Info message customization
by Иван Мастренко
Hello!
Can I customize the format of the Info message about password expiration?
Now, I get this message:
login as: myldapuser
myldapuser@myterminalhost's password:
Your password will expire in 5 day(s).
Last login: Mon Dec 11 11:42:13 2017
[myldapuser@myterminalhost ~]$
I want to colorize this, or make it more visible.
As I saw on GitHub this message is hardcoded, but maybe there is some way to realize this?
6 years, 4 months
SSSD and SUDO not working
by Andrea Passuello
Hi all,
I use SSSD with OpenLDAP and I am able to authenticate users.
I am trying to configure SSSD for managing and caching sudo, but I can't use sudo, and the system replies with this:
Sorry, user xxx is not allowed to execute '/usr/bin/apt-get update' as root on MACHINE.
This is my sssd.conf
[nss]
filter_groups = root,andrea
filter_users = root,andrea
reconnection_retries = 3
debug_level = 4
[pam]
reconnection_retries = 3
debug_level = 4
offline_credentials_expiration = 90
[sudo]
debug_level = 7
# default values in seconds
#ldap_sudo_full_refresh_interval=21600
#ldap_sudo_smart_refresh_interval=900
ldap_sudo_full_refresh_interval=10
ldap_sudo_smart_refresh_interval=10
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
domains = mydomain.com
[domain/mydomain.com]
debug_level = 7
cache_credentials = true
account_cache_expiration = 90
# With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd user@domain.com
# enumerate = false
enumerate = true
id_provider = ldap
auth_provider = ldap
access_provider = ldap
sudo_provider = ldap
# chpass_provider = ldap
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_uri = ldap://LDAPSERVER
ldap_search_base = dc=mydomain,dc=com
ldap_access_filter = (uidNumber=*)
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
This is my nsswitch.conf
passwd: compat sss
group: compat sss
shadow: compat sss
sudoers: files sss
This is the log's output
tail -f /var/log/auth.log /var/log/sssd/sssd_sudo.log /var/log/sssd/sssd_widegroup.eu.log
==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: pam_unix(sudo:auth): authentication
failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost=
user=MYUSER
==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_get_account_info]
(0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain]
(0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[dc=mydomain,dc=eu]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=MYUSER)(objectclass=posixAccount)(&(uidNumber=*)(!
(uidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[krbPasswordExpiration]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginExpirationTime]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginAllowedTimeMap]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry]
(0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Save user
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_primary_name]
(0x0400): Processing object MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Processing user MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Original memberOf is not available for [MYUSER].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): User principal is not available for [MYUSER].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_save_user]
(0x0400): Storing info for user MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base
[dc=mydomain,dc=eu]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(memberuid=MYUSER)(objectClass=posixGroup)(cn=*)(
&(gidNumber=*)(!(gidNumber=0))))][dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry]
(0x1000): OriginalDN: [cn=netsudo,ou=groups,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_get_initgr_done]
(0x0400): Primary group already cached, nothing to do.
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain]
(0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): domain: mydomain.com
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): user: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): service: sudo
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): tty: /dev/pts/7
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): ruser: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): rhost:
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): authtok type: 1
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): priv: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): cli_pid: 7144
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): logon name: not set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status]
(0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_port_status]
(0x1000): Port status of port 389 for server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [get_server_status]
(0x1000): Status of server 'LDAPSERVER' is 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_resolve_server_process] (0x0200): Found address for server LDAPSERVER:
[xxx.xxx.xxx.xxx] TTL 2222
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_uri_callback]
(0x0400): Constructed uri 'ldap://LDAPSERVER'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sss_ldap_init_send]
(0x0400): Setting 6 seconds timeout for connecting
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://LDAPSERVER:389/??base] with fd [24].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_sys_connect_done]
(0x0100): Executing START TLS
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_connect_done]
(0x0080): START TLS result: Success(0), (null)
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'LDAPSERVER' as 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[set_server_common_status] (0x0100): Marking server 'LDAPSERVER' as
'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'LDAPSERVER' as 'working'
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_send]
(0x0100): Executing simple bind as: uid=MYUSER,ou=people,dc=mydomain,dc=eu
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done]
(0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [simple_bind_done]
(0x0400): Bind result: Success(0), no errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_pam_auth_done]
(0x0100): Password successfully cached for MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]
==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: pam_sss(sudo:auth): authentication
success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost=
user=MYUSER
==> /var/log/sssd/sssd_mydomain.com.log <==
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_req_set_domain]
(0x0400): Changing request domain from [mydomain.com] to [mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [be_pam_handler]
(0x0100): Got request with the following data
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): domain: mydomain.com
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): user: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): service: sudo
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): tty: /dev/pts/7
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): ruser: MYUSER
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): rhost:
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): authtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): priv: 0
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): cli_pid: 7144
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [pam_print_data]
(0x0100): logon name: not set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_access_send]
(0x0400): Performing access check for user [MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_access_filter_send] (0x0400): Performing access filter check for user
[MYUSER]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=MYUSER)(objectclass=posixAccount)(uidNumber=*))][
uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]] [sdap_parse_entry]
(0x1000): OriginalDN: [uid=MYUSER,ou=people,dc=mydomain,dc=eu].
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[sdap_access_filter_done] (0x0400): Access granted by online lookup
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not
sending the request to it.
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sending result [0][mydomain.com]
(Wed Nov 8 15:50:46 2017) [sssd[be[mydomain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [0][mydomain.com]
==> /var/log/auth.log <==
Nov 8 15:50:46 andrea-X550LA sudo: MYUSER : command not allowed ;
TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update
==> /var/log/sssd/sssd_sudo.log <==
(Wed Nov 8 15:50:46 2017) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
Please, could you help me understand what's wrong?
Many thanks in advance and any help is appreciated.
Regards.
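An added example (not part of the post, and not SSSD or sudo code): the auth.log excerpt above records two separate things, the PAM conversation and sudo's own sudoers decision, and it helps to read them apart. This script triages constructed lines modelled on that excerpt; the second, allowed attempt is invented for contrast.

```python
"""Triage of sudo events in auth.log, separating PAM authentication outcomes
from the sudoers policy decision. Added example, not SSSD or sudo code; the
sample lines below are constructed after the auth.log excerpt in the post."""
import re
from collections import defaultdict

# Constructed sample: the denied attempt from the post, then a second
# attempt that sudoers allowed (invented to show the contrast).
SAMPLE_AUTH_LOG = """\
Nov 8 15:50:46 andrea-X550LA sudo: pam_unix(sudo:auth): authentication failure; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost=  user=MYUSER
Nov 8 15:50:46 andrea-X550LA sudo: pam_sss(sudo:auth): authentication success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER
Nov 8 15:50:46 andrea-X550LA sudo: MYUSER : command not allowed ; TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update
Nov 8 15:52:01 andrea-X550LA sudo: pam_sss(sudo:auth): authentication success; logname=MYUSER uid=1126 euid=0 tty=/dev/pts/7 ruser=MYUSER rhost= user=MYUSER
Nov 8 15:52:01 andrea-X550LA sudo: MYUSER : TTY=pts/7 ; PWD=/home/MYUSER ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# PAM line: which module answered and whether it accepted the credential.
PAM_RE = re.compile(
    r"sudo: (?P<module>pam_\w+)\(sudo:auth\): authentication "
    r"(?P<result>success|failure);.*\buser=(?P<user>\S+)")
# Policy line: sudo's own record of the sudoers decision for the command.
POLICY_RE = re.compile(
    r"sudo: (?P<user>\S+) : (?P<denied>command not allowed ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def triage(log_text):
    """Return one dict per sudo policy decision found in log_text.

    'verdict' is 'allowed' or 'denied_by_policy'; 'auth_by' lists the PAM
    modules that accepted the user's credential before that decision. A
    pam_unix failure followed by a pam_sss success is ordinary PAM stacking
    for an LDAP user with no local password, not an error in itself.
    """
    pending = defaultdict(list)  # user -> PAM outcomes since last decision
    events = []
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            pending[m["user"]].append((m["module"], m["result"]))
            continue
        m = POLICY_RE.search(line)
        if not m:
            continue
        outcomes = pending.pop(m["user"], [])
        events.append({
            "user": m["user"],
            "verdict": "denied_by_policy" if m["denied"] else "allowed",
            "auth_by": [mod for mod, res in outcomes if res == "success"],
            "runas": m["runas"],
            "cmd": m["cmd"],
        })
    return events


def explain(event):
    """One-line diagnosis for a triaged event."""
    if event["verdict"] == "allowed":
        return "allowed: %s ran %r as %s" % (event["user"], event["cmd"], event["runas"])
    if event["auth_by"]:
        # Authentication is not the problem; the sudoers rule lookup is.
        return ("denied by sudoers after successful auth via %s: check the "
                "'sudoers:' line in nsswitch.conf, the rules under "
                "ldap_sudo_search_base, and sssd_sudo.log"
                % ", ".join(event["auth_by"]))
    return "denied: no PAM module accepted the credential"


if __name__ == "__main__":
    for ev in triage(SAMPLE_AUTH_LOG):
        print(explain(ev))
```

Run against a real auth.log by replacing SAMPLE_AUTH_LOG with the file contents; the point of the split is that a "command not allowed" line after a pam_sss success means the rule lookup, not the password check, is where to look.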
6 years, 4 months
fast cache corruption
by Franky Van Liedekerke
Before opening a bug report, I wanted to discuss a new issue here.
I have ldap users that are in 1500 groups (yeah, I know ... not my choice either); ldap is using the rfc2307 schema (openldap, redhat EL7).
Now, when connecting sssd to this ldap server, I've already set enumeration=false, and also ignore_group_members=true (performance ...).
However, with ignore_group_members=true, I'm getting this in the sssd_nss.log when doing a 'groups <userid>' command:
[sssd[nss]] [sss_mc_find_record] (0x0010): Corrupted fastcache. name_ptr value is 16
(once when the cache is empty, and after that once or twice per groups-request).
I also see this in /var/log/messages (related of course):
sssd[nss]: Stored copy of corrupted mmap cache in file '/var/lib/sss/mc/group_corrupted#012'
As a result, this prevents the use of the sssd fast cache, so group requests at best take 5.5 seconds.
Now this problem happens in 95% of cases (which leads me to believe it is a timing bug), but when I set ignore_group_members=false, this is not happening (and when groups are OK in the fast cache: 0,03 secs response time).
Ideas? Hints? Or should I just go and open a bug report? Is there a real performance drawback to setting ignore_group_members=false?
Thanks,
Franky
6 years, 4 months
Multiple skel dir (one per domain)
by Иван Мастренко
Hello!
I'm trying to implement a system where 3 types of ldap users, separated by group, can log in.
The first type is a full admin; the other 2 are very limited users, with rbash and a unique per-group home dir, which defines which commands are allowed to these groups of users.
Can I set a per-domain skel dir?
My conf:
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = 01_HW_ADMINS_DOMAIN, 02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN, 03_SECURITY_AUDIT_DOMAIN
[domain/default]
debug_level = 7
[domain/01_HW_ADMINS_DOMAIN]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.ldap.server:389
ldap_schema = rfc2307
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = *****
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=my,dc=domain
ldap_user_search_base = ou=users,dc=my,dc=domain?subtree?(memberOf=cn=HW_ADMINS,ou=groups,dc=my,dc=domain)
ldap_group_search_base = ou=groups,dc=my,dc=domain
access_provider = ldap
ldap_access_filter = (memberOf=cn=HW_ADMINS,ou=groups,dc=my,dc=domain)
override_homedir = /home/%u
override_gid = 1001
override_shell = /bin/bash
skel_dir = /etc/skel_HWadm/
debug_level = 7
[domain/02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.ldap.server:389
ldap_schema = rfc2307
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = *****
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=my,dc=domain
ldap_user_search_base = ou=users,dc=my,dc=domain?subtree?(memberOf=cn=TERMINAL_RESCTRICTEC_ACCESSS,ou=groups,dc=my,dc=domain)
ldap_group_search_base = ou=groups,dc=my,dc=domain
access_provider = ldap
ldap_access_filter = (memberOf=cn=TERMINAL_RESCTRICTEC_ACCESSS,ou=groups,dc=my,dc=domain)
override_homedir = /home/%u
override_gid = 1002
override_shell = /bin/rbash
skel_dir = /etc/skel_terminalaccess/
debug_level = 7
[domain/03_SECURITY_AUDIT_DOMAIN]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = none
ldap_uri = ldap://my.ldap.server:389
ldap_schema = rfc2307
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = *****
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=my,dc=domain
ldap_user_search_base = ou=users,dc=my,dc=domain?subtree?(memberOf=cn=SECURITY_AUDIT,ou=groups,dc=my,dc=domain)
ldap_group_search_base = ou=groups,dc=my,dc=domain
access_provider = ldap
ldap_access_filter = (memberOf=cn=SECURITY_AUDIT,ou=groups,dc=my,dc=domain)
override_homedir = /home/%u
override_gid = 1003
override_shell = /bin/rbash
skel_dir = /etc/skel_secaud/
debug_level = 7
[nss]
homedir_substring = /home
debug_level = 7
[pam]
[autofs]
[ssh]
[pac]
[ifp]
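An added example (not part of the post, and not SSSD code): the config above repeats the same LDAP transport settings in each domain, so a small per-domain audit is a useful companion to the per-domain skel_dir/override_shell design. The sample config is constructed from the post: the first domain keeps the posted settings, the second is a hardened variant written for contrast (ldap_tls_reqcert = demand, StartTLS on, plain authtok type).

```python
"""Per-domain audit of an sssd.conf: list the home-directory/shell overrides
each domain applies and flag LDAP transport settings that leave the bind
secret exposed. Added example, not SSSD code. The sample config is constructed
from the post: domain 01 keeps the posted settings, domain 02 is hardened."""
import configparser

SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = 01_HW_ADMINS_DOMAIN, 02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN

[domain/01_HW_ADMINS_DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://my.ldap.server:389
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = *****
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
override_homedir = /home/%u
override_gid = 1001
override_shell = /bin/bash
skel_dir = /etc/skel_HWadm/

[domain/02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://my.ldap.server:389
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = password
ldap_default_authtok = *****
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = True
override_homedir = /home/%u
override_gid = 1002
override_shell = /bin/rbash
skel_dir = /etc/skel_terminalaccess/
"""


def load_sssd_conf(text):
    # %u in override_homedir is an SSSD template, not configparser interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domain_sections(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]


def transport_findings(section):
    """Security findings for one [domain/...] section (a SectionProxy)."""
    findings = []
    uri = section.get("ldap_uri", "")
    starttls = section.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    if uri.startswith("ldap://") and not starttls:
        findings.append("cleartext identity lookups: ldap:// without ldap_id_use_start_tls = true, "
                        "so the ldap_default_bind_dn simple bind and every id lookup cross the "
                        "network unencrypted")
    if section.get("ldap_tls_reqcert", "").strip().lower() == "never":
        findings.append("ldap_tls_reqcert = never: the server certificate is not verified, "
                        "so TLS does not protect against a substituted server")
    if section.get("ldap_default_authtok_type", "").strip() == "obfuscated_password":
        findings.append("obfuscated_password is reversible obfuscation, not encryption; "
                        "root-only permissions on sssd.conf are what actually protect the secret")
    return findings


def audit(cp):
    """Map domain name -> the overrides that matter for the per-group
    home/shell design in the post, plus the transport findings."""
    report = {}
    for name in domain_sections(cp):
        d = cp[name]
        report[name.split("/", 1)[1]] = {
            "skel_dir": d.get("skel_dir"),
            "override_shell": d.get("override_shell"),
            "override_gid": d.get("override_gid"),
            "override_homedir": d.get("override_homedir"),
            "findings": transport_findings(d),
        }
    return report


if __name__ == "__main__":
    for dom, info in audit(load_sssd_conf(SAMPLE_SSSD_CONF)).items():
        print(dom, info["override_shell"], info["skel_dir"])
        for f in info["findings"]:
            print("  !", f)
```

Point it at a real file with load_sssd_conf(open("/etc/sssd/sssd.conf").read()); because every domain section is parsed the same way, a setting that differs between the admin and restricted domains shows up immediately in the report.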
6 years, 4 months
SSSD: Problem with search user groups. Wrong Filter for posixGroups
by Иван Мастренко
Hello!
I have a problem with getting the group list for a user in LDAP:
[sssd[be[DOMAIN_GROUP2]]] [sdap_initgr_rfc2307bis_next_base] (0x0400): Searching for parent groups for user [uid=hwadmin_sssd,ou=users,dc=my,dc=domain] with base [ou=groups,dc=my,dc=domain]
[sssd[be[DOMAIN_GROUP2]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=uid=hwadmin_sssd,ou=users,dc=my,dc=domain)(objectClass=posixGroup)(cn=*))][ou=groups,dc=my,dc=domain].
As seen above, SSSD tries to search groups with a filter where memberUid = <fullDN>, but this is not correct. It should search for: (&(memberUid=hwadmin_sssd)(objectClass=posixGroup)(cn=*))
My config is:
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = ,DOMAIN_GROUP2
override_homedir = /home/%u
[domain/default]
debug_level = 7
[domain/DOMAIN_GROUP2]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://172.20.47.115:389
ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok = password
ldap_group_member = memberUid
#ldap_use_tokengroups = false
# TLS/SSL
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
# SEARCH BASE
ldap_search_base = dc=my,dc=domain
ldap_user_search_base = ou=users,dc=my,dc=domain
ldap_group_search_base = ou=groups,dc=my,dc=domain
#ldap_group_object_class = groupOfNames
# FILTER
access_provider = ldap
ldap_access_filter = (memberOf=cn=HWS_ADMINS,ou=groups,dc=my,dc=domain)
override_gid = 1001
override_shell = /bin/bash
skel_dir=/etc/skel_ptk/
debug_level = 7
[nss]
homedir_substring = /home
debug_level = 7
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
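An added example (not part of the post, and not SSSD's own code): the two filter shapes quoted on this page, memberuid=MYUSER under ldap_schema = rfc2307 in the sudo thread above and memberUid=<full DN> under rfc2307bis here, follow from which value each schema matches against the group member attribute. This script reconstructs both filters in simplified form (the gidNumber sub-filter some SSSD versions append is left out) and flags the schema/attribute combination that produces the DN-valued memberUid filter. The escape helper is a hand-written RFC 4515 value escape, not a library call.

```python
"""Construct the group-membership filter SSSD uses in an initgroups lookup
for the rfc2307 and rfc2307bis schemas. Added example that mirrors the filter
shapes quoted in the post; it is not SSSD's own code, and the escape helper is
a hand-written RFC 4515 value escape rather than a library call."""


def ldap_filter_escape(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def initgroups_filter(schema, uid, user_dn, group_member_attr=None):
    """Return (filter, matched_value) for the user's group search.

    rfc2307:    groups carry member *names* in memberUid, so uid is matched.
    rfc2307bis: groups carry member *DNs* in member, so user_dn is matched.
    group_member_attr models ldap_group_member; overriding it to memberUid
    while keeping ldap_schema = rfc2307bis still matches the DN, giving the
    memberUid=<full DN> filter seen in the post.
    """
    if schema == "rfc2307":
        attr, value = group_member_attr or "memberUid", uid
    elif schema == "rfc2307bis":
        attr, value = group_member_attr or "member", user_dn
    else:
        raise ValueError("unsupported schema: %r" % schema)
    filt = "(&(%s=%s)(objectClass=posixGroup)(cn=*))" % (attr, ldap_filter_escape(value))
    return filt, value


def check_membership_config(schema, group_member_attr):
    """Flag the schema/attribute combination that produces a DN-valued
    memberUid filter. Returns None when the combination is consistent."""
    if schema == "rfc2307bis" and (group_member_attr or "").lower() == "memberuid":
        return ("ldap_schema = rfc2307bis matches the user's DN, but memberUid "
                "holds user names: use ldap_schema = rfc2307 for memberUid groups, "
                "or keep rfc2307bis with DN-valued member attributes")
    return None


if __name__ == "__main__":
    dn = "uid=hwadmin_sssd,ou=users,dc=my,dc=domain"
    for schema, attr in (("rfc2307", None), ("rfc2307bis", None), ("rfc2307bis", "memberUid")):
        print(schema, attr, initgroups_filter(schema, "hwadmin_sssd", dn, attr)[0])
        warning = check_membership_config(schema, attr)
        if warning:
            print("  !", warning)
```

The third case in the usage loop reproduces the posted config (rfc2307bis plus ldap_group_member = memberUid) and is the one that gets flagged.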
6 years, 4 months
Stupid question
by Galen Johnson
Hey,
I must be doing something stupid but how can I view the schema for the domain cache? A few weeks ago, Sumit helped me update the schemas to add a missing index and fix a case sensitivity issue for the mail attribute:
dn: @INDEXLIST
changetype: modify
add: @IDXATTR
@IDXATTR: ghost

dn: @ATTRIBUTES
changetype: modify
add: mail
mail: CASE_INSENSITIVE
When I went to apply the ldif today, both entries failed as "(Attribute or value exists)". I looked at the yum changelog and I don't see anything that refers to actually having fixed this. What arguments can I feed to ldbsearch to confirm that the changes actually exist (note, I'm completely removing the cache file so it shouldn't exist).
thanks
=G=
6 years, 4 months
SSSD / id returns full correct information and then returns only partial information after several minutes.
by Brian Chow
First, sorry if this is easily findable information elsewhere; I did search but couldn't find anything that seemed relevant, although I'm not sure I was searching using proper terminology...
I have SSSD auth semi-working on an Arch system. When it's working, I can auth against Active Directory, SSH logins work, GDM logins work, sudo works, id <user> returns full group information, getent seems to work as expected, polkit appears to work correctly inside of Gnome... everything seems great. Until approx ~10 - ~20 minutes passes, and then SSSD seems to stop authenticating. id <username> returns only the ID, primary group, and a single other group membership, although correct for the information it does return. getent passwd <username> seems to work. getent group <groupname> returns all the users in the group, even though id doesn't list extended group information anymore. Polkit and SSH stop working. Even users not previously checked return information in the same shortened way: uid, primary gid, and one extended gid. GDM no longer allows logins. The SSSD process seems to be running OK. Stopping and restarting the SSSD service, and even rebooting, doesn't change anything at this point.
However, if I stop SSSD, delete the [cache?] db (rm /var/lib/sss/db/*) and restart sssd, this brings me back to a fully working state, again only for several minutes, and then it's right back to partial information and not authenticating.
Where do I even start with the troubleshooting? Or is this some known configuration issue that I've missed?
Thanks in advance.
6 years, 4 months