December 2018 - sssd-users - Fedora Mailing-Lists

yubikey-based pkinit stopped working switching from sssd 1.15.2/Ubuntu 16.04 auf sssd 1.16.1/Ubuntu 18.04

by tallinn1960＠yahoo.de

My client has a working setup of sssd/kerberos/ldap utilizing yubikeys and pkinit as the login mechanism, based on sssd 1.15.2 and Ubuntu 16.04. My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test installation of the latter with the corresponding sssd-version 1.16.1 does not allow yubikey-based login, although both kinit and p11_child do see the yubikey and the certificate on it. Kinit with yubikey does work. Analysis of log gives that krb5_child behavior has changed. The function answer_pkinit is called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and kr->pd->authtok set to SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with kr->pd->cmd set to SSS_PAM_PREAUTH and kr->pd->authtok set to 0 in 1.16.1, causing the function to skip all pkinit/smarcard-related prompting and processing. Both installations are using the same sssd.conf,krb5.conf etc. How shall we fix this?

3 months, 1 week

2
5
0 / 0

Cannot authenticate user from parent domain in a child-domain joined server

by Chris J

Hi all, I'm having problems having sssd authenticate a user in a parent domain in the same forest with SSSD. In brief, it's an Ubuntu 18.04 box with sssd 1.16.1: the box was joined to the domain 'development.cseserve.com' with 'realm join'. Users in the that domain can authenticate successfully, but users in the parent domain cseserve.com cannot. After some reading, I found the sssctl command, and that the sssd.conf file needed a tweak to add 'ifp' to the list of services, which gave access to the user-checks. Configuration file and output of various sssctl checks is at the bottom of this email. If I attempt authenticate as user in cseserv.com, I get: root@hs-svn-02:/var/log/sssd# sssctl user-checks chris.johnson(a)cseserv.com -a auth user: chris.johnson(a)cseserv.com action: auth service: system-auth SSSD nss user lookup result: - user name: chris.johnson(a)cseserv.com - user id: 715601141 - group id: 715601141 - gecos: Chris Johnson - home directory: /home/chris.johnson(a)cseserv.com - shell: /bin/bash SSSD InfoPipe user lookup result: - name: chris.johnson(a)cseserv.com - uidNumber: 715601141 - gidNumber: 715601141 - gecos: Chris Johnson - homeDirectory: - loginShell: testing pam_authenticate Password: pam_authenticate for user [chris.johnson(a)cseserv.com]: Authentication failure PAM Environment: - no env - root@hs-svn-02:/var/log/sssd# Now in /var/log/syslog, when I tail -f during sssctl user-checks, I get the error: Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database I can't see any other pertinent errors in log files, but I'm happy to provide more if I know what to send over :-) This error does not occur for a user in the development.cseserv.com domain, which completes successfully: [...deleted the preamble...] testing pam_authenticate Password: pam_authenticate for user [cjohnson(a)development.cseserve.com]: Success PAM Environment: - KRB5CCNAME=FILE:/tmp/krb5cc_376801009_vS8U1c I've tried various things based on various searches, including creating a /etc/krb5.conf file to specify encryption protocols, and after a restart this did not change the behaviour: [libdefaults] allow_weak_crypto = true default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rdns=false dns_lookup_kdc = true Additionally I've tried explicitly declaring the cseserv domain as a trusted domain in sssd.conf (based on https://docs.pagure.org/SSSD.sssd/users/ad_provider.html#etc-sssd-sssd-conf), and this failed as well: [sssd] domains = development.cseserv.com, cseserv.com {...rest unchanged...} [domain/development.cseserve.com/cseserve.com] ad_server = hs-dc-01.cseserve.com What obvious thing am I missing? From what I'm reading, this should work. Regards, Chris ==================================================================== Sanity checking the domain configuration: realm list gives: root@hs-svn-02:/var/log/sssd# realm list development.cseserv.com type: kerberos realm-name: DEVELOPMENT.CSESERV.COM domain-name: development.cseserv.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin login-formats: %U(a)development.cseserv.com login-policy: allow-realm-logins root@hs-svn-02:/var/log/sssd# sssctl domain-list shows that the parent domain was auto-discovered: root@hs-svn-02:/var/log/sssd# sssctl domain-list development.cseserve.com test.cseserve.com hst.cseserve.com cseserve.com root@hs-svn-02:/var/log/sssd# sssctl domain-status development.cseserv.com gives: Online status: Online Active servers: AD Global Catalog: hs-dc-01.development.cseserv.com AD Domain Controller: hs-dc-01.development.cseserv.com Discovered AD Global Catalog servers: - hs-dc-01.development.cseserv.com - hs-dc-02.development.cseserv.com - gsh-dc-04.cseserv.com - gsh-dc-05.cseserv.com - gsh-dc-01.cseserv.com Discovered AD Domain Controller servers: - hs-dc-01.development.cseserv.com - hs-dc-02.development.cseserv.com sssctl domain-status cseserv.com gives: root@hs-svn-02:/var/log/sssd# sssctl domain-status cseserv.com Online status: Online Active servers: AD Domain Controller: gsh-dc-04.cseserv.com AD Global Catalog: hs-dc-01.development.cseserv.com Discovered AD Domain Controller servers: - gsh-dc-04.cseserv.com - gsh-dc-01.cseserv.com - gsh-dc-05.cseserv.com - gln-dc-01.cseserv.com Discovered AD Global Catalog servers: - hs-dc-01.development.cseserv.com - hs-dc-02.development.cseserv.com - gsh-dc-04.cseserv.com - gsh-dc-05.cseserv.com - gsh-dc-01.cseserv.com My sssd.conf file: [sssd] domains = development.cseserve.com config_file_version = 2 services = nss, pam, ifp debug_level = 9 [domain/development.cseserve.com] ad_domain = development.cseserve.com krb5_realm = DEVELOPMENT.CSESERVE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad

4 months, 1 week

2
3
0 / 0

Can I have sssd manage known_hosts with LDAP?

by George Diamantopoulos

Hello all, I've been trying (and failing) to configure sssd to use LDAP to retrieve hosts' public SSH keys. I'd like to ask if this is possible with LDAP at all, or this feature is only supported with FreeIPA. If yes, what search filter does sssd use to lookup keys in LDAP? I'm using the sshPublicKey attribute for both people and machines in my LDAP schema, but I can't figure out what attribute is checked to determine the hostname. User ssh public key retrieval works fine in my configuration. I'm using sssd 1.15 which ships with debian stretch. Thanks! BR, George

4 months, 1 week

5
6
0 / 0

sssd AD authentication working; sssd autofs against LDAP / rfc2307bis not working...

by Spike White

Sssd experts, This is all on RHEL7. I have sssd properly authenticating against AD for my multi-domain forest. All good – even cross-domain auth (as long as I don’t use tokengroups.) Our company’s AD implementation is RFC2307bis schema-extended. Now – for complicated reasons – I’m told I need to get nis automaps and nis netgroups in AD and also working on the clients (via sssd) also. As a first testing step, I’ve stood up an openLDAP server on another RHEL7 server. And schema extended it with RFC 2307 bis. http://bubblesorted.raab.link/content/replace-nis-rfc2307-rfc2307bis-sche... I added an initial automap. When I query via ldapsearch, all looks good: [root@spikerealmd02 sssd]# ldapsearch -LLL -x -H ldap:// austgcore17.us.example.com -b 'ou=automount,ou=admin,dc=itzgeek,dc=local' -s sub -D 'cn=ldapadm,dc=itzgeek,dc=local' -w ldppassword 'objectClass=automountMap' dn: automountMapName=auto.master,ou=automount,ou=admin,dc=itzgeek,dc=local objectClass: top objectClass: automountMap automountMapName: auto.master dn: automountMapName=auto.home,ou=automount,ou=admin,dc=itzgeek,dc=local objectClass: top objectClass: automountMap automountMapName: auto.home [root@spikerealmd02 sssd]# ldapsearch -LLL -x -H ldap:// austgcore17.us.example.com -b 'ou=automount,ou=admin,dc=itzgeek,dc=local' -s sub -D 'cn=ldapadm,dc=itzgeek,dc=local' -w ldppassword 'objectClass=automount' dn: automountKey=/home2,automountMapName=auto.master,ou=automount,ou=admin,dc= itzgeek,dc=local objectClass: top objectClass: automount automountKey: /home2 automountInformation: ldap:automountMapName=auto.home,ou=automount,ou=admin,dc =itzgeek,dc=local --timeout=60 --ghost dn: automountKey=/,automountMapName=auto.home,ou=automount,ou=admin,dc=itzgeek ,dc=local objectClass: top objectClass: automount automountKey: / automountInformation: -fstype=nfs,rw,hard,intr,nodev,exec,nosuid,rsize=8192,ws ize=8192 austgcore17.us.example.com:/export/& [root@spikerealmd02 sssd]# Next, the sssd client configuration. In my good sssd client’s sssd.conf file, I added “autofs” to my services line and added an “autofs” section. That is, I have changed my /etc/sssd/sssd.conf file as so: [sssd] … services = nss,pam,autofs … [autofs] debug_level = 9 autofs_provider = ldap ldap_uri= ldap://austgcore17.us.example.com ldap_schema = rfc2307bis ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local ldap_default_authtok = ldppassword ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local ldap_autofs_map_object_class = automountMap ldap_autofs_map_name = automountMapName ldap_autofs_entry_object_class = automount ldap_autofs_entry_key = automountKey ldap_autofs_entry_value = automountInformation [nss] debug_level = 9 I appended sss to automount line in /etc/nsswitch.conf file: automount: files sss Yet, when I try to restart autofs service it (eventually) times out: [root@spikerealmd02 sssd]# systemctl restart sssd [root@spikerealmd02 sssd]# systemctl restart autofs Job for autofs.service failed because a timeout was exceeded. See "systemctl status autofs.service" and "journalctl -xe" for details. Journalctl –xe reports this: Dec 03 11:14:09 spikerealmd02.us.example.com [sssd[ldap_child[9653]]][9653]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection. … Dec 03 11:14:15 spikerealmd02.us.example.com [sssd[ldap_child[9680]]][9680]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication faile Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: autofs.service start operation timed out. Terminating. Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: Failed to start Automounts filesystems on demand. -- Subject: Unit autofs.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit autofs.service has failed. -- -- The result is failed. Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: Unit autofs.service entered failed state. Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: autofs.service failed. Dec 03 11:14:22 spikerealmd02.us.example.com polkitd[897]: Unregistered Authentication Agent for unix-process:9073:241010 (system bus :1.132, object path /org/freedeskt /var/log/sssd/ssd_nss.log looks like this: (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [sysdb_get_certmap] (0x0020): Failed to read certmap config, skipping. (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f7263a1fc0 (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f7263a2080 (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Running timer event 0x55f7263a1fc0 "ltdb_callback" (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Destroying timer event 0x55f7263a2080 "ltdb_timeout" (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Ending timer event 0x55f7263a1fc0 "ltdb_callback" (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [sysdb_get_certmap] (0x0400): No certificate maps found. What is wrong? BTW, for now – I don’t care about a GSSAPI SASL LDAP binding; a simple binding is what I want. BTW, I have not modified the /etc/autofs.conf file. I considered this, but it seems that if I did – it’d be bypassing nss / sssd. Also, I’d have another SASL creds hanging out there that’d I’d have to periodically rotate on all clients, instead of relying on SSSD’s machine account that’s auto-rotated every 30 days.

4 months, 1 week

2
2
0 / 0

filter out disabled ipa user

by Stijn De Weirdt

hi all, we are using ipa as id_provider/access_provider/auth_provider for a domain, and we want to somehow completely hide users that are disabled in ipa. for now, disabled users are still known on the hosts (eg "getent passwd userxyz" works and gives the correct userid). we would like that eg "getent passwd userxyz" returns nothing (in particular we want that that userid can't start any new process anymore, and that the nfs mounts show that files the belong to the disabled user show up as owned by nobody etc etc. is there any way to filter these users? perhaps some config setting i overlooked, or some ldap filter i can use? many thanks, stijn

4 months, 1 week

2
2
0 / 0

Failed gssapi-with-mic

by Sergei Gerasenko

Hi, I've run into a dead end debugging a case of passwordless authentication between two IPA'd hosts. Running `sshd -p 5000 -d` on the receiving host (let's call it HOST_B), I see this: ``` Postponed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 [preauth] debug1: Received some client credentials debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/USER/.k5login Failed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 ``` The client then gets an interactive password prompt. Here are some facts and things I've tried: * If I put the user into `.k5login` on the receiving host and it works. * The receiving host is correctly enrolled into IPA. I can ssh from it to other hosts using GSSAPI. * I can issue `kvno host/HOST_B` on the connecting host and I get a service ticket. * It looks like all this happens before any pam stuff kicks in (?). So I'm ruling PAM issues out. * No errors in the logs of the KDCs. * The ticket from the connecting host is not expired. * The sssd version is 1.16.0. * Turning up the debugging in sssd with `debug_level = 7` for the domain section doesn't reveal anything obvious. What else could I check? Thanks for any ideas, SG

4 months, 1 week

2
1
0 / 0

Re: Problem with resolving unqualified group names

by Jakub Hrozek

On Fri, Nov 23, 2018 at 10:16:26AM +0000, Ondrej Valousek wrote: > Hi List, > > > I have noticed that in my case both > > getent passwd <username>@<domain> and getent passwd <username> > > works, but > > getent group <groupname>@<domain> > > does not, only: > > getent group <groupname> > > works. > > > Is that expected behavior? No (but I don't know what else to add except worksforme..)

4 months, 1 week

1
0
0 / 0

Mail problems with new submissions to sssd-users list?

by Spike White

Is there any problem with new email messages going to to this sssd-users mailing list? I sent an email 6 days ago and again re-submitted it 4 days ago, about sssd auth against AD working; sssd autofs against LDAP / rfc2307bis not working. to date, I have not seen it appear in this sssd-users mailbox yet. I'm flummoxed on the problem and need help from people more knowledgeable than me. The mail message wasn't in violation of any mailing list policies (wasn't excessively long, etc). The above subject line might be slightly long, but I don't think that'd be a problem. I realize these sssd-user mailing list maintainers are frequently out for 2-3 days, due to their job roles, but I've seen other email responses on this mailing list since then. Spike White

4 months, 1 week

2
2
0 / 0

Access alternative yubikey slots

by Orion Poplawski

I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates: - my "orion" certificate - went into slot 9a PIV Auth - A MacOS keychain cert per their docs - when into slot 9d Key Management - Another auth certificate for "orion-admin" - went into slot 82 I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this? Thanks! -- Orion Poplawski Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion(a)nwra.com Boulder, CO 80301 https://www.nwra.com/

4 months, 2 weeks

2
10
0 / 0

sssd AD authentication working; sssd autofs against LDAP / rfc2307bis not working?

by Spike White

Sssd experts, This is all on RHEL7. I have sssd properly authenticating against AD for my multi-domain forest. All good – even cross-domain auth (as long as I don’t use tokengroups.) Our company’s AD implementation is RFC2307bis schema-extended. Now – for complicated reasons – I’m told I need to get nis automaps and nis netgroups in AD and also working on the clients (via sssd) also. As a first testing step, I’ve stood up an openLDAP server on another RHEL7 server. And schema extended it with RFC 2307 bis. http://bubblesorted.raab.link/content/replace-nis-rfc2307-rfc2307bis-sche... I added an initial automap. When I query via ldapsearch, all looks good: [root@spikerealmd02 sssd]# ldapsearch -LLL -x -H ldap:// austgcore17.us.example.com -b 'ou=automount,ou=admin,dc=itzgeek,dc=local' -s sub -D 'cn=ldapadm,dc=itzgeek,dc=local' -w ldppassword 'objectClass=automountMap' dn: automountMapName=auto.master,ou=automount,ou=admin,dc=itzgeek,dc=local objectClass: top objectClass: automountMap automountMapName: auto.master dn: automountMapName=auto.home,ou=automount,ou=admin,dc=itzgeek,dc=local objectClass: top objectClass: automountMap automountMapName: auto.home [root@spikerealmd02 sssd]# ldapsearch -LLL -x -H ldap:// austgcore17.us.example.com -b 'ou=automount,ou=admin,dc=itzgeek,dc=local' -s sub -D 'cn=ldapadm,dc=itzgeek,dc=local' -w ldppassword 'objectClass=automount' dn: automountKey=/home2,automountMapName=auto.master,ou=automount,ou=admin,dc= itzgeek,dc=local objectClass: top objectClass: automount automountKey: /home2 automountInformation: ldap:automountMapName=auto.home,ou=automount,ou=admin,dc =itzgeek,dc=local --timeout=60 --ghost dn: automountKey=/,automountMapName=auto.home,ou=automount,ou=admin,dc=itzgeek ,dc=local objectClass: top objectClass: automount automountKey: / automountInformation: -fstype=nfs,rw,hard,intr,nodev,exec,nosuid,rsize=8192,ws ize=8192 austgcore17.us.example.com:/export/& [root@spikerealmd02 sssd]# Next, the sssd client configuration. In my good sssd client’s sssd.conf file, I added “autofs” to my services line and added an “autofs” section. That is, I have changed my /etc/sssd/sssd.conf file as so: [sssd] … services = nss,pam,autofs … [autofs] debug_level = 9 autofs_provider = ldap ldap_uri= ldap://austgcore17.us.example.com ldap_schema = rfc2307bis ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local ldap_default_authtok = ldppassword ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local ldap_autofs_map_object_class = automountMap ldap_autofs_map_name = automountMapName ldap_autofs_entry_object_class = automount ldap_autofs_entry_key = automountKey ldap_autofs_entry_value = automountInformation [nss] debug_level = 9 I appended sss to automount line in /etc/nsswitch.conf file: automount: files sss Yet, when I try to restart autofs service it (eventually) times out: [root@spikerealmd02 sssd]# systemctl restart sssd [root@spikerealmd02 sssd]# systemctl restart autofs Job for autofs.service failed because a timeout was exceeded. See "systemctl status autofs.service" and "journalctl -xe" for details. Journalctl –xe reports this: Dec 03 11:14:09 spikerealmd02.us.example.com [sssd[ldap_child[9653]]][9653]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection. … Dec 03 11:14:15 spikerealmd02.us.example.com [sssd[ldap_child[9680]]][9680]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication faile Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: autofs.service start operation timed out. Terminating. Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: Failed to start Automounts filesystems on demand. -- Subject: Unit autofs.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit autofs.service has failed. -- -- The result is failed. Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: Unit autofs.service entered failed state. Dec 03 11:14:22 spikerealmd02.us.example.com systemd[1]: autofs.service failed. Dec 03 11:14:22 spikerealmd02.us.example.com polkitd[897]: Unregistered Authentication Agent for unix-process:9073:241010 (system bus :1.132, object path /org/freedeskt /var/log/sssd/ssd_nss.log looks like this: (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [sysdb_get_certmap] (0x0020): Failed to read certmap config, skipping. (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f7263a1fc0 (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f7263a2080 (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Running timer event 0x55f7263a1fc0 "ltdb_callback" (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Destroying timer event 0x55f7263a2080 "ltdb_timeout" (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [ldb] (0x4000): Ending timer event 0x55f7263a1fc0 "ltdb_callback" (Mon Dec 3 11:11:13 2018) [sssd[autofs]] [sysdb_get_certmap] (0x0400): No certificate maps found. What is wrong? BTW, for now – I don’t care about a GSSAPI SASL LDAP binding; a simple binding is what I want. BTW, I have not modified the /etc/autofs.conf file. I considered this, but it seems that if I did – it’d be bypassing nss / sssd. Also, I’d have another SASL creds hanging out there that’d I’d have to periodically rotate on all clients, instead of relying on SSSD’s machine account that’s auto-rotated every 30 days. Spike White

4 months, 2 weeks

1
0
0 / 0

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users December 2018