Logwatch and FreeIPA/sssd
by Lachlan Musicman
Hola,
I have logwatch set up on my server, and there is a stanza in my daily
email called "**Unmatched Entries**", which is filled with lines from
either ipa or sssd:
Failed password for usename(a)domain.com from 10.126.67.170 port 57331 ssh2 : 2 time(s)
Accepted password for usename(a)domain.com from 10.126.67.170 port 61402 ssh2 : 1 time(s)
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hostname.domain.com user=usename(a)domain.com : 1 time(s)
Does anyone have a logwatch .conf script that they have written? Does such
a thing formally exist for ipa/sssd?
cheers
L.
------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
6 years, 10 months
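As an added illustration of what such a filter would need to do (this is not code from the post, and not a logwatch service script, which would be written in Perl), here is a small Python stand-in that parses entries of the shape shown in the post, totals failed and accepted sshd logins per user and per source address, tallies pam_sss successes and failures, and flags source addresses whose failure count crosses a threshold. The sample lines and the 10-failure threshold are constructed; the regexes assume the sshd and pam_sss message formats quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the logwatch "Unmatched Entries" block
# quoted in the post; users, hosts and addresses are placeholders.
SAMPLE = """\
Failed password for alice@example.com from 10.0.0.5 port 57331 ssh2 : 2 time(s)
Failed password for alice@example.com from 10.0.0.5 port 57400 ssh2 : 3 time(s)
Accepted password for alice@example.com from 10.0.0.5 port 61402 ssh2 : 1 time(s)
Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2 : 12 time(s)
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=alice@example.com : 1 time(s)
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=bob@example.com : 3 time(s)
some line this filter does not understand : 4 time(s)
"""

# logwatch appends " : N time(s)" to every collapsed entry
COUNT_RE = re.compile(r"^(?P<msg>.*?)\s*:\s*(?P<n>\d+) time\(s\)$")
# sshd login result lines, with or without the "invalid user" marker
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2.*$"
)
# pam_sss result lines; \b keeps "ruser=" from matching as "user="
PAM_SSS_RE = re.compile(
    r"^pam_sss\((?P<service>[\w-]+):(?P<type>\w+)\): authentication "
    r"(?P<result>success|failure);.*\buser=(?P<user>\S+)$"
)


def parse_entries(text):
    """Yield (kind, fields, count) per line; unrecognised lines come back as 'unknown'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if not m:
            yield ("unknown", {"line": line}, 1)
            continue
        msg, n = m.group("msg"), int(m.group("n"))
        s = SSHD_RE.match(msg)
        if s:
            yield ("sshd", s.groupdict(), n)
            continue
        p = PAM_SSS_RE.match(msg)
        if p:
            yield ("pam_sss", p.groupdict(), n)
            continue
        yield ("unknown", {"line": line}, n)


def summarize(text, fail_threshold=10):
    """Aggregate counts per user and per source; flag sources at or above fail_threshold."""
    summary = {
        "sshd_failed_by_user": defaultdict(int),
        "sshd_accepted_by_user": defaultdict(int),
        "sshd_failed_by_ip": defaultdict(int),
        "pam_sss_failures_by_user": defaultdict(int),
        "pam_sss_success_by_user": defaultdict(int),
        "unknown": [],
        "noisy_sources": [],
    }
    for kind, f, n in parse_entries(text):
        if kind == "sshd":
            if f["result"] == "Failed":
                summary["sshd_failed_by_user"][f["user"]] += n
                summary["sshd_failed_by_ip"][f["ip"]] += n
            else:
                summary["sshd_accepted_by_user"][f["user"]] += n
        elif kind == "pam_sss":
            key = "pam_sss_success_by_user" if f["result"] == "success" else "pam_sss_failures_by_user"
            summary[key][f["user"]] += n
        else:
            summary["unknown"].append(f["line"])
    summary["noisy_sources"] = sorted(
        ip for ip, c in summary["sshd_failed_by_ip"].items() if c >= fail_threshold
    )
    return summary


def render(summary):
    """Plain-text report in the spirit of a logwatch section."""
    out = ["sshd failures by source address:"]
    for ip, c in sorted(summary["sshd_failed_by_ip"].items(), key=lambda kv: -kv[1]):
        flag = "  <-- at/above threshold" if ip in summary["noisy_sources"] else ""
        out.append(f"  {ip:<16} {c:>4}{flag}")
    out.append("sshd failures by user:")
    out += [f"  {u:<24} {c:>4}" for u, c in sorted(summary["sshd_failed_by_user"].items())]
    out.append("sshd accepted by user:")
    out += [f"  {u:<24} {c:>4}" for u, c in sorted(summary["sshd_accepted_by_user"].items())]
    out.append("pam_sss failures by user:")
    out += [f"  {u:<24} {c:>4}" for u, c in sorted(summary["pam_sss_failures_by_user"].items())]
    if summary["unknown"]:
        out.append("still unmatched:")
        out += [f"  {l}" for l in summary["unknown"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE)))
```

For a real logwatch integration the same grouping logic would go in a Perl script under /etc/logwatch/scripts/services/ with a matching .conf; the point here is which fields are worth extracting (user, source address and result) so that a burst of failures from one address stands out from the routine successes instead of being buried in the unmatched block.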
i have no name
by Thomas Beaudry
Hi guys,
I am running into an issue in which my users lose their name momentarily. I have tried disabling reverse DNS, and I have a cron job that restarts sssd every hour as well as checking the id of each username to keep the usernames fresh. Is there something else I can do, or a cache I can enable so it doesn't need to recheck the username after you log in (I know I have been told that sssd caches everything, so I don't understand why I would lose the username)?
thanks,
Thomas
6 years, 10 months
autofs NFS v4.1 no longer working
by Thomas Beaudry
Hi Folks.
I have sssd managing autofs to mount some NFS shares with v4.1. Up until recently it has worked flawlessly, but now it isn't working on one of my machines. The username and group are being shown as: nobody 4294967294, so there is obviously a problem with the user ID mapping of the Windows AD accounts. I tried manually mounting the same share, and I have the same problem.
Now this used to work, so is this problem sssd related? If I look at the domain log I see stuff like:
(Mon Jun 19 12:19:57 2017) [sssd[be[domain.ca]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Mon Jun 19 12:19:57 2017) [sssd[be[domain.ca]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Mon Jun 19 12:20:01 2017) [sssd[be[domain.ca]]] [be_process_init] (0x0020): No selinux module provided for [domain.ca] !!
(Mon Jun 19 12:20:01 2017) [sssd[be[domain.ca]]] [be_process_init] (0x0020): No host info module provided for [domain.ca] !!
(Mon Jun 19 12:20:02 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [1693] failed with status [1].
(Mon Jun 19 12:20:08 2017) [sssd[be[domain.ca]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed: [110]: Connection timed out.
(Mon Jun 19 12:20:08 2017) [sssd[be[domain.ca]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [110]: Connection timed out.
(Mon Jun 19 12:20:08 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): waitpid did not found a child with changed status.
(Mon Jun 19 12:20:17 2017) [sssd[be[domain.ca]]] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
(Mon Jun 19 12:20:17 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [1697] was terminated by signal [9].
(Mon Jun 19 12:32:48 2017) [sssd[be[domain.ca]]] [be_process_init] (0x0020): No selinux module provided for [domain.ca] !!
(Mon Jun 19 12:32:48 2017) [sssd[be[domain.ca]]] [be_process_init] (0x0020): No host info module provided for [domain.ca] !!
(Mon Jun 19 12:32:48 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [8919] failed with status [1].
(Mon Jun 19 12:33:03 2017) [sssd[be[domain.ca]]] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
(Mon Jun 19 12:33:03 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [8923] was terminated by signal [9].
(Mon Jun 19 12:37:20 2017) [sssd[be[domain.ca]]] [be_process_init] (0x0020): No selinux module provided for [domain.ca] !!
(Mon Jun 19 12:37:20 2017) [sssd[be[domain.ca]]] [be_process_init] (0x0020): No host info module provided for [domain.ca] !!
(Mon Jun 19 12:37:21 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [10170] failed with status [1].
(Mon Jun 19 12:37:36 2017) [sssd[be[domain.ca]]] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
(Mon Jun 19 12:37:36 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [10174] was terminated by signal [9].
(Mon Jun 19 12:48:28 2017) [sssd[be[domain.ca]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed: [110]: Connection timed out.
(Mon Jun 19 12:48:28 2017) [sssd[be[domain.ca]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [110]: Connection timed out.
(Mon Jun 19 12:48:34 2017) [sssd[be[domain.ca]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed: [110]: Connection timed out.
(Mon Jun 19 12:48:34 2017) [sssd[be[domain.ca]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [110]: Connection timed out.
(Mon Jun 19 12:48:40 2017) [sssd[be[domain.ca]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed: [110]: Connection timed out.
(Mon Jun 19 12:48:40 2017) [sssd[be[domain.ca]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [110]: Connection timed out.
(Mon Jun 19 12:48:40 2017) [sssd[be[domain.ca]]] [sdap_save_grpmem] (0x0020): Group members are ignored, nothing to do. If you see this message it might indicate an error in the group processing logic.
(Mon Jun 19 12:48:40 2017) [sssd[be[domain.ca]]] [sdap_save_grpmem] (0x0020): Group members are ignored, nothing to do. If you see this message it might indicate an error in the group processing logic.
(Mon Jun 19 12:48:40 2017) [sssd[be[domain.ca]]] [sdap_save_grpmem] (0x0020): Group members are ignored, nothing to do. If you see this message it might indicate an error in the group processing logic.
Does this give a clue as to what the problem could be? Thanks!
Thomas
6 years, 10 months
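For readers who want a quick way to sort a debug log like the one quoted above into the handful of distinct problems it contains, the following Python triage script is an added example (not from the post or from the SSSD project). It parses the "(timestamp) [component] [function] (level): message" layout of sssd's logs, tags each line with a coarse category, collapses pids, errno values and signal numbers so repeated messages group together, and reports the time window and the domain involved. The sample lines are constructed after the ones quoted in the post; the final sssd.log line, with its microsecond timestamp, is included only to show that both timestamp variants parse. The category patterns are my own choice, not anything defined by sssd.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the post's domain log plus one sssd.log line;
# the domain name is a placeholder.
SAMPLE = """\
(Mon Jun 19 12:19:57 2017) [sssd[be[domain.ca]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Mon Jun 19 12:19:57 2017) [sssd[be[domain.ca]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Mon Jun 19 12:20:02 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [1693] failed with status [1].
(Mon Jun 19 12:20:08 2017) [sssd[be[domain.ca]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed: [110]: Connection timed out.
(Mon Jun 19 12:20:08 2017) [sssd[be[domain.ca]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [110]: Connection timed out.
(Mon Jun 19 12:20:17 2017) [sssd[be[domain.ca]]] [nsupdate_child_timeout] (0x0020): Timeout reached for dynamic DNS update
(Mon Jun 19 12:20:17 2017) [sssd[be[domain.ca]]] [child_sig_handler] (0x0020): child [1697] was terminated by signal [9].
(Fri Jun 16 11:08:39:282642 2017) [sssd] [main] (0x0010): pidfile exists at /var/run/sssd.pid
"""

# "(ts) [component] [function] (0xLEVEL): message"; the component may nest
# brackets, e.g. sssd[be[domain.ca]], so it is matched lazily up to "] [".
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
DOMAIN_RE = re.compile(r"be\[([^\]]+)\]")

# Coarse categories (my own grouping); first match wins.
CATEGORIES = [
    ("connectivity", re.compile(r"Connection timed out|No available servers")),
    ("dyndns", re.compile(r"dynamic DNS update")),
    ("child_failure", re.compile(r"child \[\d+\] (failed with status|was terminated by signal)")),
    ("pidfile", re.compile(r"pidfile exists")),
]

HINTS = {
    "connectivity": "LDAP connect() to every AD server timed out (errno 110): check DNS SRV "
                    "resolution for the domain and reachability of the DCs on the LDAP ports",
    "dyndns": "nsupdate could not complete; usually a symptom of the same DNS/network problem",
    "child_failure": "helper children exiting non-zero or being killed; read the lines just before each",
    "pidfile": "startup refused because /var/run/sssd.pid exists; confirm no sssd is running before clearing it",
}


def parse_ts(ts):
    """sssd writes either 'Mon Jun 19 12:19:57 2017' or, with debug_microseconds, '...:57:282642 2017'."""
    for fmt in ("%a %b %d %H:%M:%S %Y", "%a %b %d %H:%M:%S:%f %Y"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            pass
    return None


def categorize(msg):
    for name, rx in CATEGORIES:
        if rx.search(msg):
            return name
    return "other"


def parse_lines(text):
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = parse_ts(d["ts"])
        dm = DOMAIN_RE.search(d["comp"])
        d["domain"] = dm.group(1) if dm else None
        d["category"] = categorize(d["msg"])
        yield d


def triage(text):
    """Return counts per category, grouped messages, domains seen and the time window."""
    by_category, by_message, domains, stamps = Counter(), Counter(), set(), []
    for e in parse_lines(text):
        by_category[e["category"]] += 1
        # collapse pids, errno values and signal numbers so repeats group together
        by_message[(e["func"], re.sub(r"\d+", "N", e["msg"]))] += 1
        if e["domain"]:
            domains.add(e["domain"])
        if e["ts"]:
            stamps.append(e["ts"])
    top = sorted(by_message.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "total": sum(by_category.values()),
        "by_category": dict(by_category),
        "top_messages": [(f, m, c) for (f, m), c in top],
        "domains": sorted(domains),
        "first_ts": min(stamps) if stamps else None,
        "last_ts": max(stamps) if stamps else None,
    }


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['total']} lines, domains {r['domains']}, {r['first_ts']} .. {r['last_ts']}")
    for cat, n in sorted(r["by_category"].items(), key=lambda kv: -kv[1]):
        print(f"  {cat:<14} {n:>3}  {HINTS.get(cat, '')}")
    for func, msg, n in r["top_messages"][:5]:
        print(f"  {n:>3}x [{func}] {msg}")
```

In this sample the connectivity category dominates: every LDAP connect to the AD backend timed out and the failover code found no usable server, which is consistent with the nobody/4294967294 mapping in the post, since without a reachable backend sssd cannot map AD accounts to POSIX IDs once its cache entries expire. The dynamic DNS timeouts and the killed nsupdate children are most likely downstream symptoms of the same unreachable domain rather than separate faults.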
can't restart sssd
by Thomas Beaudry
Hi,
Up until recently I had sssd running on an Ubuntu machine for 10 months. This machine has an identical setup to 20 other ones. When I try to restart sssd I get the following error:
root@perf-hpc01:/var/log/sssd# systemctl status sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2017-06-16 11:08:39 EDT; 7s ago
Process: 120110 ExecStart=/usr/sbin/sssd -i -f (code=exited, status=2)
Main PID: 120110 (code=exited, status=2)
Jun 16 11:08:39 perf-hpc01 systemd[1]: Starting System Security Services Daemon...
Jun 16 11:08:39 perf-hpc01 sssd[120110]: SSSD is already running
Jun 16 11:08:39 perf-hpc01 systemd[1]: sssd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 16 11:08:39 perf-hpc01 systemd[1]: Failed to start System Security Services Daemon.
Jun 16 11:08:39 perf-hpc01 systemd[1]: sssd.service: Unit entered failed state.
Jun 16 11:08:39 perf-hpc01 systemd[1]: sssd.service: Failed with result 'exit-code'.
If I look at my sssd.log (the only one that had something written to it), I see:
(Fri Jun 16 11:08:39:282642 2017) [sssd] [main] (0x0010): pidfile exists at /var/run/sssd.pid
I have my debug level set to 10.
Any help would be greatly appreciated!
Thomas
6 years, 10 months
SSSD cached logins on screen lock
by falbee@cassens.com
Hi,
I have recently set up a test FreeIPA server, and sssd on a client machine. Everything works as expected, but if the FreeIPA server is offline, I cannot get past the lock screen. I cannot even type the password in. To get past this I have to click "login as a different user", and then relogin with the original user.
I noticed these in the logs while trying to unlock
in /var/log/messages:
gdm: AccountsService: ActUserManager: user (null) has no username (object path: /org/freedesktop/Accounts/User0, uid: 0)
in /var/log/secure:
gkr-pam: no password is available for user
By editing /etc/pam.d/gdm-password I can get around this.
I edited the line:
session required pam_namespace.so ignore_config_error
to have the ignore_config_error parameter added to pam_namespace.so. The file now reads:
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password substack password-auth
-password optional pam_gnome_keyring.so use_authtok
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so ignore_config_error
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
Is this an expected or normal behaviour? Is there any other way to get around this issue other than ignoring the error message?
6 years, 10 months
Is there any way to disable dns lookup or set different dns server.
by Rishat Teregulov
Is there any way to fully disable DNS server lookup or set a different DNS server for service discovery (like the dyndns_server string, but just a dns_server string)?
I tried to set all parameters in krb5.conf and sssd.conf for the server, but it still tries to do a DNS lookup.
6 years, 10 months
Unable to get accounts from parent domain to authenticate
by acybulski@albany.edu
I'm trying to get my system to accept logins from both the child domain it is a part of and my campus's parent domain, where most user accounts are stored. I have added both domains to the sssd.conf and the krb5.conf files (perhaps incorrectly).
The child domain authenticates fine; the parent domain does not. Oddly, the system seems to connect to AD well enough, as the login screen translates the account name to the user's full name, and I receive this in the secure log:
Jun 13 13:05:40 host-univ-school-edu gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=sysuser(a)univ.school.edu
Jun 13 13:05:40 host-univ-school-edu gdm-password]: pam_sss(gdm-password:account): Access denied for user sysuser(a)univ.school.edu: 6 (Permission denied)
Jun 13 13:10:55 host-univ-school-edu gdm-password]: gkr-pam: no password is available for user
Any help is appreciated. Let me know if I should attach any files.
6 years, 10 months
login hangs with enumerate = true
by Joakim Tjernlund
Both 1.15.2 and git master hang after less than 24 hours on a server.
I can see this repeating in the domain log:
(Fri Jun 9 18:21:49 2017) [sssd[be[infinera.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Fri Jun 9 18:21:49 2017) [sssd[be[infinera.com]]] [ldb] (0x0010): A transaction is still active in ldb context [0xf65ce0] on /var/lib/sss/db/cache_infinera.com.ldb
(Fri Jun 9 18:22:42 2017) [sssd[be[infinera.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Fri Jun 9 18:22:42 2017) [sssd[be[infinera.com]]] [ldb] (0x0010): A transaction is still active in ldb context [0x239cce0] on /var/lib/sss/db/cache_infinera.com.ldb
(Fri Jun 9 18:23:35 2017) [sssd[be[infinera.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Fri Jun 9 18:23:35 2017) [sssd[be[infinera.com]]] [ldb] (0x0010): A transaction is still active in ldb context [0x1421ce0] on /var/lib/sss/db/cache_infinera.com.ldb
(Fri Jun 9 18:24:28 2017) [sssd[be[infinera.com]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Fri Jun 9 18:24:28 2017) [sssd[be[infinera.com]]] [ldb] (0x0010): A transaction is still active in ldb context [0x1cb0ce0] on /var/lib/sss/db/cache_infinera.com.ldb
Ideas?
Jocke
6 years, 10 months
Re: SSSD: Cross Forest AD Trust with sssd-ad provider
by Tony Barganski
Hi Jakub Hrozek,
I also have a use case for this. My situation is that we are building out Linux Server environments in AWS cloud for SAP clients and want a way to have centralised accounts for our engineers and allow customers to login with their Microsoft AD user accounts.
I’ve been able to get this to work with the Linux Servers (CentOS 7) connected to our IPA Domain with a one-way trust relationship between our IPA Domain and the customer's AD forest; however, IPA is another set of infrastructure that we would rather do without, and use our existing Microsoft AD domain with a one-way trust from customer to us.
This doesn’t seem to work when the Linux Server is a member of our Microsoft AD domain.
On Tue, Mar 01, 2016 at 12:10:30AM -0000, kprprl(a)gmail.com wrote:
… <https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...> "Not supported at the moment short of joining the client to the two forests and defining two [domain] sections.”
Q1. How can I join the client to two forests and define two [domain] sections?
On Tue, Mar 01, 2016 at 12:10:30AM -0000, kprprl(a)gmail.com wrote:
“...It's planned but we're not there yet…”
Q2. Any news on when this feature may be implemented on your Road Map?
Best Regards,
Tony Barganski
6 years, 10 months
Inconsistent group membership
by Ondrej Valousek
Hi,
For some users I experience inconsistent group membership, i.e. "getent group G" does not list user U as a member, but "id -a U" command shows the group G.
Is that normal or a known issue?
Thanks,
Ondrej
6 years, 10 months