sssd.conf, authconfig and ldap_uri
by Olivier
Hello everyone,
I launch "authconfig" within a script to setup my redhat6 boxes.
I noticed that authconfig does not set up sssd.conf properly:
https://bugzilla.redhat.com/show_bug.cgi?id=874527
but the bug is declared as "closed" ?
First question :
could anyone confirm that authconfig does *not* configure
sssd.conf with "--enablesss" and "--enablesssdauth" and
that I therefore need to configure that file myself (by hand
or within my script) ?
Second question:
I noticed that sssd seemed to work properly even without
declaring the "ldap_uri" parameter within sssd.conf. Could
anyone confirm that this parameter is not necessary and
where does sssd collect the list of ldap servers to query
in that case, ldap.conf ?
Thank you for any help,
Best regards,
---
Olivier
10 years, 6 months
lines beginning with spaces in sssd.conf
by Ondrej Valousek
Hi List,
I have noticed that since F19 I cannot use lines beginning with spaces in sssd.conf - sssd complains otherwise.
Was this an intentional change? I used spaces/white characters to indent the config for better readability.
Thanks,
Ondrej
10 years, 6 months
Home Directory not being created
by Chris Hartman
I'm having a problem getting pam_mkhomedir.so to make a user's home
directory when it's specified using an LDAP attribute. The backend
directory server is AD on Server 2008. The client is Ubuntu 12.04, sssd
version 1.11.1.
First, my sssd.conf:
[sssd]
config_file_version = 2
debug_level = 0
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain
[pam]
debug_level = 0
[nss]
debug_level = 0
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
reconnection_retries = 3
[domain/domain]
debug_level = 0
ad_domain = domain.local
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
enumerate = true
cache_credentials = true
# Will check unixHomeDirectory LDAP attribute for a value first
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory
dyndns_update = true
dyndns_update_ptr = true
ldap_schema = ad
ldap_id_mapping = true
I'm testing using the Guest user.
Guest, unlike all my other users, has a home directory set in the
unixHomeDirectory attribute (/tmp/Guest). All other users rely on the
fallback_homedir option. When a normal user signs in and does not have a
home directory, I've configured pam to create one by adding this to the
common-session file:
session required pam_mkhomedir.so umask=077
This all works fine when ldap_user_home_directory is empty; the home
directory is created automatically upon logging in using the
fallback_homedir option.
However, when unixHomeDirectory actually contains a path, no home directory
is ever created and I'm always dropped in /.
Interestingly enough, "echo $HOME" as the Guest returns two different
values depending on if fallback_homedir is set. If it is set, $HOME =
/home/Guest. If it's commented out, $HOME = /tmp/Guest.
Any ideas? Thanks!
-Chris
10 years, 6 months
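To make the interplay between ldap_user_home_directory, fallback_homedir and pam_mkhomedir concrete, here is an added example that is not code from the post above, from SSSD or from pam_mkhomedir. It implements the selection order the sssd.conf(5) man page documents (override_homedir wins, then the LDAP attribute named by ldap_user_home_directory, then fallback_homedir) together with the documented %-template sequences, and a small pam_mkhomedir-style directory creation honouring umask=077. The LdapUser record, the CONF dictionary, the sample Guest and alice entries and the root= sandbox parameter are constructed for this example.

```python
"""Which home directory SSSD hands to PAM, and what pam_mkhomedir then does.

Added example, not code from the original post, from SSSD or from
pam_mkhomedir. Selection rules and %-sequences follow sssd.conf(5):
  override_homedir (if set) always wins; otherwise the LDAP attribute
  named by ldap_user_home_directory; otherwise fallback_homedir.
  %u user name, %U uid, %d domain, %f fully qualified name,
  %o original LDAP home directory, %H homedir_substring, %% literal %.
The LdapUser record, CONF and the sample users are constructed here.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field


@dataclass
class LdapUser:
    name: str
    uid: int
    domain: str
    attrs: dict = field(default_factory=dict)  # attributes as returned by the directory


def expand_template(template, user, homedir_substring="/home"):
    """Expand the %-sequences documented for fallback_homedir/override_homedir."""
    mapping = {
        "u": user.name,
        "U": str(user.uid),
        "d": user.domain,
        "f": f"{user.name}@{user.domain}",
        "o": user.attrs.get("unixHomeDirectory", ""),  # %o: value from LDAP, empty if absent
        "H": homedir_substring,
        "%": "%",
    }

    def sub(m):
        code = m.group(1)
        if code not in mapping:
            raise ValueError(f"unknown template sequence %{code}")
        return mapping[code]

    return re.sub(r"%(.)", sub, template)


def resolve_homedir(conf, user):
    """Return the home directory SSSD would report for this user under conf."""
    if conf.get("override_homedir"):
        return expand_template(conf["override_homedir"], user)
    attr = conf["ldap_user_home_directory"]          # e.g. unixHomeDirectory (ldap_schema = ad)
    value = user.attrs.get(attr)
    if value:                                        # attribute present: fallback is NOT consulted
        return value
    if conf.get("fallback_homedir"):
        return expand_template(conf["fallback_homedir"], user)
    return ""                                        # nothing known: empty home directory


def ensure_homedir(path, umask=0o077, root=None):
    """pam_mkhomedir-style: create path with mode 0777 & ~umask if it is missing.

    root= (constructed for this example) relocates the tree under a sandbox
    directory so the function can be exercised without touching /home.
    Returns (real_path, created).
    """
    full = os.path.join(root, path.lstrip("/")) if root else path
    if os.path.isdir(full):
        return full, False
    os.makedirs(full)
    os.chmod(full, 0o777 & ~umask)                   # umask=077 -> 0700, as in common-session
    return full, True


def sandbox_root():
    """Fresh temporary directory to use as root= in ensure_homedir()."""
    return tempfile.mkdtemp(prefix="sssd-homedir-example-")


# Sample configuration mirroring the post: attribute first, fallback second.
CONF = {
    "ldap_user_home_directory": "unixHomeDirectory",
    "fallback_homedir": "/home/%u",
    "override_homedir": None,
}
GUEST = LdapUser("Guest", 1001, "domain.local", {"unixHomeDirectory": "/tmp/Guest"})
ALICE = LdapUser("alice", 1002, "domain.local")    # no unixHomeDirectory attribute


if __name__ == "__main__":
    for u in (GUEST, ALICE):
        print(u.name, "->", resolve_homedir(CONF, u))
    p, created = ensure_homedir(resolve_homedir(CONF, ALICE), root=sandbox_root())
    print(p, "created" if created else "already there", oct(os.stat(p).st_mode & 0o777))
```

The point worth checking on a real box is the middle branch: with the attribute populated, the documented behaviour is that fallback_homedir plays no role at all, so a $HOME that flips between /tmp/Guest and /home/Guest depending on whether fallback_homedir is commented out is exactly the kind of discrepancy to capture in the sssd_nss log and the PAM debug output before changing anything else.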
sssd 1.11 (F19) & AD not working
by Ondrej Valousek
Hi all,
I just used sssd in F19 and it does not seem to work with AD. The same config works fine with CentOS 6 (sssd 1.9.2). Here is the log:
[be_get_account_info] (0x0100): Got request for [4097][1][name=ovalousek]
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-xxxxxxxxxxxxxxxxxxxxxxxxx]: [10]
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-xxxxxxxxxxxxxxxxxxxxxxxxx]
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
What is wrong?
Thanks,
Ondrej
10 years, 6 months
Re: [SSSD-users] authenticating against all sub-domains in AD forest
by a t
Hi,
That user, test.user, is in the subdomain a.domain.org.
The logs mark domain.org as a subdomain of b.domain.org. However, this is not correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not have users in the root domain. All users are in other subdomains.
I believe the user I tested in another subdomain, mhunt.test(a)a.domain.org, did not show in the logs. When I tried to log in with mhunt.test(a)a.domain.org the logs show that sssd believes that domain "a" is a subdomain of b.domain.org rather than another subdomain of domain.org.
I might have to ask if I can send un-obfuscated logs in case I am adding to the confusion!
Thanks,
Matthew
--- Original Message ---
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
Sent: 29 September 2013 12:26
To: "End-user discussions about the System Security Services Daemon" <sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Tue, Sep 24, 2013 at 11:02:48AM +0000, a t wrote:
>
> Hi,
>
> please see logs attached. (couldn't upload logs as they were too large so I hope a tar.gz gets through). I stopped sssd, deleted logs and started sssd. Then ran the commands below;
>
> ssh B\\test.user@localhost - run at (Tue Sep 24 10:31:19 2013) - login succeeds
> ssh a\\mhunt.test@localhost - run at (Tue Sep 24 10:32:10 2013) - login fails. The error on ssh login is "Permission denied, please try again."
>
> (NOTE: I have just noticed I tested with uppercase domain "B" and lowercase domain "a". I have just retested with uppercase "A" and it still fails.)
>
> There are DNS server errors in the log.
>
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
>
> However, DNS from this install is working (when querying its hostname or others on LAN or internet) and from other boxes querying its hostname. resolv.conf has correct name servers and they are responding to 'nslookup' and 'host'
>
> Also the following line looks to be creating the parent domain (domain.org) as a subdomain or b.domain.org?
>
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
>
> I have changed domain names in logs and changed bits of SIDs. Hope I have not confused anything with SID changes!!
>
> Thanks,
>
> Matthew
Hi,
I'm sorry for the late reply..
According to these logs I see three potential things to take a look at:
1)
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
It looks like you were hitting https://fedorahosted.org/sssd/ticket/2063
which should be resolved by now.
What exact version was this? The one from sssd-devel?
2)
The other thing I see:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [B.DOMAIN.ORG] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_B_DOMAIN_ORG]
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded.
This sounds like SELinux denial to me. Could you try setting SELinux to
permissive for the duration of the test (setenforce 0)
3)
Then in the logs I see a lookup and authentication of [CN=test user,OU=No
Management,OU=User Accounts,DC=b,DC=domain,DC=org]
Is that a root domain or subdomain user? Because this particular request
seems to have completed fine.. According to the logs, the subdomain should
be just called domain.org:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sdap_domain_subdom_add] (0x0400): subdomain domain.org is a new one, will create a new sdap domain object
But I don't see a request for a subdomain user from domain.org..not sure
if the real DN just got lost in the obfuscation..
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
10 years, 6 months
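Both the F19/AD thread above (the idmap range failure followed by "going offline") and the forest thread (DNS, krb5.conf mtime, subdomain creation) are diagnosed the same way: find the earliest line at a failure level and treat the later ones as consequences. The following added example, which is not code from either thread or from the SSSD project, parses the back-end log format shown on this page and does that triage. The line layout and the debug-level bit values are taken from sssd.conf(5); SAMPLE_LOG is constructed from the lines quoted above (with the SIDs left obfuscated as in the post), and the function and variable names are the example's own.

```python
"""Triage of SSSD back-end debug logs.

Added example, not code from the threads above or from the SSSD project.
Line layout: (timestamp) [sssd[process]] [function] (0xLEVEL): message
Level bits as documented in sssd.conf(5). SAMPLE_LOG is constructed from
the excerpts quoted on the page.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) "               # (Tue Oct 8 19:17:18 2013)
    r"\[sssd\[(?P<proc>.*?)\]\] "        # [sssd[be[default]]]  -> proc = be[default]
    r"\[(?P<func>[^\]]+)\] "             # [sdap_idmap_add_domain]
    r"\((?P<level>0x[0-9a-fA-F]+)\): "   # (0x0020):
    r"(?P<msg>.*)$"
)

# Debug-level bits from sssd.conf(5); anything at or below 0x0080 is a failure.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function data", 0x0400: "trace functions",
    0x1000: "trace internal", 0x2000: "trace all", 0x4000: "ldap trace",
}

SAMPLE_LOG = """\
[be_get_account_info] (0x0100): Got request for [4097][1][name=ovalousek]
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-xxxxxxxx]: [10]
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-xxxxxxxx]
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
"""


def parse_line(line):
    """Parse one log line; return a dict or None if it is not a full back-end line.

    Leading '> ' quote markers (as in mail replies) are stripped first.
    """
    line = re.sub(r"^(>\s*)+", "", line.strip())
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["level_name"] = LEVEL_NAMES.get(rec["level"], "unknown")
    return rec


def triage(log_text, max_level=0x0080):
    """Collect failure lines (level <= max_level) in log order.

    The first failure is the root-cause candidate; lines such as
    'going offline' are usually consequences of it.
    """
    events, unparsed = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        (events if rec else unparsed).append(rec or raw)
    failures = [e for e in events if e["level"] <= max_level]
    return {
        "failures": failures,
        "first_failure": failures[0] if failures else None,
        "by_func": Counter(e["func"] for e in failures),
        "went_offline": any("going offline" in e["msg"].lower() for e in events),
        "unparsed": unparsed,          # e.g. lines truncated when pasted into mail
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["failures"]:
        print(f"{e['level_name']:9} {e['func']}: {e['msg']}")
    print("root-cause candidate:", result["first_failure"]["func"])
    print("went offline:", result["went_offline"], "| unparsed lines:", len(result["unparsed"]))
```

Run against the F19 log this reports sdap_idmap_add_domain as the first failure, which is why the later "No available servers" and "going offline" lines should not be chased first; the same script over the quoted forest log surfaces the resolver and krb5.conf lines Jakub singled out.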