HI!
Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
Hi, could someone tell Timo that sssd for precise on his ppa is broken,
libpam-sss depends on libpam-pwquality (>= 1.2.2-1). There is no
libpam-pwquality available for precise, unless he knows where to find it ;-)
Rowland
Hello all,
I was wondering if someone would be able to help me track down where I went wrong with a 2008 R2 AD > Linux sssd configuration. I am following the guide "Configuring sssd to authenticate with a Windows 2008 Domain Server" found on the sssd website on fedorahosted.org. Here is the link: https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%2…
I'm at the step where I run kinit -k CLIENT$(a)AD.EXAMPLE.COM. Unfortunately it's not working for me.
When I run the command on the client I get this:
kinit: Client not found in Kerberos database while getting initial credentials
The Windows server is running Windows 2008 R2, for forest functional level I selected 2008 R2. The Linux server is running Debian 6.0.8. The version of sssd is 1.2.1-4+squeeze1.
Here is my output from klist -ke :
root@client:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 host/server.domain.local(a)DOMAIN.LOCAL (DES cbc mode with CRC-32)
5 host/server.domain.local(a)DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
5 host/server.domain.local(a)DOMAIN.LOCAL (ArcFour with HMAC/md5)
5 host/server.domain.local(a)DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
5 host/server.domain.local(a)DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
I had a similar problem a while back, and I even mailed the list for help. In that case however, I was able to get things to work by simply re-running the setspn and ktpass commands. However, that workaround is not fixing the issue this time.
Any help would be greatly appreciated.
Bryan
=== SSSD 1.11.3 ===
The SSSD team is proud to announce the release of version 1.11.3 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-develhttps://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release mostly focuses on bug fixes, especially in the AD provider
* The AD provider is able to resolve group memberships for groups with
Global and Universal scope
* The initgroups (get groups for user) operation for users from trusted
AD domains was made more reliable by reading the required tokenGroups
attribute from LDAP instead of Global Catalog
* A new option ad_enable_gc was added to the AD provider. This option
allows the administrator to force SSSD to talk to LDAP port only and never
try the Global Catalog
* The AD provider is now able to leverage the tokenGroups attribute even
when POSIX attributes are used, providing better performance during logins.
* A memory leak in the NSS responder that affected long-lived clients that
requested netgroup data was fixed
== Documentation Changes ==
* A new option ldap_group_type was added to LDAP, IPA and AD providers
* A new option ad_enable_gc was added to the AD provider
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1568
[RFE] AD Provider should use tokenGroups with non-ID-mapping
https://fedorahosted.org/sssd/ticket/2077
[RFE] If originalDN is not available during LDAP auth, the SSSD should look it up
https://fedorahosted.org/sssd/ticket/2132
Improve detection of the right domain when processing group with members from several domains
https://fedorahosted.org/sssd/ticket/2133
sss_idmap: add API to free objects allocated by the library
https://fedorahosted.org/sssd/ticket/2137
SSSD fails to fetch netgroup information with setnetgrent failed error
https://fedorahosted.org/sssd/ticket/2138
Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"
https://fedorahosted.org/sssd/ticket/2145
Push patch to bump version-info of libsss_idmap
https://fedorahosted.org/sssd/ticket/2146
sssd can't retrieve auto.master when using the "default_domain_suffix" option in
https://fedorahosted.org/sssd/ticket/2147
sssd_be crashes on manually adding a cleartext password to ldap_default_authtok
https://fedorahosted.org/sssd/ticket/2148
Individual group search returned multiple results in GC lookups
https://fedorahosted.org/sssd/ticket/2154
Incorrect mention of access_filter in sssd-ad manpage
https://fedorahosted.org/sssd/ticket/2156
Non descriptive error message when sssd.conf is missing completely
https://fedorahosted.org/sssd/ticket/2157
sssd_be segfaults if empty grop is resolved using ad_matching_rule
https://fedorahosted.org/sssd/ticket/2161
tokenGroups do not work reliable with Global Catalog
https://fedorahosted.org/sssd/ticket/2165
Update Gentoo init script
https://fedorahosted.org/sssd/ticket/2168
If SSSD starts offline, subdomains list is never read.
https://fedorahosted.org/sssd/ticket/2170
sssd_nss grows memory footprint when netgroups are requested
https://fedorahosted.org/sssd/ticket/2173
sssd_be crashes occasionally
https://fedorahosted.org/sssd/ticket/2178
AD groups with domain-local scope should be filtered out for trusted domains
== Detailed Changelog ==
Aron Parsons (1):
* do not use default_domain_suffix with autofs
Jakub Hrozek (14):
* Updating the version for the 1.11.3 release
* Initialize sid_str to NULL to avoid freeing random data
* LDAP: Split out a request to search for a user w/o saving
* LDAP: Search for original DN during auth if it's missing
* AD: Fix a typo in the man page
* LDAP: Initialize user count for AD matching rule
* SUBDOMAINS: Reuse cached results if DP is offline
* AD: Refresh subdomain data structures on startup
* IPA: Refresh subdomain data structures on startup
* IPA: Call ipa_ad_subdom_refresh when server mode is initialized
* AD: Add a utility function to create list of connections
* AD: Add a new option to turn off GC lookups
* AD: Enable fallback to LDAP of trusted domain
* Updating translations for the 1.11.3 release
Jan Engelhardt (1):
* build: fix ordering of linker flags
Lukas Slebodnik (7):
* NSS: Set packet length for initgroups
* LDAP: Prevent from using uninitialized sdap_options
* SYSDB: Skip malformed netgroup attribute.
* SYSDB: Sanitize filter before sysdb_search_groups
* SYSDB: Sanitize filter before removing ghost attrs
* NSS: Fix memory leak in sss_setnetgrent
* AUTOTOOLS: krb5 1.12 is also supported krb5 libs
Markos Chandras (2):
* sysv/gentoo: Use xdm if possible
* sysv/gentoo: Send debug output to a file instead of stderr
Pavel Březina (11):
* idmap: add API to free allocated SIDs
* free idmapped SIDs correctly
* free idmapped dom SIDs correctly
* free idmapped smb SIDs correctly
* free idmapped binary SIDs correctly
* pac: fix double free
* pac: fix potential memory leaks
* failover: check dns_domain if primary servers lookup failed
* ad: refactor tokengroups initgroups
* ad: use tokengroups even when id mapping is disabled
* Bump sss_idmap version to 3:0:3
Pavel Reichl (3):
* monitor: Specific error message for missing sssd.conf
* SSSD: Improved domain detection
* SSSD: Unit test - sss_ldap_dn_in_search_bases
Sumit Bose (10):
* AD: use LDAP for group lookups
* sss_cache: initialize names member of sss_domain_info
* sss_cache: fix case-sensitivity issue
* Add sysdb_attrs_add_lc_name_alias
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias
* Use lower-case name for case-insensitive searches
* Add new option ldap_group_type
* Add sysdb_attrs_get_int32_t
* AD: filter domain local groups for trusted/sub domains
* AD: cross-domain membership fix
Hi, this is my first post to this group, I hope someone can help me.
I'm interested to map ID mapping and authentication from a LDAP Server
in a CentOS 6.5 box.
The LDAP Server (running IBM TDS afaik) is managed by a third party
provider, so I just can make queries but not modifications.
I noted that there's no posixAccount objectClass in LDAP users, so I
wonder, How can I integrate those users using SSSD? This is an example
of my domain:
[domain/custom.domain.com]
id_provider = ldap
auth_providers = ldap
chpass_provider = ldap
ldap_uri = ldaps://directory.domain.com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
#ldap_search_base = ""
ldap_id_use_start_tls = true
cache_credentials = false
enumerate = false
use_fully_qualified_names = false
#ldap_user_name = notesShortName
As you can see, I tried to use "ldap_user_name" but without luck. I'm
concerned about entries that don't exist on the LDAP server like
homeDirectory or loginShell. Can SSSD deal with those attributes not
present?
I like to use just the credentials (user authentication) from the LDAP
server to get my users logged in my linux box.
I hope someone understand this scenario and can be able to help me.
Thanks in advance.