Simplify ldap `memberOf` searches
by Sean Roberts
SSSD experts - Is it possible to simplify ldap searches like the one below
to specify the group name without its full path:
```
ldap_user_search_base="DC=example,DC=internal?subtree?(|(memberOf=CN=project-users,OU=2,OU=1,DC=example,DC=internal)(memberOf=CN=project-admins,OU=2,OU=1,DC=example,DC=internal))
```
Doing so would simplify configurations and prevent issues when objects are
moved within the directory.
*p.s. for access_provider, the following has worked to simplify part of our
config. Likely means less load on LDAP. I'm assuming it's safe.*
```
id_provider=ldap
access_provider=simple
simple_allow_groups=group1, group2
```
--
Sean Roberts
5 years, 2 months
Sssd and gidNumber
by Dmitrij S. Kryzhevich
I have a setup with 3 clients and a server. The server runs Samba as AD and LDAP + Kerberos. Clients use sss: 1) Fedora with 2.0.0, 2) CentOS with 1.16.0 and 3) CentOS with 1.16.2. All clients use a 1:1 sssd.conf. I want sss to use the primary group id from the gidNumber record in LDAP, and I have no issues with the first and second clients. But not the third. I don't understand why, but the primary gid is set equal to the uid. I can't see anything relevant in the logs.
Where to dig?
sssd.conf:
[domain/default]
id_provider = ldap
ldap_uri = ldap://pdc.lkkm/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=pdc,dc=lkkm
ldap_default_bind_dn = <DN>
ldap_default_authtok_type = password
ldap_default_authtok = <password>
ldap_user_search_base = cn=Users,dc=pdc,dc=lkkm
ldap_user_home_directory = unixHomeDirectory
ldap_user_object_class = person
ldap_group_search_base = dc=PosixGroups,dc=pdc,dc=lkkm
ldap_group_object_class = group
auth_provider = krb5
chpass_provider = krb5
krb5_server = pdc.lkkm
krb5_kpasswd = pdc.lkkm
krb5_realm = PDC.LKKM
krb5_store_password_if_offline = False
krb5_ccname_template = KEYRING:persistent:%{uid}
krb5_auth_timeout = 15
5 years, 2 months
SSSD with Kerberos for SPNEGO ( Nginx + pam + sss + sss_krb )
by Eugen Mayer
Hello,
I am really struggling to understand if what I am trying to do is actually something that is supported by SSSD in those terms.
I have a lab setup with a Windows Server 2012 with a configured KDC, DNS, NTP .. keytab, SPN.
This setup already works for apache+mod_auth_kerb for both cases, auto-negotiation of existing tickets. So I can do kinit + curl --negotiate on a client and get past the authentication.
Now I am trying to replace apache with nginx for this case. I want to use nginx_pam, and then forward this to sssd using pam_sss.
My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
I see that the AD access works using GSSAPI authentication with the provided keytab file, but when a client request through nginx is handled, I see that sssd is trying to look up www-data@KWTEST.local for some reason.
I would have expected that it uses the HOST requested by the client, like HTTP/mywebservice.lan@KWTEST.local - in mod_auth_kerb one can set the SPN to use; I am not sure how this is intended in sssd, and that is my actual question.
- Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active client krb tokens)
- What SPN is used when pam calls SSSD?
I hope I could explain this at least a little ;/
Thank you
Eugen
5 years, 2 months
Intermittent SSH authentication failures: SSSD+AD+PAM+Duo
by Jordan Thomas
Hello,
I am facing a very confounding issue with my SSSD/AD integration on CentOS 7. I am configured to use SSSD and Active Directory to authenticate SSH logins. Users use an SSH key stored in an Active Directory attribute to log in, followed by a Duo 2FA prompt. SSH is configured to check the key, then provide the Duo prompt via PAM. About 80% of the time this works correctly. The other 20% of the time, users see a long hang (approx 1-2 minutes) after the Duo prompt, followed by a generic "Authentication failure" error. This is with login attempts from the same user, on the same host, logging in to the same server, authenticating against the same AD DC.
I am having a hard time discovering the underlying issue causing this problem. From my sshd logs, the best error I seem to have found is this:
Jan 16 11:33:49 cerberusvm sshd[4201]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)
Jan 16 11:33:49 cerberusvm sshd[4201]: debug3: ssh_msg_send: type 13
Jan 16 11:33:49 cerberusvm sshd[4197]: debug3: PAM: User account has expired
Here is my relevant sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
UseDNS no
UsePAM yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
Here is my current sssd.conf file (I have been frequently experimenting with config changes here. Logins work, but the occasional failure occurs for reasons I cannot determine):
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, ssh
[ssh]
debug_level = 3
[domain/mydomain.com]
debug_level = 3
ad_domain = mydomain.com
ad_server = prodad1.mydomain.com
ad_hostname = cerberusvm.mydomain.com
dyndns_update = false
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = False
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
id_provider = ad
auth_provider = ad
ldap_user_ssh_public_key = sshPublicKeys
Here is my pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Here is my pam.d/sshd:
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_env.so
auth sufficient pam_duo.so
auth required pam_deny.so
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
From sssd's side, here is the error I tend to see that does not appear in a log from a working login:
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet
(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_disable_gc] (0x0040): POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled
I have found this (https://bugzilla.redhat.com/show_bug.cgi?id=1583725) related patch to the above error, but we are running the errata that is supposed to be an upstream fix for it, so I am not sure if this is a new or different issue.
I have sssd_ssh.log, sssd_mydomain.com.log, and sshd logs for both working and non-working login flows and will gladly attach them but do not see a way to do that when creating a thread.
Here is my environment:
SSH: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
SSSD 1.16.2
PAM pam-1.1.8-22
duo_unix-1.11.1
5 years, 2 months
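As an added illustration (not code from the thread or from sssd), the following script correlates the sshd account-phase failure quoted above with sssd backend log entries from the preceding window; the log lines in it are constructed to mirror the formats in the post, and `year` is assumed because syslog-style sshd lines carry no year.

```python
# Added example: correlate sshd "pam_acct_mgmt = N" failures with sssd
# backend failure-class log entries written shortly before them.
import re
from datetime import datetime, timedelta

SSSD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"debug3: PAM: do_pam_account pam_acct_mgmt = (?P<rc>\d+)")

def parse_sssd(lines, max_level=0x0080):
    """Return (time, function, message) for entries at or below max_level.
    sssd levels 0x0010..0x0080 are fatal, critical, serious and minor failures."""
    out = []
    for line in lines:
        m = SSSD_RE.match(line)
        if m and int(m["level"], 16) <= max_level:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            out.append((ts, m["func"], m["msg"]))
    return out

def account_failures(sshd_lines, sssd_lines, year, window=timedelta(seconds=120)):
    """Return (pid, rc, [sssd functions that logged a failure within `window`
    before the sshd line]). rc 0 is PAM_SUCCESS; 9 is PAM_AUTHINFO_UNAVAIL."""
    backend = parse_sssd(sssd_lines)
    found = []
    for line in sshd_lines:
        m = SSHD_RE.match(line)
        if not m or m["rc"] == "0":
            continue
        when = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        related = [func for t, func, _ in backend if when - window <= t <= when]
        found.append((m["pid"], int(m["rc"]), related))
    return found

# Constructed sample lines, shaped like those quoted in the post.
SSHD_SAMPLE = [
    "Jan 16 11:20:05 cerberusvm sshd[3990]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)",
    "Jan 16 11:33:49 cerberusvm sshd[4201]: debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication service cannot retrieve authentication info)",
    "Jan 16 11:33:49 cerberusvm sshd[4201]: debug3: ssh_msg_send: type 13",
]
SSSD_SAMPLE = [
    "(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet",
    "(Wed Jan 16 11:32:20 2019) [sssd[be[mydomain.com]]] [ad_disable_gc] (0x0040): POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled",
    "(Wed Jan 16 11:32:21 2019) [sssd[be[mydomain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=user)]",
]

if __name__ == "__main__":
    for pid, rc, funcs in account_failures(SSHD_SAMPLE, SSSD_SAMPLE, 2019):
        print(f"sshd[{pid}] account phase rc={rc}; sssd failures before it: {funcs}")
```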
Samba 4.8, Winbind and SSSD
by Carwyn Edwards
We've just been bitten by the Samba 4.8 rebase in CentOS/RHEL 7.6, specifically this bit from the RHEL 7.6 release notes:
"The smbd service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the security parameter set to ads or domain now require that the winbindd service is running."
Which stems from the Samba 4.8 release notes:
"Domain member setups require winbindd - Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone."
The RHEL 7 Systems Administration Guide now states:
"Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is not supported."
Now in RHEL 7.5 we were managing to use SSSD with Samba; the only real glitch (we think) was that SIDs rather than names were showing up in the share ACLs. Unfortunately Red Hat support are sticking to the above like glue so far.
My question to this list is, given the changes to Samba from 4.8, is there a way to get RHEL 7.6 winbind (for Samba) to use SSSD for the lookups that works?
I noticed that the package sssd-winbind-idmap that ships in RHEL 7.6 contains the library /usr/lib64/samba/idmap/sss.so which from the idmap_sss man page states:
"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs."
With a config example:
[global]
...
idmap config * : backend = sss
(There is an open bugzilla and pagure bug about this example being wrong, as sss is read only.)
There's also the following file in the package sssd-client
/usr/lib64/cifs-utils/cifs_idmap_sss.so
Which is controlled via the alternatives system.
I'm not entirely sure how these differ yet but I get the impression that the intention somewhere is to re-enable Samba to Winbind to SSSD lookups? Am I on the right track? Could this be made to work with the versions in RHEL 7.6 if so?
The alternative we're facing is to reset ownership on many millions of files as a side effect of swapping from sssd to winbind and many open questions as to whether winbind will handle our active directory (University context, messy). We'd tuned SSSD to finally work well for us here.
Carwyn
5 years, 2 months
Sudo in a ldap
by Maupertuis Philippe
Hi,
I am new on this mailing list so please forgive me if my question has already been answered.
I did read the archive to try to find something.
My sssd.conf retrieves the information from a 389ds LDAP including sudo rules.
Everything is working fine except for one point regarding sudo.
For a given user only one entry is fetched from the ldap.
Is it working as intended?
What I would like to achieve is basically something as simple as :
User => root :some commands
User => mysql : ALL
This is easily done with a local sudoers, but I failed to have it working with sssd and the ldap.
Any help would be greatly appreciated.
Philippe
5 years, 2 months
sssd + AD (samba) id mapping in multi-OS environment
by Zdravko Zdravkov
I have working AD (Samba) for office with mostly Linux machines and few
users on Windows 10.
I'm using sssd to join the AD with the following configuration:
[sssd]
domains = xxxxx
config_file_version = 2
services = nss, pam
[domain/xxxxx]
ad_domain = xxxxxx
krb5_realm = XXXXXXX
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
We have EMC storage, joined to the AD. Everyone is using it. On Windows
it's being mapped via smb, and in Linux via nfs.
I'll explain it as simple as I can. If I'm Linux user X and I create folder
on the storage then list it to check ownership and permissions, it appears
as it should - with owner X, and group domain users.
Next, I log on Windows machine with the same user (X), browse the storage
and create another folder. Then, on a Linux machine I list it, to check
ownership. Now for owner I'm getting a bizarre generated UID - "1000043", but
the group remains as it should (domain users). Obviously this is a problem,
as it messes up access to files/folders which need to be used between
different operating systems.
Next, from linux machine I check the uid for that particular user: *id X*,
so I'm getting result "1115001239" which is OK. This is the uid as Linux
understands it.
If I copy that uid, then in AD users and computers management tool (in
windows) I browse that particular user, and manually add the uid to the
shown uidNumber attribute:
[image: ad_attrs.PNG]
Then clear SSSD cache with *sss_cache -E*.
The next file/folder I create from Windows is now successfully shown with
correct owner name in Linux.
This is kind of a solution, but isn't perfect as it requires a bit of
manual interaction. I'm wondering if it has anything to do with SSSD, or it
is purely up to Samba? Is there a better way to achieve what I want?
Cheers guys
5 years, 2 months
AD: Get both POSIX and standard AD users
by Sean Roberts
I'm working on an AD where they've completely separate normal AD users and
POSIX users.
- AD: All employees have a user.
- POSIX: Certain employees get a separate user which is used for POSIX use
cases. *(Usernames are prefixed so they never collide.)* Their groups are
only POSIX groups.
How can SSSD get both sets of users and their groups?
Could we create a separate [domain/...] for each? Would overrides in
[application/...] work?
Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is
set. We can't really disable that without massive `chown`s across all the
systems.
--
Sean Roberts
5 years, 2 months
sssd: AD service discovery and invalidating cache
by R Davies
(re-sending as I initially sent to ssd-users-owners in error)
For an AD environment using service discovery.
Periodically sssd will invalidate its cache at unexpected times. Digging
around debug logs and sources leads me to understand the following:
Every 15 minutes (or as defined by ldap_connection_expire_timeout) sssd
re-establishes the connection to LDAP, closing the existing connection.
When sssd is configured to auto discover (via DNS _srv_ records, where the
priority is the same for each server); auto-discovery might return a
different LDAP server, at which point sssd's stored uSNChanged values are
invalid (as these are unique to each server), the cached values are
cleared, and enumeration is run - essentially afresh - against the new LDAP
server.
Is this outcome expected by design?
This behaviour is rather unfortunate as sssd_be will become a CPU hog as it
rebuilds the cache again.
It is possible to work around the behaviour e.g.:
1) by not using service discovery, i.e.
ad_server = server1
ad_backup = server2
which is fairly tiresome to maintain across an estate - separate
configurations for different sites etc, faking load balancing by swapping
configurations.
2) having different priorities for each AD server in a given site, losing
load balancing - unless DNS gave out different priorities depending on the
source of the request, but this seems messy.
A better approach might be to patch sssd's auto discovery to "stick" to the
previously bound LDAP server, currently the first server in the list of
primary servers returned by ad_sort_servers_by_dns(). I have a proof of
concept patch that is straightforward, and fairly well contained; the
behaviour is controlled by an ad_sticky option in sssd.conf.
Is there a better solution to this problem? Would a patch - as vaguely
outlined above - likely gain acceptance?
5 years, 2 months
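To make the reconnect behaviour described in that post concrete, here is an added model (not code from the thread or from sssd): equal-priority SRV records are picked RFC 2782 style on every connection expiry, a stored uSNChanged only makes sense against the DC it came from, and a "sticky" policy keeps the previously bound DC. The names `select_server`, `run_cycles`, `usn_filter` and the `sticky` flag are assumptions for the illustration, and the selection roll is injected so the runs are reproducible.

```python
# Added example: model of sssd reconnects under SRV auto-discovery, showing
# why a DC change forces a full enumeration and what a sticky policy changes.
import itertools
from dataclasses import dataclass

@dataclass
class SrvRecord:
    target: str
    priority: int
    weight: int

def select_server(records, roll):
    """RFC 2782 selection: lowest priority wins, weighted random among ties.
    roll(n) returns an int in [0, n); injected instead of random.randrange."""
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool) or len(pool)
    n = roll(total)
    for r in pool:
        n -= r.weight or 1
        if n < 0:
            return r.target
    return pool[-1].target

def usn_filter(last_usn):
    """Incremental enumeration filter: only entries changed since last sync."""
    return f"(uSNChanged>={last_usn + 1})"

def run_cycles(records, cycles, roll, sticky=False, usn_per_cycle=100):
    """Simulate `cycles` expiries of ldap_connection_expire_timeout.
    Returns (full_enumerations, incremental_enumerations, bound_server)."""
    bound, last_usn = None, None      # one stored uSNChanged, valid for `bound` only
    full = incremental = 0
    for _ in range(cycles):
        chosen = select_server(records, roll)
        if sticky and bound is not None and any(r.target == bound for r in records):
            chosen = bound            # sticky policy: stay on the DC already bound
        if chosen != bound:
            last_usn = None           # USN from another DC is meaningless here
        if last_usn is None:
            full += 1                 # cache cleared, enumeration runs afresh
        else:
            incremental += 1          # would query with usn_filter(last_usn)
        bound = chosen
        last_usn = (last_usn or 0) + usn_per_cycle   # modelled USN advance
    return full, incremental, bound

if __name__ == "__main__":
    # Constructed records: two DCs in one site, same priority and weight.
    dcs = [SrvRecord("dc1.example.test", 0, 50), SrvRecord("dc2.example.test", 0, 50)]
    for sticky in (False, True):
        flip = itertools.cycle([0, 99]).__next__   # worst case: DC flips every expiry
        print("sticky" if sticky else "plain", run_cycles(dcs, 4, lambda n: flip() % n, sticky))
```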