sssd and different repositories
by Longina Przybyszewska
Hi list,
I am going to set up a proof-of-concept installation of Ubuntu (Precise) client/server using sssd to authenticate/authorize
against Active Directory.
At this moment everything seems to be a challenge - as I am an exclusive (ok ;-) almost exclusive... ) hard-core Linux user.
As our Windows team is not ready with the AD schema for Unix - my first exercise could be:
- get login/ssh authentication (and passwd change) against AD
- get uid/gid/auto.home map/shell from the existing Linux NIS server
Is my plan realistic?
Best regards
Longina Przybyszewska
Systemprogrammør, IT Services
Tel. +45 6550 2359
Mobile +45 6011 2359
Fax +45 6550 2467
Email longina(a)sdu.dk
Web http://www.sdu.dk/ansat/longina
Addr. Campusvej 55, DK-5230 Odense M, Denmark
UNIVERSITY OF SOUTHERN DENMARK
_______________________________________________________________
Campusvej 55 * DK-5230 * Odense M * Denmark * Tel. +45 6550 1000 * www.sdu.dk
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 12 October 2012 22:40
To: sssd-devel(a)lists.fedorahosted.org; sssd-users(a)lists.fedorahosted.org; freeipa-interest(a)redhat.com
Subject: [SSSD-users] Announcing SSSD 1.9.2
Re: [SSSD-users] sssd and different repositories
by Longina Przybyszewska
Ubuntu Precise has sssd-1.8.2.
I use 'msktutil' - a very nice utility for joining an AD domain.
It is easy to join a bunch of computers and renew expired passwds with it.
The realmd project looks interesting too.
longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 16 October 2012 14:13
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd and different repositories
On Tue, Oct 16, 2012 at 10:21:02AM +0000, Longina Przybyszewska wrote:
> Hi list,
> I am going to set up a proof-of-concept installation of Ubuntu
> (Precise) client/server using sssd to authenticate/authorize against Active Directory.
> At this moment everything seems to be a challenge - as I am an exclusive (ok ;-) almost exclusive... ) hard-core Linux user.
>
> As our Windows team is not ready with the AD schema for Unix - my first
> exercise could be:
> - get login/ssh authentication (and passwd change) against AD
> - get uid/gid/auto.home map/shell from the existing Linux NIS server
>
> Is my plan realistic?
I'm not sure what version of the SSSD Ubuntu Precise ships, but I would recommend using 1.9.x and the AD provider. You might also want to look into the realmd project, which could simplify joining an AD domain for you.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
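The split described in this thread (authentication and password change against AD, uid/gid/home/shell still from the existing NIS server) maps onto one sssd.conf domain with a proxy id provider and a krb5 auth provider; the file below is an added example, not a configuration posted in the thread or shipped by the SSSD project. The realm EXAMPLE.COM, the domain controller names and the keytab path are placeholders, and the host keytab is assumed to exist from the AD join (for instance via msktutil, as the reply mentions).

```ini
# Added example sssd.conf (not from the thread): AD Kerberos for auth/chpass,
# NIS for identities. Realm and server names are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = nisad

[nss]

[pam]

[domain/nisad]
# Identities (uid/gid/home/shell) keep coming from NIS: the proxy provider
# loads the system's nss_nis library directly, so ypbind/yp.conf must work.
# auto.home maps are not handled here; autofs can keep reading them from
# NIS through nsswitch as before.
id_provider = proxy
proxy_lib_name = nis

# Authentication and password change go to the AD domain controllers.
# With the 1.9.x AD provider recommended in the reply, these two lines
# can become "auth_provider = ad" / "chpass_provider = ad".
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com, dc2.example.com
krb5_kpasswd = dc1.example.com

# Verify the TGT against the host key from the AD join. Without this,
# a host that answers as the KDC could get a password accepted on a
# forged ticket; with it, the login fails unless the ticket decrypts
# with the machine's own keytab entry.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# Allow logins from cached (hashed) credentials when the DCs are down.
cache_credentials = true
```

Restart sssd after editing and check with `getent passwd <nisuser>` that identities still resolve before testing an AD password at the login prompt.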
Announcing SSSD 1.9.2
by Jakub Hrozek
=== SSSD 1.9.2 ===
The SSSD team is proud to announce the release of version 1.9.2 of
the System Security Services Daemon.
This is mostly a bugfix release again. I am going to branch off the 1.9
branch from master so that we can start including the 1.10 features in
master.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Users or groups from trusted domains can be retrieved by UID or GID as well
* Several fixes that mitigate a file descriptor leak during logins
* SSH host keys are also removed from the cache after being removed
from the server
* Fix intermittent crash in responders if the responder was shutting
down while requests were still pending
* Catch an error condition that might have caused a tight loop in the
sssd_nss process while refreshing an expired enumeration request
* Fixed memory hierarchy of subdomains discovery requests that caused
use-after-free access bugs
* The krb5_child and ldap_child processes can print libkrb5 tracing
information in the debug logs
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1008
Make sssd api conf file location configurable
https://fedorahosted.org/sssd/ticket/1319
group lookups optimizations for IPA
https://fedorahosted.org/sssd/ticket/1499
Add details about TGT validation to sssd-krb5 man page
https://fedorahosted.org/sssd/ticket/1512
[sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist
https://fedorahosted.org/sssd/ticket/1514
[abrt] sssd-1.8.4-13.fc16: __GI_exit: Process /usr/libexec/sssd/sssd_pam was killed by signal 6 (SIGABRT)
https://fedorahosted.org/sssd/ticket/1539
Collect Krb5 Trace on High Debug Levels
https://fedorahosted.org/sssd/ticket/1551
sssd_nss process hangs, stuck in loop; "self restart" does recover, but old process hangs around using 100% CPU
https://fedorahosted.org/sssd/ticket/1561
getting user/group entry by uid/gid sometimes fails
https://fedorahosted.org/sssd/ticket/1569
Use pam_set_data to close the fd in the pam module
https://fedorahosted.org/sssd/ticket/1571
sssd_nss intermittent crash
https://fedorahosted.org/sssd/ticket/1574
SSH host keys are not being removed from the cache
== Packaging Changes ==
* The libsss_sudo-devel package no longer contains the package-config
file. The libsss_sudo-devel shared object has been moved to the
libsss_sudo package.
== Detailed Changelog ==
E Deon Lackey (1):
* Fix language errors in the sssd-krb5.conf man page
Jakub Hrozek (14):
* Bumping the version to 1.9.1 release
* Fix uninitialized pointer read in ssh_host_pubkeys_update_known_hosts
* Fix segfault when ID-mapping an entry without a SID
* Fix memory hierarchy in subdomains discovery
* PAM: close socket fd with pam_set_data
* Couple of specfile fixes
* Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo
* Two fixes to child processes
* Collect krb5 trace on high debug levels
* PAM: fix handling the client fd in pam destructor
* Create ghost users when a user DN is encountered in IPA
* Only call krb5_set_trace_callback on platforms that support it
* MAN: improve wording of default_domain parameter
* Updating the translations for the 1.9.2 release
Jan Cholasta (1):
* SSH: When host keys are removed from LDAP, remove them from the
cache as well
Ondrej Kos (1):
* Add more info about ticket validation
Pavel Březina (3):
* do not fail if POLLHUP occurs while reading data
* do not call dp callbacks when responder is shutting down
* nss_cmd_retpwent(): do not go into infinite loop if n < 0
Sumit Bose (3):
* Save time of last get_domains request
* Check for subdomains if getpwuid or getgrgid are the first requests
* Allow extdom exop to return flat domain name as well
Thorsten Scherf (1):
* Fixed: translation bug
Yuri Chornoivan (1):
* Fix typos
Announcing SSSD 1.8.5
by Jakub Hrozek
=== SSSD 1.8.5 ===
The SSSD team is proud to announce the bugfix release of the System
Security Services Daemon version 1.8.5.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, this time for
F-16 and F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Fixed a potential segfault when SRV records are used to discover services
* The client libraries now use robust mutexes to avoid a potential deadlock
if a thread was cancelled while holding a mutex
* Do not return an error when the SELinux support is not configured
* Fixed returning an error to the PAM stack when the SSSD was performing
authentication but the kpasswd server was unreachable
* The SSSD used to skip a whole nesting level instead of a single already
processed group when loading nested group membership structure
* Added support for terminating idle connections and made the idle
timeout configurable
* The sss_ssh_knownhostsproxy command no longer aborts when processing a
host without DNS records
* The shadowLastChange attribute is now correctly updated with days since
the Epoch, not seconds
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/1356
SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
* https://fedorahosted.org/sssd/ticket/1271
Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
* https://fedorahosted.org/sssd/ticket/1360
Provide "service filter" for SELinux context
* https://fedorahosted.org/sssd/ticket/1354
Add support for terminating idle connections
* https://fedorahosted.org/sssd/ticket/1452
KRB5: Only return PAM error for unreachable kpasswd when performing chpass
* https://fedorahosted.org/sssd/ticket/1419
Fixed wrong number in shadowLastChange
* https://fedorahosted.org/sssd/ticket/1460
Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
* https://fedorahosted.org/sssd/ticket/1515
KRB5: Return PAM_AUTH_ERR on incorrect password
* https://fedorahosted.org/sssd/ticket/1364
FO: Check server validity before setting status
== Detailed Changelog ==
Jakub Hrozek (8):
* Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
* Send the correct enumeration request
* Process all groups from a single nesting level
* SYSDB: Make sysdb_attrs_get_el_int() public
* KRB5: Only return PAM error for unreachable kpasswd when performing chpass
* Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
* KRB5: Return PAM_AUTH_ERR on incorrect password
* FO: Check server validity before setting status
Jan Cholasta (3):
* SSH: Update sss_ssh_knownhostsproxy manual page
* SSH: Suppress error message output in sss_ssh_knownhostsproxy
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
Jan Zeleny (2):
* Provide "service filter" for SELinux context
* Fixed wrong number in shadowLastChange
Shantanu Goel (4):
* Set return errno to the value prior to calling close().
* Log message if close() fails in destructor.
* Do not send SIGPIPE on disconnection
* Add support for terminating idle connections
Stephen Gallagher (2):
* Bumping version to 1.8.5
* Make the client idle timeout configurable
Timo Aaltonen (1):
* Move SELinux processing from session to account PAM stack
[SSSD] Announcing SSSD 1.9.1
by Jakub Hrozek
=== SSSD 1.9.1 ===
The SSSD team is proud to announce the release of version 1.9.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* The distribution tarball was fixed to include a missing file, which
prevented "make rpms" from running correctly.
* Handle gracefully the situation where the namingContext is zero-length,
such as when connected to the Novell eDirectory server.
* A new option default_domain_suffix was added. This option is mainly
useful for environments whose users come from a trusted domain so that
the user doesn't have to specify that trusted domain with every user lookup.
* Many man page fixes that were held from the 1.9.0 release during the
string freeze
* The entries in the generated known_hosts file are now expired, preventing
the file from growing indefinitely
* The PID file is now created after all the SSSD services start up to
avoid notifying the user via the init system before SSSD is able to
handle requests.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1303
SSSD is slow at startup
https://fedorahosted.org/sssd/ticket/1357
Init script reports complete before sssd is actually working
https://fedorahosted.org/sssd/ticket/1471
Range Retrieval: Unable to retrieve all members when filter is used
in search base.
https://fedorahosted.org/sssd/ticket/1483
Mention ldap_schema types on newlines or comma separate them.
https://fedorahosted.org/sssd/ticket/1494
ldap_chpass_update_last_change is not included in the manual page
https://fedorahosted.org/sssd/ticket/1525
Explain default re_expression in IPA and AD provider man pages
https://fedorahosted.org/sssd/ticket/1529
[RFE] Login with users from a trusted domain always requires a FQ name
https://fedorahosted.org/sssd/ticket/1533
Improve recreating new ccache file when the old one is not accessible
any more
https://fedorahosted.org/sssd/ticket/1535
Flip the default value of ldap_initgroups_use_matching_rule_in_chain
https://fedorahosted.org/sssd/ticket/1537
Fix sssd-ad id ranges
https://fedorahosted.org/sssd/ticket/1540
[man sssd-ldap] 'ldap_access_filter' description needs to be updated
https://fedorahosted.org/sssd/ticket/1541
Manpage has ldap_autofs_search_base as experimental feature
https://fedorahosted.org/sssd/ticket/1542
User authentication using LDAP doesn't work
https://fedorahosted.org/sssd/ticket/1546
sss_seed "-h" and "--help" options should output similar results
https://fedorahosted.org/sssd/ticket/1548
User authentication fails when password is read from a file using -p
option of SSS_SEED tool.
https://fedorahosted.org/sssd/ticket/1549
Providing invalid UID/GID values, terminates sss_seed tool without
any error message
https://fedorahosted.org/sssd/ticket/1554
sss_seed should not allow blank passwords
https://fedorahosted.org/sssd/ticket/1562
Domains overlap in range 1 - 4294967295
https://fedorahosted.org/sssd/ticket/1563
Document the need to restart autofs service.
== Detailed Changelog ==
Jakub Hrozek (11):
* Bumping the version to 1.9.1 release
* Document ldap_chpass_update_last_change
* sudo and autofs search bases should not be marked experimental
* Flip the default value of ldap_initgroups_use_matching_rule_in_chain
* Include param_help_py.xml in the list of po4a sources
* Note that Range Retrieval is not supported when filter is used in the search base.
* Change the log level of two DEBUG messages in check_domain_ranges
* Remove unused variable
* Check for existing pidfile before starting the providers
* man: Note that automounter must be restarted to re-read the master map
* Updating the translations for 1.9.1 release
Jan Cholasta (2):
* SSH: Refactor sysdb and related code
* SSH: Expire hosts in known_hosts
Michal Zidek (7):
* Change option to display help message in man pages.
* sss_seed: Option --debug did not work in sss_seed tool.
* sss_seed: Show error message when interactive input fails.
* sss_seed: Make only first line of password file valid.
* sss_seed: Passwords longer than PASS_MAX not allowed.
* sss_seed: Improved error message when the domain does not exist.
* Variable in sdap_sudo_rules_refresh_send could be used uninitialized.
Ondrej Kos (4):
* sssd-ldap manpage: ldap_scheme formatting
* Log possibly non-randomizable ccache file template
* Slices calculation is always wrong for default values
* Fix default upper limit of slices
Pavel Březina (5):
* Fix few coding style issues
* monitor: create pid file after all responders are started
* remove left over principal selection
* manpage: ldap_access_filter is not always mandatory
* do not create pid file twice
Stephen Gallagher (2):
* LDAP: Handle empty namingContexts values safely
* BUILD: Include the patch file in the tarball
Sumit Bose (4):
* Add new option default_domain_suffix
* Use flat name for master domain as well
* sysdb_master_domain_get_info: fix copy-and-paste error
* Add man page section about provider specific re_expression