sss_obfuscate and conf.d
by Mario Rossi
Hi sssd users!
I am trying to encrypt a password via sss_obfuscate, but the binary
refuses to work with conf.d/ folder configs
root@sd7[/etc/sssd]# sss_obfuscate -d 'LDAP' -f sssd.conf.se
Enter password:
Re-enter password:
No such domain LDAP
If I append the contents of conf.d/LDAP.conf to sssd.conf.se, it works
as expected
root@sd7[/etc/sssd]# sss_obfuscate -d 'LDAP' -f sssd.conf.se
Enter password:
Re-enter password:
root@sd7[/etc/sssd]#
root@sd7[/etc/sssd]# rpm -q sssd
sssd-1.16.2-13.el7_6.5.x86_64
root@sd7[/etc/sssd]# cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
Thanks
4 years, 12 months
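An added check, not part of the post or of the sssd project: sssd merges /etc/sssd/sssd.conf with the *.conf drop-ins in /etc/sssd/conf.d (sorted by name, later files overriding earlier ones), while sss_obfuscate -f parses only the single file it is given, which is why "No such domain LDAP" appears above when the domain section lives in a drop-in. The Python below reproduces the merge order on a constructed temporary directory (the file names and the ldap1/ldap2.example.com URIs are assumptions) and reports which file actually holds [domain/LDAP], what the merged options are, and any config file whose mode is not 0600.

```python
"""Find which sssd config file defines a domain, honouring conf.d drop-ins.

Added example, not sssd code. sssd reads sssd.conf and then every *.conf in
conf.d in sorted order, later files overriding earlier ones; sss_obfuscate -f
only parses the one file named on its command line, so a domain defined in a
drop-in is invisible to it.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path


def config_files(conf_dir):
    """Main file first, then conf.d drop-ins in the order sssd applies them."""
    conf_dir = Path(conf_dir)
    files = [conf_dir / "sssd.conf"]
    dropins = conf_dir / "conf.d"
    if dropins.is_dir():
        # Only names ending in .conf count; LDAP.conf.bak and the like are ignored.
        files += sorted(p for p in dropins.iterdir()
                        if p.is_file() and p.suffix == ".conf")
    return [f for f in files if f.is_file()]


def parse_one(path):
    """Parse a single file, which is all sss_obfuscate -f ever looks at."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep option names as written; sssd is case-sensitive
    parser.read(path)
    return parser


def files_defining_domain(conf_dir, domain):
    """Every config file containing a [domain/<domain>] section, in merge order."""
    section = f"domain/{domain}"
    return [str(f) for f in config_files(conf_dir)
            if parse_one(f).has_section(section)]


def merged_domain_options(conf_dir, domain):
    """Options sssd itself would see for the domain after applying all drop-ins."""
    section = f"domain/{domain}"
    merged = {}
    for f in config_files(conf_dir):
        parser = parse_one(f)
        if parser.has_section(section):
            merged.update(parser.items(section))
    return merged


def loose_permissions(conf_dir):
    """Config files whose mode is not 0600 (sssd refuses config readable by others;
    ownership by root is not checked here)."""
    return [str(f) for f in config_files(conf_dir)
            if stat.S_IMODE(os.stat(f).st_mode) != 0o600]


def build_sample():
    """Constructed layout reproducing the post: [domain/LDAP] lives only in conf.d."""
    root = Path(tempfile.mkdtemp())
    (root / "conf.d").mkdir()
    (root / "sssd.conf").write_text("[sssd]\nservices = nss, pam\ndomains = LDAP\n")
    (root / "conf.d" / "LDAP.conf").write_text(
        "[domain/LDAP]\nid_provider = ldap\n"
        "ldap_uri = ldaps://ldap1.example.com\n"  # assumed hostname
        "ldap_default_bind_dn = cn=svc,dc=example,dc=com\n")
    # A later drop-in overrides ldap_uri; sorted() puts 'zz-' after 'LDAP'.
    (root / "conf.d" / "zz-override.conf").write_text(
        "[domain/LDAP]\nldap_uri = ldaps://ldap2.example.com\n")
    # Editor backup: does not end in .conf, so sssd never reads it.
    (root / "conf.d" / "LDAP.conf.bak").write_text(
        "[domain/LDAP]\nldap_uri = ldap://stale\n")
    for f in config_files(root):
        os.chmod(f, 0o600)
    return root


if __name__ == "__main__":
    root = build_sample()
    print("files defining LDAP:", files_defining_domain(root, "LDAP"))
    print("merged options:", merged_domain_options(root, "LDAP"))
    print("loose permissions:", loose_permissions(root))
```

Run against /etc/sssd instead of the sample tree, files_defining_domain tells you which file to pass to sss_obfuscate -f (or, as the post found, that the section has to be present in the file you pass), and merged_domain_options shows the value sssd will actually use when several drop-ins set the same key.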
Windows 10 Roaming Profile Issue
by Bob Smith
Hi,
On Windows Server 2008 R2 Enterprise, Profiles path is \\fs\profiles\rprofile
On Centos Version 7, Samba Version 4.7.1 and ROLE_DOMAIN_MEMBER
I'm getting Event ID 1521 on Windows 10 PC and roaming profile is not working.
I was told the roaming profile works with winbind, but I'm using sssd. My issue is that Domain Admins is unknown to the Unix OS. Does roaming profile work with sssd?
Thanks!
B.
4 years, 12 months
Problems with subdomains_provider & group membership
by Ondrej Valousek
Hi List,
I just noticed that sssd is unable to detect any groups user belongs to after I set
Subdomains_provider = none
In my sssd.conf
Using AD provider, using token groups, not using fully qualified names.
Is this an expected behavior?
Note I switched subdomain_provider off as otherwise sssd keeps poking around and requesting domain controllers which are not available.
Thanks.
Ondrej
5 years
sssd-ldap: specify source port for LDAP connections?
by Dmitry Donskih
Hello everyone,
I have a terminal server with sssd-ldap setup, users authenticate to Active Directory. Now I need to restrict users' access to AD server with LDAP from their terminal sessions.
My idea is to define one privileged source IP port which is used only by SSSD when connecting to AD, and block connections originating from other ports.
Is it possible?
Does anyone have other ideas on a similar problem?
5 years
Problem with cifs.upcall / sssd / kerberos mount operation on ubuntu 18.10
by rey-coyrehourcq
Hi sssd users,
Currently I have a working installation of SSSD with ubuntu 18.10 using sssd,
pam-sssd and kerberos authentication on the AD directory of my university.
Now, before trying to install the automount/autofs plugin for sssd, I'm
trying to mount a cifs share manually, and the problem begins.
After opening a domain session, verifying using klist that the kerberos ticket is
ok, I'm running this command:
sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID}
//mydomain/myshare /home/mydomain/myshare
This command returns:
Mount error(126) : Required Key not available.
When I check journalctl -xe, I see this from cifs.upcall:
- get_existing_cc:default ccache FILE:/tmp/krb5cc_1735128554
- handle_krb5_mech:getting service ticket for mydomain
- cifs_krb5_get_req : unable to get credentials for mydomain ...
Verifying with klist -kte I have 3 types of key:
- myhostname@mydomain
- host/myhostname@mydomain
- restrictedKrbHost@mydomain
But if I can use this session, it is because the key exists ... so I'm starting to
strace the cifs.upcall binary to see what happens in detail:
- The /var/lib/sss/pubconf/kdcinfo.mydomain is correctly found and read by cifs
- The /var/lib/sss/pubconf/kpasswdinfo.mydomain return a no such file or
directory
The program ends with unable to get credential for mydomain...
What is this problem with kpasswdinfo, which does not exist? Any idea?
I'm using ubuntu 18.10 with sssd 1.16.3
Best regards,
SR
--
Sébastien Rey-Coyrehourcq
Research Engineer UMR IDEES
02.35.14.69.30
{Stronger security for your email, follow EFF tutorial : https://ssd.eff.org/}
5 years
hostname resolution expired? (version 1.13.4-34.23.1.x86_64)
by Beale (US), Gareth
We are seeing the following in our sssd_default.log which appears to coincide with some authentication failures. What would cause the hostname resolution to expire? Can we change the length of whatever timeout might be causing this?
Sorry I have to obfuscate the hostnames per company policy. The host "XXXXX.boeing.com" is in the sssd.conf file under the [domain/default] section as:
ldap_uri = ldaps://XXXXX.boeing.com
(Wed Apr 17 06:30:20 2019) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][idnumber=5928]
(Wed Apr 17 06:30:20 2019) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Apr 17 06:31:22 2019) [sssd[be[default]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=nss8297]
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'XXXXX.boeing.com'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name not resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'XXXXX.boeing.com' in files
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'resolving name'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'XXXXX.boeing.com' in files
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'XXXXX.boeing.com' in DNS
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [be_resolve_server_process] (0x0200): Found address for server XXXXX.boeing.com: [10.234.125.55] TTL 13
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=YYYYY.boeing.com.*,nisMapName=netGroup.byhost,ou=enterprise,ou=unix,ou=accounts,o=boeing,c=us
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'XXXXX.boeing.com' as 'working'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'working'
Gareth Beale (bemsid: 45600)
Enterprise High Performance Computing Service
Application Infrastructure Services
Global Information Technology Infrastructure Services
Need help? http://iticket.web.boeing.com/secure/create.aspx?id=serverhpc / 425-234-0911
5 years
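An added example, not code from the post or from sssd: a small parser over the debug lines quoted above that extracts what the reader actually needs from them, namely when sssd discarded the cached name resolution and for which server, the sequence of server states it went through, the address and DNS TTL it recorded on re-resolution, and how many seconds passed between the "Can't contact LDAP server" error and the server being marked 'working' again. The sample lines are copied from the post (hostnames as the author obfuscated them); only the parsing is new. Note that the log itself reports the resolved address with a TTL of 13 seconds, which is the lifetime sssd attaches to that resolution and worth comparing against how often the "Hostname resolution expired" message recurs in the full log.

```python
"""Timeline of sssd fail-over decisions from an sssd_<domain>.log excerpt.

Added example, not sssd code. Parses the back end's debug lines and reports
server status changes, name-resolution expiries, recorded DNS TTLs and the
time to recover from an LDAP connection error.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
STATUS_RE = re.compile(r"Marking server '(?P<server>[^']+)' as '(?P<status>[^']+)'")
EXPIRED_RE = re.compile(
    r"Hostname resolution expired, resetting the server status of '(?P<server>[^']+)'")
TTL_RE = re.compile(
    r"Found address for server (?P<server>\S+): \[(?P<ip>[^\]]+)\] TTL (?P<ttl>\d+)")
ERROR_RE = re.compile(r"ldap_result error: \[(?P<err>[^\]]+)\]")

# Lines copied from the post (hostnames already obfuscated by the author).
SAMPLE = """\
(Wed Apr 17 06:31:22 2019) [sssd[be[default]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'XXXXX.boeing.com'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name not resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'resolving name'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'XXXXX.boeing.com' in DNS
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [be_resolve_server_process] (0x0200): Found address for server XXXXX.boeing.com: [10.234.125.55] TTL 13
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'XXXXX.boeing.com' as 'working'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'working'
""".splitlines()


def parse_line(line):
    """Split one debug line into timestamp, backend domain, function, level, message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def records(lines):
    """Parsed records for every line that matches the sssd debug format."""
    return [r for r in (parse_line(line) for line in lines) if r]


def server_timeline(lines):
    """(timestamp, server, status) for every server status change, in log order."""
    out = []
    for r in records(lines):
        m = STATUS_RE.search(r["msg"])
        if m:
            out.append((r["ts"], m["server"], m["status"]))
    return out


def resolution_expiries(lines):
    """(timestamp, server) each time sssd discarded a cached name resolution."""
    out = []
    for r in records(lines):
        m = EXPIRED_RE.search(r["msg"])
        if m:
            out.append((r["ts"], m["server"]))
    return out


def address_ttls(lines):
    """(server, address, ttl_seconds) sssd recorded after each successful lookup."""
    out = []
    for r in records(lines):
        m = TTL_RE.search(r["msg"])
        if m:
            out.append((m["server"], m["ip"], int(m["ttl"])))
    return out


def seconds_to_recover(lines):
    """Seconds from the first ldap_result error to the next 'working' mark, or None."""
    error_ts = None
    for r in records(lines):
        if error_ts is None and ERROR_RE.search(r["msg"]):
            error_ts = r["ts"]
        elif error_ts is not None:
            m = STATUS_RE.search(r["msg"])
            if m and m["status"] == "working":
                return int((r["ts"] - error_ts).total_seconds())
    return None


if __name__ == "__main__":
    for ts, server, status in server_timeline(SAMPLE):
        print(ts, server, status)
    print("expiries:", resolution_expiries(SAMPLE))
    print("ttls:", address_ttls(SAMPLE))
    print("seconds to recover:", seconds_to_recover(SAMPLE))
```

Feed the whole sssd_default.log through the same functions to see whether the expiries line up with the recorded TTL and whether each one coincides with an authentication failure window.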
Listing sudo rules
by Maupertuis Philippe
Hi,
I need to collect various information about a server.
Among them are the sudo rules in place.
Is there any way to get all the sudo rules from the server itself without making assumptions about how sssd is configured?
I know that the rules are there on the server but I don't know how to find them.
Philipe
5 years
Speeding up sss_ssh_authorizedkeys
by Orion Poplawski
Any suggestions for speeding up sss_ssh_authorizedkeys? It seems to take
around .25s per certificate, and some of our users have many certificates.
Could this be cached?
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
5 years
Re: Fedora 29, one successful login, then no more
by Lukas Slebodnik
On (05/04/19 21:47), Mike Hughes wrote:
>I used realm join and experienced one successful graphical login but then updated the system to the latest version and now cannot login. I can su to the account, run id user on the account so AD lookups seem to be working, but getent passwd returns only local accounts (not sure if that’s a symptom of a problem or not).
>
>This is what I see in journalctl:
>
>journalctl -q _TRANSPORT=audit | grep "mike\""
>Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_AUTH pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=success'
>Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_ACCT pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=failed'
>
Access control failed here.
You should find more info in sssd.log files after increasing debug_level
in the domain section of sssd.conf
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#troubleshoot...
LS
5 years
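An added example, not from the thread or the sssd project, to make the reply's diagnosis mechanical: the audit records quoted above show op=PAM:authentication with res=success followed by op=PAM:accounting with res=failed and grantors=?, which is the pattern of a correct password being rejected in the PAM account phase (access control) rather than in authentication. The parser below groups USER_* audit records by PID, reads the msg= blob, and names the first failed phase for each login attempt. The first two sample lines are copied from the post; the third (pid 4100) is a constructed line showing what a failed authentication phase looks like by contrast.

```python
"""Which PAM phase failed? Diagnosis from Linux audit USER_* records.

Added example, not sssd code. Splits audit lines into their fields, reads the
msg='op=PAM:<phase> grantors=... res=...' blob and reports, per PAM
conversation (PID), the first phase that did not succeed.
"""
import re

AUDIT_RE = re.compile(
    r"^(?P<when>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) audit\[(?P<pid>\d+)\]: "
    r"(?P<type>USER_\w+) (?P<fields>.*?) msg='(?P<msg>.*)'$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

PHASE_MEANING = {
    "authentication": "credential check (password/Kerberos) by the auth stack",
    "accounting": "account validity and access control (e.g. pam_sss access_provider "
                  "rules, expired or locked account)",
    "session": "session setup (home directory, limits, keyring)",
}

# First two lines copied from the post; the pid 4100 line is constructed.
SAMPLE = [
    "Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_AUTH pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct=\"mike\" exe=\"/usr/libexec/gdm-session-worker\" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=success'",
    "Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_ACCT pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct=\"mike\" exe=\"/usr/libexec/gdm-session-worker\" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=failed'",
    "Apr 05 11:58:02 my-hostname.internal.domain.com audit[4100]: USER_AUTH pid=4100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct=\"mike\" exe=\"/usr/libexec/gdm-session-worker\" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=failed'",
]


def parse_kv(text):
    """key=value and key="quoted value" tokens into a dict."""
    out = {}
    for m in KV_RE.finditer(text):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def pam_events(lines):
    """One dict per USER_* record whose msg carries a PAM operation."""
    events = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        msg = parse_kv(m["msg"])
        op = msg.get("op", "")
        if not op.startswith("PAM:"):
            continue
        grantors = msg.get("grantors", "?")
        events.append({
            "when": m["when"], "pid": int(m["pid"]), "type": m["type"],
            "phase": op[len("PAM:"):], "acct": msg.get("acct"),
            "exe": msg.get("exe"), "res": msg.get("res"),
            # grantors=? means no module granted the request in this phase
            "grantors": [] if grantors == "?" else grantors.split(","),
        })
    return events


def diagnose(lines):
    """Group events by PID (one PAM conversation) and name the first failed phase."""
    by_pid = {}
    for ev in pam_events(lines):
        by_pid.setdefault(ev["pid"], []).append(ev)
    verdicts = []
    for pid, evs in by_pid.items():
        failed = next((e for e in evs if e["res"] != "success"), None)
        verdicts.append({
            "pid": pid, "acct": evs[0]["acct"], "exe": evs[0]["exe"],
            "phases": {e["phase"]: {"res": e["res"], "grantors": e["grantors"]}
                       for e in evs},
            "failed_phase": failed["phase"] if failed else None,
            "meaning": (PHASE_MEANING.get(failed["phase"], "unknown phase")
                        if failed else "all logged phases succeeded"),
        })
    return verdicts


if __name__ == "__main__":
    for v in diagnose(SAMPLE):
        print(v["pid"], v["acct"], v["failed_phase"], "->", v["meaning"])
```

Pipe `journalctl -q _TRANSPORT=audit` into diagnose() and a verdict of "accounting" points you at the access control side of the sssd domain configuration (and at the sssd domain log with a raised debug_level, as the reply suggests), whereas "authentication" points at credentials.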
Fedora 29, one successful login, then no more
by Mike Hughes
I used realm join and experienced one successful graphical login but then updated the system to the latest version and now cannot login. I can su to the account, run id user on the account so AD lookups seem to be working, but getent passwd returns only local accounts (not sure if that’s a symptom of a problem or not).
This is what I see in journalctl:
journalctl -q _TRANSPORT=audit | grep "mike\""
Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_AUTH pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=success'
Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_ACCT pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=failed'
Deleted the account, rebooted, left the realm and rejoined, nothing has helped. Can you? 😊
Thanks!
5 years