sssd-users October 2018

sssd-users@lists.fedorahosted.org

20 participants
22 discussions

Is it possible for SSSD to handle NTLMSSP authentication somehow?
by Reinaldo Souza Gomes 28 Oct '18

28 Oct '18

I know that this is an old topic, but I've seen contradictory answers in different places. Some topics say that SSSD has no support for NTLM due to its inherently unsecure nature, and will never have. But others such as this topic(https://bugzilla.redhat.com/show_bug.cgi?id=963341) seem to state that it could be possible through gssntlmssp package. The reason for my question is that I'm trying to use Samba with SSSD, and its authentication fail when the windows client falls back from kerberos to NTLMv2 for any reason: [2018/10/10 20:43:32.382948, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password) check_ntlm_password: Authentication for user [myusername] -> [myusername] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1[2018/10/10 20:43:32.382989, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Wed, 10 Oct 2018 20:43:32.382980 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [NTB005] remote host [ipv4:192.168.1.1:1914] mapped to [MYDOMAIN]\[myusername]. local host [ipv4:10.1.1.1:445] Is there anything I can do to make SSSD able to deal with NTLMv2/NTLMSSP?

4 10

Lowercase principals on login
by Tom 27 Oct '18

27 Oct '18

Is there a way to ensure the principal generated has the lowercase user not an uppercase user showing up in kinit? Cheers, Tom Sent from my iPhone

3 7

Intermittent issues with SSH access possibly due to the HBAC rules error
by Bart 20 Oct '18

20 Oct '18

Hi all, I have freeipa setup with 2 replicas and a trust relationship with AD. Occasionally,for periods of time usually less than half an hour all or a subset of my FreeIPA clients are not available via SSH. For the record, I use SSH keys and no password authentication. During these downtimes when I access them via local account I can see that user with his groups is resolved correctly (id, getent passwd). sss_ssh_authorizedkeys returns the correct ssh key. Users in question come from AD, they have ssh keys uploaded to the ID override. I bumped sssd debug_level to 7. /var/log/secure contains Permission denied: Oct 19 17:18:52 hostname sshd[18365]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied) Oct 19 17:18:52 hostname sshd[18366]: fatal: Access denied for user testuser by PAM account configuration In sssd_pam.log there are entries containing pam_reply called with result [6]: Permission denied.: Please, consider enabling SELinux in your system. (Fri Oct 19 15:21:38 2018) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'user' matched without domain, user is user (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): user: user (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.40.159 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 19055 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: user (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_send] (0x0400): CR #21495: New request 'Initgroups by name' (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_process_input] (0x0400): CR #21495: Parsing input name [user] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'user' matched without domain, user is user (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_set_name] (0x0400): CR #21495: Setting name [user] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_select_domains] (0x0400): CR #21495: Performing a multi-domain search (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_domains] (0x0400): CR #21495: Search will bypass the cache and check the data provider (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_set_domain] (0x0400): CR #21495: Using domain [win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_prepare_domain_data] (0x0400): CR #21495: Preparing input data for domain [win.domain.com] rules (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_send] (0x0400): CR #21495: Looking up user(a)win.domain.com (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_ncache] (0x0400): CR #21495: Checking negative cache for [user(a)win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_ncache] (0x0400): CR #21495: [user(a)win.domain.com] is not present in negative cache (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_dp] (0x0400): CR #21495: Looking up [user(a)win.domain.com] in data provider (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x4158f0:3:user@win.domain.com@win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [win.domain.com][0x3][BE_REQ_INITGROUPS][name=user@win.domain.com:-] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x4158f0:3:user@win.domain.com@win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_cache] (0x0400): CR #21495: Looking up [user(a)win.domain.com] in cache (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_ncache_filter] (0x0400): CR #21495: This request type does not support filtering result by negative cache (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_search_done] (0x0400): CR #21495: Returning updated object [user(a)win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_create_and_add_result] (0x0400): CR #21495: Found 239 entries in domain win.domain.com (Fri Oct 19 15:21:38 2018) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x4158f0:3:user@win.domain.com@win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [cache_req_done] (0x0400): CR #21495: Finished: Success (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is user(a)win.domain.com (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: win.domain.com (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): user: user(a)win.domain.com (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.40.159 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 19055 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: user (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied. (Fri Oct 19 15:21:38 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal. (Fri Oct 19 15:21:38 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 28 (Fri Oct 19 15:21:38 2018) [sssd[pam]] [client_recv] (0x0200): Client disconnected! (Fri Oct 19 15:21:49 2018) [sssd[pam]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled: SELINUX_getpeercon failed [92][Protocol not available]. Inside of sssd_linux.domain.com.log there are corresponding entries (ellipsized): (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=user(a)win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): DP Request [Initgroups #23562]: New request. Flags [0x0001]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=user))][cn=Default Trust View,cn=views,cn=accounts,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [user] to IPA server (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): Received [239] groups in group list from IPA Server (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): [user(a)win.domain.com] (...) (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): [rule_watcher_development(a)win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_s2n_get_user_done] (0x0400): [rule_admin_development(a)win.domain.com] (...) (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user(a)win.domain.com,cn=users,cn=win.domain.com,cn=sysdb] has set [ts_cache] attrs. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'member': value #0 on 'name=user(a)win.domain.com,cn=users,cn=win.domain.com,cn=sysdb' already exists] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_mod_group_member] (0x0400): Error: 17 (File exists) (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [user(a)win.domain.com] to group [name=user(a)win.domain.com,cn=users,cn=win.domain.com,cn=sysdb] Skipping. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_done] (0x0400): DP Request [Initgroups #23562]: Request handler finished [0]: Success (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #23562]: Receiving request data. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_initgr_pp_nss_notify] (0x0400): Ordering NSS responder to update memory cache (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Initgroups #23562]: Finished. Success. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_reply_std] (0x1000): DP Request [Initgroups #23562]: Returning [Success]: 0,0,Success (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::win.domain.com:name=user@win.domain.com] from reply table (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #23562]: Request removed. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_pam_handler] (0x0100): Got request with the following data (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): domain: win.domain.com (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): user: user(a)win.domain.com (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): service: sshd (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): tty: ssh (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): ruser: (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): rhost: 172.16.40.159 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): authtok type: 0 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): priv: 1 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): cli_pid: 19055 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [pam_print_data] (0x0100): logon name: not set (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): DP Request [PAM Account #23563]: New request. Flags [0000]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_access_send] (0x0400): Performing access check for user [user(a)win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [user(a)win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [user(a)win.domain.com] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=hostname.linux.com))][cn=accounts,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com] using OpenLDAP deref (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: cn=service_development,cn=hostgroups,cn=accounts,dc=linux,dc=domain,dc=com (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: cn=service_development,cn=ng,cn=alt,dc=linux,dc=domain,dc=com (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=a72ca9bc-9640-11e8-b757-02699e009f10,cn=sudorules,cn=sudo,dc=linux,dc=domain,dc=com (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: service_development (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linux,dc=domain,dc=com][2][(objectClass=ipaHBACService)] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linux,dc=domain,dc=com][2][(objectClass=ipaHBACServiceGroup)] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=linux,dc=domain,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=hostgroups,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=ng,cn=alt,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=a72ca9bc-9640-11e8-b757-02699e009f10,cn=sudorules,cn=sudo,dc=linux,dc=domain,dc=com)))] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=hostname.linux.com,cn=computers,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=hostgroups,cn=accounts,dc=linux,dc=domain,dc=com)(memberHost=cn=service_development,cn=ng,cn=alt,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com)(memberHost=ipaUniqueID=a72ca9bc-9640-11e8-b757-02699e009f10,cn=sudorules,cn=sudo,dc=linux,dc=domain,dc=com)))][cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=600c5bb8-9640-11e8-97b4-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=63673c38-9640-11e8-b757-02699e009f10,cn=hbac,dc=linux,dc=domain,dc=com]. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [rule_watcher_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [rule_watcher_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [rule_watcher_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [rule_watcher_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [rule_watcher_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [rule_admin_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [rule_admin_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [rule_admin_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [rule_admin_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [rule_admin_development_hbac_rule] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x1000): [238] groups for [user(a)win.domain.com] (...) (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=rule_admin_development(a)win.domain.com,cn=groups,cn=win.domain.com,cn=sysdb (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=rule_watcher_development(a)win.domain.com,cn=groups,cn=win.domain.com,cn=sysdb (...) (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): [< hbac_evaluate() (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): The rule [rule_watcher_development_hbac_rule] did not match. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): The rule [rule_admin_development_hbac_rule] did not match. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >] (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #23563]: Request handler finished [0]: Success (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #23563]: Receiving request data. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #23563]: Request removed. (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_method_enabled] (0x0400): Target selinux is not configured (Fri Oct 19 15:21:38 2018) [sssd[be[linux.domain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #23563]: Sending result [6][win.domain.com] The thing is that on the server, when I test hbacrule it shows me that this user should be able to acces this client host with either rule_watcher_development_hbac_rule or rule_admin_development_hbac_rule. Moreover, without any reconfiguration, situation seems to come back to normal after a couple of minutes, usually in less than an hour. sssd version is 1.16.1, ipa version 4.6.4-2. What could be a reason for this not working?

2 1

Re: smartcard authentication directly against AD (no IPA)?
by Pavel Arnošt 15 Oct '18

15 Oct '18

Hi, I'm trying to configure smartcard (pkinit) authentication against Active Directory on latest CentOS without success. AD authentication without smartcard works without problems and standalone kinit with smartcard also works but I can't managed to login with smartcard and sssd. Is it supposed to work in current state? What problem does mentioned patch addresses? I included krb5.conf, sssd.conf and krb5_child.log. What I considered strange is this part: (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt PIN]. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client has no configured identity; giving up (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed i.e. X509 identity is found but not used and prompt for PIN is ignored? What can be wrong? Thanks. krb5.conf: [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true dns_canonicalize_hostname = false rdns = false default_realm = VALVERA.LOCAL default_ccache_name = KEYRING:persistent:%{uid} [realms] VALVERA.LOCAL = { kdc = 172.30.30.30 admin_server = 172.30.30.30 pkinit_anchors = FILE:/etc/ca.crt pkinit_eku_checking = kpServerAuth pkinit_kdc_hostname = valvera.local pkinit_identities = PKCS11:libcoolkeypk11.so } sssd.conf: [sssd] debug_level = 9 domains = valvera.local config_file_version = 2 services = nss, pam [pam] pam_cert_auth = True [domain/valvera.local] debug_level = 9 ad_domain = valvera.local krb5_realm = VALVERA.LOCAL ldap_user_certificate = userCertificate;binary realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /home/%d/%u access_provider = ad krb5_child.log: (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): krb5_child started. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x1000): total buffer size: [202] (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x0100): cmd [249] uid [650201177] gid [650200513] validate [true] enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL] (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:650201177] old_ccname: [KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab] (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [check_use_fast] (0x0100): Not using FAST. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x2000): Running as [0][0]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [k5c_setup] (0x2000): Running as [0][0]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): Will perform pre-auth (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Got [Pavel Arnošt][libcoolkeypk11.so]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [VALVERA.LOCAL] (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480064: Getting initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480066: Sending request (209 bytes) to VALVERA.LOCAL (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480067: Initiating TCP connection to stream 172.30.30.30:88 (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480068: Sending TCP request to stream 172.30.30.30:88 (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480069: Received answer (189 bytes) from stream 172.30.30.30:88 (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480070: Terminating TCP connection to stream 172.30.30.30:88 (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480071: Response was from master KDC (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480072: Received error from KDC: -1765328359/Additional pre-authentication required (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480075: Processing preauth types: 16, 15, 19, 2 (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480076: Selected etype info: etype aes256-cts, salt "VALVERA.LOCALarnost", params "" (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0]. (Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt PIN]. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client has no configured identity; giving up (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87844: PKINIT client has no configured identity; giving up (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87845: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for arnost\@VALVERA.LOCAL@VALVERA.LOCAL]. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x0200): Received error code 0 (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [pack_response_packet] (0x2000): response packet size: [12] (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x4000): Response sent. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): krb5_child completed successfully (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): krb5_child started. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x1000): total buffer size: [208] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): cmd [241] uid [650201177] gid [650200513] validate [true] enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:650201177] old_ccname: [KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [check_use_fast] (0x0100): Not using FAST. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [650201177][650200513]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:650201177] and is not active and TGT is valid. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x2000): Running as [0][0]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_setup] (0x2000): Running as [0][0]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): Will perform online auth (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Got [Pavel Arnošt][libcoolkeypk11.so]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [VALVERA.LOCAL] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364762: Getting initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364764: Sending request (209 bytes) to VALVERA.LOCAL (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364765: Initiating TCP connection to stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364766: Sending TCP request to stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364767: Received answer (189 bytes) from stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364768: Terminating TCP connection to stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364769: Response was from master KDC (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364770: Received error from KDC: -1765328359/Additional pre-authentication required (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364773: Processing preauth types: 16, 15, 19, 2 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364774: Selected etype info: etype aes256-cts, salt "VALVERA.LOCALarnost", params "" (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0]. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x0200): Received error code 0 (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [pack_response_packet] (0x2000): response packet size: [12] (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x4000): Response sent. (Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): krb5_child completed successfully (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): krb5_child started. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x1000): total buffer size: [208] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): cmd [241] uid [650201177] gid [650200513] validate [true] enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:650201177] old_ccname: [KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [check_use_fast] (0x0100): Not using FAST. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [650201177][650200513]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:650201177] and is not active and TGT is valid. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x2000): Running as [0][0]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_setup] (0x2000): Running as [0][0]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): Will perform online auth (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Got [Pavel Arnošt][libcoolkeypk11.so]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [VALVERA.LOCAL] (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364762: Getting initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364764: Sending request (209 bytes) to VALVERA.LOCAL (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364765: Initiating TCP connection to stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364766: Sending TCP request to stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364767: Received answer (189 bytes) from stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364768: Terminating TCP connection to stream 172.30.30.30:88 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364769: Response was from master KDC (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364770: Received error from KDC: -1765328359/Additional pre-authentication required (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364773: Processing preauth types: 16, 15, 19, 2 (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364774: Selected etype info: etype aes256-cts, salt "VALVERA.LOCALarnost", params "" (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0]. Thanks, Regards, Pavel

1 0

SAMBA share server with SSSD and NTLM even possible?
by Erinn Looney-Triggs 12 Oct '18

12 Oct '18

I have a system that is joined to an AD domain via SSSD, it was happily running samba and serving shares using either kerberos or password authentication, with the update to Samba 4.7.1 in the RHEL 7.5 release, all of that stopped working. samba config file: [global] log level = 5 password server = * realm = AD.EXAMPLE.COM encrypt passwords = yes kerberos method = system keytab workgroup = AD server string = %h samba security = ADS map to guest = Bad User interfaces = <valid IP> hosts allow = <valid IP blocks> load printers = no passdb backend = tdbsam dns proxy = no max log size = 5000 bind interfaces only = no restrict anonymous = 2 #============================ Share Definitions ============================== [images] comment = example images path = /var/eng/ guest ok = no printable = no write list = create mask = 0664 directory mask = 0775 read only = no valid users = +valid-example-group force group = browseable = yes Now samba will not even start without either libwbclient or sssd-libwbclient installed with the above configuration. After installing sssd-libwbclient and modifying valid users to: valid users = AD\valid-example-group kerberos based connections will work just fine. However password based connections for windows systems that are not AD joined, or smbclient without kerberos, does not work. I believe this is falling back to NTLM and NTLM is simply not supported by SSSD correct? Oddly, what used to work, with basically a call to getgrnam() no longer works in 4.7.1 release of samba and there seems to be no mention that I can find as to why. Any thoughts? It looks an awful lot like, if we need to support both krb and password based connections we will need to use winbind, correct? Or is there another way to make this thing work? If I have to use winbind it looks like I need to use 'net ads join' or 'realm join --client-software=winbind' but it then seems to me that the system will be joined to the AD twice, once to use SSSD, and once for winbind is this correct? Is there a way to make winbind and SSSD work together? Further it looks like, according to this: https://bugzilla.redhat.com/show_bug.cgi?id=1558560 that RHEL 7.6 with Samba 4.8.1 will require winbind to be running period. I believe that statement to be a bit of an oversimplification because sssd-libwbclient should still work, or am I misunderstanding? Any guidance here would be great, this seems to be a fairly murky area, or my google fu is weak. -Erinn

2 9

realm re-join....
by Spike White 12 Oct '18

12 Oct '18

All, I had a VM down for a great number of days. Apparently, it was not 30 days. Because even though it initially didn't correct do AD authentication, I fixed one misconfiguration in /etc/krb5.conf, restarted SSSD and it did. But that raises a bigger question. If it's been >30 days and my machine account is no longer valid, how do I rejoin the domain? Is it: realm leave (no flags) readlm join (with all my usual flags that I use on the initial realm join) Spike

3 3

sssctl & InfoPipe
by Ondrej Valousek 12 Oct '18

12 Oct '18

Hi list. When I run # sssctl user-checks <username> The command will, under the "SSSD InfoPipe user lookup result" section: - Print some information no matter if I enable InfoPipe in the configuration or not - When I enable [ifp] and add an extra attributes, such as "user_attributes = +mail, +telephoneNumber, +givenname, +sn", they does not appear in the sssctl output as per above Is it intentional behavior? Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

2 1

local id_provider krb5 auth_provider
by Ken Teh 12 Oct '18

12 Oct '18

I tried setting up a domain that uses files for the account id but to use our active directory for authentication in sssd.conf. But when I fire up the sssd daemon, it reports that it is using files for the auth_provider. Is this setup possible? I know I can add the pam_krb5 directly into the pam stack to get what I need. I thought I'd try to do this within the pam_sss module framework.

2 1

Re: AD authentication on samba server using sssd
by Reinaldo Souza Gomes 10 Oct '18

10 Oct '18

But how can I make sure that NTLM(SSP) will never be used?? I’ve set up Samba with SSSD and everything Works fine... except for a few Windows machines which every now and then happen to send NTLM authentication flags to the Samba server, which happily forwards them. And then the authentication fails because SSSD doesn’t support NTLM. I’ve tried all sorts of parameters combination on smb.conf, but I didn’t find a way to completely refuse NTLM authentication on the Samba server, and force the client to use another authentication method (kerberos).

1 0

sssd fails to start when I enable [ifp]
by Ondrej Valousek 09 Oct '18

09 Oct '18

Hi List, Seems like sssd fails to start when I enable infopipe (i.e. add "ifp" to the services list). Log says: (Mon Oct 8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file] (Mon Oct 8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file (Mon Oct 8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus This is Centos-7, all updates applied, i.e. dbus-1.10.24, sssd-1.16.0-19.el7 Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

3 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users October 2018