sssd with samba
by Edouard Guigné
Dear sssd users,
I would like to get informations about the use of sssd with samba
(centos 7, samba 4.8.3).
I need it because I configured a samba share, accessible with sssd.
The authentication is against a windows AD.
My /etc/nsswitch.cnf is configured only with sssd :
/passwd: files sss//
//shadow: files sss//
//group: files sss/
For an other purpose, I set an sftpd access also configured with sssd
against the AD.
I followed some discussions on the samba user list about samba + sssd.
I would like to understand if there are some issues with sssd and samba
4.8.3 on centos 7 ?
Or is it with next RHEL 8 ?
/The RHEL 8 documentation states this: //
////
//"Red Hat only supports running Samba as a server with the winbindd //
//service to provide domain users and groups to the local system. Due to //
//certain limitations, such as missing Windows access control list (ACL) //
//support and NT LAN Manager (NTLM) fallback, SSSD is not supported." //
////
//https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers////
////
//What's confusing is that the RHEL 7 documentation says: //
////
//"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this //
//functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer //
//need to run Winbind and SSSD in parallel to access SMB shares. For //
//example, accessing the Access Control Lists (ACLs) no longer requires //
//Winbind on SSSD clients." //
////
//and //
////
//"4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares //
//For most SSSD clients, using SSSD is recommended:" //
////
//and most worrisome, in my use case: //
////
//"In environments with direct Active Directory integration where the //
//clients use SSSD for general Active Directory user mappings, using //
//Winbind for the SMB ID mapping instead of SSSD can result in //
//inconsistent mapping."
/
In my case, running samba 4.8.3 with SSSD on centos 7 do I need to :
- enable and start winbind service , in conjunction to sssd ?
- or only sssd is enough with samba ?
- Do I have to fear issues in next release of sssd for the support of
samba ? especially for acls support ?/
/
A nsswitch.conf like :
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
or
passwd: files winbind sss
shadow: files winbind sss
group: files winbind sss
Does not seem to work... I test and this is not stable.
Best Regards,
Edouard
1 week, 2 days
SSSD 1.16 for RHEL 6
by TomK
Hi All,
Earlier I've asked if there is a 1.16.X release of SSSD for RHEL 6. I
was given the link in this post.
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
I have some additional questions:
1) How much testing has this version gone through vs the official RHEL 6
/ 7 releases of SSSD 1.16. Does RH perform alot more testing for SSSD
or does RH perform only a few more tests before certifying an SSSD
release for a RHEL release? In other words, how much testing has gone
into the above version.
2) Is there a 1.16 release available specifically for RHEL 6 from
additional repos? What is the repo?
--
Thx,
TK.
10 months
SSSD.Service not starting
by Manjot Singh
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-01-29 14:12:32 EST; 9s ago
Process: 23217 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
Main PID: 23217 (code=exited, status=4)
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Service RestartSec=100ms expired, scheduling restart.
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Scheduled restart job, restart counter is at 5.
Jan 29 14:12:32 pop-os systemd[1]: Stopped System Security Services Daemon.
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Start request repeated too quickly.
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Failed with result 'exit-code'.
Jan 29 14:12:32 pop-os systemd[1]: Failed to start System Security Services Daemon.
10 months
Is it possible to utilize dyndns with samba_dlz?
by Z Z
I have working Samba AD server with linux and windows members. Windows
machines are fine with the dynamic DNS updates. I'd like to have that for
my linux machines too.
I'm already using SSSD to join them to the AD domain, so I'm wondering if
it's possible to use dyndns with the samba_dlz module? Has anyone tried it
yet?
10 months
Is there an RFC or detailed design document describing SSSD's ID Mapping algorithm?
by Jeff Thornsen
The reason I ask is because I use a bunch of storage appliances that offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only support NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping, all of which require manual assignment of UID/GID numbers to objects in LDAP, which is untenable for large environments. Microsoft even removed Unix Attribute editor from their LDAP GUI for the RFC2307 attributes in Windows Server 2016 to push people away from using rfc2307.
I would like to be able to provide a link to an RFC or design document describing the SSSD ID Mapping algorithm so that these 3rd party vendors can incorporate an identical identity mapping algorithm into their products, so that I can use their Secure-NFS product in conjunction with sssd and have the uid and gid numbers match up with the other Linux hosts in our environment.
10 months, 1 week
Re: best way to check if a host is in a net group
by Charles Hedrick
I’d like to return to a discussion from a few months ago. I complained that I couldn’t find members of some netgroups. Here’s an example. I did “getent netgroup lcsrcf” and got no members. This is on Centos 8.1
It makes the right LDAP queries, and gets the right results.
Here’s the final section of the log:
Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x5617e2787d10], connected[1], ops[0x5617e27f5d60], ldap[0x\
5617e27c7da0]
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_members_process] (0x2000): Found 184 members in current search base
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracting netgroup members of netgroup 0
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 1 netgroup members
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting user members of netgroup 0
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 user members
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting host members of netgroup 0
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 host members
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_save_netgroup] (0x2000): Storing netgroup studentdb
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_save_netgroup] (0x1000): Adding original DN [ipaUniqueID=a5eacc30-c406-11e7-9045-000c29dbd083,cn\
=ng,cn=alt,dc=cs,dc=rutgers,dc=edu] to attributes of [studentdb].
Here’s what a check the works looks like:
Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [sysdb_set_entry_attr] (0x0200): Entry [name=dcsilab_random,cn=Netgroups,cn=cs.rutgers.edu,cn=sysdb] \
has set [cache] attrs.
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracting netgroup members of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 netgroup members
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting user members of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 user members
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting host members of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 6 host members
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Putting together triples of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_save_netgroup] (0x2000): Storing netgroup dcsilab_linuxclients__3
Note that the first search was for net group lcsrcf, yer it stores the value as studentdb. Is it getting confused? studentdb is an indirect member of lcsrcf.
> On Nov 4, 2019, at 11:24 AM, Charles Hedrick <hedrick(a)rutgers.edu> wrote:
>
> the query that generated that was
>
> ./test lcsrcf ilab1.cs.rutgers.edu
>
> We have 242 net groups in a complex multi-level setup. It’s historical, and doesn’t make a lot of sense. Lots of redundancy and dead systems. I’m attaching an LDAP dump
>
> <ng.out>
>
>> On Nov 4, 2019, at 11:18 AM, Charles Hedrick <hedrick(a)rutgers.edu> wrote:
>>
>> <sssd_cs.rutgers.edu.log>
>>
>>> On Nov 1, 2019, at 9:03 AM, Sumit Bose <sbose(a)redhat.com> wrote:
>>>
>>> On Thu, Oct 31, 2019 at 02:02:51PM +0000, Charles Hedrick wrote:
>>>> I need to support netgroup checks in a service, written in C. I’m asking the SSSD list because we’re using SSSD, which means that net group operations are routed to the SSSD provider.
>>>>
>>>> I found that innetgr doesn’t work if there are nested net groups. The man page doesn’t suggest that this would happen, though various online discussions seem to suggest it. As far as I can tell, using the usual libc routines, I’d have to do a recursive enumeration of the netgroup. This seems pretty silly, since the host's memberOf attribute shows what net groups it’s a member of, whether direct or indirect. You could also enumerate using the compat tree, which lets a single LDAP query get all members of the netgroup.
>>>
>>> Hi,
>>>
>>> it would be good if you can share some logs which covered the failed
>>> attempt. Iirc nested netgroups are handled by SSSD and glibc together.
>>> I.e. SSSD will not resolve a nested netgroup automatically but just
>>> returns the name and the glibc ask for the members of the nested group
>>> if needed.
>>>
>>> bye,
>>> Sumit
>>>
>>>>
>>>> For the moment I’m doing LDAP operations. My application already needs to do GSSAPI-authenticated LDAP operations, so I have an LDAP connection already. A netgroup check require two queries, which could reasonably be cached. Lookup the netgroup by name to find the unique ID. Look up the host and see if the unique ID matches any memberOf attributes.
>>>>
>>>> But not all applications would be set up so this is easy. Is there a reasonable way to check netgroup membership using normal libc calls?
>>>>
>>>>
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>
>
10 months, 1 week
restrict sudo su -
by Jannis Mann
Hi,
I've implemented sssd with id, auth and access provider as ldap. So I am
using a binding account and didn't joined the domain with the server.
In general everything works. Only members of mentioned SG within the
sssd.conf can login to the server, just as I wish to.
However, as sudo user I can run something as following
sudo su - UserThatIsNotAllowed
So I (a sudo user) can switch to any user that is within the search base
I've specified in the sssd.conf
But these users are not allowed to use the server.
I understand that not the user himself is logging in but I actually don't
want sudo users to be able to switch to users that aren't allowed on the
server.
I'd like that it is only allowed to switch to users that are allowed on the
server on local accounts of course.
Is this a normal behaviour? Can it be changed?
Thank you!
Jannis
10 months, 2 weeks
sssd-ldap, ppolicy, ldap_account_expire_policy with SSHD
by Chris Paul
Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA server (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) and also account expiration (ldap_account_expire_policy = ipa)? It’s implied that IPA works as why else would “ipa” be an option to ldap_account_expire_policy?
I’m trying this in my lab; can’t get it to work.
Also not perfectly clear from the manual is how to use pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew. In the manual, it is written: "Also 'ldap_pwd_policy' must be set to an appropriate password policy.”
What should ldap_pwd_policy be set to for an IPA server?
The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if access is allowed or not.”
On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for expired accounts.
Either my reading is deficient or the documentation is. I’d be happy to contribute if I understood. Does anyone have any tips?
thanks,
Chris Paul
10 months, 2 weeks
