sssd troubles under load
by Orion Poplawski
We're having some trouble with sssd on centos 7 under load on a VPS.
389ds ldap server for id/auth. Part may be an issue with the VPS, but
I'm trying to track down all possible issues.
Also, we realized that we were running in a bit of a bad state - the
primary ldap server was not available, but the backup was.
Some logs:
General question, is this bad?:
(Tue Jan 6 23:17:43 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
see that fairly frequently.
Trouble:
(Tue Jan 6 22:30:31 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:30:31 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:30:36 2015) [sssd[be[default]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Jan 6 22:30:36 2015) [sssd[be[default]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'server.com': Timeout while contacting DNS servers
(Tue Jan 6 22:30:36 2015) [sssd[be[default]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (server.com), resolver returned (5)
(Tue Jan 6 22:30:45 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:30:45 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:30:45 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Tue Jan 6 22:30:45 2015) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jan 6 22:30:45 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jan 6 22:31:52 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:31:52 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:31:52 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:31:52 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:32:00 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Tue Jan 6 22:32:00 2015) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jan 6 22:32:00 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jan 6 22:33:07 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:33:07 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:33:07 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:33:07 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:33:08 2015) [sssd[be[default]]] [get_single_value_as_string] (0x0080): More than one value found.
(Tue Jan 6 22:33:08 2015) [sssd[be[default]]] [sdap_set_config_options_with_rootdse] (0x0020): get_naming_context failed.
(Tue Jan 6 22:33:14 2015) [sssd[be[default]]] [get_single_value_as_string] (0x0080): More than one value found.
(Tue Jan 6 22:33:14 2015) [sssd[be[default]]] [sdap_set_config_options_with_rootdse] (0x0020): get_naming_context failed.
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [be_resolve_server_process] (0x0040): The fail over cycled through all available servers
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [be_resolve_server_process] (0x0040): The fail over cycled through all available servers
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [be_resolve_server_process] (0x0040): The fail over cycled through all available servers
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:34:06 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:34:16 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:34:16 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Tue Jan 6 22:34:16 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan 6 22:34:16 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
don't know why it wasn't able to reconnect to the backup, or perhaps it
did, but just not logged.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
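The excerpt above is tedious to read by eye once a mail client has wrapped it. The following is an added example, not code from the post or from the sssd project, that parses entries of the form `(timestamp) [process] [function] (0xlevel): message`, groups the failures seen in this thread into categories, and measures how long the backend took to go offline. The sample entries are the post's own, re-joined onto one line each; the category names are this script's own, and the level names follow sssd.conf(5).

```python
import re
from collections import Counter
from datetime import datetime

# Sample taken from the post above, re-joined onto one line per entry
# (the mail client wrapped the originals mid-entry).
SAMPLE_LOG = """\
(Tue Jan  6 22:30:31 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
(Tue Jan  6 22:30:36 2015) [sssd[be[default]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Jan  6 22:30:36 2015) [sssd[be[default]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'server.com': Timeout while contacting DNS servers
(Tue Jan  6 22:30:45 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Tue Jan  6 22:30:45 2015) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jan  6 22:30:45 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jan  6 22:33:08 2015) [sssd[be[default]]] [sdap_set_config_options_with_rootdse] (0x0020): get_naming_context failed.
(Tue Jan  6 22:34:06 2015) [sssd[be[default]]] [be_resolve_server_process] (0x0040): The fail over cycled through all available servers
(Tue Jan  6 22:34:06 2015) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jan  6 23:17:43 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""

# Debug-level bits as documented in sssd.conf(5); only the ones that occur in
# the excerpt are named, anything else is reported as "other".
LEVEL_NAMES = {
    0x0010: "critical_failure",
    0x0020: "serious_failure",
    0x0040: "minor_failure",
    0x0080: "config_setting",
}

# One entry per line: (timestamp) [process] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Ordered rules, first match wins: the specific "Going offline" line is
# tested before the generic "... failed" patterns.
RULES = [
    ("offline", re.compile(r"^Going offline")),
    ("failover_exhausted", re.compile(r"fail over cycled through all")),
    ("no_servers", re.compile(r"^No available servers")),
    ("resolver_failed", re.compile(r"resolve server|hosts database failed")),
    ("connect_failed", re.compile(r"connect.*failed|^Failed to connect")),
    ("lookup_failed", re.compile(r"^Failed to retrieve")),
    ("rootdse_failed", re.compile(r"get_naming_context failed")),
]


def parse_line(line):
    """Return a dict for a well-formed sssd log line, None for anything else
    (blank lines, or the continuation fragments a mail client produces when
    it wraps a long entry)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse the padded day-of-month ("Jan  6") before parsing.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    level = int(m["level"], 16)
    return {"ts": ts, "proc": m["proc"], "func": m["func"],
            "level": LEVEL_NAMES.get(level, "other"), "msg": m["msg"]}


def classify(entry):
    for category, pattern in RULES:
        if pattern.search(entry["msg"]):
            return category
    return "other"


def summarize(log_text):
    """Count events by category and level, and time the first offline transition."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_category = Counter(classify(e) for e in entries)
    by_level = Counter(e["level"] for e in entries)
    # be_run_offline_cb is the function that fires when the backend gives up.
    offline_at = [e["ts"] for e in entries if e["func"] == "be_run_offline_cb"]
    seconds_to_first_offline = None
    if entries and offline_at:
        seconds_to_first_offline = (offline_at[0] - entries[0]["ts"]).total_seconds()
    return {
        "parsed": len(entries),
        "by_category": dict(by_category),
        "by_level": dict(by_level),
        "offline_events": len(offline_at),
        "offline_at": [t.strftime("%H:%M:%S") for t in offline_at],
        "seconds_to_first_offline": seconds_to_first_offline,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```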
Re: [SSSD-users] idmaping, AD multi domain forest
by John Hodrien
On 20 Jan 2015 10:28, Longina Przybyszewska <longina(a)sdu.dk> wrote:
>
> Thanks for your answer-you sound very sceptic so I would be very happy if you can deepen your meaning;
> Is my goal possible to achieve, is this the right strategy?? -
> to integrate Linux into AD with SSSD , NFS mounted homedir with Kerberos security, cross realm authentication,
> with Posix attributes for user/group objects in AD .
>
> I have to mention that my boss supports me, and my MS-admin colleagues have a positive attitude for the project.
I've done all of that other than the cross realm bit, and it works like a charm.
jh
Re: [SSSD-users] idmaping, AD multi domain forest
by Longina Przybyszewska
Thanks for your answer - you sound very sceptical, so I would be very happy if you can deepen your meaning;
Is my goal possible to achieve, is this the right strategy?? -
to integrate Linux into AD with SSSD, NFS mounted homedir with Kerberos security, cross realm authentication,
with Posix attributes for user/group objects in AD.
I have to mention that my boss supports me, and my MS-admin colleagues have a positive attitude for the project.
Best,
Longina
Kind regards
Longina
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-
> bounces(a)lists.fedorahosted.org] On Behalf Of Jakub Hrozek
> Sent: 19 January 2015 21:51
> To: sssd-users(a)lists.fedorahosted.org
> Subject: Re: [SSSD-users] idmaping, nfs4krb, AD multi domain forest
>
> On Fri, Jan 16, 2015 at 02:34:19PM +0000, Longina Przybyszewska wrote:
> >
> > Hi,
> > We have problems with authorization to the nfs mounted share with
> sec=krb5 in multi domain AD forest environment.
> >
> > When server, client and user are from the same native domain, user’s
> login,nfs+krb mount and access to nfs mounted share works fine.
> > server(a)nat.c.example.com
> > client(a)nat.c.example.com
> > user-n(a)nat.c.example.com
> >
> > When user is from another domain, login(via ssh, GUI) and nfs+krb
> > mount works; User gets ‘Permission denied ‘ to the nfsshare for rw
> > server(a)nat.c.example.com client(a)nat.c.example.com
> > user-a(a)adm.c.example.com
> >
> > AD user test accounts (user-n, user-a) have Posix attributes ; AD
> > groups for Posix enabled users have Posix gids;
> >
> > Test users are members of universal group usr-sdu-glu(a)c.example.com;
> >
> > SSSD is configured identically on client and server:
> >
> >
> > [sssd]
> > domains = nat.c.example.com
> > config_file_version = 2
> > services = nss, pam
> >
> > [pam]
> > pam_verbosity = 3
> > debug_level = 9
> >
> > [domain/nat.c.example.com]
> >
> > debug_level = 9
> > ad_domain = nat.c.example.com
> > ad_hostname = host.nat.c.example.com
> > krb5_realm = NAT.C.EXAMPLE.COM
> > #cache_credentials = True
> > id_provider = ad
> > access_provider = ad
> > chpass_provider = ad
> > auth_provider = ad
> > #
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > use_fully_qualified_names = False
> > #use_fully_qualified_names = True
> > fallback_homedir = /home-local/%d/%u
> > ldap_user_principal = userPrincipalName
> >
> > ------
> > On client machine , in the “Permission denied” session, all AD groups,
> > ids are shown correctly using id, getent ;
> >
> > Obviously configuring nfs idmapping requires special attention in multi
> domain trust (doesn't seem trivial using UMICH method!).
> > Maybe some other AD specifics should be considered as well.
>
> I don't know enough about NFSv4 + Kerberos to assess whether there is
> some gotcha in that part of configuration, but I'll try to answer the rest..
>
> >
> > In the SSSD documentation is mentioned PAC service.
> > Here come my questions:
> >
> > Do we need PAC service enabled to get properly resolved AD groups in
> Kerberos context between domains?
>
> No. Also above you said that all groups are resolved correctly. Isn't that the
> case?
>
> >
> > Is it possible in the 1.11.7 version and with (kernel 3.13.0-44) to integrate
> SSSD plugin nfsidmap_sss.so introduced first in 1.12.1?
>
> If you compile the plugin yourself, then yes. I'm not sure if it would help you,
> though.
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
idmaping, nfs4krb, AD multi domain forest
by Longina Przybyszewska
Hi,
We have problems with authorization to the nfs mounted share with sec=krb5 in a multi-domain AD forest environment.
When server, client and user are from the same native domain, the user's login, nfs+krb mount and access to the nfs mounted share work fine.
server(a)nat.c.example.com
client(a)nat.c.example.com
user-n(a)nat.c.example.com
When the user is from another domain, login (via ssh, GUI) and nfs+krb mount work; the user gets 'Permission denied' to the nfs share for rw:
server(a)nat.c.example.com
client(a)nat.c.example.com
user-a(a)adm.c.example.com
AD user test accounts (user-n, user-a) have Posix attributes;
AD groups for Posix enabled users have Posix gids;
Test users are members of the universal group usr-sdu-glu(a)c.example.com;
SSSD is configured identically on client and server:
[sssd]
domains = nat.c.example.com
config_file_version = 2
services = nss, pam
[pam]
pam_verbosity = 3
debug_level = 9
[domain/nat.c.example.com]
debug_level = 9
ad_domain = nat.c.example.com
ad_hostname = host.nat.c.example.com
krb5_realm = NAT.C.EXAMPLE.COM
#cache_credentials = True
id_provider = ad
access_provider = ad
chpass_provider = ad
auth_provider = ad
#
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
#use_fully_qualified_names = True
fallback_homedir = /home-local/%d/%u
ldap_user_principal = userPrincipalName
------
On the client machine, in the "Permission denied" session, all AD groups and ids are shown correctly using id, getent;
Obviously configuring nfs idmapping requires special attention in a multi-domain trust (doesn't seem trivial using the UMICH method!).
Maybe some other AD specifics should be considered as well.
The SSSD documentation mentions the PAC service.
Here come my questions:
Do we need the PAC service enabled to get properly resolved AD groups in a Kerberos context between domains?
Is it possible in version 1.11.7 and with kernel 3.13.0-44 to integrate the SSSD plugin nfsidmap_sss.so, first introduced in 1.12.1?
Best,
Longina
Re: [SSSD-users] SSSD starts, then stops
by Lukas Slebodnik
On (12/01/15 13:39), Christian Tardif wrote:
>It looks like it exited gracefully, from my sssd.log
>
>I'm using sssd version 1.11.6
>
>I'm attaching all (rather big) logs
>
>From sssd.log:
(Mon Jan 12 08:32:56 2015) [sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Jan 12 08:32:56 2015) [sssd] [mt_svc_exit_handler] (0x0040): Child [SERVINFO] terminated with signal [6]
signal 6 is SIGABRT.
Could you provide coredump?
If you are using CentOS or Fedora then the simplest way is to use abrt.
LS
sssd-ad : AD Authenticated users cant run 'su -' or 'su - root'
by Chris Price
Platform is RHEL 6 Update 6.
Relevant RPMs are:
sssd-ad-1.11.6-30.el6.x86_64
krb5-workstation-1.10.3-33.el6.x86_64
PAM was set up using "authconfig --enablesssd --enablesssdauth --enablemkhomedir --update"
I have test users successfully authenticating against a test domain server
with both the test linux RHEL6U6 box and the Windows 2008R2 AD server on
an isolated subnet.
After I log in to the RHEL6U6 box with an AD user via either ssh or
the console I cannot run 'su - <username>' to any other user, either AD
based or local password file based. All I get is an 'incorrect password'
error message.
My sssd.conf:
[sssd]
config_file_version = 2
domains = CORPTEST.LOCAL
services = nss, pam
debug_level = 10
timeout = 300
[domain/CORPTEST.LOCAL]
id_provider = ad
auth_provider = ad
access_provider = ad
debug_level = 10
ldap_id_mapping = False
default shell = /bin/bash
fallback_homedir = /home/%u
use_fully_qualified_names = False
nsswitch.conf has these lines for passwd, shadow and group:
passwd: files sss
shadow: files sss
group: files sss
/etc/pam.d/system-auth-ac (not hand edited at all)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
The sssd-ad package in rhel6 update 6 is fairly new and as such I've been
able to find limited web resources about its config directives.
Any help you can provide will be appreciated.
Cheers,
Chris
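How far a `su` attempt gets through the auth section above, and which module actually judges the password, follows from Linux-PAM's control-flag rules. The simulator below is an added example, not Linux-PAM, sssd or authconfig code: it walks the six posted auth lines with the ok/bad/die/done/ignore semantics from pam.conf(5). Which modules would accept the password is an input you choose (the `unix_accepts` and `sss_accepts` arguments, and the pam_env/pam_fprintd verdicts, are assumptions); pam_succeed_if's `uid >= 500` test is evaluated from its arguments, so the target uid decides whether pam_sss.so is ever consulted.

```python
import operator
import re

# The auth section of /etc/pam.d/system-auth-ac exactly as posted.
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""

# Linux-PAM's documented expansion of the keyword controls (pam.conf(5));
# new_authtok_reqd is omitted because the simulation never produces it.
KEYWORD_CONTROLS = {
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

COMPARE = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
           ">=": operator.ge, "=": operator.eq, "!=": operator.ne}

# type, keyword-or-[bracketed] control, module, remaining arguments
ENTRY_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")


def parse_stack(text):
    """Parse pam.d lines into records with the control expanded to a table."""
    stack = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        facility, control, module, args = ENTRY_RE.match(raw).groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        stack.append({"type": facility, "control": table,
                      "module": module, "args": args.split()})
    return stack


def module_result(entry, target_uid, outcomes):
    """Name of the module's return code.  pam_deny always fails and
    pam_succeed_if evaluates its 'uid <op> N' test for real; every other
    module's verdict is read from the `outcomes` table (an assumption)."""
    module = entry["module"]
    if module == "pam_deny.so":
        return "auth_err"
    if module == "pam_succeed_if.so":
        field, op, value = [a for a in entry["args"] if a != "quiet"][:3]
        if field != "uid":
            raise ValueError(f"only uid tests are modelled, got {field}")
        return "success" if COMPARE[op](target_uid, int(value)) else "auth_err"
    return outcomes.get(module, "ignore")


def run_stack(stack, target_uid, outcomes):
    """Walk the stack the way Linux-PAM's dispatcher does.
    Returns (final status, trace of (module, result, action))."""
    status, trace = None, []
    for entry in stack:
        result = module_result(entry, target_uid, outcomes)
        action = entry["control"].get(result, entry["control"].get("default", "bad"))
        trace.append((entry["module"], result, action))
        if action == "ignore":
            continue
        if action not in ("ok", "done", "bad", "die"):
            raise ValueError(f"unsupported action {action}")
        # The first failure fixes the stack's status; later successes cannot
        # overturn it, and "done" only short-circuits while the status is good.
        if status in (None, "success"):
            status = result
        if (action == "done" and status == "success") or action == "die":
            break
    return (status if status is not None else "perm_denied"), trace


def simulate_su(target_uid, unix_accepts, sss_accepts):
    """Run the posted auth stack for 'su - <target>' with assumed verdicts."""
    outcomes = {
        "pam_env.so": "ignore",                # assumed: sets env vars, no auth
        "pam_fprintd.so": "authinfo_unavail",  # assumed: no fingerprint reader
        "pam_unix.so": "success" if unix_accepts else "auth_err",
        "pam_sss.so": "success" if sss_accepts else "auth_err",
    }
    return run_stack(parse_stack(AUTH_STACK), target_uid, outcomes)


if __name__ == "__main__":
    for uid, unix_ok, sss_ok in [(0, False, True), (10000, False, True), (1000, True, False)]:
        status, trace = simulate_su(uid, unix_ok, sss_ok)
        print(f"target uid {uid}: {status}; consulted {[m for m, _, _ in trace]}")
```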
SSSD starts, then stops
by Christian Tardif
Hi,
I have SSSD installed and set up as I have done numerous times. But this time,
it refuses to work correctly.
The domain is a samba 4.1.14 domain with rfc2307 enabled (and users
provisioned accordingly). SSSD has been set up as:
========================================================
[domain/THEDOMAIN]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
ldap_uri = ldap://THESERVERDOMAIN/
ldap_search_base = dc=THEDOMAIN,dc=THESUFFIX
ldap_default_bind_dn = cn=ldap,cn=users,dc=THEDOMAIN,dc=THESUFFIX
ldap_default_authtok = *********************
ldap_default_authtok_type = password
ldap_user_object_class = user
ldap_user_search_base = cn=users,dc=THEDOMAIN,dc=THESUFFIX
ldap_group_object_class = group
ldap_group_search_base = cn=users,dc=THEDOMAIN,dc=THESUFFIX
ldap_id_mapping = false
#ldap_schema = ad
ldap_schema = rfc2307bis
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
ldap_network_timeout = 6
override_gid = 100
enumerate = true
cache_credentials = true
cache_sensitive = false
entry_cache_timeout = 600
debug_level = 9
[sssd]
services = nss, pam
config_file_version = 2
domains = THEDOMAIN
debug_level = 9
[nss]
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd
override_homedir = /home/%u
default_shell = /bin/bash
debug_level = 9
[pam]
[sudo]
[autofs]
[ssh]
========================================================
When I start sssd, the users from the domain appear for a few seconds,
then disappear, corresponding, obviously, with the moment that sssd
dies. From the logs, there's nothing, from what I can understand, that
leads to a solution to fix this.
Can someone help me with that?
Thanks,
--------------------------------------------------------------------------------
Christian
Announcing SSSD 1.12.3
by Jakub Hrozek
=== SSSD 1.12.3 ===
The SSSD team is proud to announce the release of version 1.12.3 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 21 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This is mostly a bug fixing release with only minor enhancements visible
to the end user
* Contains many fixes and enhancements related to the ID views functionality of
FreeIPA servers
* SSSD now allows the IPA client to move from one ID view to another
after SSSD restart
* It is possible to apply ID views to IPA domains as well. Previous SSSD
versions only allowed views to be applied to AD trusted domains
* Overriding SSH public keys is supported in this release
* This release contains several fixes and enhancements related to users
and groups from trusted AD domains
* When a trusted AD domain is disabled on the server side, access is
denied for users logging in from these domains
* External group memberships (i.e. memberships in IPA groups) are now
resolved correctly for trusted AD users
* The localauth plugin configuration is written into the pubconf directory
which should be included from krb5.conf on IPA clients. As a result,
the localauth plugin should be configured automatically on IPA clients.
* Password change when One-Time-Passwords are used was fixed
* The tokenGroups support was disabled by default in the LDAP provider. The
tokenGroups support is still enabled by default in the AD provider
* Simple access provider skips user or group names that can't be resolved
if only allow rules are configured
== Packaging Changes ==
* Support for running SSSD as a non-privileged user was added. SSSD's
directories must be owned by this user, hence SSSD needs to be
configured properly at build time, using the new configure option
--with-sssd-user. Additionally, the non-privileged user must also be
selected in sssd.conf using the "user" configuration option.
== Documentation Changes ==
* A new configuration option "krb5_confd_path" was added. This option
specifies the directory where SSSD places Kerberos configuration snippets.
* The default value of "ldap_user_uuid" was changed to be "objectSID"
for the AD back end and unset for all other back ends.
* The option "ldap_use_tokengroups" changed its default value to True
for AD and IPA providers only.
* The "allowed_shells" option newly accepts the wildcard ("*") value, allowing any shell
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1195
4 functions with reference leaks within sssd (src/python/pyhbac.c)
https://fedorahosted.org/sssd/ticket/1939
Create unit test for be_ptask
https://fedorahosted.org/sssd/ticket/2102
disable midpoint refresh for netgroups if ptask refresh is enabled
https://fedorahosted.org/sssd/ticket/2219
Shell fallback mechanism in SSSD
https://fedorahosted.org/sssd/ticket/2370
sssd should run under unprivileged user
https://fedorahosted.org/sssd/ticket/2372
SELinux: Audit changes to the SELinux label files
https://fedorahosted.org/sssd/ticket/2404
Remove password from the PAM stack if OTP is used
https://fedorahosted.org/sssd/ticket/2430
sssd segfaults repeatedly with error 4 in memberof.so
https://fedorahosted.org/sssd/ticket/2439
Return a different errno from client when sssd is not running.
https://fedorahosted.org/sssd/ticket/2445
Race condition while invalidating memory cache in client code
https://fedorahosted.org/sssd/ticket/2451
sssd-ldap man page changes, add 'access_provider = ldap' as a requirement 'ldap_access_order = for lockout'
https://fedorahosted.org/sssd/ticket/2454
[RFE] Views: apply user SSH public key override
https://fedorahosted.org/sssd/ticket/2456
Error message not helpful if extdom lookup fails
https://fedorahosted.org/sssd/ticket/2460
service lookups returned in lowercase with case_sensitive=preserving
https://fedorahosted.org/sssd/ticket/2461
Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving
https://fedorahosted.org/sssd/ticket/2462
Manpage description of case_sensitive=preserving is incomplete
https://fedorahosted.org/sssd/ticket/2464
Use ldap_extra_attrs when requesting attributes from extdom plugin
https://fedorahosted.org/sssd/ticket/2467
Set the right permissions in Makefile.am when installing from source
https://fedorahosted.org/sssd/ticket/2468
Don't set the umask in the utility function that creates sockets
https://fedorahosted.org/sssd/ticket/2470
refactor create_pipe_fd()
https://fedorahosted.org/sssd/ticket/2473
RFE: Add a configuration option to specify where a snippet with sssd_krb5_localauth_plugin.so is generated
https://fedorahosted.org/sssd/ticket/2475
Wrong results returned with enumeration
https://fedorahosted.org/sssd/ticket/2477
SSSD doesn't tell that it can't start because of no longer existent ID range
https://fedorahosted.org/sssd/ticket/2481
ID Views implementation does not support IPA user&group overrides
https://fedorahosted.org/sssd/ticket/2484
Password change over ssh doesn't work with OTP and FreeIPA
https://fedorahosted.org/sssd/ticket/2487
sssd does not work with custom value of option re_expression
https://fedorahosted.org/sssd/ticket/2490
dereferencing failure against openldap server
https://fedorahosted.org/sssd/ticket/2492
Group membership gets lost in IPA server mode
https://fedorahosted.org/sssd/ticket/2498
"debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.
https://fedorahosted.org/sssd/ticket/2501
pam_sss domains option: Untrusted users from the same domain are allowed to auth.
https://fedorahosted.org/sssd/ticket/2503
Use the MEMORY ccache to pass around keytab contents
https://fedorahosted.org/sssd/ticket/2506
Check unlink return values to silence Coverity warnings
https://fedorahosted.org/sssd/ticket/2510
The Kerberos provider is not properly views-aware
https://fedorahosted.org/sssd/ticket/2512
selinuxusermap rule does not apply to trusted AD users
https://fedorahosted.org/sssd/ticket/2514
gid is overridden by uid in default trust view
https://fedorahosted.org/sssd/ticket/2516
pam_sss domains option: User auth should fail when domains=<emtpy value>
https://fedorahosted.org/sssd/ticket/2518
SSSD master doesn't build on RHEL-6
https://fedorahosted.org/sssd/ticket/2519
SSSD should not fail authentication when only allow rules are used
https://fedorahosted.org/sssd/ticket/2520
Crash in function get_object_from_cache
https://fedorahosted.org/sssd/ticket/2521
be_ptask unit test fails sometimes
https://fedorahosted.org/sssd/ticket/2524
getent fails for posix group with AD users after login
https://fedorahosted.org/sssd/ticket/2526
User is unable to authenticate if the option krb5_fast_principal is NULL
https://fedorahosted.org/sssd/ticket/2529
IPA: incomplete group memberships for AD users on IPA clients
https://fedorahosted.org/sssd/ticket/2530
MAN: Document that only usernames are checked for pam_trusted_uids
https://fedorahosted.org/sssd/ticket/2535
Access is not rejected for disabled domain
https://fedorahosted.org/sssd/ticket/2537
sssd-libwbclient conflicts with Samba's and causes crash in wbinfo
== Detailed Changelog ==
Carlos A. Munoz (1):
* Add zanata.xml file for integration with Zanata command line client
Dan Lavu (3):
* MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451
* MAN: page edit for ldap_use_tokengroups
* MAN: Clarify ad_gpo_map* options
Denis Kutin (1):
* NSS: Possibility to use any shells in 'allowed_shells'
Jakub Hrozek (68):
* Updating the version for the 1.12.3 development
* SSSD: Add the options to specify a UID and GID to run as
* SSSD: Chown the log files
* UTIL: Use a custom PID_PATH and DB_PATH when unit testing server.c
* TESTS: Unit tests can use confdb without using sysdb
* TESTS: Unit tests for server_setup
* RPM: Package the libsss_semanage.so library
* IPA: Handle NULL members in process_members()
* UTIL: Add a function to convert id_t from a number or a name
* BUILD: Add a config option for sssd user, own private directories as the user
* RPM: Change file ownership to sssd.sssd
* SSSD: Load a user to run a service as from configuration
* SBUS: Chown the sbus socket if needed
* SBUS: Allow connections from other UIDs
* BE: Own the sbus socket as the SSSD user
* NSS: Run as a user specified by monitor
* TEST: Unit test for create_pipe_fd
* AUTOFS: Run the autofs responder as the SSSD user
* PAC: Run the pac responder as the SSSD user
* SUDO: Run the sudo responder as the SSSD user
* SSH: Run the ssh responder as the SSSD user
* GPO: Terminate request on error
* TESTS: Add tests for the views-related option maps
* IPA: Don't fail the request when BE doesn't find the object
* IPA: Rename user_dom into obj_dom
* BUILD: Install ldap_child and as setuid if running under non-privileged user
* LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
* LDAP: read the correct data type from ldap_child's input buffer
* LDAP: Drop privileges after kinit in ldap_child
* UTIL: Remove code duplication of struct io
* UTIL: Remove more code duplication setting up child processes
* IPA: Move setting the SELinux context to a child process
* BE: Make struct bet_queue_item private to sssd_be
* BUILD: Install krb5_child as suid if running under non-privileged user
* KRB5: Drop privileges in the child, not the back end
* KRB5: Move ccache-related functions to krb5_ccache.c
* KRB5: Move checking for illegal RE to krb5_utils.c
* KRB5: Move all ccache operations to krb5_child.c
* KRB5: Do not switch_creds() if already the specified user
* BUILD: Use separate chown to make changing ownership to the sssd user non-fatal
* BUILD: Make chown of files to sssd user non-fatal
* BUILD: Touch files in DESTDIR
* BE: Become a regular user after initialization
* BE: Fix a debug message
* IPA: Handle IPA groups returned from extop plugin
* Hint about removing sysdb if initializing ID map fails
* PAM: Make pam_forwarder_parse_data static
* SBUS: Initialize DBusError before using it
* PAM: Check for trusted domain before sending the request to BE
* PAM: Move is_uid_trusted from pam_ctx to preq
* TESTS: Basic child tests
* Add extra_args to exec_child()
* KRB5: Create the fast ccache in a child process
* LDAP: Remove useless include
* sss_atomic_write_s() return value is signed
* KRB5: Relax DEBUG message
* TESTS: Build test_child even without cmocka
* Rename test-child to dummy-child
* CI: Suppress memory errors from poptGetNextOpt
* tests: Free popt_context
* IFP: Return group names with the right case
* KRB5: Check FAST kinit errors using get_tgt_times()
* Skip CHAUTHTOK_PRELIM when using OTPs
* PAM: Domain names are case-insensitive
* PAM: Missing argument to domains= should fail auth
* MAN: Misspelled username in pam_trusted_users is not fatal
* RESPONDER: Log failures to resolve user names in csv_string_to_uid_array
* Updating translations for the 1.12.3 release
Lukas Slebodnik (28):
* BUILD: Fix automake warning
* test_server: Fix waiting for background process
* SPEC: Print testsuite log for failed test
* SBUS: Fix error handling after closing container
* BUILD: Fix linking cwrap tests with -Wl,--as-needed
* test_sysdb_views: Use unique directory for cache
* IPA: Store right username to selinux child context
* PAM: Remove authtok from PAM stack with OTP
* NSS: Fix warning enumerated type mixed with another type
* Revert "LDAP: Change defaults for ldap_user/group_objectsid"
* AD: Change level of debug message
* CI: Build sssd on debian with samba support
* LDAP: Disable token groups by default
* sss_client: Extract destroying of mmap cache to function
* sss_client: Fix race condition in memory cache
* krb5: Check return value of krb5_principal_get_realm
* krb5: Check return value of sss_krb5_princ_realm
* AD: Set dp_error if gc was not used
* TOOLS: sss_debuglevel should work with ifp responder
* CI: Update valgrind suppression database for libselinux
* IPA: Do not append domain name to fq name
* sss_client: Work around glibc bug
* MAKE: Fix linking of test_child_common
* UTIL: Fix dependencies of internal sss libraries
* BUILD: Install libsss_crypt after its dependencies
* MONITOR: Disable inlining of function load_configuration
* krb5_child: Initialize REALM earlier
* IPA: properly handle groups from different domains
Michal Zidek (21):
* util: Move semanage related functions to src/util
* sss_semanage: Add mlsrange parameter to set_seuser
* IPA: Use set_seuser instead of writing selinux login file
* MONITOR: Allow confdb to be accessed by nonroot user
* SYSDB: Allow calling chown on the sysdb file from monitor
* responder_common: Create fd for pipe in helper
* responders: Do not initialize pipe fd if already present
* PAM: Create pipe file descriptors before privileges are dropped
* PAM: Run pam responder as nonroot
* nss: preserve service name in getsrv call
* MONITOR: Fix warning may be used uninitialized
* selinux_child: Do not ignore return values.
* proxy: Do not try to store same alias twice
* PROXY: Preserve service name in proxy provider
* MAN: Update case_sensitive=Preserving in man pages.
* Man: debug_timestamps and debug_microseconds
* test: Wrong parameter type in sss_parse_name_check
* util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
* util: sss_get_domain_name regex mismatch not fatal
* confdb: Make confdb_set_string accept const char pointer
* AD: Never store case_sensitive as "true" to confdb
Nikolai Kondrashov (1):
* CI: Remove Clang analyzer
Pavel Březina (8):
* IPA: use ipaUserGroup object class for groups
* be_ptask: create a private header file
* be_ptask: handle OFFLINE_DISABLE mode before task execution
* be_ptask: add next_execution time to struct be_ptask
* be_ptask: do not store sync ctx to _task
* tests: be_ptask
* be_ptask: let backoff affect only period
* be_ptask: use gettimeofday() instead of time()
Pavel Reichl (20):
* TESTS: Add -std=gnu99 to cwrap tests CFLAGS
* Fix debug messages - trailing '.'
* pyhbac,pysss: fix reference leaks
* RESPONDERS: refactor create_pipe_fd()
* RESPONDERS: Don't hard-code umask value in utility function
* RESPONDERS: Set default value for umask
* CONFDB: Detect&fix misconf opt refresh_expired_interval
* NSS: disable midpoint refresh for netgroups
* SYSDB: sysdb_idmap_get_mappings returns ENOENT
* Fix: always check return value of unlink()
* BUILD: restrict perms. when installing from source
* SYSDB: sysdb_get_bool() return ENOENT & unit tests
* simple access provider: non-existing object
* simple-access-provider: break matching allowed users
* LDAP: retain external members
* TESTS: sysdb_delete_by_sid() test return value
* NSS: nss_cmd_getbysid_search return ENOENT
* SYSDB: sysdb_search_object_by_sid returns ENOENT
* CONFDB: Typo in debug message
* TESTS: typo in 'assert message'
Stephen Gallagher (1):
* monitor: Service restart fixes
Sumit Bose (48):
* ipa: fix issues with older servers not supporting views
* ipa: improve error reporting for extdom LDAP exop
* ipa_subdomains_handler_master_done: initialize reply_count
* nss: group enumeration fix
* sdap_print_server: use getpeername() to get server address
* IFP: Fix typo in debug message
* memberof: check for empty arrays to avoid segfaults
* Add add_strings_lists() utility function
* IPA: inherit ldap_user_extra_attrs to AD subdomains
* Add parse_attr_list_ex() helper function
* nss: parse user_attributes option
* nss: return user_attributes in origbyname request
* sysdb_get_user_attr_with_views: add mandatory override attributes
* sysdb_add_overrides_to_object: add new parameter and multi-value support
* Views: apply user SSH public key override
* Add test for sysdb_add_overrides_to_object()
* Add ssh pubkey to origbyname request
* Revert "LDAP: Remove unused option ldap_user_uuid"
* Revert "LDAP: Remove unused option ldap_group_uuid"
* Fix uuid defaults
* sysdb: add sysdb_search_object_by_uuid()
* ipa: add split_ipa_anchor()
* LDAP: add support for lookups by UUID
* LDAP: always store UUID if available
* ipa: add get_be_acct_req_for_uuid()
* IPA: make get_object_from_cache() public
* IPA: check overrides for IPA users as well
* Enable views for all domains
* Fix KRB5_CONF_PATH
* AD/IPA: add krb5_confd_path configuration option
* sysdb: add sysdb_delete_view_tree()
* sysdb: add sysdb_invalidate_overrides()
* views: allow view name change at startup
* krb5: make krb5 provider view aware
* IPA: only update view data if it really changed
* krb5: do not fail if checking the old ccache failed
* test: avoid leaks in leak tests
* krb5: add copy_ccache_into_memory()
* krb5: add copy_keytab_into_memory()
* ldap_child: copy keytab into memory to drop privileges earlier
* krb5_child: become user earlier
* krb5: add wrapper for krb5_kt_have_content()
* krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
* IPA: verify group memberships of trusted domain users
* IPA: do not try to add override gid twice
* IPA: handle GID overrides for MPG domains on clients
* libwbclient: initialize some return values
* Add test for sysdb_store_override
rfc2307bis
by Brendan Kearney
i am so close yet so far...
i have an older env with ldap, kerberos, sasl and sssd using rfc2307.
i built a new env with ldap, kerberos, sasl and sssd using rfc2307bis.
i am finding that when i ssh into one of the new boxes and run "id", i
am only getting back:
uid=1000(brendan) gid=1000(brendan) groups=1000(brendan)
the info is all the rfc2307/posix info, and not any of the rfc2307bis
info. i am a member of several other groups that are groupOfNames
objects, but the "id" command is not returning them.
is there a client side config that i am missing, in order to get the
group memberships of groupOfNames groups? i imagine i could add the
posixAccount object class to those groupOfNames groups, but wanted to
make sure that was the only/right way to do things before i did it.
i am not clueless, just have one clue less...
brendan