Using sssd sudo with CIDR addressing
by Kelley Cook
I seem to have noticed a problem with using sssd with LDAP sudoHost values that contain CIDR addresses.
We break our clusters into subnets and each have a few rules explicitly for those systems
Let's call them:
cluster_a 192.168.1.0/24
cluster_b 192.168.2.0/24
cluster_c1 192.168.3.0/25
cluster_c2 192.168.3.128/25
cluster_d 192.168.4.0/23
cluster_f 192.168.6.0/24
...
cluster_z: 192.168.26.0/24
Each one may (or may not) have individual sudoUser / sudoCommand allowing certain groups access.
So in LDAP for cluster b we have, for example:
dn: cn=cluster_b,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: top
objectClass: sudoRole
cn: cluster_root
sudoHost: 192.168.2.0/24
sudoUser: Buser1
sudoUser: Buser2
sudoCommand: su - sap
But then we have a few additional sudo rules (mostly for administrators) which encompass that whole group of clusters:
dn: cn=cluster_all,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: top
objectClass: sudoRole
cn: cluster_all
sudoHost: 192.168.0.0/19
sudoUser: Admin1
sudoUser: Admin2
sudoCommand: ALL
This worked fine when just using sudo pointing to our ldap server, since sudo apparently, on execution, grabs all the rules and figures out if our host is in them. It has been working like this for us for years.
But it is no longer working now that we are attempting to implement sssd caching, namely because sssd sends an ldap query for sudoHost={ALL, current hostname, current IP, and just the currently used subnet (say 192.168.8.0/24)}, not all possible larger ranges to which it belongs.
We've worked around it for now by putting in all the various subranges we use, but that has made the sudo rules in LDAP really messy and, worse, always subject to change as we add and delete specialized equipment.
Can someone confirm this behavior?
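To make the gap concrete, here is an added example (not from the thread and not SSSD's own code) that models the sudoHost query behaviour the post describes, compares it with sudo's own client-side CIDR matching, and reports which rules a host would lose; the rule names, hostnames and addresses are constructed.

```python
import ipaddress

# Constructed sample of sudoRole entries in the style of the post:
# cn -> list of sudoHost values. Not the poster's real directory data.
SUDO_RULES = {
    "cluster_b": ["192.168.2.0/24"],
    "cluster_c1": ["192.168.3.0/25"],
    "cluster_all": ["192.168.0.0/19"],   # supernet rule for administrators
    "everywhere": ["ALL"],
    "by_name": ["db01.example.com"],
}


def sssd_query_values(hostname, interface):
    """sudoHost values the SSSD LDAP query asks for, as the post describes
    them: ALL, the hostname, the address, and the interface's own subnet.
    (Modelled on the description in the thread, not on SSSD's source.)"""
    iface = ipaddress.ip_interface(interface)
    return {"ALL", hostname, str(iface.ip), str(iface.network)}


def sudo_host_matches(value, hostname, interface):
    """Client-side test the way sudo evaluates a rule it already holds:
    ALL, exact hostname, or address contained in a CIDR of any size."""
    iface = ipaddress.ip_interface(interface)
    if value in ("ALL", hostname):
        return True
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:          # a hostname that is not ours
        return False
    return iface.ip in net


def rules_via_sssd(rules, hostname, interface):
    """Rule names the modelled SSSD query would fetch for this host."""
    wanted = sssd_query_values(hostname, interface)
    return sorted(cn for cn, hosts in rules.items() if wanted & set(hosts))


def rules_via_sudo(rules, hostname, interface):
    """Rule names sudo matches when it holds every rule from the directory."""
    return sorted(cn for cn, hosts in rules.items()
                  if any(sudo_host_matches(h, hostname, interface)
                         for h in hosts))


def missed_rules(rules, hostname, interface):
    """Rules sudo would honour but the subnet-only query never fetches:
    exactly the rules whose CIDR is wider than the interface's subnet."""
    fetched = set(rules_via_sssd(rules, hostname, interface))
    return sorted(set(rules_via_sudo(rules, hostname, interface)) - fetched)


if __name__ == "__main__":
    host, iface = "b01.example.com", "192.168.2.10/24"   # constructed host
    print("fetched by sssd:", rules_via_sssd(SUDO_RULES, host, iface))
    print("matched by sudo:", rules_via_sudo(SUDO_RULES, host, iface))
    print("missed:", missed_rules(SUDO_RULES, host, iface))
```

Running missed_rules over every host and interface in an inventory gives an audit list of the supernet rules that would silently stop applying once the sssd sudo cache is in use.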
SSSD-AD GPO integration | general question
by Rolla Matthieu
Hello, I was previously using sssd to authenticate my users using id_provider = LDAP and it works great.
Now that my samba 4 DC is configured and the GPOs can finally be used, I reconfigured sssd with realmd to be able to use sssd-ad to centralize the authentication for some services via GPO.
SSSD was configured automatically by realm as expected and the server is registered in the appropriate OU as defined in /etc/realmd.conf in my DC. I can also successfully retrieve my users/group info with getent and id.
Following the example presented here, https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration, I notice that when I try to authenticate a user with SSH I can see errors related to retrieving the GPO: http://pastebin.com/6wzXUrCr
Here is my sssd.conf configuration:
[sssd]
config_file_version = 2
services = nss, pam
domains = hq.mydc.com
[nss]
# Ensure that certain users are not authenticated from network accounts
filter_users = root,lightdm,nslcd,dnsmasq,dbus,avahi,avahi-autoipd,backup,beagleindex,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,ivman,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,openldap,polkituser,proxy,pulse,puppet,saned,sshd,sync,sys,syslog,uucp,vde2-net,www-data
filter_groups = root
[pam]
[domain/hq.mydc.com] <----------------------- this part was generated automatically
debug_level = 9
ad_domain = hq.mydc.com
krb5_realm = HQ.mydc.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
Does sssd need to mount/access the sysvol folder somehow? Did I miss something in the configuration of sssd?
Looking forward to some help, thanks in advance.
Dear lazyweb... not getting cached ticket from PuTTY login
by Ray Van Dolson
RHEL7 w/ sssd 1.13.0-40.el7_2.2. Connecting via SSH from PuTTY from a
Windows box. GSSAPI is set up and also configured to allow credential
delegation. When I connect, I am not prompted for a password and get
into the system just fine.
However, klist shows nothing in my credential cache:
$ klist
klist: Credentials cache file '/tmp/krb5cc_1766242567' not found
(I also see no other differently named krb5cc file under /tmp).
If I first SSH into a host running winbind from the same PuTTY, I
properly get a cached ticket there and can then ssh to the RHEL7 host
and the ticket is properly forwarded across (klist shows it in the
output).
$ klist
Ticket cache: FILE:/tmp/krb5cc_1766242567_CMtqGFX6EG
Default principal: username(a)DOMAIN.COM
Valid starting Expires Service principal
04/20/2016 20:57:41 04/21/2016 03:04:48 krbtgt/DOMAIN.COM(a)DOMAIN.COM
renew until 04/27/2016 17:04:48
Have run sssd in foreground w/ debug and looked for krb5 message, but
not even seeing it attempt to create or use ccache.
Figured someone here might be able to set me down the right course?
Thanks in advance.
Ray
My sssd.conf:
[sssd]
config_file_version = 2
domains = domain.com
services = nss, pam
debug_level = 0
override_space = _
[nss]
debug_level = 0
override_shell = /bin/bash
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/csh
shell_fallback = /bin/bash
[pam]
debug_level = 0
[domain/domain.com]
debug_level = 0
id_provider = ad
access_provider = ad
ignore_group_members = true
cache_credentials = True
ldap_group_nesting_level = 5
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 500000
krb5_realm = DOMAIN.COM
override_homedir = /home/%u
ldap_referrals = false
#krb5_ccachedir = /tmp
#krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_renewable_lifetime = 12h
krb5_renew_interval = 1h
krb5_store_password_if_offline = True
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
#default_ccache_name =
[realms]
DOMAIN.COM = {
#kdc = kerberos.example.com
#admin_server = kerberos.example.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
Re: Inconsistent SSSD function [SEC=UNOFFICIAL]
by Kosseck, Adam MR
Hi Jakub,
I'm trying to use ID mapping, not POSIX - as the extensions aren't installed on the domain controllers (and the extensions are now deprecated after 2012 R2!).
Most of the entries in the SSSD config (like selinux and subdomains_provider) were enabled to reduce errors/warnings in the logs (and try to narrow down the cause of the issue). I have now removed these.
The sssd.conf file now looks like the below.
I've also noticed that with the subdomains_provider config removed, it's attempting to contact the parent domain and looks to be getting blocked by the firewalls in between.
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 3
domains = domain.subdomain.com
services = nss, pam, ssh, pac, sudo
default_domain_suffix = domain.subdomain.com
[domain/domain.subdomain.com]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
# Permits offline logins:
cache_credentials = true
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
ldap_schema = ad
#Use FQDN for logins - when multiple domains share same username use_fully_qualified_domain_names = true
#Don't attempt to auto update DNS records dyndns_update = false
[ssh]
debug_level = 3
[nss]
debug_level = 9
[pam]
debug_level = 3
[sudo]
debug_level = 3
[pac]
debug_level = 3
sssd unable to start
by Jeff White
I have ~80 CentOS 7 machines which use sssd and are joined to Active
Directory. On two systems sssd fails to start and the logs are unclear
("Could not add domain [ad.example.edu] to the map"). I re-installed
sssd, removed the existing keytab and re-joined the machine to Active
Directory, etc. but sssd still fails to start. How can I determine what
is wrong?
--
Jeff White
HPC Systems Engineer
Information Technology Services - WSU
Samba file server, on a direct AD joined el6 member server
by Ahmed Kamal
Hi everyone,
Thanks for making the life of linux admins easier, sssd is awesome! I just
joined a bunch of el6 machines directly to a 2008r2 AD. It worked
beautifully. Now one of those machines is acting as NFS server to the rest
of the linux machines.
I would like to also expose the files (/home) to Windows PCs using samba.
Is this configuration possible? Ideally, I'd want Windows users to connect
to Samba using SSO (kerberos), however if that won't work, just entering
the domain's username/password combo is good enough.
It would be great if someone would share configuration snippets with me. I
googled a lot but wasn't lucky.
Thanks!
SSSD does not destroy kerberos cache on user logout
by Ondrej Valousek
Hi list,
I just discovered that SSSD does not destroy user Kerberos cache credentials upon logout on Centos-7 (sssd vers 1.13).
Is that a known issue?
Thanks,
Ondrej
Announcing SSSD 1.13.4
by Jakub Hrozek
== SSSD 1.13.4 ==
The SSSD team is proud to announce the release of version 1.13.4 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* The IPA sudo provider was reimplemented. The new version reads the
data from IPA's LDAP tree (as opposed to the compat tree populated by
the slapi-nis plugin that was used previously). The benefit is that
deployments which don't require the compat tree for other purposes,
such as support for non-SSSD clients can disable those autogenerated
LDAP trees to conserve resources that slapi-nis otherwise requires. There
should be no visible changes to the end user.
* SSSD now has the ability to renew the machine credentials (keytabs)
when the ad provider is used. Please note that a recent version of
the adcli (0.8 or newer) package is required for this feature to work.
* The automatic ID mapping feature was improved so that the administrator
is no longer required to manually set the range size in case a RID in
the AD domain is larger than the default range size
* A potential infinite loop in the NFS ID mapping plugin that was
resulting in excessive memory usage was fixed
* Clients that are pinned to a particular AD site using the ad_site
option no longer communicate with DCs outside that site during service
discovery.
* The IPA identity provider is now able to resolve external
(typically coming from a trusted AD forest) group members during
get-group-information requests. Please note that resolving external
group memberships for AD users during the initgroup requests used to
work even prior to this update. This feature is mostly useful for cases
where an IPA client is using the compat tree to resolve AD trust users.
* The IPA ID views feature now works correctly even for deployments
without a trust relationship. Previously, the subdomains IPA provider
failed to read the views data if no master domain record was created
on the IPA server during trust establishment.
* A race condition in the client libraries between the SSSD closing
the socket as idle and the client application using the socket was
fixed. This bug manifested with a Broken Pipe error message on the
client.
* SSSD is now able to resolve users with the same usernames in different
OUs of an AD domain
* The smartcard authentication now works properly with gnome-screensaver
== Packaging Changes ==
* The krb5.include.d directory is now owned by the sssd user and
packaged in the krb5-common subpackage
== Documentation Changes ==
* A new option ldap_idmap_helper_table_size was added. This option can
help tune allocation of new ID mapping slices for AD domains with high
RID values. Most deployments can use the default value of this option.
* Several PAM services were added to the lists that are used to map
Windows logon services to Linux PAM services. The newly added PAM
services include login managers (lightdm, lxdm, sddm and xdm) as well
as the cockpit service.
* The AD machine credentials renewal task can be fine-tuned using
the ad_machine_account_password_renewal_opts to change the initial
delay and period of the credentials renewal task. In addition, the new
ad_maximum_machine_account_password_age option allows the administrator
to select how old the machine credential must be before trying to
renew it.
* The administrator can use the new option pam_account_locked_message to
set a custom informational message when the account logging in is locked.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1041
[RFE] Support Automatic Renewing of Kerberos Host Keytabs
https://fedorahosted.org/sssd/ticket/1108
[RFE] SUDO: Support the IPA schema
https://fedorahosted.org/sssd/ticket/2188
automatically assign new slices for any AD domain
https://fedorahosted.org/sssd/ticket/2522
[RFE] IPA: resolve external group memberships of IPA groups during
getgrnam and getgrgid
https://fedorahosted.org/sssd/ticket/2626
Retry EPIPE from clients
https://fedorahosted.org/sssd/ticket/2764
the colondb intreface has no unit tests
https://fedorahosted.org/sssd/ticket/2765
ad_site parameter does not work
https://fedorahosted.org/sssd/ticket/2785
incompatibility between sparkleshare and sss_ssh_knownhostsproxy due
to setlocale()
https://fedorahosted.org/sssd/ticket/2791
sssd dereference processing failed : Input/output error
https://fedorahosted.org/sssd/ticket/2829
collapse_srv_lookups frees fo_server structure that is returned by
fail over API
https://fedorahosted.org/sssd/ticket/2839
Allow SSSD to notify user of denial due to AD account lockout
https://fedorahosted.org/sssd/ticket/2849
cache_req: don't search override values in LDAP when using LOCAL view
https://fedorahosted.org/sssd/ticket/2865
sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64
(RHEL6.7) when trying to retrieve non-existing netgroups
https://fedorahosted.org/sssd/ticket/2881
MAN: Clarify that subdomains always use service discovery
https://fedorahosted.org/sssd/ticket/2888
SRV lookups with id_provider=proxy and auth_provider=krb5
https://fedorahosted.org/sssd/ticket/2899
[sssd] Trusted (AD) user's info stays in sssd cache for much more
than expected.
https://fedorahosted.org/sssd/ticket/2902
Review and update wiki pages for 1.13.4
https://fedorahosted.org/sssd/ticket/2904
sssd_be AD segfaults on missing A record
https://fedorahosted.org/sssd/ticket/2906
Cannot retrieve users after upgrade from 1.12 to 1.13
https://fedorahosted.org/sssd/ticket/2909
extreme memory usage in libnfsidmap sss.so plug-in when resolving
groups with many members
https://fedorahosted.org/sssd/ticket/2910
sssd mixup nested group from AD trusted domains
https://fedorahosted.org/sssd/ticket/2912
refresh_expired_interval stops sss_cache from working
https://fedorahosted.org/sssd/ticket/2917
Properly remove OriginalMemberOf attribute in SSSD cache if user has
no secondary groups anymore
https://fedorahosted.org/sssd/ticket/2922
ID mapping - bug in computing max id for slice range
https://fedorahosted.org/sssd/ticket/2925
Add gnome-screensaver to the list of PAM services considered for
Smartcard authentication
https://fedorahosted.org/sssd/ticket/2931
Warn if user cannot read krb5.conf
https://fedorahosted.org/sssd/ticket/2934
After removing certificate from user in IPA and even after sss_cache,
FindByCertificate still finds the user
https://fedorahosted.org/sssd/ticket/2937
sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'
https://fedorahosted.org/sssd/ticket/2938
Cannot start sssd after switching to non-root
https://fedorahosted.org/sssd/ticket/2959
The delete operation of the memberof plugin allocates memory on
NULL context
https://fedorahosted.org/sssd/ticket/2960
IPA view: view name not stored properly with default FreeIPA installation
https://fedorahosted.org/sssd/ticket/2961
Initgroups in AD provider might fail if user is stored in a non-default ou
https://fedorahosted.org/sssd/ticket/2962
GPO: Access denied in non-root mode
https://fedorahosted.org/sssd/ticket/2964
GPO: Access denied after blocking connection to AD.
https://fedorahosted.org/sssd/ticket/2969
sudorule not working with ipa sudo_provider on older freeipa
https://fedorahosted.org/sssd/ticket/2970
sudo smart refresh does not work correctly on openldap
https://fedorahosted.org/sssd/ticket/2971
SSSD PAM module does not support multiple password prompts (e.g. Password
+ Token) with sudo
https://fedorahosted.org/sssd/ticket/2972
IPA sudo: support the externalUser attribute
https://fedorahosted.org/sssd/ticket/2980
sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0
error 4 in libsss_ipa.so[7ff889fcf000+5d000]
== Detailed Changelog ==
Dan Lavu (1):
* PAM: Fix man for pam_account_{expired,locked}_message
David Disseldorp (1):
* build: detect endianness at configure time
Jakub Hrozek (17):
* Upgrading the version for the 1.13.4 release
* SDAP: Make it possible to silence errors from dereference
* Add a new option ldap_group_external_member
* IPA: Add interface to call into IPA provider from LDAP provider
* LDAP: Use the IPA provider interface to resolve external group members
* FO: Don't free rc-allocated structure
* tests: Reduce failover code duplication
* FO: Use refcount to keep track of servers returned to callers
* FO: Use tevent_req_defer_callback() when notifying callers
* memberof: Don't allocate on a NULL context
* tests: Add a unit test for the external groups resolution
* MAN: Remove duplicate description of the pam_account_locked_message option
* AD: Recognize Windows Server 2016
* memberof: Fix a memory leak when removing ghost users
* memberof: Don't allocate on NULL when deleting memberUids
* tests: Check NULL context in sysdb-tests when removing group members
* Updating translations for the 1.13.4 release
Lukas Slebodnik (33):
* SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
* CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
* TESTS: Fix race condition in python test
* PYTHON: sss_obfuscate should work with python3
* PYTHON: Fix pep8 errors in sss_obfuscate
* UTIL: Backport error code ERR_ACCOUNT_LOCKED
* sss_idmap-tests: Fix segmentation fault
* krb5_child: Warn if user cannot read krb5.conf
* Fix typos reported by lintian
* UTIL: Use prefix for debug function
* UTIL: Provide varargs version of debug_fn
* UTIL: Use sss_vdebug_fn for callbacks
* Revert "DEBUG: Preventing chown_debug_file if journald on"
* DEBUG: Ignore ENOENT for change owner of log files
* TOOLS: Fix minor memory leak in sss_colondb_writeline
* CI: Use yum-deprecated instead of dnf
* FAIL_OVER: Fix warning value computed is not used
* UTIL: Fix indentation in dlinklist.h
* UTIL: Fix warning misleading-indentation
* CLIENT: Reduce code duplication
* CLIENT: Retry request after EPIPE
* UTIL: Move debug part from util.h -> new debug.h
* UTIL: Allow to append new line in sss_vdebug_fn
* AUTOMAKE: Force usage of parallel test harness
* CI: Use make check instead of make-check-wrap
* test_ipa_subdom_server: Workaround for slow krb5 + SELinux
* SPEC: Run extra unit tests with epel
* GPO: Soften umask in gpo_child
* GPO_CHILD: Create directories in gpo_cache with right permissions
* GPO: Process GPOS in offline mode if ldap search failed
* IPA: Check RDN in ipa_add_ad_memberships_get_next
* dp_ptask: Fix memory leak in synchronous ptask
* test_be_ptask: Check leaks in tests
Michal Židek (6):
* NSS: do not skip cache check for netgoups
* util: Continue if setlocale fails
* server_setup: Log failed attempt to set locale
* tests: Run intgcheck without libsemanage
* tests: Regression test with wrong LC_ALL
* GPO: log specific ini parse error messages
Pavel Březina (37):
* AD SRV: prefer site-local DCs in LDAP ping
* SDAP: do not fail if refs are found but not processed
* SDAP: Add request that iterates over all search bases
* SDAP: rename sdap_get_id_specific_filter
* SDAP: support empty filters in sdap_combine_filters()
* SUDO: use sdap_search_bases instead custom sb iterator
* SUDO: make sudo sysdb interface more reusable
* SUDO: move code shared between ldap and ipa to separate module
* SUDO: allow to disable ptask
* SUDO: fail on failed request that cannot be retry
* IPA: add ipa_get_rdn and ipa_check_rdn
* SDAP: use ipa_get_rdn() in nested groups
* IPA SUDO: choose between IPA and LDAP schema
* IPA SUDO: Add ipasudorule mapping
* IPA SUDO: Add ipasudocmdgrp mapping
* IPA SUDO: Add ipasudocmd mapping
* IPA SUDO: Implement sudo handler
* IPA SUDO: Implement full refresh
* IPA SUDO: Implement rules refresh
* IPA SUDO: Remember USN
* SDAP: Add sdap_or_filters
* IPA SUDO: Implement smart refresh
* SUDO: sdap_sudo_set_usn() do not steal usn
* SUDO: remove full_refresh_in_progress
* SUDO: assume zero if usn is unknown
* SUDO: allow disabling full refresh
* SUDO: remember usn as number instead of string
* SUDO: simplify usn filter
* IPA SUDO: Add support for ipaSudoRunAsExt* attributes
* sdap_connect_send: fail if uri or sockaddr is NULL
* cache_req: simplify cache_req_cache_check()
* cache_req: do not lookup views if possible
* remove user certificate if not found on the server
* IPA SUDO: download externalUser attribute
* IPA SUDO: fix typo
* IPA SUDO: support old ipasudocmd rdn
* SUDO: be able to parse modifyTimestamp correctly
Pavel Reichl (11):
* sudo: remove unused param name in sdap_sudo_get_usn()
* sudo: remove unused param. in ldap_get_sudo_options
* IDMAP: Fix computing max id for slice range
* IDMAP: New structure for domain range params
* IDMAP: Add support for automatic adding of ranges
* IDMAP: Fix minor memory leak
* IDMAP: Man change for ldap_idmap_range_size option
* NSS: Fix memory leak netgroup
* IDMAP: Add test to validate off by one bug
* SDAP: Add return code ERR_ACCOUNT_LOCKED
* PAM: Pass account lockout status and display message
Petr Cech (6):
* KRB5: Adding DNS SRV lookup for krb5 provider
* TOOLS: Fix memory leak after getline() failed
* TOOLS: Add comments on functions in colondb
* TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
* REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
* REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
Stephen Gallagher (2):
* GPO: Add Cockpit to the Remote Interactive defaults
* GPO: Add other display managers to interactive logon
Sumit Bose (20):
* nfs idmap: fix infinite loop
* Use right domain for user lookups
* sdap_save_grpmem: determine domain by SID if possible
* ipa_s2n_save_objects(): use configured user and group timeout
* ldap: remove originalMeberOf if there is no memberOf
* UTIL: allow to skip default options for child processes
* DP_TASK: add be_ptask_get_timeout()
* AD: add task to renew the machine account password if needed
* FO: add fo_get_active_server()
* FO: add be_fo_get_active_server_name()
* AD: try to use current server in the renewal task
* p11: add gnome-screensaver to list of allowed services
* IPA: lookup idview name even if there is no master domain record
* IPA: invalidate override data if original view is missing
* sdap: improve filtering of multiple results in GC lookups
* pam_sss: reorder pam_message array
* sss_override: do not generate DN, search object
* tools: read additional data of the master domain
* sss_override: only add domain if name is not fully qualified
* intg: local override for user with mixed case name
sssd cache issues
by jupiter
Hi,
We are running sssd version 1.12.4-47 on CentOS 6. It works fine in
general, but from time to time some nodes list all user ids as
"nobody", and calling id username immediately returned "No such user"; it looks
like the id went to the cache and did not contact LDAP.
On one occasion, I added debug_level = 6 to the sssd.conf and restarted sssd;
the "nobody" was gone and id username returned the correct LDAP user id. It
did not make any sense to me how adding a debug_level could fix the
problem. I could smell the issue from the sssd cache, but I have no idea, since
all the default cache settings are only for some seconds, but when the node is
caught in that problem it can sit for many days with uids as nobody and id
returning no such user.
After searching the Internet, I found someone suggesting that running sss_cache -E to
invalidate all cached entries would solve the problem; I tried it, and it did not
work.
Could anyone explain what the issue in the sssd cache is, and give an effective
way to fix the problem?
Thank you.
Kind regards,
- h
SSSD and AD trusts
by Chadwick Banning
Hi all,
I have an interesting situation that I couldn't find any definitive
information on.
I have a parent AD domain (ad.example.com) and a child domain (
child.ad.example.com). I have a machine joined to the child domain (
machine.child.ad.example.com). This machine has no access to the parent
domain controllers, only the child domain controllers can access the parent
domain controllers.
Should user accounts in the ad.example.com domain be able to authenticate
to machine.child.ad.example.com? Will machine.child.ad.example.com attempt
to connect to the DCs in ad.example.com to authenticate the login? Or will
this "parent account-in-child domain" authentication be handled by the
child DC contacting the parent DC as part of the trust?
--
Chadwick Banning