sssd.conf and /var/lib/sss/db/config.ldb
by Daniel Hermans
Hi,
Not sure if this is a bug or not, but a quick warning that hopefully may save someone some time!
We use Puppet to install sssd based on a condition. We:
- yum install -y sssd
- authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --enablemkhomedir --enablecachecreds --update (to set up PAM and nsswitch; not sure if ALL of these are necessary?)
- copy over our private config (as you can't do all of the config with authconfig, as far as I can see?)
This didn't work: intermittently sssd was using a 'stale' config. After much head-butting, the issue was twofold:
- sssd is started and activated by the authconfig command; this creates config.ldb and cache_default.ldb
- Puppet writes the config file immediately and sssd is restarted
- sssd compares the modification time of /etc/sssd/sssd.conf with /var/lib/sss/db/config.ldb and, because the times are the same (written in the same minute), IT IGNORES the new config file
Solution:
- add '--nostart' to the authconfig command to stop the initial start; this will prevent creation of the cache. Copy over the config and then start/enable (which will create the cache).
Not sure if it's related, but there is a TODO in the code around this area (src/confdb/confdb_setup.c):
    ret = sss_ini_get_mtime(init_data, sizeof(timestr), timestr);
    if (ret <= 0 || ret >= (int)sizeof(timestr)) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Failed to convert time_t to string ??\n");
        ret = errno ? errno : EFAULT;
    }

    /* FIXME: Determine if the conf file or any snippet has changed
     * since we last updated the confdb or if some snippet was
     * added or removed.
     */
Puppet then
7 years, 5 months
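An added example, not part of the post above and not sssd's own code: a small Python check a config-management run can perform after pushing sssd.conf, using the post's description of the hazard (sssd renders the mtime as a string and, when sssd.conf and config.ldb carry the same timestamp, keeps the stale config). The minute granularity is an assumption taken from the post's "written in the same minute" and is a parameter; the file paths are the post's; the timeline values are constructed.

```python
import os
import time

SSSD_CONF = "/etc/sssd/sssd.conf"
CONFIG_LDB = "/var/lib/sss/db/config.ldb"

# Granularity at which the post reports the collision ("written in the same
# minute"). Assumption taken from the post: sssd renders the mtime as a
# string (see the quoted sss_ini_get_mtime call) and compares strings.
STAMP_FORMAT = "%Y%m%d%H%M"


def stamp(epoch_seconds, fmt=STAMP_FORMAT):
    """Render an mtime as the comparison sees it (UTC, so results are stable)."""
    return time.strftime(fmt, time.gmtime(epoch_seconds))


def update_would_be_ignored(conf_mtime, ldb_mtime, fmt=STAMP_FORMAT):
    """True when sssd.conf and config.ldb render to the same timestamp, i.e.
    under the post's description a restart keeps the copy held in config.ldb."""
    return stamp(conf_mtime, fmt) == stamp(ldb_mtime, fmt)


def check_deployment(conf_mtime, ldb_mtime, fmt=STAMP_FORMAT):
    """Classify the state right after a config-management run.

    ldb_mtime is None when config.ldb does not exist yet, which is exactly
    the state the post's '--nostart' fix produces before the first start."""
    if ldb_mtime is None:
        return "ok: no config.ldb yet, sssd imports sssd.conf on first start"
    if update_would_be_ignored(conf_mtime, ldb_mtime, fmt):
        return "stale: both files render to %s, sssd reuses config.ldb" % (
            stamp(conf_mtime, fmt))
    return "ok: timestamps differ, sssd re-reads sssd.conf on restart"


def check_live_system(conf=SSSD_CONF, ldb=CONFIG_LDB):
    """Run the classification against the real files (needs read access)."""
    conf_mtime = os.stat(conf).st_mtime
    ldb_mtime = os.stat(ldb).st_mtime if os.path.exists(ldb) else None
    return check_deployment(conf_mtime, ldb_mtime)


# Constructed timeline mirroring the post: authconfig starts sssd, which
# creates config.ldb at 15:20:00 UTC; Puppet writes sssd.conf 20 s later.
AUTHCONFIG_START = 1478532000   # 2016-11-07 15:20:00 UTC, constructed value
PUPPET_WRITE = AUTHCONFIG_START + 20

if __name__ == "__main__":
    print(check_deployment(PUPPET_WRITE, AUTHCONFIG_START))       # same minute
    print(check_deployment(PUPPET_WRITE + 60, AUTHCONFIG_START))  # next minute
    print(check_deployment(PUPPET_WRITE, None))                   # --nostart path
```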
Problem mixed provider
by Michael Wandel
Hey,
I want to set up the following scenario.
- the NSS will be used from the local source (/etc/passwd, /etc/group)
- the PAM authentication will come from LDAP that will exist on a Windows AD server
The OS is CentOS 7.2.
The actual test setup gives me some errors that I did not understand.
------------ sssd.conf ----------------
[sssd]
config_file_version = 2
services = pam, nss
domains = testad
[nss]
[pam]
[domain/testad]
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_schema = AD
ldap_default_bind_dn = cn=administrator,cn=users,dc=example,dc=com
ldap_default_authtok=XXXXXXXXXXXX
ldap_uri = ldaps://192.168.122.222:3269/
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
-------- sssd_testad.log -----------------------------
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [set_server_common_status] (0x0100): Marking server '192.168.122.222' as 'working'
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [fo_set_port_status] (0x0400): Marking port 3269 of duplicate server '192.168.122.222' as 'working'
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=testnutzer1)(objectclass=user))][dc=example,dc=com].
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Eingabe-/Ausgabefehler
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [get_user_dn_done] (0x0040): Failed to retrieve users
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (Systemfehler)]
It would be great if somebody could say whether it is a structural problem or a misconfiguration.
Any helpful tip would be appreciated.
best regards
Michael
m.wandel(a)t-online.de
7 years, 5 months
Windows 10 prefers NTLMSSP to KRB5
by johnnykimble@gmail.com
Hi all,
I've posted a thread about this on the Samba mailing list and been redirected to the SSSD experts here (see https://lists.samba.org/archive/samba/2016-November/204371.html)
I'm using a Samba file server as a domain member in a Windows 2012 AD domain. Everything works correctly as a pre-Windows 10 user (8.1 and 7), with authentication of domain users being handled by SSSD, as well as resolution of the SIDs on the Samba share. However, when Windows 10 connects to the Samba share, it presents (or selects) only 1 GSS-API mechanism, NTLMSSP.
My preference for SSSD over Winbind was because I don't need to support NTLM and prefer the most secure KRB5.
Is it possible to configure SSSD (if indeed it's SSSD's responsibility...) so that NTLMSSP is not presented as a GSS-API mechanism? Any ideas why Windows 10 would be behaving in what looks to be a less secure fashion than previous Windows versions?
Many thanks,
JK
7 years, 5 months
special sssd use, id_provider=proxy, auth_provider=ldap
by Michael Wandel
Hey,
I'm struggling a bit with my sssd configuration. We want to use local accounts (users and groups), and the LDAP from the Windows AD should be used for authentication. My current configuration throws some errors that I can't understand.
---------- sssd.conf ------------
[sssd]
config_file_version = 2
services = pam, nss
domains = testad
[nss]
[pam]
[domain/testad]
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_schema = AD
ldap_default_bind_dn = cn=administrator,cn=users,dc=example,dc=com
ldap_default_authtok=XXXXXXXXXXXX
ldap_uri = ldaps://192.168.122.222:3269/
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
----------- sssd_testad.log ---------------------
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=testnutzer1)(objectclass=user))][dc=example,dc=com].
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Eingabe-/Ausgabefehler
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [get_user_dn_done] (0x0040): Failed to retrieve users
Every tip is welcome; I'm not sure if it is possible to use this combination of id / auth provider.
best regards
Michael Wandel
7 years, 5 months
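An added example, not part of either of Michael Wandel's posts and not sssd's own code: a Python parser for the sssd_testad.log lines quoted in both posts ("Problem mixed provider" and this one). It re-joins entries wrapped by the mail archive, splits each into timestamp, process, function, debug level and message, pulls out the Active Directory extended error block (result, 000004DC code, DSID, server comment), and lists the failure-level entries. The sample log is constructed from lines in the posts; the failure-level bit values are those documented for debug_level in sssd.conf(5).

```python
import re

# One sssd debug-log entry, as seen in the posts above:
#   (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# A new entry starts with "(Weekday Month ..."; other lines are continuations
# produced by mail wrapping and are glued back onto the entry before them.
ENTRY_START_RE = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d")
# Active Directory's extended error block inside an LDAP result message.
AD_ERR_RE = re.compile(
    r"(?P<result>[A-Za-z ]+?)\((?P<rc>\d+)\), (?P<ad_code>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>\d+)"
)
# debug_level bits that mark failures (sssd.conf(5), debug_level).
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "operation"}

def join_wrapped(text):
    """Re-join entries that were wrapped at word boundaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_entry(record):
    """Parse one re-joined entry; None if it is not in the expected layout."""
    m = LINE_RE.match(record)
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    ad = AD_ERR_RE.search(entry["msg"])
    entry["ldap_error"] = (
        {k: v.strip() for k, v in ad.groupdict().items()} if ad else None)
    return entry

def parse_log(text):
    return [e for e in map(parse_entry, join_wrapped(text)) if e]

def failures(entries):
    return [e for e in entries if e["level"] in FAILURE_LEVELS]

def diagnose(entries):
    """Explain the AD extended error seen in the posts (0x4DC), quoting the
    server's own comment rather than guessing at the cause."""
    return ["%s: search ran on an unbound connection: %s"
            % (e["func"], e["ldap_error"]["comment"])
            for e in entries
            if e["ldap_error"] and int(e["ldap_error"]["ad_code"], 16) == 0x4DC]

# Constructed sample: lines taken from the posted sssd_testad.log, wrapped
# the way the mail archive shows them.
SAMPLE_LOG = """\
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [set_server_common_status]
(0x0100): Marking server '192.168.122.222' as 'working'
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]]
[sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap:
Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [get_user_dn_done]
(0x0040): Failed to retrieve users
"""
```

Running `diagnose(parse_log(SAMPLE_LOG))` on the sample yields one note for sdap_get_generic_op_finished carrying the server's "a successful bind must be completed" comment.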
Announcing SSSD 1.14.2
by Jakub Hrozek
=== SSSD 1.14.2 ===
The SSSD team is proud to announce the release of version 1.14.2 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Several more regressions caused by cache refactoring to use qualified names internally were fixed, including a regression that prevented the krb5_map_user option from working correctly.
* A regression when logging in with a smart card using the GDM login manager was fixed
* SSSD now removes the internal timestamp on startup cache when the persistent cache is removed. This enables admins to follow their existing workflow of just removing the persistent cache and start from a fresh slate
* Several fixes to the sssd-secrets responder are present in this release
* A bug in the autofs responder that prevented automounter maps from being returned when sssd_be was offline was fixed
* A similar bug in the NSS responder that prevented netgroups from being returned when sssd_be was offline was fixed
* Disabling the netlink integration can now be done with a new option disable_netlink. Previously, the netlink integration could be disabled with a sssd command line switch, which is being deprecated in this release.
* The internal watchdog no longer kills sssd processes in case time shifts during sssd runtime
* The fail over code is able to cope with concurrent SRV resolution requests better in this release
* The proxy provider gained a new option proxy_max_children that allows the administrator to control the maximum number of child helper processes that authenticate users with auth_provider=proxy
* The InfoPipe D-Bus responder exports the UUIDs of user and group objects through a uniqueID property
== Packaging Changes ==
* The private pipe directory permissions were changed from 0700 to 0750. The restrictive permissions were causing SELinux dac_override denials
* The Python packages for python2 were renamed from python-package to python2-package with backwards-compatible Provides and Obsoletes
* The sssd-common subpackage contains a new manual page sssd-secrets(5)
* The sssd-tools subpackage explicitly Requires /sbin/service on platforms that don't support systemd in order to be able to restart sssd from the sssctl tool
== Documentation Changes ==
* The kill_service option that was no longer useful after we moved from in-process pings to watchdog was removed
* The --disable-netlink sssd(8) command-line option was removed in favor of [sssd] section option disable_netlink
* The proxy_max_children option was added. Please see the highlights section for more details.
* The sssd-secrets responder gained a man page in this release.
* Two new options, containers_nest_level and max_secrets, were added to the sssd-secrets responder. The former allows the administrator to configure the maximum nesting level of secrets containers, the latter allows the administrator to configure the maximum number of secrets that can be stored. Please note that both options apply to the local secrets provider only.
* The sssd-ldap man page didn't specify the different defaults for the user and group name LDAP attributes for the AD provider. This documentation bug was fixed.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/2813
man page for sss_override command provides irrelevant information for --debug option
https://fedorahosted.org/sssd/ticket/2841
sssd stores and returns incorrect information about empty netgroup (ldap-server: 389-ds)
https://fedorahosted.org/sssd/ticket/3051
Move the diag_cmd option so that it's usable by the watchdog.
https://fedorahosted.org/sssd/ticket/3052
Remove the no longer used kill_service command
https://fedorahosted.org/sssd/ticket/3053
The sssd-secrets responder needs a manpage
https://fedorahosted.org/sssd/ticket/3054
Create integration tests for the sssd-secrets responder
https://fedorahosted.org/sssd/ticket/3056
The sssctl tool should restart the service with systemd's dbus API
https://fedorahosted.org/sssd/ticket/3107
Python SSSD Config API deletes an item during iteration
https://fedorahosted.org/sssd/ticket/3123
Netgroup resolution doesn't work offline
https://fedorahosted.org/sssd/ticket/3125
secrets responder throws an internal error when trying to delete a non-existent secret
https://fedorahosted.org/sssd/ticket/3127
SSSD qualifies principal twice in IPA-AD trust if the principal attribute doesn't exist on the AD side
https://fedorahosted.org/sssd/ticket/3128
throw away the timestamp cache if re-initializing the persistent cache
https://fedorahosted.org/sssd/ticket/3134
sssd is not able to authenticate with alias
https://fedorahosted.org/sssd/ticket/3137
secrets: creating a secret in a container doesn't work
https://fedorahosted.org/sssd/ticket/3140
autofs map resolution doesn't work offline
https://fedorahosted.org/sssd/ticket/3142
expose disabling the netlink support as a sssd.conf option
https://fedorahosted.org/sssd/ticket/3143
selinux avc denial for vsftp login as ipa user
https://fedorahosted.org/sssd/ticket/3145
Update sssd-sudo man page to reflect native sudo support
https://fedorahosted.org/sssd/ticket/3154
sssd exits if clock is adjusted backwards after boot
https://fedorahosted.org/sssd/ticket/3163
resolving IPA nested user group is broken in 1.14
https://fedorahosted.org/sssd/ticket/3165
login using gdm calls for gdm-smartcard when smartcard authentication is not enabled
https://fedorahosted.org/sssd/ticket/3167
SECRETS: Deleting a container that has children should fail
https://fedorahosted.org/sssd/ticket/3168
secrets: Add a configurable depth limit for containers
https://fedorahosted.org/sssd/ticket/3172
Access denied for user when access_provider = krb5 is set in sssd.conf
https://fedorahosted.org/sssd/ticket/3173
unable to create group in sssd cache
https://fedorahosted.org/sssd/ticket/3174
Clock skew makes SSSD return System Error
https://fedorahosted.org/sssd/ticket/3175
sss_groupshow does not work
https://fedorahosted.org/sssd/ticket/3178
unable to add local user in sssd to a group in sssd
https://fedorahosted.org/sssd/ticket/3179
sss_override fails to export
https://fedorahosted.org/sssd/ticket/3180
sss_cache -r option does not print error message if more than one argument is supplied
https://fedorahosted.org/sssd/ticket/3181
libwbclient-sssd: update interface to version 0.13
https://fedorahosted.org/sssd/ticket/3184
sss_groupshow <user> fails with error "No such group in local domain. Printing groups only allowed in local domain"
https://fedorahosted.org/sssd/ticket/3185
SSSD goes offline when the LDAP server returns sizelimit exceeded
https://fedorahosted.org/sssd/ticket/3188
krb5_map_user doesn't seem effective anymore
https://fedorahosted.org/sssd/ticket/3194
[RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases
https://fedorahosted.org/sssd/ticket/3205
Typo In SSSD-AD Man Page
https://fedorahosted.org/sssd/ticket/3207
SSSD logs error upon adding [secrets] section.
https://fedorahosted.org/sssd/ticket/3212
secrets: 500 internal server error when proxy is defined but not running
https://fedorahosted.org/sssd/ticket/3213
IPA: Uninitialized variable during subdomain check
== Detailed Changelog ==
Fabiano Fidêncio (24):
* PROXY: Use the fqname when converting to lowercase
* SYSDB: Rework sysdb_cache_connect()
* SYSDB: Remove the timestamp cache for a newly created cache
* SECRETS: Return ENOENT when_deleting a non-existent secret
* PROXY: Remove lowercase attribute from save_user()
* PROXY: Remove cache_timeout attribute from save_user()
* PROXY: Remove cache_timeout attribute from save_group()
* PROXY: Mention that save_user()'s parameters are already qualified
* PROXY: Share common code of save_{group,user}()
* BUILD: Add a few more targets for intg tests
* BUILD: Clean up prerelease targets
* BUILD: Fix typo in intgcheck-run rule
* MONITOR: Remove leftovers from diag_cmd
* MONITOR: Remove leftovers from kill_service
* SECRETS: Search by the right type when checking containers
* SECRETS: Don't remove a container when it has children
* CONFIG: Add secrets responder to the allowed sections
* CONFIG: Add secrets provider options
* SECRETS: Make functions from local.c static
* SECRETS: Use a tmp_context on local_db_check_containers()
* SECRETS: Add a configurable depth limit for nested containers
* SECRETS: Add a configurable limit of secrets that can be stored
* TESTS: Remove a leftover debug message
* TESTS: Fix check for py bindings in dlopen tests
Jakub Hrozek (35):
* Updating the version for the 1.14.2 release
* CONFIG: selinux_provider is a valid provider type
* CONFIG: session_provider does not exist anymore
* IPA: Parse qualified names when guessing AD user principal
* MONITOR: Remove the no longer used diag_cmd command
* MONITOR: Remove the no longer used kill_service command
* WATCHDOG: define and use _MAX_TICKS as 3
* SECRETS: Make internal function static
* SECRETS: Make reading the config options more uniform
* netlink: Don't define USE_GNU
* MAN: Document the ldap_user_primary_group option
* TOOLS: Fix a typo in groupadd()
* KRB5: Send the output username, not internal fqname to krb5_child
* KRB5: Return ERR_NETWORK_IO on clock skew
* LDAP: Return partial results from adminlimit exceeded
* TESTS: Add integration tests for the sssd-secrets
* AUTOFS: Fix offline resolution of autofs maps
* NSS: Fix offline resolution of netgroups
* TESTS: Test offline netgroups resolution
* tests: Add a regression test for upstream ticket #3131
* MAN: sssd-secrets documentation
* CONFIG: List allowed secrets responder options
* SECRETS: Add DEBUG messages to the sssd-secrets provider
* SECRETS: Use a better data type for ret
* SECRETS: Fix a typo in function name
* SECRETS: Use HTTP error code 504 when a proxy server cannot be reached
* IPA: Initialize a boolean control value
* tests: Add tests for sidbyname NSS operation
* tests: Add tests for getorig by UPN NSS op
* BUILD: Detect the path of the "service" executable
* BUILD: Only search for service in /sbin and /usr/sbin
* BUILD: Not having /sbin/service is not fatal
* RPM: Require initscripts on non-systemd platforms
* sssctl: Fix a typo in preprocessor macro
* Updating the translations for the 1.14.2 release
Justin Stephenson (4):
* MONITOR: Remove --disable-netlink command-line option
* MONITOR: Add disable_netlink option
* MAN: sssd-sudo manual update IPA native LDAP tree support
* sss_cache: improve option argument handling
Lukas Slebodnik (16):
* sssd_netgroup.py: Resolve nested netgroups
* BUILD: Allow to read private pipes for root
* SPEC: Fix typo in Summary
* SYSDB: Fix uninitialized scalar variable
* BUILD: Remove leftover after sysdb refactoring
* PROXY: Use right name in ldap filter
* SYSDB: Fix error handling in sysdb_get_user_members_recursively
* DEBUG: Apend line feed to messages from libsemanage
* SYSDB: Suppress warning from clang static analyser
* SDAP: Fix settig paging attribute in sdap_get_generic_ext_send
* Remove double semicolon at the end of line
* TESTS: Add simple test for double semicolon
* SSSDConfig: Do not fail with nonexisting domains/services
* SPEC: Rename python packages using macro %python_provide
* BUILD: intgcheck need to fail if pytest fails
* CI: Remove dlopen-test from valgrind blacklist
Michal Židek (12):
* TOOLS: sss_groupshow did not work
* TESTS: sss_groupadd/groupshow regressions
* TOOLS: use internal fqdn for DN
* TESTS: Test for sss_user/groupmod -a
* TOOLS: sss_mc_refresh_nested_group short/fqname usage
* TESTS: Add FQDN variants for some tests
* TOOLS: sss_override without name override
* TEST: Add regression test for ticket #3179
* TOOLS: sss_groupshow fails to show MPG
* TESTS: sss_groupshow with MPG
* MAN: Typo in id mapping explanation
* MAN: Wrong defaults for AD provider
Pavel Březina (7):
* watchdog: cope with time shift
* dyndns: fix typo and unify ipa with ad debug message when off
* failover: proceed normally when no new server is found
* sss_override: improve --debug description
* man page: fix language in debug level description
* sssctl: use systemd D-Bus API
* sssctl: call service with absolute path
Petr Cech (4):
* LDAP: Fixing of removing netgroup from cache
* INTG: Adding support for netgroups to ldap_ent
* INTG: Tests for ldap nested netgroups
* PROXY: Adding proxy_max_children option
Petr Čech (5):
* SYSDB: Removing of unused parameter
* TESTS: Fixing of 'const' warnings in sbus tests
* MAKEFILE: Fixing CFLAGS in some tests
* KRB5: Fixing FQ name of user in krb5_setup()
* TESTS: Adding intg. tests on nested groups
Sumit Bose (8):
* sdap_initgr_nested_get_membership_diff: use fully-qualified names
* p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard is used
* p11: return a fully-qualified name
* pam_sss: check PKCS11_LOGIN_TOKEN_NAME
* PAM: call free only when memory is expected to be allocated
* nss: allow UPNs in SSS_NSS_GETSIDBYNAME and SSS_NSS_GETORIGBYNAME
* libwbclient-sssd: update interface to version 0.13
* LDAP: Removing of member link from group
Thomas Equeter (1):
* IFP: expose user and group unique IDs through DBus
7 years, 5 months
1.14.2 insists on using StartTLS
by Michael Ströder
Hi!
With sssd-ldap I always prefer to use LDAPS for encrypted LDAP connections
especially because I can seamlessly mix it with LDAPI (for accessing local slapd
replica).
This works with 1.13.x but not with 1.14.2.
Although the domain debug log shows
Option ldap_id_use_start_tls is FALSE
the syslog shows:
sssd[be[AE-DIR]]: Could not start TLS encryption. unknown error
When switching sssd.conf to use StartTLS, everything works (CA cert OK etc.), but
that's not what I want (because LDAPI precludes using StartTLS).
Ciao, Michael.
7 years, 5 months
Issue with SSSD in a Parent and child domain configuration
by downloader009@gmail.com
Hi,
I have a domain "example.com" which has several child domains "abc.example.com", "def.example.com", "ghi.example.com".
I have joined my CentOS 6.8 server to the domain "example.com" using adcli, and my sssd version is sssd-1.13.3-22.
Here is my sssd.conf:
====================== BEGIN =======================
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com
[pam]
pam_id_timeout = 20
[domain/example.com]
id_provider = ad
auth_provider = ad
ldap_id_mapping = true
cache_credentials = true
override_homedir = /home/%u
subdomain_enumerate = all
krb5_auth_timeout = 20
[nss]
override_shell = /bin/bash
======================== END =========================
I have user1 in example.com and user2 in abc.example.com
When I run "getent passwd user1" I get the expected output.
user1:*:123456789:987654321:User 1:/home/user1:/bin/bash
But when I run "getent passwd user2", I do not get any output.
And when I run "getent passwd user2(a)abc.example.com", I get the output as follows:
user2@abc.infores.com:*:123456780:987654321:User 2:/home/user2:/bin/bash
I would like to use only the username (without the child domain name suffix) for all purposes (login/id command/getent command etc).
How can I get the getent output for the IDs in the child domain to be the same as the getent output for IDs in the parent domain?
I have read the man pages and also tried the "use_fully_qualified_names = false" option. It didn't help the child domain IDs.
Thanks in advance,
7 years, 5 months