Re: Questions about the PAC responder
by Jim Burwell
Thanks again for the reply. I think this explains the random slowness.
The users in question and the AD server had LOTS and LOTS of groups, and
group memberships among users are many and complex. It sounds like I
could also attack some of the slowness by increasing the cache timeouts
perhaps, if that can be controlled to the level needed by the conf file.
Thanks for helping me understand the issue and the role of PAC in it.
-Jim
On 2019-09-19 23:52, Jakub Hrozek wrote:
> On Thu, Sep 19, 2019 at 05:41:00PM -0700, Jim Burwell wrote:
>> Thanks for the response. Will respond inline.
>>
>> On 2019-09-19 00:07, Jakub Hrozek wrote:
>>> On Wed, Sep 18, 2019 at 06:25:31PM -0700, Jim Burwell wrote:
>>>> Hi,
>>>>
>>>> I recently encountered issues where logins on Linux clients using SSSD
>>>> and the AD provider, pointed directly to an AD server were randomly
>>>> slow. Randomly meaning, some clients experienced no slowness at all,
>>>> other clients consistently had slow logins (30+ seconds sometimes), and
>>>> yet other clients had random normal/fast logins, and frequent slow logins.
>>>>
>>>> Through troubleshooting, log analysis and experimentation, it appears
>>>> the fix for this issue is to turn off the PAC service. Once "pac" was
>>>> removed from the "services =" line in sssd.conf, the problem client
>>>> boxes were suddenly consistently fast in terms of user logins.
>>>>
>>>> This deployment has the clients talking directly to AD servers it looks
>>>> up via the normal AD DNS entries, and uses Unix POSIX attributes in AD
>>>> for uidnumber and gidnumber etc (e.g. it's not doing any SID -> unix ID
>>>> translations, it's just pulling them directly from LDAP attributes).
>>>>
>>>> I guess my questions are:
>>>>
>>>> 1. What does PAC actually do? I've read that it lists a users group as
>>>> part of a KRB5 response, but also that it might be involved in
>>>> cross-domain trusts.
>>> There is a lot of information about PAC in the PFD linked here:
>>> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8...
>>> and a more readable version e.g. here:
>>> https://www.freeipa.org/page/Howto/Inspecting_the_PAC
>>>
>>> In general, Windows gives you the authoritative set of groups the user
>>> is a member of only after login, so parsing the groups out of the PAC is
>>> the most reliable way. And in older versions of SSSD, especially with
>>> IPA-AD trusts, it was even the only way, IOW 'id' would only display
>>> groups after you log in. Newer versions try to approximate the groups
>>> with other means, mostly the tokenGroups attribute.
>> I'll take a look at these links to increase my understanding.
>>>> 2. When is PAC needed. Is it only needed for deployments using IPA?
>>> It was strictly needed with some quite old IPA provider versions and
>>> recommeded at some point for AD provider also, but in the meantime, we
>>> improved the tokenGroups codepath,so the PAC provider is no longer used
>>> for AD provider, at least by default.
>> OK. Good to know. I based my "services =" line on many example configs
>> I've seen similar to our particular architecture, which is why I
>> included "pac". It seemed to be recommended to use with the AD provider
>> from my memory, but now when I do a cursory search, I see most of the
>> example configs no longer include "pac". I thought I was going crazy.
>>
>>>> 3. Is there any impact in turning off PAC if the architecture doesn't
>>>> involve IPA in the mix?
>>> As said above, it is the most reliable way, but if sssd is giving you
>>> the group membership you expect also w/o using the PAC, then feel free
>>> to not use it.
>> So far I've only removed it from services on problem hosts to fix the
>> "slow logins" problem.
>>>> 4. Why would PAC slow down such a architecture seemingly randomly?
>>> I guess you might be using an older version of SSSD? In the older
>>> versions, the PAC was processed as part of the krb5_child process, so if
>>> the PAC processing was taking too long, the krb5_child was timing out.
>>> In newer versions, the PAC handling was reworked and is now evaluated
>>> differently.
>>>
>>> The PAC data is cached iirc, so when the slowdown occured, I guess it
>>> was when the PAC data was out of date in the cache.
>> This makes sense, because in some cases these systems would not
>> successfully complete a login until I increased various timeouts in
>> sssd.conf. Then they'd take from 20-30s to login.
>>
>> But it was quite random, which is what has me confused. These systems
>> were running identical OS, package sets, and were on the same network,
>> in many cases connected to the same set of switches (blade servers).
>> Most have no issue, and login is fast (2-3s). Others took 20-30s!
>> Suspecting networking issues, we moved one to a different network whose
>> clients weren't having slow-login problems to see if it changed
>> anything, and it didn't.
> The slow part is parsing the PAC locally. The PAC includes a list of
> SIDs and for each SID, the PAC responder would ask sssd_be if the
> corresponding SID is known and to refresh it if the corresponding cache
> entry is stale.
>
> So the flow used to go like this:
> sssd_pam -> sssd_be -> krb5_child -> sssd_pac -> sssd_be (for each
> SID) -> (for each expired SID) AD LDAP
> this was too slow. And about why it was random, I guess if some users
> had overlapping group memberships, many of the groups could have been
> updated when another user with similar group memberships logged in and
> then at some point more than a critical mass of groups would go stale in
> the cache and sssd_be ended up updating them all..
>
>> What ultimately fixed it was disabling the PAC service. But near
>> identical systems except for the IP address, sitting right beside the
>> problem systems have no issues with pac enabled! Very strange!
>>
>> Disabling pac made these problem clients behave like the ones that
>> weren't having issues, and logins take 2-3s.
>>
>> These are all ubuntu 16.04 LTS systems which are running sssd 1.13-4-1
>> (or higher if there are patches, right now I don't have access to look
>> at them). So I'm not sure if this is using the older code, or the newer
>> code. Do you remember?
> git log remembers :-)
>
> and tells me that the "new" PAC approach was implemented in 1.14.
>
>> I guess this version is "old" since it came out in early 2017, and the
>> latest 1.x is 1.16.4 (I presume 1.x development has stopped except for
>> bug fixes?). Latest of course is 2.2.2! So it seems way behind when
>> looking at it that way. :-)
> Yes and no. The 1.16.x branch is stable, or long-term support and we'll
> be supporting it until RHEL-7 is supported. It's true that the 1.16
> branch no longer receives many new features and that most of the
> development happens with the 2.x branch, but bug fixes and selected new
> features are still backported to 1.16.x as well. This is not to say the
> 2.x branch is not stable, it is used in RHEL-8 after all, but the large
> amount of chances increases the chance that something would break by
> accident.
1 day, 9 hours
Questions about the PAC responder
by Jim Burwell
Hi,
I recently encountered issues where logins on Linux clients using SSSD
and the AD provider, pointed directly to an AD server were randomly
slow. Randomly meaning, some clients experienced no slowness at all,
other clients consistently had slow logins (30+ seconds sometimes), and
yet other clients had random normal/fast logins, and frequent slow logins.
Through troubleshooting, log analysis and experimentation, it appears
the fix for this issue is to turn off the PAC service. Once "pac" was
removed from the "services =" line in sssd.conf, the problem client
boxes were suddenly consistently fast in terms of user logins.
This deployment has the clients talking directly to AD servers it looks
up via the normal AD DNS entries, and uses Unix POSIX attributes in AD
for uidnumber and gidnumber etc (e.g. it's not doing any SID -> unix ID
translations, it's just pulling them directly from LDAP attributes).
I guess my questions are:
1. What does PAC actually do? I've read that it lists a users group as
part of a KRB5 response, but also that it might be involved in
cross-domain trusts.
2. When is PAC needed. Is it only needed for deployments using IPA?
3. Is there any impact in turning off PAC if the architecture doesn't
involve IPA in the mix?
4. Why would PAC slow down such a architecture seemingly randomly?
I've done a bit of searching and have only found sparse information on
sssd_pac, some in Jakob's blog! I'm trying to understand its role.
Thanks,
- Jim
3 days
[AD] Filter out disabled users
by Hinrikus Wolf
Hi,
we are currently running a Samba AD DC Server with sssd on clients. Now
we want to run sssd also on our mail server with postfix + dovecot.
Postfix and dovecot get their users from NSS i.e. from sssd.
In our Domain there are several disabled users (via User Account Control
Bit). Any of these users are listed in NSS.
Unfortunately, they can receive emails, because they are existing in the
user database of NSS. But they cannot login to read mails or even answer.
We would like to filter out disables users from NSS s.t. postfix will
not accept emails for disabled users.
We searched in man 5 sssd-ad but did not find a config option for this
use case.
Do you have any idea what we could do to achieve the desired behaviour?
Thanks a lot.
Best regards
Rikus
3 days, 1 hour
sssd_be core dumping when ‘realm permit’ command run under puppet control…
by Spike White
All,
This is a strange one. When we exec this command under puppet control:
/usr/sbin/realm permit -R AMER.COMPANY.COM
processehcprofiler(a)AMER.COMPANY.COM
Then sssd_be core dumps (segfault).
When we run that ‘realm permit’ command natively on the command line, it
executes flawlessly. No core dump.
Naturally, our first thought was that it’s something different in the
environment. So we dumped the environment under which puppet exec resource
runs.
Yes, quite minimal.
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.m4a=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.oga=01;36:*.opus=01;36:*.spx=01;36:*.xspf=01;36:
LD_LIBRARY_PATH=
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
HOSTNAME=austgcore25.us.company.com
S_COLORS=auto
PWD=/root
APT_LISTCHANGES_FRONTEND=none
DEBIAN_FRONTEND=noninteractive
APT_LISTBUGS_FRONTEND=none
MAIL=/var/spool/mail/root
SHELL=/bin/bash
TERM=xterm
SHLVL=2
MANPATH=:/opt/puppetlabs/puppet/share/man
PATH=/bin:/usr/bin:/sbin:/usr/sbin
HISTSIZE=1000
LESSOPEN=||/usr/bin/lesspipe.sh %s
_=/bin/env
But when we create a bash session with no environment, then add this
puppet-supplied environment and run the above realm permit– all is still
well.
We can reproduce this easily in puppet. Just delete our breadcrumb file
(so that puppet re-executes this ‘realm permit’ command). And execute
another puppet agent run.
Doing this, we obtained a core dump from sssd_be. And it points to some
code in ad_id.c:
[root@austgcore25 tmp]# gdb -c
core-sssd_be.15405.austgcore25.us.company.com.1563210863
GNU gdb (GDB) Red Hat Enterprise Linux 8.2-5.el8
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html
>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
[New LWP 15405]
Reading symbols from /usr/libexec/sssd/sssd_be...Reading symbols from
/usr/lib/debug/usr/libexec/sssd/sssd_be-2.0.0-43.el8.x86_64.debug...done.
done.
warning: Ignoring non-absolute filename: <linux-vdso.so.1>
Missing separate debuginfo for linux-vdso.so.1
Try: dnf --enablerepo='*debug*' install
/usr/lib/debug/.build-id/06/44254f9cbaa826db070a796046026adba58266
warning: .dynamic section for "/usr/lib64/libndr-nbt.so.0.0.1" is not at
the expected address (wrong library or version mismatch?)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/libexec/sssd/sssd_be --domain AMER.COMPANY.COM
--uid 0 --gid 0 --logger=files'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f79444f53c0 in ad_get_account_domain_search
(req=req@entry=0x5557b6fd45b0)
at src/providers/ad/ad_id.c:1276
1276 state->filter = sdap_combine_filters(state, state->base_filter,
(gdb)
This is in RHEL8.
What we suspect is that the shell in which puppet executes this ‘realm
permit’ is not supplying something that this executable needs. If we know
what it is, we can preface our puppet exec resource code snippet with the
missing piece.
Spike
PS This ‘realm permit’ does seem to perform the correct actions
eventually. It adds the expected user to the simple_allow_users line of
the appropriate AD domain in /etc/sssd/sssd.conf file. But because it
segfaults and then has to start up again, it takes a very long time to
complete the puppet run. (There’s about 20 – 30 users + groups allowed; it
has to segfault on each of them).
5 days, 9 hours
Announcing SSSD 2.2.2
by Michal Židek
== SSSD 2.2.2 ===
The SSSD team is proud to announce the release of version 2.2.2 of the
System Security Services Daemon. The tarball can be downloaded from:
https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
SSSD 2.2.2 (I have included SSSD 2.2.1 at the end as well)
==========
Highlights
----------
New features
^^^^^^^^^^^^
None
Notable bug fixes
^^^^^^^^^^^^^^^^^
* Removing domain from ad_enabled_domain was not reflected in SSSD's
cache. This has been fixed.
* Because of a race condition SSSD could crash during shutdown. The race
condition was fixed.
* Fixed a bug that limited number of external groups fetched by SSSD to
2000.
* pam_sss now properly creates gnome keyring during login.
* SSSD with KCM could wrongly pick older ccache instead of the latest
one after
login. This was fixed.
Packaging Changes
-----------------
None
Documentation Changes
---------------------
None
Tickets Fixed
-------------
* `3932 <https://pagure.io/SSSD/sssd/issue/3932>`_ - MAN: Document
that PAM stack contains the systemd-user service in the account phase in
recent distributions
* `4009 <https://pagure.io/SSSD/sssd/issue/4009>`_ - Removing domain
from ad_enabled_domains is not reflected in cache
* `4058 <https://pagure.io/SSSD/sssd/issue/4058>`_ - Paging not
enabled when fetching external groups, limits the number of external
groups to 2000
* `4063 <https://pagure.io/SSSD/sssd/issue/4063>`_ - sssd-kcm: type
confusion on KDC offset
* `4067 <https://pagure.io/SSSD/sssd/issue/4067>`_ - pam_sss with
smartcard auth does not create gnome keyring
* `4068 <https://pagure.io/SSSD/sssd/issue/4068>`_ - pam_sss: empty
smart card pin registers as authentication attempt
* `4069 <https://pagure.io/SSSD/sssd/issue/4069>`_ - pam_sss should
reset PAM_USER based on use_fully_qualified_names option in sssd.conf
* `3996 <https://pagure.io/SSSD/sssd/issue/3996>`_ - sudo: do not
update last usn when updating expired rules
* `4065 <https://pagure.io/SSSD/sssd/issue/4065>`_ - IFP: GetUserAttr
does not search by UPN
* `4074 <https://pagure.io/SSSD/sssd/issue/4074>`_ - Integration tests
use python2 unconditionally
Detailed changelog
------------------
Jakub Hrozek (6):
MAN: Document that PAM stack contains the systemd-user service in
the account phase in RHEL-8
IPA: Allow paging when fetching external groups
MAN: Document that PAM stack contains the systemd-user service in
the account phase in RHEL-8
IPA: Allow paging when fetching external groups
KCM: Use int32_t type conversion in DEBUG message for int32_t
variable
KCM: Add a forgotten return
KCM: Allow modifications of ccache's principal
KCM: Fill empty cache, do not initialize a new one
Lukas Slebodnik (18):
BUILD: Add macro for checking python3 modules
BUILD: Fix typo of detecting python module for intgcheck
BUILD: Move checking of python2 modules for intgcheck
BUILD: Add macro for checking pytest for intgcheck
BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
BUILD: Move python checks for intgcheck to macro
INTG: Do hot hardcode version of python/pytest in intgcheck
BUILD: Prefer python3 for intgcheck
intg: Install python3 dependencies for intgcheck on new distros
pyhbac: Fix warning Wdiscarded-qualifiers
test_pam_responder: Fix unicore error
SSSDConfig: Add minimal test for parse method
SSSDConfig: Fix SyntaxWarning "is not" with a literal
TESTS: Add minimal test for pysss encrypt
pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
test_pam_responder: Fix DeprecationWarning invalid escape sequence
testlib: Fix SyntaxWarning "is" with a literal
Michal Židek (2):
Bumping the version to track the 2.2.2 development
Update the translations for the 2.2.2 release
Pavel Březina (12):
ad: remove subdomain that has been disabled through
ad_enabled_domains from sysdb
sysdb: add sysdb_domain_set_enabled()
ad: set enabled=false attribute for subdomains that no longer exists
sysdb: read and interpret domain's enabled attribute
sysdb: add sysdb_list_subdomains()
ad: remove all subdomains if only master domain is enabled
ad: make ad_enabled_domains case insensitive
ci: use python2 version of pytest
ci: pep8 was renamed to pycodestyle in Fedora 31
ci: remove left overs from previous rebase
sudo: do not update last usn value on rules refresh
ifp: let cache_req parse input name so it can fallback to upn search
Sumit Bose (5):
pam: keep pin on the PAM stack for forward_pass
pam: do not accept empty PIN
pam: user PAM return codes where expected
pam: set PAM_USER properly with allow_missing_name
Revert "SERVER: Receving SIGSEGV process on shutdown"
Tomas Halman (3):
SERVER: Receving SIGSEGV process on shutdown
BE: Invalid oprator used in condition
SERVER: Receving SIGSEGV process on shutdown
SSSD 2.2.1
==========
Highlights
----------
New features
^^^^^^^^^^^^
* New options were added which allow sssd-kcm to handle bigger data.
See manual pages for ``max_ccaches``, ``max_uid_caches`` and
``max_ccache_size``.
* SSSD can now automatically refresh cached user data from subdomains
in IPA/AD trust.
Notable bug fixes
^^^^^^^^^^^^^^^^^
* Fixed issue with SSSD hanging when connecting to non-responsive
server with ldaps://
* SSSD is now restarted by systemd after crashes.
* Fixed refression when dyndns_update was set to True and
dyndns_refresh_interval was not set or set to 0 then DNS
records were not updated at all.
* Fixed issue when ``default_domain_suffix`` was used with
``id_provider = files`` and caused all results from files domain to be
fully qualified.
* Fixed issue with sudo rules not being visible on OpenLDAP servers
* Fixed crash with ``auth_provider = proxy`` that prevented logins
Packaging Changes
-----------------
None
Documentation Changes
---------------------
A new option ``dns_resolver_server_timeout`` was added
A new option ``max_ccaches`` was added
A new option ``max_uid_ccaches`` was added
A new option ``max_ccache_size`` was added
A new option ``ocsp_dgst`` was added
Tickets Fixed
-------------
* `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover
does not work on connecting to non-responsive ldaps:// server
* `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting
default timeout values
* `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot
handle big tickets
* `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should
work wit openssl1.0+
* `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a
new back end that would write to the secrets database directly
* `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2
* `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests:
ldb-tools is needed for multihost tests
* `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't
clear cache entries for IDs below min_id.
* `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not
refreshing cached user data for the ipa sub-domain in a IPA/AD trust
* `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ -
EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
* `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls
sssd-genconf which triggers nscd warning
* `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after
upgrade to 2.2.0
* `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to
Restart sssd on crashes?
* `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect
usn value for openldap
* `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update =
True is no longer not enough to get the IP address of the machine
updated in IPA upon sssd.service startup
* `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ -
nss_cmd_endservent resets the wrong index
* `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config
option "default_domain_suffix" should not cause the files domain entries
to be qualified
* `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is
not working with enumerate=true when trying to fetch all groups
* `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in
systemd.m4 prevents detection of systemd.pc
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative
cache does not use values from 'filter_users' config option
* `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ -
p11_child::do_ocsp() function implementation is not FIPS140 compliant
* `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ -
p11_child::sign_data() function implementation is not FIPS140 compliant
* `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied
on logs when running sssd as non-root user
* `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140
compliant usage of PRNG
* `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid
* `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with
tests/cmocka/test_dyndns.c
* `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils:
sss_hmac_sha1() function implementation is not FIPS140 compliant
* `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140
compliant usage of PRNG
* `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ -
EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
Detailed changelog
------------------
Alex Rodin (1):
tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to
tevent_loop_wait()
Alexey Tikhonov (14):
util/crypto/libcrypto: changed sss_hmac_sha1()
util/crypto/libcrypto: changed sss_hmac_sha1()
util/secrets: memory leaks are fixed
util/crypto/nss/nss_nite: params sanitization
crypto/libcrypto/crypto_nite: HMAC calculation changed
util/find_uid.c: fixed debug message
util/find_uid.c: fixed race condition bug
util/crypto: removed erroneous declaration
util/crypto/sss_crypto.c: cleanup of includes
util/crypto: generate_csprng_buffer() changed
util/crypto: added sss_rand()
crypto/libcrypto/crypto_nite.c: memory leak fixed
FIPS140 compliant usage of PRNG
crypto/nss: some nss_ctx_init() params made const
Jakub Hrozek (34):
Updating the version for the 2.2.1 release
TESTS: Install expect to drive password-change modifications
TESTS: Also add LDAP password when creating users
TESTS: Test changing LDAP password with extended operation and
modification
TEST: Add a multihost test for not returning / for an empty home dir
MONITOR: Don't check for the nscd socket while regenerating
configuration
SYSDB: Add sysdb_search_with_ts_attr
BE: search with sysdb_search_with_ts_attr
BE: Enable refresh for multiple domains
BE: Make be_refresh_ctx_init set up the periodical task, too
BE/LDAP: Call be_refresh_ctx_init() in the provider libraries,
not in back end
BE: Pass in attribute to look up with instead of hardcoding
SYSDB_NAME
BE: Change be_refresh_ctx_init to return errno and set
be_ctx->refresh_ctx
BE/LDAP: Split out a helper function from sdap_refresh for later
reuse
BE: Pass in filter_type when creating the refresh account request
BE: Send refresh requests in batches
BE: Extend be_ptask_create() with control when to schedule next
run after success
BE: Schedule the refresh interval from the finish time of the
last run
AD: Implement background refresh for AD domains
IPA: Implement background refresh for IPA domains
BE/IPA/AD/LDAP: Add inigroups refresh support
BE/IPA/AD/LDAP: Initialize the refresh callback from a list to
reduce logic duplication
IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
MAN: Amend the documentation for the background refresh
DP/SYSDB: Move the code to set initgrExpireTimestamp to a
reusable function
IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing
refresh request
MAN: Get rid of sssd-secrets reference
MAN: Document that it is enough to systemctl restart
sssd-kcm.service lately
SECRETS: Use different option names from secrets and KCM for
quota options
SECRETS: Don't limit the global number of ccaches
KCM: Pass confdb context to the ccache db initialization
KCM: Configurable quotas for the secdb ccache back end
TESTS: Add tests for the configurable quotas
Don't qualify users from files domain when default_domain_suffix
is set
Jakub Jelen (1):
pam_sss: Add missing colon to the PIN prompt
Lukas Slebodnik (1):
PROXY: Return data in output parameter if everything is OK
Michal Židek (2):
TESTS: ldb-tools and sssd-tools are required for multihost tests
Update the translations for the 2.2.1 release
Niranjan M.R (1):
TESTS: Test kvno correctly displays vesion numbers of principals
Pavel Březina (11):
ci: disable timeout
ci: switch to new tooling and remove 'Read trusted files' stage
ci: rebase pull request on the target branch
ci: print node on which the test is being run
sudo: use proper datetime for default modifyTimestamp value
systemd: add Restart=on-failure to sssd.service
man: fix description of dns_resolver_op_timeout
man: fix description of dns_resolver_timeout
failover: add dns_resolver_server_timeout option
failover: change default timeouts
config: add dns_resolver_op_timeout to option list
Sam Morris (1):
build: fix detection of systemd.pc
Samuel Cabrero (1):
nss: Fix command 'endservent' resetting wrong struct member
Sumit Bose (10):
negcache: add fq-usernames of know domains to all UPN neg-caches
p11_child: prefer better digest function if card supports it
p11_child: fix a memory leak and other memory mangement issues
pam: make sure p11_child.log has the right permissions
ssh: make sure p11_child.log has the right permissions
BE: make sure child log files have the right permissions
utils: remove unused prototype (cert_to_ssh_key)
utils: move parse_cert_verify_opts() into separate file
p11_child: make OCSP digest configurable
pam: fix loop in Smartcard authentication
Tomas Halman (9):
MAN: ldap_user_home_directory default missing
pcre: port to pcre2
CACHE: SSSD doesn't clear cache entries
LDAP: failover does not work on non-responsive ldaps
CONFDB: Files domain if activated without .conf
TESTS: adapt tests to enabled default files domain
BE: Introduce flag for be_ptask_create
BE: Convert be_ptask params to flags
DYNDNS: dyndns_update is not enough
Yuri Chornoivan (1):
Fix minor typos in docs
5 days, 16 hours
Announcing SSSD 2.2.1
by Michal Židek
== SSSD 2.2.1 ===
The SSSD team is proud to announce the release of version 2.2.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New features
^^^^^^^^^^^^
* New options were added which allow sssd-kcm to handle bigger data.
See manual pages for ``max_ccaches``, ``max_uid_caches`` and
``max_ccache_size``.
* SSSD can now automatically refresh cached user data from subdomains
in IPA/AD trust.
Notable bug fixes
^^^^^^^^^^^^^^^^^
* Fixed issue with SSSD hanging when connecting to non-responsive
server with ldaps://
* SSSD is now restarted by systemd after crashes.
* Fixed refression when dyndns_update was set to True and
dyndns_refresh_interval was not set or set to 0 then DNS
records were not updated at all.
* Fixed issue when ``default_domain_suffix`` was used with
``id_provider = files`` and caused all results from files domain to be
fully qualified.
* Fixed issue with sudo rules not being visible on OpenLDAP servers
* Fixed crash with ``auth_provider = proxy`` that prevented logins
Packaging Changes
-----------------
None
Documentation Changes
---------------------
A new option ``dns_resolver_server_timeout`` was added
A new option ``max_ccaches`` was added
A new option ``max_uid_ccaches`` was added
A new option ``max_ccache_size`` was added
A new option ``ocsp_dgst`` was added
Tickets Fixed
-------------
* `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover
does not work on connecting to non-responsive ldaps:// server
* `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting
default timeout values
* `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot
handle big tickets
* `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should
work wit openssl1.0+
* `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a
new back end that would write to the secrets database directly
* `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2
* `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests:
ldb-tools is needed for multihost tests
* `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't
clear cache entries for IDs below min_id.
* `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not
refreshing cached user data for the ipa sub-domain in a IPA/AD trust
* `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ -
EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
* `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls
sssd-genconf which triggers nscd warning
* `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after
upgrade to 2.2.0
* `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to
Restart sssd on crashes?
* `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect
usn value for openldap
* `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update =
True is no longer not enough to get the IP address of the machine
updated in IPA upon sssd.service startup
* `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ -
nss_cmd_endservent resets the wrong index
* `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config
option "default_domain_suffix" should not cause the files domain entries
to be qualified
* `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is
not working with enumerate=true when trying to fetch all groups
* `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in
systemd.m4 prevents detection of systemd.pc
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative
cache does not use values from 'filter_users' config option
* `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ -
p11_child::do_ocsp() function implementation is not FIPS140 compliant
* `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ -
p11_child::sign_data() function implementation is not FIPS140 compliant
* `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied
on logs when running sssd as non-root user
* `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140
compliant usage of PRNG
* `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid
* `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with
tests/cmocka/test_dyndns.c
* `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils:
sss_hmac_sha1() function implementation is not FIPS140 compliant
* `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140
compliant usage of PRNG
* `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ -
EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
Detailed changelog
------------------
Alex Rodin (1):
tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to
tevent_loop_wait()
Alexey Tikhonov (14):
util/crypto/libcrypto: changed sss_hmac_sha1()
util/crypto/libcrypto: changed sss_hmac_sha1()
util/secrets: memory leaks are fixed
util/crypto/nss/nss_nite: params sanitization
crypto/libcrypto/crypto_nite: HMAC calculation changed
util/find_uid.c: fixed debug message
util/find_uid.c: fixed race condition bug
util/crypto: removed erroneous declaration
util/crypto/sss_crypto.c: cleanup of includes
util/crypto: generate_csprng_buffer() changed
util/crypto: added sss_rand()
crypto/libcrypto/crypto_nite.c: memory leak fixed
FIPS140 compliant usage of PRNG
crypto/nss: some nss_ctx_init() params made const
Jakub Hrozek (34):
Updating the version for the 2.2.1 release
TESTS: Install expect to drive password-change modifications
TESTS: Also add LDAP password when creating users
TESTS: Test changing LDAP password with extended operation and
modification
TEST: Add a multihost test for not returning / for an empty home dir
MONITOR: Don't check for the nscd socket while regenerating
configuration
SYSDB: Add sysdb_search_with_ts_attr
BE: search with sysdb_search_with_ts_attr
BE: Enable refresh for multiple domains
BE: Make be_refresh_ctx_init set up the periodical task, too
BE/LDAP: Call be_refresh_ctx_init() in the provider libraries,
not in back end
BE: Pass in attribute to look up with instead of hardcoding
SYSDB_NAME
BE: Change be_refresh_ctx_init to return errno and set
be_ctx->refresh_ctx
BE/LDAP: Split out a helper function from sdap_refresh for later
reuse
BE: Pass in filter_type when creating the refresh account request
BE: Send refresh requests in batches
BE: Extend be_ptask_create() with control when to schedule next
run after success
BE: Schedule the refresh interval from the finish time of the
last run
AD: Implement background refresh for AD domains
IPA: Implement background refresh for IPA domains
BE/IPA/AD/LDAP: Add inigroups refresh support
BE/IPA/AD/LDAP: Initialize the refresh callback from a list to
reduce logic duplication
IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
MAN: Amend the documentation for the background refresh
DP/SYSDB: Move the code to set initgrExpireTimestamp to a
reusable function
IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing
refresh request
MAN: Get rid of sssd-secrets reference
MAN: Document that it is enough to systemctl restart
sssd-kcm.service lately
SECRETS: Use different option names from secrets and KCM for
quota options
SECRETS: Don't limit the global number of ccaches
KCM: Pass confdb context to the ccache db initialization
KCM: Configurable quotas for the secdb ccache back end
TESTS: Add tests for the configurable quotas
Don't qualify users from files domain when default_domain_suffix
is set
Jakub Jelen (1):
pam_sss: Add missing colon to the PIN prompt
Lukas Slebodnik (1):
PROXY: Return data in output parameter if everything is OK
Michal Židek (2):
TESTS: ldb-tools and sssd-tools are required for multihost tests
Update the translations for the 2.2.1 release
Niranjan M.R (1):
TESTS: Test kvno correctly displays vesion numbers of principals
Pavel Březina (11):
ci: disable timeout
ci: switch to new tooling and remove 'Read trusted files' stage
ci: rebase pull request on the target branch
ci: print node on which the test is being run
sudo: use proper datetime for default modifyTimestamp value
systemd: add Restart=on-failure to sssd.service
man: fix description of dns_resolver_op_timeout
man: fix description of dns_resolver_timeout
failover: add dns_resolver_server_timeout option
failover: change default timeouts
config: add dns_resolver_op_timeout to option list
Sam Morris (1):
build: fix detection of systemd.pc
Samuel Cabrero (1):
nss: Fix command 'endservent' resetting wrong struct member
Sumit Bose (10):
negcache: add fq-usernames of know domains to all UPN neg-caches
p11_child: prefer better digest function if card supports it
p11_child: fix a memory leak and other memory mangement issues
pam: make sure p11_child.log has the right permissions
ssh: make sure p11_child.log has the right permissions
BE: make sure child log files have the right permissions
utils: remove unused prototype (cert_to_ssh_key)
utils: move parse_cert_verify_opts() into separate file
p11_child: make OCSP digest configurable
pam: fix loop in Smartcard authentication
Tomas Halman (9):
MAN: ldap_user_home_directory default missing
pcre: port to pcre2
CACHE: SSSD doesn't clear cache entries
LDAP: failover does not work on non-responsive ldaps
CONFDB: Files domain if activated without .conf
TESTS: adapt tests to enabled default files domain
BE: Introduce flag for be_ptask_create
BE: Convert be_ptask params to flags
DYNDNS: dyndns_update is not enough
Yuri Chornoivan (1):
Fix minor typos in docs
5 days, 23 hours
AD user is granted access when it should be denied
by Emil Petersson
Hi,
I am running sssd-1.16.4-21.el7.x86_64 (from CR repo) on a CentOS 7 client. I authenticate to AD 2016, and control access to servers using GPO. For some reason, a completely unprivileged user in AD is allowed to login, and I'd like to understand why.
Here's a sanitized sssd.conf:
[sssd]
domains = prd.domain.com
config_file_version = 2
services = nss, pam, sudo
full_name_format = %1$s
default_domain_suffix = prd.domain.com
[domain/prd.domain.com]
debug_level = 9
ad_domain = prd.domain.com
ad_site = XX1
ad_server = dc000.prd.domain.com, dc001.prd.domain.com
krb5_realm = PRD.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = false
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
ldap_sudo_search_base = DC=domain,DC=com
entry_cache_sudo_timeout = 10
enumerate = true
dyndns_update = false
ad_gpo_access_control = enforcing
ldap_idmap_default_domain_sid = S-1-5-21-6607581186-1994368826-2594857426
ldap_idmap_default_domain = prd.domain.com
ad_gpo_implicit_deny = true
auto_private_groups = true
ad_gpo_ignore_unreadable = true
When I try to SSH to the client using my unprivileged user, I am getting the following output from the SSSD debug:
[sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyRemoteInteractiveLogonRight] value [*S-1-5-32-546]
[ad_gpo_access_check] (0x0400): RESULTANT POLICY:
[ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive
[ad_gpo_access_check] (0x0400): allowed_size = 0
[ad_gpo_access_check] (0x0400): denied_size = 1
[ad_gpo_access_check] (0x0400): denied_sids[0] = S-1-5-32-546
... snip ...
[ad_gpo_access_check] (0x0400): CURRENT USER:
[ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-6607581186-1994368826-2594857426-2570
[ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-6607581186-1994368826-2594857426-513
[ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-11
[ad_gpo_access_check] (0x0400): POLICY DECISION:
[ad_gpo_access_check] (0x0400): access_granted = 1
[ad_gpo_access_check] (0x0400): access_denied = 0
[ad_gpo_access_done] (0x0400): GPO-based access control successful.
I'm trying to understand why this user is being granted access. I find it especially confusing as there is clearly one deny sid and no allow sids detected. The wanted behaviour is that the user should be denied access as long as I've not explicitly allowed it in AD.
Thanks!
1 week, 3 days
enumerate = true strange/broken ?
by Joakim Tjernlund
Decided to try out 2.2.1 and also gave enumerate a try and got somewhat strange results:
sssd # getent group
cjhfj4j_admins:*:145421:
....
No group members ?
getent passwd
Only list linux system users and myself
Where are the rest of the users ?
Jocke
2 weeks, 4 days
sssd backend not workin on ubuntu 18.04
by Charles Hedrick
On our Ubuntu 18.04 servers, sssd won’t start. Logging shows that it can’t find any DNS servers. Restarting sssd fixes it.
/etc/resolv.conf is a symlink to ../run/systemd/resolve/stub-resolv.conf
If I replace that with a hardcoded resolv.conf with the right name server, sssd comes up. Network Manager replaces the file with a different one pointing to nameserver 127.0.0.53, but after another reboot with that file it still works.
This happens on 4 identical servers, but not on a VM with the same OS. I assume there’s a timing issue of some sort.
2 weeks, 5 days
