RHEL 6.7 sssd version
by John Beranek
So, RHEL 6.7 has been released, but I was surprised at the version
contained in it:
1.12.4-47.el6
Does this version have the important fixes in it? I thought 1.12.5 was
required...
Cheers,
John
--
John Beranek
http://redux.org.uk/
"To generalise is to be an idiot." -- William Blake
8 years, 9 months
Re: [SSSD-users] RHEL 6.7 sssd version
by Jakub Hrozek
On Thu, Jul 23, 2015 at 12:56:50PM +0200, Lukas Slebodnik wrote:
> On (23/07/15 11:51), Jakub Hrozek wrote:
> >On Thu, Jul 23, 2015 at 10:30:54AM +0100, John Beranek wrote:
> >> So, RHEL 6.7 has been released, but I was surprised at the version
> >> contained in it:
> >>
> >> 1.12.4-47.el6
> >
> >That's a relic of how RHEL works. You can only put in a new tarball until
> >a certain point, then you're only allowed to add patches that address a
> >specific problem or RFE. That guarantees a certain level of stability.
> >
> >The -47 is "patch number", which means 47 bugs addressed atop 1.12.4. (I
> >normally use a patch number per bugzilla..)
> >
> >>
> >> Does this version have the important fixes in it? I thought 1.12.5 was
> >> required...
> >
> >1.12.4-47 in RHEL ~= 1.12.5 upstream
> >
> >Actually here is a diff between my git branch that tracks rhel-6.7 and
> >the upstream sssd-1-12 branch:
> > < d119324 Updating version for the 1.12.6 release
> > < 40f1824 Updating translations for the 1.12.5 release
> > < 45429eb PROXY: Do not register signal with SA_SIGINFO
> > < d3ff187 PROXY: proxy_child should work in non-root mode
> > < c494e10 krb5: new option krb5_map_user
> > < d788ec2 libwbclient-sssd: update interface to version 0.12
> > < 1590f8d LDAP: warn about lockout option being deprecated
> > < 39e33e3 SDAP: use DN to update entry
> > < fec528a LDAP: return after tevent_req_error
> ^^^^^^^
> I hope this missing patch will not cause troubles in rhel6.
setenv() is very unlikely to fail.
>
> We had similar bugs and they caused a use-after-free and then a crash.
>
> LS
8 years, 9 months
sssd+ad-provider + sudo slow
by Евгений
Hi All!
sssd with the ad provider works very well, but "sudo su -" is very slow the first time it is run (running it again takes <1 sec):
user1@host$ sudo su - (slow, ~8-15 sec).
user1 is a domain user and a member of many groups (300+) in Active Directory.
/etc/sssd/sssd.conf:
[domain/default]
cache_credentials = true
ignore_group_members = true
[domain/domain.local]
debug_level = 6
id_provider = ad
ad_server = msa-dc13.domain.local, msk-dc11.domain.local
ad_domain = domain.local
ad_hostname = msa-mailsys1.domain.local
override_homedir = /home/%u
override_shell = /bin/bash
ignore_group_members = true
# FILTER
access_provider = simple
simple_allow_groups = ROL-Linux-Admin
[sssd]
services = nss, pam, sudo
cache_credentials = true
config_file_version = 2
domains = domain.local
[nss]
debug_level = 6
[pam]
[sudo]
#debug_level = 9
In /var/log/sssd/sssd_nss.log there are more requests to the domain when sudo is run for the first time.
Is it possible to cache sudo operations, or is there some other way to get around this problem?
--
Eugene
8 years, 9 months
ssh passwordless with sssd-1.12.5
by Longina Przybyszewska
Hi,
I have SSSD set up with AD as auth/id provider in a multi-domain trust realm, with POSIX attributes in AD for users.
With this setup users can use short names (short names match the sAMAccountName in the AD user object) for login and get access to
their home directory, NFS-mounted with Kerberos security.
The "short user names" are unique across the domains in the realm.
The setup works fine, even after the recent sssd upgrade to 1.12.5 (all Linux clients run Ubuntu LTS).
We would like to establish passwordless ssh between all AD-integrated clients, and have problems.
The important detail is that all machines are in one domain, while users can be from other domains, including the machine's domain.
Until now, passwordless ssh is possible when user and machine are from the same domain.
Users from domains other than the machine's own domain are asked for a password.
All tickets for the host and nfs services in the user's cache seem to be OK.
After debugging the ssh/sshd session it seems that the ssh <--> sshd connection fails on user authorization.
Any ideas?
Ssh client side debug:
----------------------------------
[9537] 1436450526.619393: Got service principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.621139: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.621254: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.621355: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.621490: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 1059254370, subkey aes256-cts/4255, session key aes256-cts/2F16
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
[9537] 1436450526.623050: Convert service host (service with host as instance) on host lnx.a.c.realm to principal
[9537] 1436450526.624716: Remote host after forward canonicalization: lnx.a.c.realm
[9537] 1436450526.624760: Remote host after reverse DNS processing: lnx.a.c.realm
[9537] 1436450526.624793: Got service principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.626601: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.626719: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.626821: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.626984: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.627067: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.627162: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 778106202, subkey aes256-cts/CBE6, session key aes256-cts/2F16
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
sshd server side debug:
------------------------------------
....
debug2: input_userauth_request: setting up authctxt for longina [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "longina"
debug1: PAM: setting PAM_RHOST to "10.80.8.108"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: mm_request_send entering: type 42 [preauth]
debug3: mm_request_receive_expect entering: type 43 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 42
debug3: mm_request_send entering: type 43
Postponed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2 [preauth]
debug3: mm_request_send entering: type 44 [preauth]
debug3: mm_request_receive_expect entering: type 45 [preauth]
debug3: mm_request_send entering: type 47
Failed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2
debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 3 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 4 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
sssd.conf
-------------
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
#override_home_directory = /home/%u
[sssd]
debug_level = 6
domains = n.c.realm,a.c.realm,c.realm
#default_domain_suffix = c.realm
config_file_version = 2
services = nss,pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/n.c.realm]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = n.c.realm
krb5_realm = N.C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_hostname = lnx.a.c.realm
ad_gpo_access_control = disabled
[domain/a.c.realm]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.realm
krb5_realm = A.C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_hostname = lnx.a.c.realm
ad_gpo_access_control = disabled
[domain/c.realm]
debug_level = 9
dyndns_update = true
dyndns_update_ptr = false
ad_hostname = lnx.a.c.realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = c.realm
krb5_realm = C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_gpo_access_control = disabled
Best,
Longina
8 years, 9 months
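As an added example, not part of Longina's post: a Python pass over the sshd debug output above that records how far each gssapi-with-mic attempt got before failing, keyed on OpenSSH's privilege-separation message types (monitor.h: 42/43 GSSSETUP, 44/45 GSSSTEP, 46/47 GSSUSEROK; the sample log is a constructed excerpt of the lines quoted above).

```python
import re

# Constructed excerpt of the sshd debug output quoted in the post above.
SSHD_LOG = """\
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug3: mm_request_send entering: type 42 [preauth]
debug3: mm_request_receive_expect entering: type 43 [preauth]
Postponed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2 [preauth]
debug3: mm_request_send entering: type 44 [preauth]
debug3: mm_request_receive_expect entering: type 45 [preauth]
debug3: mm_request_send entering: type 47
Failed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2
debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
"""

# OpenSSH privilege-separation message types used by the gssapi-with-mic
# method (monitor.h): setup of the mechanism, one accept-sec-context step,
# and the "may this principal log in as this local user" question.
MONITOR_TYPES = {42: "setup", 43: "setup", 44: "step", 45: "step",
                 46: "userok", 47: "userok"}

ATTEMPT_RE = re.compile(r"userauth-request for user (\S+) .* method (\S+)")
TYPE_RE = re.compile(r"mm_request_(?:send|receive_expect) entering: type (\d+)")
RESULT_RE = re.compile(r"^(Accepted|Failed|Postponed) (\S+) for (\S+) from (\S+) port (\d+)")

def classify_gssapi_attempts(log_text):
    """Return one record per userauth attempt: user, method, the monitor
    stages seen, whether the GSSAPI context was established (Postponed)
    and the final result (accepted/failed)."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            cur = {"user": m.group(1), "method": m.group(2), "stages": [],
                   "context_established": False, "result": None, "peer": None}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        m = TYPE_RE.search(line)
        if m:
            stage = MONITOR_TYPES.get(int(m.group(1)))
            if stage and stage not in cur["stages"]:
                cur["stages"].append(stage)
            continue
        m = RESULT_RE.match(line)
        if m:
            cur["peer"] = f"{m.group(4)}:{m.group(5)}"
            if m.group(1) == "Postponed":
                cur["context_established"] = True  # ticket accepted, exchange continues
            else:
                cur["result"] = m.group(1).lower()
    return attempts

def diagnose(attempt):
    """Name the stage at which a gssapi-with-mic attempt stopped."""
    if attempt["result"] == "accepted":
        return "ok"
    if attempt["context_established"] and "userok" in attempt["stages"]:
        return "userok-rejected"   # authenticated, but not authorized as that local user
    if "step" in attempt["stages"]:
        return "context-failed"    # accept-sec-context itself failed (ticket/keytab)
    return "unknown"

if __name__ == "__main__":
    for a in classify_gssapi_attempts(SSHD_LOG):
        print(a["user"], a["method"], a["stages"], diagnose(a))
```

On this excerpt the Kerberos context is established (the Postponed line) and the failure arrives only with the answer to GSSUSEROK, the step at which sshd asks whether principal longina@N.C.REALM may log in as local user longina (krb5_kuserok: a .k5login entry or an auth_to_local rule), i.e. the authorization stage rather than a ticket problem.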
Unable to load modules for /var/lib/sss/db/cache_default.ldb: (null)
by Srinivasa Rao Ragolu
Hi All,
I am new to sssd. I have ported sssd for my embedded environment. Using
authconfig, I could create sssd.conf as well.
Followed Link:
https://onemoretech.wordpress.com/2014/02/23/sssd-for-ldap-auth-on-linux/
Problem:
When I run "service sssd start", the output in /var/log/sssd/sssd.log looks like this:
(Fri Jul 17 09:43:45 2015) [sssd] [ldb] (0x0010): WARNING: Module [memberof] not found - do you need to set LDB_MODULES_PATH?
(Fri Jul 17 09:43:45 2015) [sssd] [ldb] (0x0010): Unable to load modules for /var/lib/sss/db/cache_default.ldb: (null)
Could you please help me in resolving this issue? Please find the "authconfig --test" log and sssd.conf attached.
8 years, 9 months
Badly need your help in configuring sssd
by Srinivas
Hi All,
I am very new to sssd and trying to deploy sssd to our custom embedded
platform.
I was able to build sssd and its dependencies such as samba, openldap,
pam-nss-ldapd etc.
When I try to run authconfig, my output is:
+ NAME=nslcd
+ CONFIG=/etc/nslcd.conf
+ DAEMON=/usr/sbin/nslcd
+ DESC='LDAP connection daemon'
+ STATEDIR=/var/run/nslcd
+ PIDFILE=/var/run/nslcd/nslcd.pid
+ case "$1" in
+ start
+ '[' -e /var/run/nslcd/nslcd.pid ']'
+ echo -n 'Starting LDAP connection daemon...'
Starting LDAP connection daemon...+ start-stop-daemon --start --oknodo --pidfile /var/run/nslcd/nslcd.pid --startas /usr/sbin/nslcd
+ '[' 0 -eq 0 ']'
+ echo done.
done.
+ exit 0
But I cannot see any /etc/sssd/sssd.conf.
Please help me in getting sssd.conf.
If I run "sssd -f -D":
uration] (0x0010): ConfDB initialization has failed [Missing configuration file]
20): Configuration file: /etc/sssd/sssd.conf does not exist.
Also attaching the authconfig --test log.
Please help me in debugging this problem.
Thanks,
Srinivas.
8 years, 9 months
SSSD and multiple AD domains
by mathias dufresne
Hi all,
I'm trying to configure SSSD to access several domains at the same time and
I'm not able to achieve that.
The two domains are A.DOMAIN.TLD and B.DOMAIN.TLD.
Using that krb5.conf I can't retrieve any user from any domain:
---------------------------
[libdefaults]
default_realm = A.DOMAIN.TLD
dns_lookup_realm = true
dns_lookup_kdc = true
rdns_lookup_kdc = false
realm_try_domains = 0
[realms]
A.DOMAIN.TLD = {
default_domain = A.DOMAIN.TLD
}
B.DOMAIN.TLD = {
default_domain = B.DOMAIN.TLD
}
[domain_realm]
.a.domain.tld = .A.DOMAIN.TLD
a.domain.tld = A.DOMAIN.TLD
.b.domain.tld = .B.DOMAIN.TLD
b.domain.tld = B.DOMAIN.TLD
-----------------------------
Using this krb5.conf I can retrieve users from A.DOMAIN.TLD:
---------------------------
[libdefaults]
default_realm = A.DOMAIN.TLD
dns_lookup_realm = true
dns_lookup_kdc = true
rdns_lookup_kdc = false
---------------------------
And the sssd.conf is in both cases:
---------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = a.domain.tld, b.domain.tld
[nss]
[pam]
[domain/a.domain.tld]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://adc.a.domain.tld
ldap_search_base = dc=A,dc=DOMAIN,dc=TLD
ldap_force_upper_case_realm = true
# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons.
# enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = adc$@A.DOMAIN.TLD
krb5_realm = A.DOMAIN.TLD
krb5_server = adc.a.domain.tld
krb5_kpasswd = adc.a.domain.tld
ldap_krb5_keytab = /etc/krb5.sssd_multi.keytab
ldap_user_object_class = user
#ldap_user_name = sAMAccountName
ldap_user_name = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_group_object_class = group
[domain/b.domain.tld]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://bdc.b.domain.tld
ldap_search_base = dc=B,dc=DOMAIN,dc=TLD
ldap_force_upper_case_realm = true
# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad
# Enumeration is discouraged for performance reasons.
# enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = bdc$@B.DOMAIN.TLD
krb5_realm = B.DOMAIN.TLD
krb5_server = dc.b.domain.tld
krb5_kpasswd = dc.b.domain.tld
ldap_krb5_keytab = /etc/krb5.sssd_multi.keytab
ldap_user_object_class = user
#ldap_user_name = sAMAccountName
ldap_user_name = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell
ldap_group_object_class = group
---------------------------
Best regards,
mathias
8 years, 9 months
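An added consistency check for the two krb5.conf variants above (example code, neither Mathias's nor MIT's): it applies the [domain_realm] lookup order MIT Kerberos uses, exact host name first and then ever-shorter parent domains written with a leading dot, and reports when the mapped realm is not declared in [realms]. It assumes only the constructed copy of the first variant embedded below; note that the right-hand side of a [domain_realm] entry is a realm name, which carries no leading dot.

```python
# Constructed copy of the first krb5.conf from the post above.
KRB5_CONF = """\
[libdefaults]
default_realm = A.DOMAIN.TLD
dns_lookup_realm = true
[realms]
A.DOMAIN.TLD = {
default_domain = A.DOMAIN.TLD
}
B.DOMAIN.TLD = {
default_domain = B.DOMAIN.TLD
}
[domain_realm]
.a.domain.tld = .A.DOMAIN.TLD
a.domain.tld = A.DOMAIN.TLD
.b.domain.tld = .B.DOMAIN.TLD
b.domain.tld = B.DOMAIN.TLD
"""

def parse_krb5_conf(text):
    """Minimal parser: names of the realms declared in [realms] and the
    key/value pairs of [domain_realm]. Nested {...} blocks are skipped."""
    realms, domain_realm, section, depth = set(), {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1], 0
        elif line == "}":
            depth -= 1
        elif line.endswith("= {"):
            if section == "realms" and depth == 0:
                realms.add(line[:-3].strip())
            depth += 1
        elif section == "domain_realm" and "=" in line and depth == 0:
            key, value = (s.strip() for s in line.split("=", 1))
            domain_realm[key.lower()] = value
    return realms, domain_realm

def host_realm(host, domain_realm):
    """MIT lookup order: the host itself, then .parent domains, longest first."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None  # left to the DNS / default_realm fallbacks

def check_mapping(conf_text, hosts):
    """For each host, say whether its [domain_realm] mapping points at a
    realm that is actually declared in [realms]."""
    realms, domain_realm = parse_krb5_conf(conf_text)
    findings = {}
    for host in hosts:
        realm = host_realm(host, domain_realm)
        if realm is None:
            findings[host] = "unmapped"
        elif realm.startswith("."):
            findings[host] = f"realm {realm!r} has a leading dot"
        elif realm not in realms:
            findings[host] = f"realm {realm!r} not declared in [realms]"
        else:
            findings[host] = "ok"
    return findings

if __name__ == "__main__":
    for host, verdict in check_mapping(KRB5_CONF, ["adc.a.domain.tld", "bdc.b.domain.tld"]).items():
        print(host, "->", verdict)
```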
Issue with SSSD connectivity to OpenLDAP
by Christian Tardif
Hi,
I'm working on setting up an LDAP proxy (with OpenLDAP) to Active Directory.
Testing the proxy with SSSD gives me strange results I don't
understand. When someone tries to connect to a Linux box on which
SSSD is pointed at the LDAP proxy, it fails because of a bad filter
(which is OK, as you'll see in the logs). The logs from SSSD
show:
(Thu Jul 16 14:51:00 2015) [sssd[be[DOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=christian.tardif1)(objectclass=user)(uid=*)((null)=*))][ou=users,ou=outhing,dc=domain,dc=int].
(Thu Jul 16 14:51:00 2015) [sssd[be[LABNHS]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
Look at that (null)=* thing. Where does that come from? My sssd.conf
looks like:
[domain/DOMAIN]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
ldap_uri = ldap://172.22.211.114/
ldap_search_base = ou=outhing,dc=domain,dc=int
#ldap_default_bind_dn = cn=ldap binduser,ou=others,ou=users,ou=outhing,dc=domain,dc=int
#ldap_default_authtok = B1ndPassw0rd!
ldap_default_bind_dn = cn=Manager,dc=domain,dc=int
ldap_default_authtok = *********
ldap_default_authtok_type = password
ldap_user_name = uid
ldap_user_object_class = user
ldap_user_search_base = ou=users,ou=outhing,dc=domain,dc=int
ldap_user_extra_attrs = mail
ldap_group_object_class = group
ldap_group_search_base = ou=groups,ou=outhing,dc=domain,dc=int
ldap_id_mapping = true
ldap_schema = rfc2307bis
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
ldap_network_timeout = 6
override_gid = 100
enumerate = true
cache_credentials = true
cache_sensitive = false
entry_cache_timeout = 300
debug_level = 6
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
override_homedir = /home/%u
default_shell = /bin/bash
[pam]
[sudo]
[autofs]
[ssh]
Is something wrong in my config that creates this (null)=* thing?
--
CHRISTIAN TARDIF
8 years, 9 months
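An added example, not from Christian's post or the SSSD code base: a Python check that rebuilds the shape of the user filter logged above from a constructed copy of the sssd.conf and flags the combination that produces the (null). With ldap_id_mapping = true SSSD adds a presence test on the objectSID attribute (ldap_user_objectsid) to the user lookup filter; that attribute defaults to objectSid only for the AD schema and is unset for rfc2307/rfc2307bis, which the C string formatting prints as (null). The filter layout is modelled on the logged line, not copied from SSSD's source.

```python
import configparser

# Constructed sssd.conf modelled on the [domain/DOMAIN] section quoted above.
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN
[domain/DOMAIN]
id_provider = ldap
ldap_uri = ldap://172.22.211.114/
ldap_search_base = ou=outhing,dc=domain,dc=int
ldap_user_name = uid
ldap_user_object_class = user
ldap_user_search_base = ou=users,ou=outhing,dc=domain,dc=int
ldap_id_mapping = true
ldap_schema = rfc2307bis
"""

# Schema default for ldap_user_objectsid (sssd-ldap(5)): only the AD schema
# defines one; the rfc2307, rfc2307bis and IPA maps leave it unset.
OBJECTSID_DEFAULT = {"ad": "objectSid"}

def load_sssd_conf(text):
    # interpolation off because values like /home/%u contain '%'
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp

def objectsid_attr(section):
    """The attribute SSSD would use for the SID presence test, or None."""
    explicit = section.get("ldap_user_objectsid")
    if explicit:
        return explicit
    schema = "ad" if section.get("id_provider") == "ad" else section.get("ldap_schema", "rfc2307")
    return OBJECTSID_DEFAULT.get(schema.lower())

def user_filter(section, name):
    """Model of the user lookup filter as it appeared in the log: name match,
    object class, name presence and, with ID mapping on, SID presence. A
    missing attribute renders as (null), like the C %s formatting did."""
    name_attr = section.get("ldap_user_name", "uid")
    parts = [f"({name_attr}={name})",
             f"(objectclass={section.get('ldap_user_object_class', 'posixAccount')})",
             f"({name_attr}=*)"]
    if section.getboolean("ldap_id_mapping", fallback=False):
        parts.append(f"({objectsid_attr(section) or '(null)'}=*)")
    return "(&" + "".join(parts) + ")"

def check_id_mapping(cp):
    """Domain sections where ID mapping is on but no SID attribute is
    configured or defaulted, i.e. where the lookup fails as logged above."""
    bad = []
    for name in cp.sections():
        sec = cp[name]
        if name.startswith("domain/") and sec.getboolean("ldap_id_mapping", fallback=False) \
                and objectsid_attr(sec) is None:
            bad.append(name)
    return bad

if __name__ == "__main__":
    conf = load_sssd_conf(SSSD_CONF)
    print(user_filter(conf["domain/DOMAIN"], "christian.tardif1"))
    print("sections needing ldap_user_objectsid (or ldap_schema = ad):", check_id_mapping(conf))
```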
Reject new users from logging in
by Ondrej Valousek
Hi List,
I know I am probably crying at the wrong grave, but I'll give it a try anyway :)
Does anyone know if I can somehow prevent new users from logging in to a certain machine? We have a logon server here with SSSD which needs maintenance.
I know there is pam_nologin, but I still need to allow users with disconnected NX sessions there to connect and properly terminate those.
Thanks,
Ondrej
8 years, 9 months
sssd core dumps
by Gerard .
Hi,
We have SSSD authenticating against Active Directory on a large cluster of
hadoop machines. Intermittently we're seeing JVM processes (Apache Spark
jobs) core dumping when they attempt to look up the group owner of a file.
The group comes from Active Directory. The group contains roughly 30 users.
Is anyone able to help identify what might be causing this?
############################################################
(gdb) bt
#0 0x00007f789005acc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007f789005e0d8 in __GI_abort () at abort.c:89
#2 0x00007f788f3abd69 in os::abort(bool) () from /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server/libjvm.so
#3 0x00007f788f53133f in VMError::report_and_die() () from /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server/libjvm.so
#4 0x00007f788f3b4b4f in JVM_handle_linux_signal () from /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server/libjvm.so
#5 <signal handler called>
#6 sss_nss_check_header (ctx=ctx@entry=0x7f788d541280 <gr_mc_ctx>) at ../src/sss_client/nss_mc_common.c:65
#7 0x00007f788d33ed1b in sss_nss_mc_get_ctx (name=name@entry=0x7f788d33fae1 "group", ctx=ctx@entry=0x7f788d541280 <gr_mc_ctx>) at ../src/sss_client/nss_mc_common.c:151
#8 0x00007f788d33f7d9 in sss_nss_mc_getgrgid (gid=gid@entry=10002, result=result@entry=0x7f783d325800, buffer=0x14f2bb0 "postdrop", buflen=buflen@entry=1024) at ../src/sss_client/nss_mc_group.c:182
#9 0x00007f788d33da56 in _nss_sss_getgrgid_r (gid=10002, result=0x7f783d325800, buffer=0x14f2bb0 "postdrop", buflen=1024, errnop=0x7f783d329660) at ../src/sss_client/nss_group.c:454
#10 0x00007f78900e2b0c in __getgrgid_r (gid=10002, resbuf=0x7f783d325800, buffer=0x14f2bb0 "postdrop", buflen=1024, result=0x7f783d325828) at ../nss/getXXbyYY_r.c:266
#11 0x00007f7841cabfe6 in ?? ()
#12 0x00000000014f2bb0 in ?? ()
############################################################
Here's our sssd config:
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
#debug_level = 0x4000
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://192.168.16.2,ldaps://192.168.16.5
ldap_search_base = <hidden>
ldap_id_mapping = False
ldap_user_search_base = <hidden>
ldap_group_search_base = <hidden>
ldap_user_object_class = user
ldap_user_name = msSFU30Name
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
#Bind credentials
ldap_default_bind_dn = <CN>
ldap_default_authtok = secret
ldap_tls_reqcert = allow
cache_credentials = true
enumerate = false
Our nsswitch.conf:
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
$ grep sss /etc/pam.d/
common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so
common-auth:auth [success=2 default=ignore] pam_sss.so use_first_pass
common-password:password sufficient pam_sss.so use_authtok
common-session:session optional pam_sss.so
Versions:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
Linux 3.13.0-49-generic #83-Ubuntu SMP Fri Apr 10 20:11:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ dpkg -l | grep sssd
ii sssd 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- proxy back end
ii sssd-tools 1.11.5-1ubuntu3 amd64 System Security Services Daemon -- tools
8 years, 9 months