Problems with subdomains_provider & group membership
by Ondrej Valousek
Hi List,
I just noticed that sssd is unable to detect any groups a user belongs to after I set
subdomains_provider = none
in my sssd.conf.
Using the AD provider, using token groups, not using fully qualified names.
Is this expected behavior?
Note I switched subdomains_provider off as otherwise sssd keeps poking around and requesting domain controllers which are not available.
Thanks.
Ondrej
7 months, 3 weeks
sssd-ldap: specify source port for LDAP connections?
by Dmitry Donskih
Hello everyone,
I have a terminal server with an sssd-ldap setup; users authenticate to Active Directory. Now I need to restrict users' LDAP access to the AD server from their terminal sessions.
My idea is to define one privileged source IP port which is used only by SSSD when connecting to AD, and to block connections originating from other ports.
Is it possible?
Does anyone have other ideas on similar problem?
7 months, 4 weeks
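An added example, not from this thread or from the SSSD project: neither sssd.conf nor libldap lets you choose the client source port (the LDAP client takes an ephemeral port), so the usual way to get the effect Dmitry describes is to filter on the UID that owns the socket rather than on the port. The script generates iptables rules that let only sssd's UID reach the domain controllers on the LDAP ports and reset everyone else. The DC addresses 10.0.0.10/10.0.0.11 are constructed, and it assumes sssd_be runs as root (uid 0); on builds where sssd runs as the "sssd" user, pass that uid instead.

```shell
#!/bin/sh
# Added example, not from the thread: restrict outbound LDAP/LDAPS from a terminal
# server so that only the UID SSSD runs as can reach the domain controllers.
# Matching on the socket owner (iptables -m owner) replaces the source-port idea:
# the LDAP client picks an ephemeral source port, but the kernel always knows which
# UID opened the socket, so the rule cannot be sidestepped by picking another port.
#
# Assumptions (constructed for this example): the DCs are 10.0.0.10 and 10.0.0.11,
# and sssd_be runs as root (uid 0). Where sssd runs unprivileged as the "sssd" user,
# pass "$(id -u sssd)" instead.
set -eu

LDAP_PORTS="389 636 3268 3269"   # LDAP, LDAPS, Global Catalog, GC over TLS

# Print the rule set, one iptables command per line, without applying anything.
# $1 = space-separated UIDs allowed to talk LDAP; remaining arguments = DC addresses.
ldap_egress_rules() {
    uids=$1; shift
    for dc in "$@"; do
        for port in $LDAP_PORTS; do
            for uid in $uids; do
                printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
                    "$dc" "$port" "$uid"
            done
            # Everyone else (interactive users, cron jobs, a stray ldapsearch) gets a
            # TCP reset so their clients fail fast instead of hanging on a drop.
            printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j REJECT --reject-with tcp-reset\n' \
                "$dc" "$port"
        done
    done
}

# Apply the generated rules (needs root). Keep the generated text under version
# control or in your firewall manager so the policy stays reviewable.
apply_ldap_egress_rules() {
    ldap_egress_rules "$@" | sh -e
}

# After applying: an anonymous rootDSE read as an ordinary user must now be refused,
# while "getent passwd someaduser" (answered by sssd) keeps working.
verify_ldap_egress() {
    user=$1; dc=$2
    if runuser -u "$user" -- ldapsearch -x -H "ldap://$dc" -b '' -s base >/dev/null 2>&1; then
        echo "FAIL: $user can still reach ldap://$dc" >&2
        return 1
    fi
    echo "OK: ldap://$dc refused for $user"
}

# Dry run: show what would be installed for root-owned sockets only.
ldap_egress_rules "0" 10.0.0.10 10.0.0.11
```

The owner match only applies to locally generated traffic (the OUTPUT chain), which is exactly the terminal-server case. If sssd binds with GSSAPI (ldap_sasl_mech = GSSAPI), its Kerberos traffic to port 88 is untouched by these rules, as is the users' own Kerberos traffic, which they legitimately need for their tickets.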
Problem with cifs.upcall / sssd / kerberos mount operation on ubuntu 18.10
by rey-coyrehourcq
Hi sssd users,
Currently I have a working installation of SSSD with Ubuntu 18.10 using sssd,
pam-sssd and Kerberos authentication against the AD directory of my university.
Now, before I try to install the automount/autofs plugin for sssd, I'm
trying to mount a CIFS share manually, and that's where the problem begins.
After opening a domain session and verifying with klist that the Kerberos ticket is
OK, I'm running this command:
sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID} //mydomain/myshare /home/mydomain/myshare
This command returns:
mount error(126): Required key not available
When I check journalctl -xe, I see that cifs.upcall:
- get_existing_cc: default ccache FILE:/tmp/krb5cc_1735128554
- handle_krb5_mech: getting service ticket for mydomain
- cifs_krb5_get_req: unable to get credentials for mydomain ...
Verifying with klist -kte, I have 3 types of key:
- myhostname@mydomain
- host/myhostname@mydomain
- restrictedKrbHost@mydomain
But if I can use this session, it's because the key exists ... so I started to
strace the cifs.upcall binary to see what happens in detail:
- /var/lib/sss/pubconf/kdcinfo.mydomain is correctly found and read by cifs.upcall
- /var/lib/sss/pubconf/kpasswdinfo.mydomain returns "no such file or directory"
The program ends with "unable to get credentials for mydomain"...
What is this problem with kpasswdinfo, which does not exist? Any idea?
I'm using ubuntu 18.10 with sssd 1.16.3
Best regards,
SR
--
Sébastien Rey-Coyrehourcq
Research Engineer UMR IDEES
02.35.14.69.30
{Stronger security for your email, follow EFF tutorial : https://ssd.eff.org/}
8 months
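An added example, not part of Sébastien's post or of cifs-utils: the check a practitioner runs before blaming the mount. cifs.upcall asks the KDC for a ticket for cifs/<server>, with host/<server> as a fallback, where <server> is the host part of the UNC path, using the ccache of the uid given as cruid=. The script derives those SPNs from the share path and asks for them with kvno from the user's own session, so the failure (if any) is seen at the Kerberos layer with the KDC's reason instead of the kernel's "Required key not available". It assumes MIT Kerberos client tools and that it is run as the user, not under sudo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce by hand the ticket request that
# cifs.upcall makes. For //server/share it asks the KDC for cifs/server (and then
# host/server if that is not found), using the credential cache of the uid given
# as cruid=. If kvno cannot get that ticket from the user's own session, mount
# fails with "Required key not available" before the CIFS client is even involved.
# Assumes MIT Kerberos client tools (kvno, klist) and that this runs as the user,
# not under sudo, so the same ccache is used.
set -eu

# spn_candidates //fileserver.example.org/share  -> cifs/fileserver.example.org
#                                                   host/fileserver.example.org
spn_candidates() {
    server=${1#//}          # strip the leading //
    server=${server%%/*}    # keep only the host part of the UNC path
    printf 'cifs/%s\nhost/%s\n' "$server" "$server"
}

# Try to obtain the service ticket cifs.upcall would need; succeed on the first SPN
# the KDC is willing to issue and show the ccache afterwards.
check_share_ticket() {
    for spn in $(spn_candidates "$1"); do
        if kvno "$spn"; then
            echo "ticket for $spn obtained; mount -o sec=krb5 can use this ccache"
            klist
            return 0
        fi
    done
    echo "KDC issued neither cifs/ nor host/ ticket for $1: no such SPN on the target account?" >&2
    return 1
}

# The mount from the post, run only after the ticket check passes.
mount_share_krb5() {
    share=$1; mountpoint=$2
    check_share_ticket "$share"
    sudo mount -v -t cifs -o "user=$USER,cruid=$USER,sec=krb5,uid=$(id -u)" "$share" "$mountpoint"
}
```

Two things worth knowing when reading the strace. The missing kpasswdinfo.<realm> file is not the error: SSSD writes kdcinfo.<realm> for its Kerberos locator plugin and kpasswdinfo.<realm> only when separate password-change servers are known, and the plugin treats a missing file as "no answer", after which libkrb5 falls back to krb5.conf and DNS. The line that matters is the one from cifs_krb5_get_req: for a path of the form //mydomain/..., the SPN requested is cifs/mydomain, so the question to answer with kvno is whether any account in the realm actually carries that SPN.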
hostname resolution expired? (version 1.13.4-34.23.1.x86_64)
by Beale (US), Gareth
We are seeing the following in our sssd_default.log which appears to coincide with some authentication failures. What would cause the hostname resolution to expire? Can we change the length of whatever timeout might be causing this?
Sorry I have to obfuscate the hostnames per company policy. The host "XXXXX.boeing.com" is in the sssd.conf file under the [domain/default] section as:
ldap_uri = ldaps://XXXXX.boeing.com
(Wed Apr 17 06:30:20 2019) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][idnumber=5928]
(Wed Apr 17 06:30:20 2019) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Apr 17 06:31:22 2019) [sssd[be[default]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=nss8297]
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'XXXXX.boeing.com'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name not resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'XXXXX.boeing.com' in files
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'resolving name'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'XXXXX.boeing.com' in files
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'XXXXX.boeing.com' in DNS
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [be_resolve_server_process] (0x0200): Found address for server XXXXX.boeing.com: [10.234.125.55] TTL 13
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=YYYYY.boeing.com.*,nisMapName=netGroup.byhost,ou=enterprise,ou=unix,ou=accounts,o=boeing,c=us
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'XXXXX.boeing.com' as 'working'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'working'
Gareth Beale (bemsid: 45600)
Enterprise High Performance Computing Service
Application Infrastructure Services
Global Information Technology Infrastructure Services
Need help? http://iticket.web.boeing.com/secure/create.aspx?id=serverhpc / 425-234-0911
8 months
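An added example, not part of Gareth's post or of SSSD: a small triage that separates the failover bookkeeping in an sssd backend log from the lines that mean the directory was unreachable. SSSD caches a resolved server address only for the DNS TTL of the record, so "Hostname resolution expired, resetting the server status" is a routine re-resolution; the TTL itself comes from the DNS zone, not from sssd.conf. The sample lines are re-typed from the log above, nothing else is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: a small triage for an sssd backend log that
# separates the routine failover bookkeeping from the actual outage. The sample lines
# are re-typed from the post above; nothing here is new log data.
set -eu

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
(Wed Apr 17 06:31:22 2019) [sssd[be[default]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=nss8297]
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'XXXXX.boeing.com'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name not resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'resolving name'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'name resolved'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [be_resolve_server_process] (0x0200): Found address for server XXXXX.boeing.com: [10.234.125.55] TTL 13
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'XXXXX.boeing.com' as 'working'
(Wed Apr 17 06:35:56 2019) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'XXXXX.boeing.com' as 'working'
EOF

# Every failover state change: timestamp, server, new status (tab separated).
server_status_events() {
    awk '
        /Marking (server|port [0-9]+ of server) / {
            ts = substr($0, 2, index($0, ")") - 2)
            n = split($0, q, "\047")        # \047 is the single quote around names
            printf "%s\t%s\t%s\n", ts, q[2], q[4]
        }' "$1"
}

# Resolved addresses whose DNS TTL is at or below $2 seconds: sssd caches a lookup
# only for the TTL, so a short TTL means "Hostname resolution expired" on nearly
# every request, which is noise rather than an outage.
short_dns_ttls() {
    awk -v max="$2" '
        /Found address for server/ {
            ts = substr($0, 2, index($0, ")") - 2)
            for (i = 1; i <= NF; i++) {
                if ($i == "server") srv = $(i + 1)
                if ($i == "TTL")    ttl = $(i + 1)
            }
            sub(/:$/, "", srv)
            if (ttl + 0 <= max + 0) printf "%s\t%s\tTTL=%s\n", ts, srv, ttl
        }' "$1"
}

# The lines that actually mean the directory was unreachable.
ldap_connection_errors() {
    grep -c 'ldap_result error' "$1" || true
}

echo "state changes:";  server_status_events "$SAMPLE_LOG"
echo "short TTLs:";     short_dns_ttls "$SAMPLE_LOG" 60
echo "LDAP errors: $(ldap_connection_errors "$SAMPLE_LOG")"
```

Run against the excerpt, the output shows one real failure ("Can't contact LDAP server" at 06:31:22), four minutes before the resolution churn, and a 13-second TTL on the server's record, which is why the "expired" message appears so often. Pointed at a full sssd_<domain>.log, the same functions give a timeline of 'not working' transitions to line up with the authentication failures.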
Listing sudo rules
by Maupertuis Philippe
Hi,
I need to collect various information about a server.
Among them are the sudo rules in place.
Is there any way to get all the sudo rules from the server itself without making assumption about how the sssd is configured ?
I know that the rules are there on the server but I don't know how to find them.
Philipe
8 months, 1 week
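An added example, not part of Philippe's post or of SSSD: one way to list the sudo rules a host has without reading sssd.conf. SSSD stores the rules it fetched as sudoRule objects in its per-domain cache /var/lib/sss/db/cache_<domain>.ldb (root only), so the domain names can be read off the file names and the rules dumped with ldbsearch (package ldb-tools). The directory path and attribute list are the usual ones; the only assumption is that ldbsearch is installed and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate the sudo rules SSSD has cached on
# this host without reading sssd.conf. SSSD keeps the rules it fetched as sudoRule
# objects in its per-domain cache /var/lib/sss/db/cache_<domain>.ldb (mode 0600,
# root only), so the domain names can be taken from the file names. Needs ldbsearch
# from the ldb-tools package; run as root: cached_sudo_rules
set -eu

SSS_DB_DIR=${SSS_DB_DIR:-/var/lib/sss/db}

# The per-domain cache databases present, one path per line.
sss_cache_dbs() {
    for f in "$1"/cache_*.ldb; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Domain name embedded in a cache file name:
# /var/lib/sss/db/cache_example.com.ldb -> example.com
sss_cache_domain() {
    d=${1##*/cache_}
    printf '%s\n' "${d%.ldb}"
}

# Dump every cached rule with the attributes the sudoers LDAP schema defines.
cached_sudo_rules() {
    sss_cache_dbs "$SSS_DB_DIR" | while read -r db; do
        echo "== domain $(sss_cache_domain "$db") ($db)"
        ldbsearch -H "$db" '(objectClass=sudoRule)' \
            cn sudoUser sudoHost sudoCommand sudoRunAsUser sudoRunAsGroup sudoOption sudoOrder
    done
}
```

Two caveats for an inventory. The cache only holds what sssd's refresh tasks have pulled so far (a full refresh runs at start and then periodically per ldap_sudo_full_refresh_interval), so a freshly booted host can show fewer rules than the directory has. And "sudo -l -U <user>" remains the authoritative view of what sudo would grant one account, since it goes through sudo's own sssd plugin and also covers /etc/sudoers and sudoers.d.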
Speeding up sss_ssh_authorizedkeys
by Orion Poplawski
Any suggestions for speeding up sss_ssh_authorizedkeys? It seems to take
around .25s per certificate, and some of our users have many certificates.
Could this be cached?
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
8 months, 1 week
Re: Fedora 29, one successful login, then no more
by Lukas Slebodnik
On (05/04/19 21:47), Mike Hughes wrote:
>I used realm join and experienced one successful graphical login but then updated the system to the latest version and now cannot login. I can su to the account, run id user on the account so AD lookups seem to be working, but getent passwd returns only local accounts (not sure if that’s a symptom of a problem or not).
>
>This is what I see in journalctl:
>
>journalctl -q _TRANSPORT=audit | grep "mike\""
>Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_AUTH pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=success'
>Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_ACCT pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=failed'
>
Access control failed here.
You should find more info in sssd.log files after increasing debug_level
in domain section of sssd.conf
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#troubleshoot...
LS
8 months, 1 week
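An added example, not part of Lukas's reply: the distinction he draws, in a form that can be run over audit output. USER_AUTH is PAM's authentication phase (the password check) and USER_ACCT is the account phase, where pam_sss applies sssd's access control; "authentication ok, accounting failed" is therefore a valid credential refused by policy, a different case from a bad password. The two sample lines are re-typed from Mike's post; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not part of the reply: tell the two PAM phases apart in audit
# output. USER_AUTH is the password check (pam_sss authenticate); USER_ACCT is the
# account phase, where sssd applies its access control (access_provider, GPO, expiry).
# "authentication ok, accounting failed" therefore means valid credentials that were
# refused by policy, a different incident class from a wrong password.
# The two sample lines are re-typed from the post above.
set -eu

AUDIT_SAMPLE=$(mktemp)
cat >"$AUDIT_SAMPLE" <<'EOF'
Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_AUTH pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=success'
Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_ACCT pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=failed'
EOF

# One line per PAM event for the given account: phase, result, granting modules.
pam_phase_summary() {
    awk -v user="$2" -v q="'" '
        index($0, "acct=\"" user "\"") {
            phase = ""; res = ""; grantors = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                sub("^msg=" q, "", f)      # msg= is glued to the first key
                sub(q "$", "", f)          # closing quote trails the last key
                if (f ~ /^op=PAM:/)   phase = substr(f, 8)
                if (f ~ /^grantors=/) grantors = substr(f, 10)
                if (f ~ /^res=/)      res = substr(f, 5)
            }
            printf "%s\t%s\t%s\n", phase, res, grantors
        }' "$1"
}

# Reduce the phases to one verdict: bad-credentials, access-denied, login-ok, unknown.
classify_login() {
    pam_phase_summary "$1" "$2" | awk -F'\t' '
        $1 == "authentication" { auth = $2 }
        $1 == "accounting"     { acct = $2 }
        END {
            if (auth == "failed")                            print "bad-credentials"
            else if (auth == "success" && acct == "failed")  print "access-denied"
            else if (auth == "success" && acct == "success") print "login-ok"
            else                                             print "unknown"
        }'
}

echo "mike: $(classify_login "$AUDIT_SAMPLE" mike)"
```

For Mike's two lines the verdict is access-denied, with grantors=? on the account phase showing that no module granted it. That is why the next step is sssd's own log rather than the password path: with debug_level raised in the [domain/...] section, sssd_<domain>.log records the access check and which rule rejected the account.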
Fedora 29, one successful login, then no more
by Mike Hughes
I used realm join and experienced one successful graphical login but then updated the system to the latest version and now cannot login. I can su to the account, run id user on the account so AD lookups seem to be working, but getent passwd returns only local accounts (not sure if that’s a symptom of a problem or not).
This is what I see in journalctl:
journalctl -q _TRANSPORT=audit | grep "mike\""
Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_AUTH pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss,pam_gnome_keyring acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=success'
Apr 05 11:53:41 my-hostname.internal.domain.com audit[3352]: USER_ACCT pid=3352 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="mike" exe="/usr/libexec/gdm-session-worker" hostname=my-hostname.internal.domain.com addr=? terminal=/dev/tty1 res=failed'
Deleted the account, rebooted, left the realm and rejoined, nothing has helped. Can you? 😊
Thanks!
8 months, 1 week
logging in with AD account strangeness
by Peter de Groot
please help.
On Ubuntu against AD. Logging in with an AD account works fine... EXCEPT for just ONE account; the other AD accounts work fine.
It will let me log in once... and when I try to log in again, it comes up with access denied.
BUT... if I do an sssctl cache-remove, it works again... the first time.
id and related diagnostics on this account come up fine...
Used realmd to add the machine to AD. sssd.conf below.
Level 10 logs for at first working and not working can be downloaded from
https://intranet.egc.wa.edu.au/downloads/sssd.tar.gz
Please help .. driving me insane :-)
Peter
root@e4182s01sv025:/etc/sssd# more sssd.conf
[sssd]
domains = orange.schools.internal
config_file_version = 2
services = nss, pam, ifp, sudo
default_domain_suffix = ORANGE.SCHOOLS.INTERNAL
[domain/orange.schools.internal]
ad_domain = orange.schools.internal
krb5_realm = ORANGE.SCHOOLS.INTERNAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_access_control = permissive
root@e4182s01sv025:/etc/sssd#
8 months, 1 week
SSSD attempting to renew ticket with forest domain controller, not nearest
by Jay McCanta
Having trouble on an Ubuntu 16.04 (Xenial) box with sssd 1.13.4-1ubuntu1.12.
The backend goes offline and authentications fail. We have debug_level=9. We expect the server to be talking with one of three DCs in its site.
The forest DCs are behind a firewall for us. Any ideas on what may be the cause and the cure?
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_OUR.DOMAIN.COM], expired on [1554479058]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1554443958
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: OURHOST$
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x2ee3c10], connected[1], ops[(nil)], ldap[0x3012d40], destructor_lock[0], release_memory[0]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] (0x2000): Going offline!
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from now [1554443120]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
Config:
[sssd]
config_file_version = 2
domains = our.domain.com
services = nss, pam, pac
debug_level = 9
reconnection_retries = 3
[pac]
[nss]
debug_level = 9
[pam]
debug_level = 9
[domain/our.domain.com]
debug_level = 9
id_provider = ad
auth_provider = ad
ad_site=SITE
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
ad_access_filter=DOM:our.domain.com:(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-NOC_Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-SOS_Linux_Access,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SRV-ourhost_LocalAdmins,OU=Local Servers,OU=Groups,dc=our,dc=domain,dc=com)))
Jay McCanta | Principal Systems Administrator
D +1 (206) 272-7998 M +1-206-434-1080
8 months, 1 week
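An added, constructed sssd.conf fragment, not part of Jay's post or of the SSSD documentation, showing the usual way to keep the AD provider on domain controllers that are actually reachable. With ad_site alone the provider still picks DCs from the site's SRV records and, for trusted-domain enumeration, also looks up the forest root; pinning ad_server to the in-site DCs keeps the LDAP connection and the machine-account ticket refresh on hosts the firewall allows, with SRV discovery left only as a backup. The DC names dc1/dc2/dc3.our.domain.com are placeholders.

```ini
[domain/our.domain.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_site = SITE
# Placeholder names: replace with the three in-site DCs this host is meant to use.
ad_server = dc1.our.domain.com, dc2.our.domain.com, dc3.our.domain.com
# SRV-record discovery is tried only after all pinned servers have failed.
ad_backup_server = _srv_
```

Before changing anything, it is worth confirming which DC answers and which one refuses the bind: "dig SRV _ldap._tcp.SITE._sites.dc._msdcs.our.domain.com" shows what discovery returns for the site, and after "kinit -k 'OURHOST$'" (the machine principal seen in the sasl_bind_send line) an "ldapsearch -Y GSSAPI -H ldap://<dc> -b '' -s base" against each candidate reproduces the GSSAPI bind outside sssd, so the "Decrypt integrity check failed" can be tied to one DC. Pinning does not stop the subdomains provider from contacting the forest root for trust information; newer releases offer ad_enabled_domains for that, and subdomains_provider = none is the blunt alternative whose side effect on group lookups is the subject of the first post on this page.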