other hand I need to be sure that in case of admin/user
> >
> > account modification or IPA server unavailability => user will not have
> >
> > a possibility to logon (there are some users from AD which should have
> >
> > access to shell and they will be added via IPA<=>AD trust [final step of
> >
> > our deployment]. //I mean that this "off-line logon" is ...expected
> >
> > behavior, but I want to have full control over it.
>
> As long as SSSD backend provider is offline, it will rely on the data it
>
> has in the local cache to allow or deny access, if you have enabled the
>
> ability to handle offline cached authentication. This pretty much
>
> corresponds to a similar behavior within Active Directory environment as
>
> well.
>
> If there is no cached information about a specific user locally, then
>
> login will not succeed in offline state of SSSD backend.
>
> > I know that there is no possibility to turn off caching due to
> >
> > sophisticated architecture of sssd daemon
> >
> > (
https://sssd.io/docs/architecture.html) but, as i described above, we
> >
> > need to know "what is going on under the hood".
> >
> > 3. Is there only solution for that - is a ...removing all files from
> >
> > '/var/lib/sss/db' from each client-host on which particular user
has
> >
> > had an access?
>
> Either disable offline cached authentication or remove those databases
>
> with 'sssctl cache-remove'.
>
> You have
>
> krb5_store_password_if_offline = True
>
> this is what triggers offline cached authentication.
>
> > Regards,
> >
> > M.
> >
> > Sent with ProtonMail Secure Email.
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > czwartek, 7 października 2021 14:51, Rob Crittenden rcritten(a)redhat.com
napisał(a):
> >
> > > m57n2 via FreeIPA-users wrote:
> > >
> > > > Hello,
> > > >
> > > > I have had set up a test-bed environment consist of:
> > > >
> > > > IPA server [master] - OL8.4
> > > >
> > > > IPA server [replica] - OL8.4
> > > >
> > > > IPA client1 - OL8.4
> > > >
> > > > IPA client2 - OL8.4
> > > >
> > > > IPA client3 - Ubuntu20.04LTS
> > > >
> > > > //I've installed "master" manually and the rest of hosts
via ansible
> > > >
> > > > playbooks.
> > > >
> > > > All works fine: user created on IPA directory [let's say:
"adminux"] can
> > > >
> > > > successfully log in on clients with SUDO privileges.
> > > >
> > > > Now I started to test offline [sssd] login ....and it works [too]fine
=>
> > > >
> > > > user can log into system even though it was disabled on IPA server!
> > > >
> > > > I started to tune-up sssd.conf parameters:
> > > > ------------------------------------------
> > > >
> > > > root@cl3:~# vim /etc/sssd/sssd.conf
> > > >
> > > > [
domain/ux.example.com]
> > > >
> > > > id_provider = ipa
> > > >
> > > > ipa_server = srv,
idm1.ux.example.com
> > > >
> > > > ipa_domain =
ux.example.com
> > > >
> > > > ipa_hostname =
cl3.ux.example.com
> > > >
> > > > auth_provider = ipa
> > > >
> > > > chpass_provider = ipa
> > > >
> > > > access_provider = ipa
> > > >
> > > > cache_credentials = True
> > > >
> > > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > >
> > > > dyndns_update = True
> > > >
> > > > dyndns_iface = ens33
> > > >
> > > > krb5_store_password_if_offline = True
> > > >
> > > > *entry_cache_timeout = 60
> > > >
> > > > account_cache_expiration = 1
> > > >
> > > > [sssd]
> > > >
> > > > services = nss, pam, ssh, sudo
> > > >
> > > > domains =
ux.example.com
> > > >
> > > > [nss]
> > > >
> > > > homedir_substring = /home
> > > >
> > > > *enum_cache_timeout = 10
> > > >
> > > > entry_cache_nowait_percentage = 0
> > > >
> > > > [pam]
> > > >
> > > > *pam_verbosity = 3
> > > >
> > > > offline_credentials_expiration = 1
> > > >
> > > > [sudo]
> > > >
> > > > [sudo]
> > > >
> > > > [autofs]
> > > >
> > > > [ssh]
> > > >
> > > > [pac]
> > > >
> > > > [ifp]
> > > >
> > > > [secrets]
> > > >
> > > > [session_recording]
> > > > -------------------
> > > >
> > > > I was also trying to erase sssd cache with command:
> > > >
> > > > #sss_cache -E
> > > >
> > > > ...but it doesn't work in my test env!
> > >
> > > What doesn't work? What are you expecting?
> > >
> > > > I'll appreciate any suggestions "How can I control off-line
logon
> > > >
> > > > cache in case of user creation, user deletion, user rights change and
> > > >
> > > > so on..." ?
> > >
> > > If it's offline then the client will not see user creation, deletion, etc
> > >
> > > because it's offline, right?
> > >
> > > rob
> >
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> >
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >
> > Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>
> --
>
> / Alexander Bokovoy
>
> Sr. Principal Software Engineer
>
> Security / Identity Management Engineering
>
> Red Hat Limited, Finland
>
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure