SSSD 1.16 for RHEL 6
by TomK
Hi All,
Earlier I've asked if there is a 1.16.X release of SSSD for RHEL 6. I
was given the link in this post.
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
I have some additional questions:
1) How much testing has this version gone through vs the official RHEL 6
/ 7 releases of SSSD 1.16. Does RH perform alot more testing for SSSD
or does RH perform only a few more tests before certifying an SSSD
release for a RHEL release? In other words, how much testing has gone
into the above version.
2) Is there a 1.16 release available specifically for RHEL 6 from
additional repos? What is the repo?
--
Thx,
TK.
2 months
SSSD.Service not starting
by Manjot Singh
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-01-29 14:12:32 EST; 9s ago
Process: 23217 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
Main PID: 23217 (code=exited, status=4)
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Service RestartSec=100ms expired, scheduling restart.
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Scheduled restart job, restart counter is at 5.
Jan 29 14:12:32 pop-os systemd[1]: Stopped System Security Services Daemon.
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Start request repeated too quickly.
Jan 29 14:12:32 pop-os systemd[1]: sssd.service: Failed with result 'exit-code'.
Jan 29 14:12:32 pop-os systemd[1]: Failed to start System Security Services Daemon.
2 months
Is it possible to utilize dyndns with samba_dlz?
by Z Z
I have working Samba AD server with linux and windows members. Windows
machines are fine with the dynamic DNS updates. I'd like to have that for
my linux machines too.
I'm already using SSSD to join them to the AD domain, so I'm wondering if
it's possible to use dyndns with the samba_dlz module? Has anyone tried it
yet?
2 months
Is there an RFC or detailed design document describing SSSD's ID Mapping algorithm?
by Jeff Thornsen
The reason I ask is because I use a bunch of storage appliances that offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only support NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping, all of which require manual assignment of UID/GID numbers to objects in LDAP, which is untenable for large environments. Microsoft even removed Unix Attribute editor from their LDAP GUI for the RFC2307 attributes in Windows Server 2016 to push people away from using rfc2307.
I would like to be able to provide a link to an RFC or design document describing the SSSD ID Mapping algorithm so that these 3rd party vendors can incorporate an identical identity mapping algorithm into their products, so that I can use their Secure-NFS product in conjunction with sssd and have the uid and gid numbers match up with the other Linux hosts in our environment.
2 months, 1 week
Re: best way to check if a host is in a net group
by Charles Hedrick
I’d like to return to a discussion from a few months ago. I complained that I couldn’t find members of some netgroups. Here’s an example. I did “getent netgroup lcsrcf” and got no members. This is on Centos 8.1
It makes the right LDAP queries, and gets the right results.
Here’s the final section of the log:
Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_process_result] (0x2000): Trace: sh[0x5617e2787d10], connected[1], ops[0x5617e27f5d60], ldap[0x\
5617e27c7da0]
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_members_process] (0x2000): Found 184 members in current search base
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracting netgroup members of netgroup 0
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 1 netgroup members
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting user members of netgroup 0
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 user members
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting host members of netgroup 0
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 host members
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_save_netgroup] (0x2000): Storing netgroup studentdb
(Thu Jan 23 10:14:25 2020) [sssd[be[cs.rutgers.edu]]] [ipa_save_netgroup] (0x1000): Adding original DN [ipaUniqueID=a5eacc30-c406-11e7-9045-000c29dbd083,cn\
=ng,cn=alt,dc=cs,dc=rutgers,dc=edu] to attributes of [studentdb].
Here’s what a check the works looks like:
Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [sysdb_set_entry_attr] (0x0200): Entry [name=dcsilab_random,cn=Netgroups,cn=cs.rutgers.edu,cn=sysdb] \
has set [cache] attrs.
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracting netgroup members of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 netgroup members
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting user members of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 0 user members
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x4000): Extracting host members of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Extracted 6 host members
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_netgr_process_all] (0x2000): Putting together triples of netgroup 5
(Thu Jan 23 09:58:02 2020) [sssd[be[cs.rutgers.edu]]] [ipa_save_netgroup] (0x2000): Storing netgroup dcsilab_linuxclients__3
Note that the first search was for net group lcsrcf, yer it stores the value as studentdb. Is it getting confused? studentdb is an indirect member of lcsrcf.
> On Nov 4, 2019, at 11:24 AM, Charles Hedrick <hedrick(a)rutgers.edu> wrote:
>
> the query that generated that was
>
> ./test lcsrcf ilab1.cs.rutgers.edu
>
> We have 242 net groups in a complex multi-level setup. It’s historical, and doesn’t make a lot of sense. Lots of redundancy and dead systems. I’m attaching an LDAP dump
>
> <ng.out>
>
>> On Nov 4, 2019, at 11:18 AM, Charles Hedrick <hedrick(a)rutgers.edu> wrote:
>>
>> <sssd_cs.rutgers.edu.log>
>>
>>> On Nov 1, 2019, at 9:03 AM, Sumit Bose <sbose(a)redhat.com> wrote:
>>>
>>> On Thu, Oct 31, 2019 at 02:02:51PM +0000, Charles Hedrick wrote:
>>>> I need to support netgroup checks in a service, written in C. I’m asking the SSSD list because we’re using SSSD, which means that net group operations are routed to the SSSD provider.
>>>>
>>>> I found that innetgr doesn’t work if there are nested net groups. The man page doesn’t suggest that this would happen, though various online discussions seem to suggest it. As far as I can tell, using the usual libc routines, I’d have to do a recursive enumeration of the netgroup. This seems pretty silly, since the host's memberOf attribute shows what net groups it’s a member of, whether direct or indirect. You could also enumerate using the compat tree, which lets a single LDAP query get all members of the netgroup.
>>>
>>> Hi,
>>>
>>> it would be good if you can share some logs which covered the failed
>>> attempt. Iirc nested netgroups are handled by SSSD and glibc together.
>>> I.e. SSSD will not resolve a nested netgroup automatically but just
>>> returns the name and the glibc ask for the members of the nested group
>>> if needed.
>>>
>>> bye,
>>> Sumit
>>>
>>>>
>>>> For the moment I’m doing LDAP operations. My application already needs to do GSSAPI-authenticated LDAP operations, so I have an LDAP connection already. A netgroup check require two queries, which could reasonably be cached. Lookup the netgroup by name to find the unique ID. Look up the host and see if the unique ID matches any memberOf attributes.
>>>>
>>>> But not all applications would be set up so this is easy. Is there a reasonable way to check netgroup membership using normal libc calls?
>>>>
>>>>
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>>
>
2 months, 1 week
restrict sudo su -
by Jannis Mann
Hi,
I've implemented sssd with id, auth and access provider as ldap. So I am
using a binding account and didn't joined the domain with the server.
In general everything works. Only members of mentioned SG within the
sssd.conf can login to the server, just as I wish to.
However, as sudo user I can run something as following
sudo su - UserThatIsNotAllowed
So I (a sudo user) can switch to any user that is within the search base
I've specified in the sssd.conf
But these users are not allowed to use the server.
I understand that not the user himself is logging in but I actually don't
want sudo users to be able to switch to users that aren't allowed on the
server.
I'd like that it is only allowed to switch to users that are allowed on the
server on local accounts of course.
Is this a normal behaviour? Can it be changed?
Thank you!
Jannis
2 months, 2 weeks
sssd-ldap, ppolicy, ldap_account_expire_policy with SSHD
by Chris Paul
Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA server (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) and also account expiration (ldap_account_expire_policy = ipa)? It’s implied that IPA works as why else would “ipa” be an option to ldap_account_expire_policy?
I’m trying this in my lab; can’t get it to work.
Also not perfectly clear from the manual is how to use pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew. In the manual, it is written: "Also 'ldap_pwd_policy' must be set to an appropriate password policy.”
What should ldap_pwd_policy be set to for an IPA server?
The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if access is allowed or not.”
On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for expired accounts.
Either my reading is deficient or the documentation is. I’d be happy to contribute if I understood. Does anyone have any tips?
thanks,
Chris Paul
2 months, 2 weeks
No group information displaying and slow persformance while implementing sssd ldap authentication
by capricorn cap
Hi!
I am trying to authentticate my ubuntu users via Active directory and also autofs mounting. May be I am doing something wrong or missing some key attributes but I checked it from last couple of days and decided to write.
I have configured my sssd.conf and using ldaps for communication. After troubleshooting my issue now I am able to get the result for my output like getent passwd AD-username and id AD-username
I am logged on to ubuntu machine with local account and running id AD-Username and getent passwd AD-username and it takes ages to get reply back.
uid=1348(AD-username) gid=100(users) groups=100(users)
when I trun getend group groupname then nothing happens.
I have attached my sssd.conf file.
I am using Ubuntu 18.04
Version: 1.16.1-1ubuntu1.4
Version: 1.16.1-1ubuntu1.4
[sssd]
config_file_version = 2
services = nss, pam, sudo, autofs
domains = mycompany.local
default_domain_suffix = mycompany.local
[nss]
debug_level = 9
filter_groups = root
filter_users = root
reconnection_retries = 3
#If want override the shell for all users uncomment follow line
#override_shell = /bin/bash
[pam]
debug_level = 9
[sudo]
debug_level = 3
[autofs]
[domain/mycompany.local]
debug_level = 9
enumerate = false
case_sensitive = false
cache_credentials = true
min_id = 100
#ldap_id_mapping = True
#ldap_user_primary_group = primaryGroupID
case_sensitive = false
### --- Providers --- ###
id_provider = ldap
auth_provider = ldap
access_provider = simple
chpass_provider = ldap
### --- LDAP GENERAL --- ###
ldap_id_use_start_tls = false
ldap_schema = rfc2307
ldap_tls_cacertdir = /etc/ldap/cacerts
#ldap_tls_cacert = /etc/ssl/dc01.cer
### LDAP user search settings ###
ldap_user_search_base = DC=mycompany,DC=local
# LDAP group search settings
ldap_group_search_base = DC=mycompany,DC=local
# LDAP Class settings
### --- LDAP Class settings --- ####
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
#ldap_user_principal = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_user_member_of = memberOf
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_member = memberUid
ldap_network_timeout = 3
#ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))
ad_server = dc01.mycompany.local
### --- LDAP connection settings --- ###
ldap_uri = ldaps://dc01.mycompany.local:636
ldap_default_bind_dn = CN=serviceaccount,OU=ServiceAccounts,DC=mycompany,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
# Access settings via simple
# simple_allow_groups = lusers
simple_allow_groups = Users
## Temp TEst
ldap_opt_timeout = 20
dns_resolver_timeout = 10
### AutoFS
autofs_provider = ldap
ldap_autofs_entry_key = cn
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_name = nisMapName
ldap_autofs_map_object_class = nisMap
ldap_autofs_search_base = ou=automount,DC=mycompany,dc=local
Thanks
2 months, 2 weeks
