November 2018 - sssd-users - Fedora Mailing-Lists

by Harald Dunkel

Hi folks, sssd 1.16.3-1 (rebuilt for Debian 9), systemd At boot time sssd_nss fails to initialize. systemctl status sssd shows root@srvl061:~# systemctl status sssd * sssd.service - System Security Services Daemon Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2018-11-22 11:57:30 CET; 46s ago Main PID: 1312 (sssd) Tasks: 5 (limit: 7372) CGroup: /system.slice/sssd.service |-1312 /usr/sbin/sssd -i --logger=files |-1345 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files |-1533 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files |-1534 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files `-1535 /usr/lib/x86_64-linux-gnu/sssd/sssd_pac --uid 0 --gid 0 --logger=files Nov 22 11:57:25 srvl061.ac.example.com systemd[1]: Starting System Security Services Daemon... Nov 22 11:57:25 srvl061.ac.example.com sssd[1312]: Starting up Nov 22 11:57:25 srvl061.ac.example.com sssd[be[1345]: Starting up Nov 22 11:57:30 srvl061.ac.example.com sssd[1533]: Starting up Nov 22 11:57:30 srvl061.ac.example.com sssd[1534]: Starting up Nov 22 11:57:30 srvl061.ac.example.com sssd[1535]: Starting up Nov 22 11:57:30 srvl061.ac.example.com systemd[1]: Started System Security Services Daemon. Nov 22 11:57:45 srvl061.ac.example.com sssd[be[1345]: Backend is offline Apparently this is a problem of resolvconf generating /etc/\ resolv.conf at boot time. If I replace it by a static file, then the problem is gone. Question is, how can I tell systemd to wait for resolv.conf? Is there some timeout in the backend I could adjust? Does it wait for the network at all? Every helpful comment is highly appreciated Regards Harri

3 months, 2 weeks

5
7
0 / 0

Failed gssapi-with-mic

by Sergei Gerasenko

Hi, I've run into a dead end debugging a case of passwordless authentication between two IPA'd hosts. Running `sshd -p 5000 -d` on the receiving host (let's call it HOST_B), I see this: ``` Postponed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 [preauth] debug1: Received some client credentials debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/USER/.k5login Failed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 ``` The client then gets an interactive password prompt. Here are some facts and things I've tried: * If I put the user into `.k5login` on the receiving host and it works. * The receiving host is correctly enrolled into IPA. I can ssh from it to other hosts using GSSAPI. * I can issue `kvno host/HOST_B` on the connecting host and I get a service ticket. * It looks like all this happens before any pam stuff kicks in (?). So I'm ruling PAM issues out. * No errors in the logs of the KDCs. * The ticket from the connecting host is not expired. * The sssd version is 1.16.0. * Turning up the debugging in sssd with `debug_level = 7` for the domain section doesn't reveal anything obvious. What else could I check? Thanks for any ideas, SG

8 months, 2 weeks

2
1
0 / 0

Access alternative yubikey slots

by Orion Poplawski

I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates: - my "orion" certificate - went into slot 9a PIV Auth - A MacOS keychain cert per their docs - when into slot 9d Key Management - Another auth certificate for "orion-admin" - went into slot 82 I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this? Thanks! -- Orion Poplawski Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion(a)nwra.com Boulder, CO 80301 https://www.nwra.com/

8 months, 3 weeks

2
10
0 / 0

Problem with resolving unqualified group names

by Ondrej Valousek

Hi List, I have noticed that in my case both getent passwd <username>@<domain> and getent passwd <username> works, but getent group <groupname>@<domain> does not, only: getent group <groupname> works. Is that expected behavior? Thanks, Ondrej

9 months

1
0
0 / 0

Re: Ubuntu Bionic - sssd 1.16.1 - kerberos ticket not renewing

by Jakub Hrozek

On Thu, Nov 01, 2018 at 05:20:57PM +0000, Jay McCanta wrote: > I have the snippets. May I mail them to you directly. I was trying to cleanse them, but I'm afraid I'm changing them too much. Yes, sure.

9 months, 1 week

2
1
0 / 0

Re: Fwd: Re: disable querying trusted "foreign" domains

by Michael Ströder

Sumit, thanks for your answer. Sumit Bose <sbose(a)redhat.com> wrote: > Michael Ströder wrote: >> I'm currently trouble-shooting performance issues on CentOS 6.10 running >> sssd 1.13.3 using sssd-ad as backend. >> >> Enumeration is already disabled. >> >> Also these options were set (DNS names obfuscated): >> ad_enabled_domains = ad1.example.com >> ad_server = dc1.ad1.example.com, dc2.ad1.example.com >> ad_enable_dns_sites = false >> >> Looking sssd still asks various naming contexts of the *many* other >> trusted domains. >> >> Any clue how to effectively disable all "foreign" lookups? > > ad_enabled_domains will ignore requests looking up users and groups from > domains not listed but I guess if a user from domain ad1.example.com is > a member of a group from ad2.example.com this group will still be looked > up. Fortunately every group needed should be in forest ad1.example.com. > Setting 'subdomain_provider = none' should disable all kind of domain > discovery. I couldn't find this in the man pages. Where is this parameter documented? Is it already available in package sssd-1.13.3-60.el6.x86_64 on RHEL/CentOS 6.10? Is it a global or a domain-specific parameter? We tried that (both global and domain), but no change. Still all domains are tried which are found beneath DC=DomainDnsZones,DC=ad1,DC=example,DC=com. My impression is also that this is done recursively leading to sssd contacting 70+ domains... > But depending on the other stetting you might e.g. have to > set ldap_idmap_default_domain_sid to tell SSSD about the domain SID of > the local domain to make automatic id-mapping work. No ID-mapping needed in this case. The MS AD entries contains uidNumber and gidNumber attributes. Ciao, Michael.

9 months, 1 week

2
1
0 / 0

sssd with sudo and non posix groups

by Leonard Lawton

I have a group in ldap(I'm using 389DS) called "_all" which has a groupofnames object class. Members are stored with the uniquemember attrtibute. The users in the group are able to login fine via ssh using this setup. However, I can't seem to figure out how to get sudo(via ldap) to work with my needs. The problem seems to be that I am using uniquemember which my configuration is not interpreting. I can't use rfc2307 and fall back to posix groups(and memberUID) only as I rely heavily on the groupofnames's functionality, so I really need to keep that. How can I configure sssd to let me use sudo while having a groupofnames as an authoritative source? Here is my config: [domain/dingos] ldap_schema = rfc2307bis ldap_group_search_base = dc=dingos?sub? ldap_user_search_base = ou=people,dc=dingos ldap_uri = ldaps://ldap-server ldap_tls_cacertdir = /etc/openldap/cacerts sudo_provider = ldap ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos)) id_provider = ldap auth_provider = ldap chpass_provider = ldap cache_credentials = false access_provider = ldap debug_level = 0x3ff0 ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos entry_cache_timeout = 1 [sssd] config_file_version = 2 services = nss, pam, sudo domains = dingos

9 months, 1 week

2
3
0 / 0

disable querying trusted "foreign" domains

by Michael Ströder

HI! I'm currently trouble-shooting performance issues on CentOS 6.10 running sssd 1.13.3 using sssd-ad as backend. Enumeration is already disabled. Also these options were set (DNS names obfuscated): ad_enabled_domains = ad1.example.com ad_server = dc1.ad1.example.com, dc2.ad1.example.com ad_enable_dns_sites = false Looking sssd still asks various naming contexts of the *many* other trusted domains. Any clue how to effectively disable all "foreign" lookups? Ciao, Michael.

9 months, 1 week

2
1
0 / 0

SSSD, Group accounts, Kerberos, and prompt_principal

by Pat Riehecky

With the release of the RHEL8 beta I was wondering if there was any thoughts/ideas/suggestions regarding https://bugzilla.redhat.com/show_bug.cgi?id=1623624 Pat -- Pat Riehecky Fermi National Accelerator Laboratory www.fnal.gov www.scientificlinux.org

9 months, 1 week

1
0
0 / 0

SSSD in AIX

by Ayappan

Hi, I am from AIX OS development team here in IBM. We have some customers who are interested in running SSSD in AIX. So i basically invested some amount of time to first build SSSD in AIX. I built the recent version 1.16.3 after working around some build issues. Below is the configure options. ./configure --prefix=/opt/freeware --disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --disable-rpath --with-manpages=no --without-python3-bindings --with-selinux=no --with-semanage=no --with-crypto=libcrypto --without-secrets --without-kcm I started the daemon but then it failed later with no stderr / logs produced anywhere. # /opt/freeware/sbin/sssd -i -d4 (1) root @ fvt-p7a2-lp16: / I see it invokes two other child process which also failed /opt/freeware/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 -d 0x01f0 --logger=stderr /opt/freeware/libexec/sssd/sssd_nss --uid 0 --gid 0 -d 0x01f0 --logger=stderr Any help would be appreciated. Thanks Ayappan P

9 months, 1 week

4
5
0 / 0

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users November 2018