sssd with sudo and non posix groups
by Leonard Lawton
I have a group in LDAP (I'm using 389DS) called "_all" which has a
groupofnames object class. Members are stored with the uniquemember
attribute. The users in the group are able to login fine via ssh using
this setup. However, I can't seem to figure out how to get sudo (via
ldap) to work with my needs.
The problem seems to be that I am using uniquemember, which my
configuration is not interpreting. I can't use rfc2307 and fall back to
posix groups (and memberUID) only, as I rely heavily on the groupofnames
functionality, so I really need to keep that. How can I configure sssd
to let me use sudo while having a groupofnames as an authoritative source?
Here is my config:
[domain/dingos]
ldap_schema = rfc2307bis
ldap_group_search_base = dc=dingos?sub?
ldap_user_search_base = ou=people,dc=dingos
ldap_uri = ldaps://ldap-server
ldap_tls_cacertdir = /etc/openldap/cacerts
sudo_provider = ldap
ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos))
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
cache_credentials = false
access_provider = ldap
debug_level = 0x3ff0
ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos
entry_cache_timeout = 1
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = dingos
5 years, 5 months
disable querying trusted "foreign" domains
by Michael Ströder
Hi!
I'm currently trouble-shooting performance issues on CentOS 6.10 running
sssd 1.13.3 using sssd-ad as backend.
Enumeration is already disabled.
Also these options were set (DNS names obfuscated):
ad_enabled_domains = ad1.example.com
ad_server = dc1.ad1.example.com, dc2.ad1.example.com
ad_enable_dns_sites = false
Looking sssd still asks various naming contexts of the *many* other
trusted domains.
Any clue how to effectively disable all "foreign" lookups?
Ciao, Michael.
5 years, 5 months
SSSD in AIX
by Ayappan
Hi,
I am from the AIX OS development team here in IBM. We have some customers
who are interested in running SSSD in AIX. So I basically invested
some amount of time to first build SSSD in AIX. I built the recent
version 1.16.3 after working around some build issues. Below are the
configure options.
./configure --prefix=/opt/freeware --disable-cifs-idmap-plugin
--without-nfsv4-idmapd-plugin --disable-rpath --with-manpages=no
--without-python3-bindings --with-selinux=no --with-semanage=no
--with-crypto=libcrypto --without-secrets --without-kcm
I started the daemon but then it failed later with no stderr / logs
produced anywhere.
# /opt/freeware/sbin/sssd -i -d4
(1) root @ fvt-p7a2-lp16: /
I see it invokes two other child processes which also failed:
/opt/freeware/libexec/sssd/sssd_be --domain implicit_files --uid 0
--gid 0 -d 0x01f0 --logger=stderr
/opt/freeware/libexec/sssd/sssd_nss --uid 0 --gid 0 -d 0x01f0 --logger=stderr
Any help would be appreciated.
Thanks
Ayappan P
5 years, 5 months
SSSD login delay
by Jonathan Gray
Hello,
We need help debugging this issue.
For some servers we're experiencing over 10 second delay logging in with IPA user.
Since the issue isn't present everywhere we're finding it hard to debug.
SSSD config looks like this:
[domain/hostname.com]
cache_credentials = true
krb5_store_password_if_offline = true
ipa_domain = hostname.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = hostname.com
chpass_provider = ipa
dyndns_update = True
ipa_server = ipa1-hostname, ipa2-hostname
dyndns_iface = eth0
dns_discovery_domain = hostname.com
debug_level = 9
[sssd]
services = nss, sudo, pam, ssh
domains = hostname.com
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
We're wondering if there's any obvious configurations we could apply above that would improve SSSD performance, and what exactly to look out for in sssd debug logs that would help us with our investigation.
Thanks
5 years, 5 months
Id vs ldapsearch
by Tom
Just a general question about the behaviour of sss_cache, id and ldapsearch.
id will return say 8 groups and for the same user ldapsearch will return 10.
Now as long as id returns 8, apps report authentication denied because the user is not in an expected group. Now when we run sss_cache -E to invalidate the cache, id will now return all 10 groups.
Now the group change was done days ago and our entry_cache_timeout is at default of 5400.
Why do we still need to run sss_cache -E if the timeout should take care of things? We are directly authenticated against AD via computer objects.
Just asking a general question as I’m curious how this works.
Cheers,
Tom
Sent from my iPhone
5 years, 5 months
Re: Ubuntu Bionic - sssd 1.16.1 - kerberos ticket not renewing
by Jakub Hrozek
On Wed, Oct 31, 2018 at 08:20:55PM +0000, Jay McCanta wrote:
> Yes. Kinit -R renews the ticket (if it hasn't expired).
OK, can you attach a snippet of the logs? I think the domain log and
the krb5_child.log are the most important.
5 years, 5 months