Problem with user group enumeration
by Ondrej Valousek
Hi List,
I have a strange problem. I have 2 machines in different locations, but running the same sssd version and configuration.
The first one works fine and enumerates (via the "id -a" command) all groups the user belongs to.
The second does not enumerate groups for the same user; it only shows the primary group.
Comparing the logs (same debug level):
1st machine (working one):
[sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Process user's groups
[sssd[be[default]]] [sdap_initgr_rfc2307bis_next_base] (0x0400): Searching for parent groups for user [CN=Jan Kovalsky....
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with ...(ldap search filter here)
2nd machine (not working):
[sssd[be[default]]] [sdap_get_initgr_user] (0x4000): Process user's groups
[sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Jan Kovalsky.....
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
Both machines start with a clear cache - it seems like there must be some difference in the AD servers they connect to?
Could you clarify?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
8 years, 6 months
Scalable group-based access control - best practices?
by Ray Van Dolson
Trying to finalize a standard setup for access control and finding
there are numerous options for group or username based access control.
I'm using the ad access_provider (2012 R2 servers).
- ad_access_filter
  + Pros: Pretty powerful. I can do nested groups with the proper syntax. Good speed?
  - Cons: Configurations can get pretty ugly (especially with the nested group ldap syntax) and complex, all on one very long line. Must be in the sssd.conf file so can't have things separated easily per-machine or per role that a machine may participate in.
- simple_allow_groups (with access_provider = simple)
  + Pros: Simple. Readable config.
  - Cons: Not sure? Maybe some performance limitations as compared to ad_access_filter? Don't believe it supports nested group membership.
- pam_access (actually, not sure if this one works, but in theory it should)
  + Pros: Could externalize / customize per machine or per Ansible role more easily due to the ability to easily use multiple external include files.
  - Cons: Not sure. Another layer in the process so potentially adds some delay and complexity.
- SSH's AllowGroups (should work with sssd-ad I believe?)
  + Pros: Simple.
  - Cons: Only works w/ SSH (maybe not a big deal for my use case). Unsure on speed.
- ad_gpo_access_control (no idea how this one works but sounds powerful)
  + Pros: In theory means everything is managed centrally in AD GPO.
  - Cons: I've never tried it so don't know. :-)
Maybe I am missing some good alternatives above? Right now I am using
ad_access_filter mostly and planning to use Ansible's templating system
to manage per-host or service roles. Could get complex if we end up
needing to do customizations on a per-machine basis in certain cases...
Thanks,
Ray
8 years, 6 months
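As an added example (not code from the original post or from the SSSD project), the shell functions below generate the settings Ray is comparing from one list of AD groups, so the one-line ad_access_filter form, the simple_allow_groups form and the pam_access access.conf form can be read side by side. The group DNs and names are constructed placeholders; the matching-rule OID 1.2.840.113556.1.4.1941 is the real AD LDAP_MATCHING_RULE_IN_CHAIN rule used for transitive (nested) memberOf matching. Whether the simple provider honours nested membership is left as the open question it is in the post.

```shell
#!/bin/sh
# Added example, not from the original post or the SSSD project.
# Builds three access-control settings from one list of AD groups so the
# readability trade-off Ray describes can be compared directly.
# Group DNs and names below are constructed placeholders.

# ad_access_filter_setting DN... -> the single-line sssd.conf setting.
# 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN, so each clause
# matches direct and nested members of that group.
ad_access_filter_setting() {
    filter=""
    for dn in "$@"; do
        filter="${filter}(memberOf:1.2.840.113556.1.4.1941:=${dn})"
    done
    printf 'ad_access_filter = (|%s)\n' "$filter"
}

# simple_allow_groups_setting NAME... -> the access_provider = simple form.
simple_allow_groups_setting() {
    printf 'simple_allow_groups = '
    sep=""
    for g in "$@"; do
        printf '%s%s' "$sep" "$g"
        sep=", "
    done
    printf '\n'
}

# pam_access_rules NAME... -> /etc/security/access.conf lines: allow the listed
# groups from any origin, then deny everyone else. The final deny line is what
# turns the file into an allow-list; without it, unmatched users are granted access.
pam_access_rules() {
    for g in "$@"; do
        printf '+ : (%s) : ALL\n' "$g"
    done
    printf '%s\n' '- : ALL : ALL'
}

# Demonstration on constructed group names and DNs.
ad_access_filter_setting \
    'CN=linux-admins,OU=Groups,DC=example,DC=com' \
    'CN=web-ops,OU=Groups,DC=example,DC=com'
simple_allow_groups_setting linux-admins web-ops
pam_access_rules linux-admins web-ops
```

The ad_access_filter output must stay on one line in sssd.conf, which is exactly the readability cost the post describes; the access.conf rules only take effect when pam_access.so is present in the account stack of the relevant PAM service.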
[SSSD] two forests authentication
by Anthony Gautier De Lahaut
Hi,
I would like to contact you because I have a problem with authentication
via SSSD.
Let me explain my problem...
I have 2 forests, LESLANDES.LOCAL and ESSONNE.LOCAL.
LESLANDES.LOCAL is composed of:
- srv.LESLANDES.LOCAL (WS 2012 R2: AD (+ trust relationship), DNS (+ DNS Forwarders)).
- client.LESLANDES.LOCAL (CentOS 6.7: SSSD (sssd-1.12.4-47.el6.x86_64)).
ESSONNE.LOCAL is composed of:
- srv.ESSONNE.LOCAL (WS 2012 R2: AD (+ trust relationship), DNS (+ DNS Forwarders)).
Domain users of LESLANDES.LOCAL (e.g. bwillis(a)LESLANDES.LOCAL) can log in
on client.LESLANDES.LOCAL, but domain users of ESSONNE.LOCAL don't work....
I have followed and read different topics but nothing....
https://fedorahosted.org/sssd/wiki/InternalsDocs#a4.2.MultipleDomainsandT...
http://jhrozek.livejournal.com/
....
Many thanks,
Regards,
Anthony.
PS: Attached are the project details (configuration and logs).
8 years, 6 months
domain name in capitals sssd- 12.5
by Longina Przybyszewska
Hi,
Do capital letters matter for domain names in sssd.conf in a cross-realm AD + SSSD environment?
[domain/DOMAIN.NAME] <-> [domain/domain.name]
Best
Longina
8 years, 6 months
Slow email responses this week from FreeIPA/SSSD teams at Red Hat
by Alexander Bokovoy
Hi everyone!
We have a gathering of Red Hat members of FreeIPA and SSSD teams in
Brno, Czech Republic this week with a lot of design and discussion
meetings. Naturally, we try to lock ourselves down in dungeons without
wifi access and without laptops (not!) to avoid distractions and great
weather of early autumn in Southern Moravia. This has the unfortunate effect
of reducing our availability on the mailing lists and IRC channels.
We apologize in case you have something urgent you need help with and
hope that someone will be able to help as time permits.
Once we re-emerge from the dungeons of Red Hat Brno offices, there
will be wiki updates and blog posts about what is discussed and
reflected on. At least, I have plans to do so on a number of topics.
On a brighter note, FreeIPA 4.2.1 is on its way to Fedora 23
repositories. It is currently pending acceptance to the updates-testing
repository, so we will most likely miss the Fedora 23 beta release, but it gives us
a chance to test the FreeIPA 4.1 to 4.2.1 upgrade path before the final Fedora 23
release later this autumn.
https://bodhi.fedoraproject.org/updates/FEDORA-2015-15284
Once packages are in the repositories, we'll send a proper announcement
of FreeIPA 4.2.1 release.
--
/ Alexander Bokovoy
8 years, 6 months
Use some posix attributes with AD ID mapping
by jeff macfarland
Trying to get rid of having to define NIS groups along with AD, but I would
also like to keep the ability to set the shell and home directory without
resorting to a template.
However, unixHomeDirectory and loginShell (when defined in our AD) show up
in getent until 'su -' or login, and then they disappear.
Can't tell if I need to use ALL posix attributes (uid, gid, nis groups, etc.) or not.
[root@machine1 db]# getent passwd user1
user1:*:975801176:975800513:User One:/home/user1:/bin/bash
[root@machine1 db]# su - user1
[user1@machine1 ~]$ echo $SHELL
/bin/bash
[user1@machine1 ~]$ logout
[root@machine1 db]# getent passwd user1
user1:*:975801176:975800513:User One:/:
[root@machine1 db]# su - user1
-sh-4.1$ echo $SHELL
/bin/sh
-sh-4.1$ logout
[root@machine1 db]#
Nothing really in sssd_nss.log other than complaining about a missing
homedir template.
[sssd[nss]] [nss_memcache_initgr_check] (0x1000): Got request for
[user1(a)dom1.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input
[user1].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched
without domain, user is user1
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [user1] from
[<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[user1(a)dom1.local]
[sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user
[user1(a)dom1.local]
[sssd[nss]] [expand_homedir_template] (0x0020): Missing template.
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
8 years, 6 months
Kerberos + AD: session encryption
by l@avc.su
Hello.
I've configured domain membership for one Linux server, and now I'm
trying to understand one thing. I can't figure out how SASL-GSSAPI
encrypts LDAP requests and GC interactions. As far as I understand
Kerberos, it's a protocol solely for authentication, and SASL-GSSAPI
gives it the ability to encrypt all data transactions between authenticated
hosts. But this encryption is not mandatory.
I've done several queries via the 'id' utility to generate traffic, and
captured it. All I can see is LDAP traffic to 389/tcp and 3268/tcp,
which is encrypted. I can decrypt it by loading the host's keytab into
Wireshark.
We've disabled anonymous and insecure binds (without integrity checking
or SSL/TLS encryption) in AD, and didn't adjust minssf/maxssf parameters
on Linux. As far as I understand, AD does not require whole-session
encryption, and neither does Linux.
All authentication is done in SSSD (authconfig --enablesssd
--enablesssdauth).
To summarize: I want to understand why SASL-GSSAPI encrypts the whole
connection and not just the auth phase, so I could be sure that one day all
connections won't appear in plaintext on the network.
If I had more experience in programming, I could have found the answer in
the source code (all hail open source) to fulfill my curiosity, but
unfortunately I can't do that, so I'll appreciate any help/hints/links
on the topic.
Kind regards.
8 years, 7 months
kvno out of sync and trust issues
by Carl Pettersson (BN)
Hi,
(Warning: It's been a looong day, and upon rereading, the below may not be entirely coherent. I'll gladly clarify in the morning where needed)
We've been struggling for several months with getting our Linux (a mix of CentOS 7 and RHEL 7.1) servers AD integrated. We have a Win2012R2 domain with two sites, and several cross-forest, one-way trusts, and at the moment we are mostly (see below) able to authenticate with accounts local to our domain. We currently have two problems (that we know of):
* After a few days, it is no longer possible to log in with a domain account. Restarting sssd mostly works, and if not, performing a domain join again does. What we've seen is that this seems to change the KVNO field of kinit -k, and we've seen an error message (which I can't find again at the moment, sorry) indicating that this is a problem. Oddly enough, on some of the servers which we still can log on to, the KVNO can be different from the one which we just "fixed". The KVNO seems to always be either 2 or 5, switching when we "fix" a server.
* Authenticating with an account from a trusted domain never works. I can ping domain controllers from the other domain, I can telnet all the AD ports I can think of (significantly, 389 and 88), and there's no real error message shown anywhere. Right now /var/log/secure complains about unknown users, and journalctl says "Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)". I can resolve both A and PTR records, both on local and remote domains.
I'm at a loss on how to continue with the troubleshooting. People are starting to mumble about requesting local accounts on all machines. Tonight, I tried throwing PBIS Open (previously Likewise) on a machine, and it just worked. I'd like to avoid PBIS, though, since it is a bit more opaque about how it works, and we'd probably end up having to pay to get the features we could get from sssd in a (mostly) more understandable and clean packaging. But this would at least seem to indicate that the issue is with our configuration, rather than some infrastructural problem?
Here are the configuration files:
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.MAIN-DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
[domain_realm]
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = AD.MAIN-DOMAIN.COM
[nss]
override_homedir = /home/%d/%u
override_shell = /bin/bash
[domain/AD.MAIN-DOMAIN.COM]
id_provider = ad
use_fully_qualified_names = TRUE
krb5_renew_interval = 1h
I tried replacing the krb5.conf file with the one generated by PBIS, but that didn't help, unfortunately.
Any ideas for things to try would be greatly appreciated!
Best regards,
Carl
8 years, 7 months
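As an added example (not code from the original post, nor from the SSSD or MIT Kerberos projects), the shell functions below implement the check a defender would want for the first problem Carl describes: whether the key version number held in the host keytab still matches the kvno the KDC currently issues for that principal. They parse `klist -ke` and `kvno` output as text so the logic can be exercised on constructed sample output; the host name in the samples is invented, the realm AD.MAIN-DOMAIN.COM is the one from the posted krb5.conf, and run_check_live shows the real invocation.

```shell
#!/bin/sh
# Added example, not from the original post or the SSSD/Kerberos projects.
# Checks whether the kvno stored in the host keytab still matches the kvno the
# KDC currently issues for that principal, which is the symptom Carl describes
# (logins stop working until a re-join changes the KVNO). The functions parse
# `klist -ke` and `kvno` output as text so they can be exercised here on the
# constructed samples at the bottom; run_check_live shows the real invocation.

# keytab_kvnos KLIST_OUTPUT PRINCIPAL -> unique kvno values held for PRINCIPAL
# ("klist -ke" prints one line per key: KVNO PRINCIPAL (enctype)).
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -un
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL -> the kvno reported by "kvno PRINCIPAL",
# whose success line reads "PRINCIPAL: kvno = N". An error line such as
# "kvno: Server not found in Kerberos database ..." yields nothing.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $NF }'
}

# kvno_in_sync KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL -> prints "ok" (exit 0) when
# the keytab holds a key with the KDC's current kvno, "mismatch" (exit 1) when
# the KDC moved on and the keytab key is stale, "kdc-unknown" (exit 2) when the
# KDC could not resolve the principal at all.
kvno_in_sync() {
    have=$(keytab_kvnos "$1" "$3")
    want=$(kdc_kvno "$2" "$3")
    if [ -z "$want" ]; then
        echo "kdc-unknown"
        return 2
    fi
    for v in $have; do
        if [ "$v" = "$want" ]; then
            echo "ok"
            return 0
        fi
    done
    echo "mismatch"
    return 1
}

# Real invocation (not executed here): obtain a ticket first, e.g. "kinit -k".
run_check_live() {
    p="host/$(hostname -f)@AD.MAIN-DOMAIN.COM"   # realm taken from the post's krb5.conf
    kvno_in_sync "$(klist -ke /etc/krb5.keytab)" "$(kvno "$p" 2>&1)" "$p"
}

# Constructed sample output (host name invented; realm from the post).
SAMPLE_PRINC='host/server.ad.main-domain.com@AD.MAIN-DOMAIN.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 host/server.ad.main-domain.com@AD.MAIN-DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 host/server.ad.main-domain.com@AD.MAIN-DOMAIN.COM (aes128-cts-hmac-sha1-96)'
SAMPLE_KVNO_STALE='host/server.ad.main-domain.com@AD.MAIN-DOMAIN.COM: kvno = 5'
SAMPLE_KVNO_OK='host/server.ad.main-domain.com@AD.MAIN-DOMAIN.COM: kvno = 2'

printf 'keytab kvno %s, KDC says 5: %s\n' "$(keytab_kvnos "$SAMPLE_KLIST" "$SAMPLE_PRINC")" \
    "$(kvno_in_sync "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" "$SAMPLE_PRINC")"
printf 'keytab kvno %s, KDC says 2: %s\n' "$(keytab_kvnos "$SAMPLE_KLIST" "$SAMPLE_PRINC")" \
    "$(kvno_in_sync "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK" "$SAMPLE_PRINC")"
```

A "mismatch" result on a host that still accepts logins is the state the post describes (a keytab at kvno 2 while the KDC hands out 5, or the reverse), and a "kdc-unknown" result for a principal from a trusted domain matches the "Server not found in Kerberos database" message quoted for the second problem. Use the principal spelling exactly as `klist -ke` prints it; the check compares strings, not canonicalised names.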