SSSD Full Cache Refresh
by Yogesh Sharma
Hi Team,
We are using sssd with FreeIPA. Whenever we add a new server in FreeIPA, it
does not get reflected to clients. We have implemented the cache refresh
intervals as well. However, in some use cases, the issue only gets resolved when we delete
/var/lib/sssd/db/* and restart the sssd service.
Is there any config setting for this which does a full refresh of the DB?
Currently, below is the sssd config:
enumerate = False
entry_cache_timeout = 60
refresh_expired_interval = 30
entry_cache_sudo_timeout = 60
entry_cache_netgroup_timeout = 60
ldap_enumeration_refresh_timeout = 60
ldap_purge_cache_timeout = 60
ldap_sudo_smart_refresh_interval = 60
cache_credentials = false
Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0000(a)gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
Odd issue with AD domain authentication (PTR records)
by John Beranek
Hi,
Where I work I've just spent a fair amount of time tracing down an issue we
were having with Linux servers (CentOS 6) which authenticate against the
company Active Directory domain.
We found that SSSD 1.12.4-46.el6 clients were failing to work correctly
against a particular DC in one of our sites. Looking in the SSSD logs I
discovered it was a Kerberos "TGS-REQ" issue, whereby it would do a request
and get back "Principal unknown".
I captured the conversation with tcpdump, and compared it with a
conversation with a working DC, and found that the "Principal unknown"
response came back with the Kerberos server listed as:
domaindnszones.example.com
and in the working case was instead the name of the DC, let's say:
site-a-dc01.example.com
Looking further at the DNS records for the affected DC, I found that the
DC's IP had 4 PTR records:
site-a-dc01.example.com
forestdnszones.example.com
domaindnszones.com
gc._msdcs.example.com
Given we didn't believe the 3 extra PTRs were performing any useful
function, we deleted them, and started SSSD again. SSSD now happily
connected to the DC, and is functional.
So, is there any reason why these PTRs would have upset SSSD like they
appear to have?
I can supply SSSD logs and/or pcap files off-list if helpful...
Cheers,
John
--
John Beranek
http://redux.org.uk/
"To generalise is to be an idiot." -- William Blake
Race condition when /var/lib/sssd is on NFSv4
by Ondrej Valousek
Hi list,
I have just discovered that there is a race condition when we put /var/lib/sssd on an NFSv4 volume (such as in a diskless boot scenario).
The system tends to hang randomly.
Is there any solution to this?
The only cure at the moment seems to be to mount it via NFSv3, which does not require the idmapper.
Thanks,
Ondrej
ldap_user_certificate
by Michael Ströder
Hi!
What's the option ldap_user_certificate used for in IPA?
Is it used for a separate map?
Or is it used e.g. for emulation of signed SSH authorized keys?
Ciao, Michael.
sssd-ad + ldap mapping uid issue
by Guillaume Polaert
Hi everyone,
I'm using sssd-ad and I have unexpected behaviour with the ldap_id_mapping module.
I'll try to be as clear as possible :)
The unexpected behaviour concerns Group IDs; they are inconsistent.
For some reason, at any moment GIDs can change.
The AD contains about 10 domains and 200 000 users. Domain RIDs can be very large.
I override the min, max, and slice values to extend the available window.
I've also set a default domain SID in order to be sure one (the main) domain will be consistent.
But it doesn't work.
What can be the origin of the GIDs being overwritten?
Maybe I have a problem with my configuration file.
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP, domain.ad
[nss]
filter_groups = root,ldap,named,avahi,haldaemon,dbus,...
filter_users = root,ldap,named,avahi,haldaemon,dbus, ...
[pam]
[sudo]
[domain/LDAP]
id_provider = ldap
sudo_provider = ldap
auth_provider = ldap
cache_credentials = True
ldap_uri = ldaps://ldap1:636
ldap_tls_cacert = /etc/openldap/cacerts/ldap_rootca.pem
ldap_tls_reqcert = hard
ldap_default_bind_dn = ...
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = ...
ldap_search_base = base_dn
enumerate = True
ldap_referrals = False
ldap_schema = rfc2307
ldap_sudo_search_base = base_dn
[domain/domain.ad]
id_provider = ldap
access_provider = ad
auth_provider = ad
cache_credentials = True
enumerate = False
debug_level = 9
## Override attributes
override_gid = 513
override_homedir = /data/users/%u
default_shell = /bin/bash
## LDAP config
ldap_uri = ldaps://ad-server:3269
ldap_tls_cacert = /etc/openldap/cacerts/bundle-certificates.pem
ldap_tls_reqcert = hard
ldap_search_base = base_dn
ldap_group_search_base = group_dn
ldap_schema = ad
## Mapping configuration
ldap_id_mapping = True
ldap_idmap_default_domain_sid = S-1-5-21-...932
# Allow 2000 domains, and 1 million entries per domain
# Min uid for AD account (100000)
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 1000000
I've just found this in the log file.
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 3)
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_cluster1_developer
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_audit_cluster1_developer
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_audit_cluster1_user
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x1000): Mapping group [grp_audit_cluster1_user] objectSID to unix ID
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x2000): Group [grp_audit_cluster1_user] has objectSID [S-1-5-21-3095416536-3097367016-2845470932-840751]
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x2000): Group [grp_audit_cluster1_user] has mapped gid [940751]
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [sdap_add_incomplete_groups] (0x2000): Adding fake group grp_audit_cluster1_user to sysdb
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Wed Aug 26 15:22:37 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1ee6fc0
[ ...]
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_get_primary_name] (0x0400): Processing object grp_audit_cluster1_user
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x0400): Processing group grp_audit_cluster1_user
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x4000): AD group [grp_audit_cluster1_user] has type flags 0x80000004.
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x1000): Mapping group [grp_audit_cluster1_user] objectSID [S-1-5-21-3095416536-3097367016-2845470932-840751] to unix ID
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=grp_audit_cluster1_user,....] to attributes of [grp_audit_cluster1_user].
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20150717152801.0Z] to attributes of [grp_audit_cluster1_user].
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): The group has 3 members
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): Group has 3 members
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [N5218058]
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [O3049031]
(Wed Aug 26 15:22:38 2015) [sssd[be[dc.example.com]]] [sdap_save_group] (0x0400): Storing info for group grp_audit_cluster1_user
Guillaume Polaert | Ingensi | @gpolaert - https://twitter.com/gpolaert
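To see why a GID such as the 940751 in the log above comes out as it does, and why it would change if the domain were assigned a different slice, here is an added worked example of the slice-based SID-to-Unix-ID arithmetic that ldap_id_mapping uses (illustration code, not SSSD's own; the slice table is constructed and passed in explicitly, since SSSD derives slice numbers from a hash of the domain SID, with ldap_idmap_default_domain_sid always getting slice 0):

```python
"""Worked example of SSSD-style SID -> Unix ID mapping (ldap_id_mapping).

Constructed for illustration; not SSSD's own code. Slice selection is
passed in as a table because SSSD derives it from a hash of the domain
SID (the configured default domain SID always occupies slice 0)."""
import re

# Range values taken from the sssd.conf quoted in the post above.
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 100000, 2000100000, 1000000

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain object SID, or raise ValueError."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain object SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)

def sid_to_unix_id(sid, slices, range_min=RANGE_MIN,
                   range_size=RANGE_SIZE, range_max=RANGE_MAX):
    """Map an object SID to a Unix ID given a {domain_sid: slice} table.

    Returns None when the domain has no slice, the RID does not fit in one
    slice, or the result falls outside [range_min, range_max]."""
    domain_sid, rid = split_sid(sid)
    slice_no = slices.get(domain_sid)
    if slice_no is None or rid >= range_size:
        return None  # SSSD would have to allocate another slice; not modelled here
    unix_id = range_min + slice_no * range_size + rid
    return unix_id if unix_id <= range_max else None

def unix_id_to_slice_rid(unix_id, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Reverse the mapping: which (slice, RID) pair produced this Unix ID?"""
    if unix_id < range_min:
        return None
    return divmod(unix_id - range_min, range_size)

# Constructed slice table: the default domain SID from the log sits in slice 0;
# the second domain SID is hypothetical and was "hashed" into slice 7.
SLICES = {
    "S-1-5-21-3095416536-3097367016-2845470932": 0,
    "S-1-5-21-1111111111-2222222222-3333333333": 7,
}

if __name__ == "__main__":
    gid = sid_to_unix_id("S-1-5-21-3095416536-3097367016-2845470932-840751", SLICES)
    print(gid, unix_id_to_slice_rid(gid))  # 940751 (0, 840751), as in the log
```

Running the reverse function on a GID that has unexpectedly changed tells you which slice it now came from, which is the first thing to compare between hosts when IDs drift.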
cache-credentials
by mathias dufresne
Hi all,
Does the "cache-credentials" option need an LDAPS connection, or can we set it up
over LDAP too?
Cheers
auth-only domain in sssd.conf
by Michael Ströder
Hi!
Is it possible to have an auth-only domain in sssd.conf?
Something like this:
[domain/LDAP-ID]
id_provider = ldap
ldap_search_base = ou=stuff,dc=mydomain,dc=org
...
[domain/LDAP-AUTHC]
auth_provider = ldap
ldap_search_base = ou=virtual,dc=mydomain,dc=org
...
The idea is to let sssd search the map data beneath naming context
ou=stuff,dc=mydomain,dc=org but use ou=authc-virtual,dc=mydomain,dc=org only
for authentication via LDAP simple bind with a hard-coded pattern like:
bind DN: uid=$user,ou=virtual,dc=mydomain,dc=org
Note that user name would be the same in both naming contexts.
So sssd would not have to search in ou=virtual,dc=mydomain,dc=org to make use
of it.
Ciao, Michael.
Tokengroups usage
by Ondrej Valousek
Hi List,
Man sssd-ldap says:
"
If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when connected to
Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting
ldap_use_tokengroups to false.
"
Why is usage of tokengroups not possible with Windows server 2008 or newer?
Can someone clarify?
Thanks,
Ondrej
kerberized nfs4 with sssd id mapping
by Isaiah Houston
I've run into an interesting problem that I've narrowed down to the interaction between rpc.idmapd and sssd. My sssd.conf is using AD as its id provider. When the setting use_fully_qualified_names = True is enabled in sssd.conf, rpc.idmapd appends the domain name to user lookup requests. This results in user lookup requests that include an extra @domain.name in them, for example:
rpc.idmapd: Server : (group) id "1002200513" -> name "user@domain.com@domain.com"
This results in users not being able to access folders that use any kind of group permissions, because they are not recognized as being members. Also, if a user creates a file, it is listed as being owned by nfsnobody since the user isn't mapped to an ID correctly.
When I adjust sssd.conf to be use_fully_qualified_names = False, the lookup request looks right:
rpc.idmapd: Server : (group) id "1002200513" -> name "user@domain.com"
However, if I then mount the nfs share from a different machine, and use a domain account with a valid Kerberos ticket, I still get permission denied when trying to access files, presumably because even though rpc.idmapd is displaying my name as "user@domain.com" the server is looking for the unqualified name "user", which still fails to match.
Has anyone else experienced this? I saw there was some effort at an sssd plugin for rpcidmapd, but that doesn’t seem complete yet. Is there a viable workaround so I can get kerberized nfs mounts up?
Isaiah Houston
Logon restrictions via GPO and groups in Security Filtering for GPO
by Davor Vusir
Hi!
I'm experimenting with using GPO to restrict logon. Nothing fancy, no
modifications made to the GPO parts of sssd.conf, just out-of-the-box.
The GPO is set to be enforced.
The idea is to let at least two categories of user accounts be able
to log in via ssh; category 1 must use public/private key authentication
and category 2 uses Kerberos. The groups "pubKeyUsers" and
"KerberosUsers" are both added to the "Allow log on through Terminal
Services" GPO setting.
The "Authenticated Users" group is added by default when creating
a GPO, and logon is working as intended; "pubKeyUsers" must use key logon
and "KerberosUsers" uses a Kerberos password. Users with no membership in
either group are denied logon.
When replacing the "Authenticated Users" group in the GPO's Security
Filtering with groups containing the server account and the groups
"pubKeyUsers" and "KerberosUsers", it breaks. Members of "pubKeyUsers" need to
authenticate through a Kerberos password (the public/private key
authentication is ignored), and "KerberosUsers" are allowed, as is any
other domain user.
I have also tried "loopback processing", as no user account has any
GPOs applied, only servers.
It seems that SSSD doesn't honor Security Filtering except for the "Authenticated
Users" group. Is that true? How is SSSD handling Security Filtering?
Regards
Davor Vusir