Latest sssd for rhel 6?
by Tom
Hey guys, checking the rhel portal, latest version of sssd I see is 1.13. Any chance to get 1.16 or higher for rhel 6?
Cheers,
Tom
5 years, 3 months
yubikey-based pkinit stopped working switching from sssd 1.15.2/Ubuntu 16.04 to sssd 1.16.1/Ubuntu 18.04
by tallinn1960@yahoo.de
My client has a working setup of sssd/kerberos/ldap utilizing yubikeys and pkinit as the login mechanism, based on sssd 1.15.2 and Ubuntu 16.04.
My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test installation of the latter with the corresponding sssd version 1.16.1 does not allow yubikey-based login, although both kinit and p11_child do see the yubikey and the certificate on it. Kinit with the yubikey does work.
Analysis of the log shows that krb5_child behavior has changed. The function answer_pkinit is called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and kr->pd->authtok set to SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with kr->pd->cmd set to SSS_PAM_PREAUTH and kr->pd->authtok set to 0 in 1.16.1, causing the function to skip all pkinit/smartcard-related prompting and processing.
Both installations are using the same sssd.conf, krb5.conf etc.
How shall we fix this?
5 years, 3 months
sssd database backup / restore (or transplant to another client)
by Nikos Zaharioudakis
Good morning list,
I have an idea which I would like to experiment with, but expert advice may save me lots of time.

The scenario I have in mind is like this (assume OS and versions are the latest RHEL/CentOS):

I join a client to an IPA server. After joining, a database per domain is expected in the /var/lib/sss/db/ directory (or perhaps populated after the first request to the IPA server, for example "id some-username").

Now the question is: if I stop the sssd client service, may I copy the content of this directory to another client (which is already registered to the same IPA server as well) and save some time from the initial database population?

You may say that this operation is not time-consuming etc., but in my case I have to spin up some thousands of machines as fast as possible, which are practically diskless. Meaning that the whole party has to happen as fast as possible, and at the end I have a DDoS attack against my IPA servers and their replicas, with a boom of (let's say) 3K clients asking more or less the same things (mostly LDAP verification queries).

So a first question to address my situation would be: is the sssd db unique per client, or may I "transplant" it to other clients as well?

There is also a feature in the sssd.conf file to manipulate the order in which the IPA clients will ask specific IPA servers, which I could randomise (say round robin), but I would like to do that as a second experiment.
Thanks in advance for reading so far.
Happy New Year
Nikos
Zaharioudakis Nikos, RHC{A,DS,E,VA,X,I}, VCP(4,5), VCI, Mentor VCI,
Zimbra Instructor
https://www.redhat.com/rhtapps/verify/?certId=100-001-262
Public Calendar :
https://www.google.com/calendar/embed?src=nzahar%40gmail.com&ctz=Europe/A...
+30 694 720 40 63
http://zimbra.wikidot.com/zimbra-installations-in-greece
5 years, 3 months
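The stop-copy-restore procedure Nikos asks about, written up as an added example (this is not sssd project code and nothing from the thread); it assumes the default cache path /var/lib/sss/db, root on both clients, and that sssd is stopped while the .ldb files are copied, since they are not consistent while sssd holds them open:

```shell
#!/bin/sh
# Added example: snapshot the sssd cache directory on one client and
# restore it on another. Assumed paths: /var/lib/sss/db (default cache
# location) and systemd's "sssd" unit.
set -eu

LIVE_DB_DIR=/var/lib/sss/db

# Only touch the service when operating on the real cache directory, so the
# functions can also be exercised on a scratch directory.
manage_sssd() {            # $1 = stop|start, $2 = cache directory
    if [ "$2" = "$LIVE_DB_DIR" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl "$1" sssd
    fi
}

# backup_sssd_cache DIR ARCHIVE: archive DIR. The cache can hold cached
# credential hashes, so the archive is created readable by root only.
backup_sssd_cache() {
    dir=$1; archive=$2
    manage_sssd stop "$dir"
    ( umask 077 && tar -C "$dir" -cf "$archive" . )
    manage_sssd start "$dir"
}

# restore_sssd_cache ARCHIVE DIR: unpack into DIR with permissions kept,
# then enforce root-only access and re-label for SELinux (the copied files
# would otherwise carry the source path's or the archive's context).
restore_sssd_cache() {
    archive=$1; dir=$2
    manage_sssd stop "$dir"
    mkdir -p "$dir"
    tar -C "$dir" -xpf "$archive"
    chmod 700 "$dir"
    if [ "$(id -u)" -eq 0 ]; then chown -R root:root "$dir"; fi
    if command -v restorecon >/dev/null 2>&1; then restorecon -R "$dir"; fi
    manage_sssd start "$dir"
}

# count_ldb_files DIR: number of .ldb databases present, as a quick
# sanity check after a restore.
count_ldb_files() {
    find "$1" -maxdepth 1 -name '*.ldb' | wc -l | tr -d ' '
}

# Usage on a client (as root):
#   backup_sssd_cache /var/lib/sss/db /root/sssd-cache.tar
#   restore_sssd_cache /root/sssd-cache.tar /var/lib/sss/db
```

Whether a transplanted cache is accepted by sssd on a different client is exactly the open question of the post; the script only makes the copy itself safe.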