sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
3 months, 2 weeks
kcm, gssproxy and klist
by Winberg Adam
With KCM and gssproxy we often see a long list of credentials when doing a 'klist':
[user.u@lxserv2114 ~]$ klist
Ticket cache: KCM:17098:66803
Default principal: user.u@AD
Valid starting Expires Service principal
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
and so on...
The actual gssproxy credentials at /var/lib/gssproxy/clients/ does not correspond with this output, it only contains what could be expected - a TGT and maybe some service tickets.
The ever growing 'klist' list of credentials is a problem, after a while the user can no longer get any new credentials and therefore has no access to its NFS homedir (sec=krb5). I'm guessing it's the 'max_uid_ccaches' option in sssd-kcm that prevents this.
What is going on here - have we configured gssproxy/kcm wrong or is this a bug?
Regards
Adam
5 months
sssd: AD range retrieval fails when enumeration is enabled
by R Davies
Hi,
When enumeration is enabled (required due to legacy application), and where
a group has > 1500 members, and AD's MaxValRange is at the default 1500,
then sssd fails to show more than 1500 group members. Group lookups are no
longer accurate.
A further interesting aspect is that if the sssd cache is expired (sssctl
cache-expiry -E), then the correct group membership is shown until such
time as enumeration is processed again (i.e. at most
ldap_enumeration_refresh_timeout + memcache_timeout)
src/providers/ldap/sdap.c's sdap_parse_entry() states:
/* This attribute contained range values and needs more to
> * be retrieved
> */
> /* TODO: return the set of attributes that need additional retrieval
> * For now, we'll continue below and treat it as regular values.
> */
As enumeration is enabled the subsequent ASQ/deref work is never
undertaken. As such sssd only ever processes the initial range retrieved
members (0-1499) (NB that nested groups members are evaluated).
We have looked at the relevant source code, but can't find a way to trigger
Attribute Scope Queries (ASQ)/deref. Indeed, no manner of sssd
configuration settings (other than disabling enumeration - which we sadly
cannot do) appears to change this behaviour. Increasing MaxValRange on AD
defeats the purpose of having MaxValRange.
Has anyone run into this before? Or, should I raise a new issue?
Many Thanks.
R.
9 months, 2 weeks
ID Views for IPA ID Views for AD users inconsistent resolution
by Louis Abel
I didn't get a response in #sssd, so I figured I'll try here at the mail list.
# rpm -q sssd ipa-server
sssd-1.16.0-19.el7_5.5.x86_64
ipa-server-4.5.4-10.el7_5.3.x86_64
I've been scratching my head trying to resolve this particular issue. I'm having issues with AD users where when they login, they'll get the UID/GID assigned in the ID views correctly, but only some of the time. Other times, they won't get the id view assigned to them. This is all done in the default trust view. What makes this issue even more interesting is that out of my 6 domain controllers, sometimes it'll be one server out of the six that does it, sometimes it's two. But it's never the same ones, so it's difficult to track the particular issue down. What's even more interesting is this is not occurring with some users (like my own). I have yet to see it occur with my account or even the rest of my team's accounts. One of the things I tried to do is delete the ID views of the offending users and recreate them to no avail.
I put SSSD into debug mode on the IPA servers and tried to get some relevant logs and such to try and figure this out. Below is my SSSD configuration, ldb info, and debug logs (removing private information where possible). I'm trying to determine if this is either a bug within SSSD or if this is a misconfiguration on my part.
$ ldbsearch -H cache_ipa.example.com.ldb name=user.name(a)ad.example.com originalADuidNumber uidNumber originalADgidNumber gidNumber
asq: Unable to register control with rootdse!
# record 1
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
originalADuidNumber: 55616902
originalADgidNumber: 55616902
uidNumber: 55616902
gidNumber: 55616902
$ ipa idoverrideuser-show "Default Trust View" user.name(a)ad.example.com
Anchor to override: user.name(a)ad.example.com
UID: 40001
GID: 40001
Home directory: /home/user.name
Login shell: /bin/bash
$ ldbsearch -H timestamps_ipa.example.com.ldb | less
dn: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
objectCategory: user
originalModifyTimestamp: 20180823172515.0Z
entryUSN: 92632390
initgrExpireTimestamp: 1535133621
lastUpdate: 1535128235
dataExpireTimestamp: 1535133635
distinguishedName: name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
## DEBUG LOGS
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 32 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1080], connected[1], ops[(nil)], ldap[0x55f30a5d0f90]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaanchoruuid=:SID:S-1-5-21-922099545-2851689246-2917073205-16902,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaAnchorUUID]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaOriginalUid]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a645310], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 32 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): Found override for object with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-16902))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [uidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x0080): Override attribute for [gidNumber] has more [2] than one value, using only the first.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [gidNumber] with [40001] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [homeDirectory] with [/home/user.name] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_apply_default_override] (0x4000): Override [loginShell] with [/bin/bash] for [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a6819a0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a681a60
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a681a60 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a6819a0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [safe_original_attributes] (0x4000): Original object does not have [sshPublicKey] set.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a683c50
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a683d10
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a683d10 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a683c50 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_ldb_msg_difference] (0x2000): Replaced/extended attr [uidNumber] of entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d1c0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a68d280
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a68d280 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d1c0 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=user.name(a)ad.example.com,cn=users,cn=ad.example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a68d330
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a688900
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a689320
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6893e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a688900 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a68d330 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55f30a634920
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55f30a6349e0
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6893e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a689320 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Running timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Destroying timer event 0x55f30a6349e0 "ltdb_timeout"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ldb] (0x4000): Ending timer event 0x55f30a634920 "ltdb_callback"
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 0/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Fetching group S-1-5-21-922099545-2851689246-2917073205-20676
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching 172.20.23.190:389
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=chotel,dc=com].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 33 timeout 6
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f30a5d1940], connected[1], ops[0x55f30a63f270], ldap[0x55f30a5ce320]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 33 finished
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-922099545-2851689246-2917073205-20676))].
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 1/1
(Fri Aug 24 16:30:12 2018) [sssd[be[ipa.example.com]]] [ipa_get_ad_memberships_send] (0x0400): External group information still valid.
## /etc/sssd/sssd.conf
[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
# krb5_realm = IPA.EXAMPLE.COM
ipa_domain = ipa.example.com
ipa_hostname = entl01.ipa.example.com
# Server Specific Settings
ipa_server = entl01.ipa.example.com
ipa_server_mode = True
subdomain_homedir = %o
fallback_homedir = /home/%u
default_shell = /bin/bash
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,tomcat,activemq,informix,oracle,xdba,grid,dbadmin,weblogic,operator,postgres,devolog
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
9 months, 3 weeks
Starting SSSD without root
by Tero Saarni
Hi,
I'm trying to run SSSD inside docker container without root user. The
container is executed in OpenShift cluster which does not allow running as root
inside container.
SSSD requires root and checks for this specifically.
Is there any workaround for this?
I believe the limitation is implemented for security reasons, in order to have
most critical parts executed as root and have it drop privileges for other
parts but this now completely blocks using SSSD in the above environment.
--
Tero
1 year, 1 month
file provider with multiple kerberos realms
by Techie
Main goal is to authenticate against multiple Kerberos Realms, AD domains
without joining the Linux box to AD.
We have an AD forest with 2 trusted domains and as a result 2 kerberos
realms, 1 per domain. On RHEL5,6,7 I used pam_krb5 for authentication and
passwd/group files for the user store. This allowed me to authenticate
against AD for users in the passwd file that match the KBR5 principal. In
system-auth/password-auth I would stack pam entries for each KRB5 REALM
Parent: EXAMPLE.COM
Domain1: ADA.EXAMPLE.COM
Domain2:ADB.EXAMPLE.COM
passwd user: joe_doe
krb5 principal: joe_doe(a)ADA.EXAMPLE.COM
passwd user: joe_blow
krb5 principal: joe_blow(a)ADB.EXAMPLE.COM
system-auth
auth sufficient pam_krb5.so realm=ADA.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so realm=ADB.EXAMPLE.COM use_first_pass
In this case either joe_doe or joe_blow can log in via AD credentials and
pam would iterate through the stacked pam_krb5 entries to locate the
matching krb5 principal
I am trying to replicate this on redhat enterprise linux 8. I am aware
pam_krb5 is not an option and that sssd is the default for this use case.
What I cannot figure out is how to authenticate against multiple Domains in
SSSD. If I define 1 domain in sssd.conf with id_provider = files. I can
authenticate fine against the single domain/kerberos5 realm.
If I add multiple domains, sssd does not iterate through them, it fails if
it does not find the user in the first domain.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ADA.EXAMPLE.COM,ADB.EXAMPLE.COM
[pam]
#pam_local_domains = all
[domain/ADA.EXAMPLE.COM]
id_provider = files
auth_provider=krb5
krb5_server = adadc.ada.example.com
krb5_kpasswd = adadc.ada.example.com
krb5_realm = ADA.EXAMPLE.COM
dns_discovery_domain =ADA.EXAMPLE.COM
krb5_validate = false
[domain/ADB.EXAMPLE.COM
id_provider = files
auth_provider=krb5
krb5_server = adbdc.adb.example.com
krb5_kpasswd = adbdc.adb.example.com
krb5_realm =ADB.EXAMPLE.COM
dns_discovery_domain = ADB.EXAMPLE.COM
krb5_validate = false
Is what I am attempting possible without joining AD and using the provider
of AD? I would like to avoid this at all costs.
Thanks
1 year, 5 months
sssd-krb5, krb5_ccachedir, DIR-cache-store...
by Jostein Fossheim
We are working with several kerberos-REALMS and are trying to get our clients to store their kerberos tickets in a DIRECTORY. This seems to work nicely for clients not authenticating at login, with the following configuration set in /etc/krb5.conf.
...
[libdefaults]
...
default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...
user@server:~$ klist
Ticket cache: DIR::/tmp/krb5cc_888/tkt
Default principal: user@REALM
Valid starting Expires Service principal
09/22/19 17:35:50 09/23/19 17:35:48 krbtgt/user@REALM
Each ticket is stored in a separate file.
For clients using sssd for login, I want to set up the same behavior. But when I attempt to login the system creates an "/tmp/krb5cc_${UiD}" - but here the directory don't get the excutable bit set (that is the directory get 0600-permission), and the login fails.
In the man-page from Debian-buster (sssd-version: 1.16.3), there are to settings that seems to regulate this behaviour :
krb5_ccachedir (string)
Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700.
Default: /tmp
krb5_ccname_template (string)
Location of the user's credential cache. Three credential cache types are currently supported: "FILE", "DIR" and "KEYRING:persistent". The cache can be specified either as TYPE:RESIDUAL, or as an absolute path, which implies the "FILE" type. In the template, the following sequences are substituted:
[...]
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
When using KEYRING types, the only supported mechanism is "KEYRING:persistent:%U", which uses the Linux kernel keyring to store credentials on a per-UID basis. This is also the recommended choice, as it is the most secure and predictable method.
The default value for the credential cache name is sourced from the profile stored in the system wide krb5.conf configuration file in the [libdefaults] section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional information on the expansion format defined by krb5.conf.
NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf(5) uses different expansion sequences than SSSD.
Default: (from libkrb5)
...
I have tried to both set and unset, the two parameters in question like this:
krb5_ccachedir = /tmp/krb5cc_%U
krb5_ccname_template = DIR: %d
krb5_ccname_template = DIR:%d/krb5cc_%U_XXXXXX
But the configuration-options seems to be ignored, no matter what I do, and I have the same behavior: A non-executable directory is created and the user is unable to login.
If I set the +x bit on the directory manually as the root-user, everything works.
1 year, 5 months
Re: sssd upgrade from 2.2.3-20 to 2.3.0-9 breaks sudo
by Alexey Tikhonov
On Mon, Nov 30, 2020 at 9:37 PM Mote, Todd <moter(a)austin.utexas.edu> wrote:
>
> > Could you please set "debug_level = 9" in "[sudo]" section of /etc/sssd.conf, restart sssd and provide /var/log/sssd_sudo.log (sanitized if needed)?
>
> Here ya go.
[sbus_dbus_request_name] (0x0020): Unable to request name on the system bus [3]
This error code (3) stands for `DBUS_RELEASE_NAME_REPLY_NOT_OWNER ` here.
This is expected if you didn't disable systemd sssd-sudo service.
Did you have it enabled when you upgraded?
>
> I did verify on a clean install that only removing "sudo" as a service from the sssd.conf file does in fact allow it to work again. Enabling the socket does not seem to be required.
>
> Todd
>
>
> -----Original Message-----
> From: Alexey Tikhonov <atikhono(a)redhat.com>
> Sent: Monday, November 30, 2020 1:58 PM
> To: End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org>
> Subject: [SSSD-users] Re: sssd upgrade from 2.2.3-20 to 2.3.0-9 breaks sudo
>
> On Mon, Nov 30, 2020 at 8:43 PM Mote, Todd <moter(a)austin.utexas.edu> wrote:
> >
> > Hi all
> >
> >
> >
> > I updated my RHEL 8 test box today and got sssd-2.3.0-9.el8.x86_64 as an update from sssd-2.2.3-20.el8.x86_64. Prior to the upgrade everything worked fine. Immediately after upgrade sssd fails to restart the critical service [sudo], and fails to start sssd at all, as noted in journalctl -xe.
>
> Could you please set "debug_level = 9" in "[sudo]" section of /etc/sssd.conf, restart sssd and provide /var/log/sssd_sudo.log (sanitized if needed)?
>
> >
> >
> >
> > Are there things that needs to be done to affect a successful upgrade from 2.2.3 to 2.3.0? a conf file change perhaps? I saw mentions of “required conf file changes” in other issues reported in github.
> >
> >
> >
> > Downgrading back to 2.2.3 and removing the database returns sssd to starting and working.
> >
> > Removing “sudo” as a service from sssd.conf allows sssd to start with 2.3.0-9 installed.
> >
> >
> >
> > I attempted to use “systemctl enable sssd-sudo” like the man page suggests and the result in the journal is “Dependency failed for SSSD Sudo Service responder socket.”
> >
> >
> >
> > I also noted this in the sssd-sudo man page: “It's important to note
> > that on platforms where systemd is supported there's no need to add
> > the "sudo" provider
> >
> > to the list of services, as it became optional. However, sssd-sudo.socket must be enabled instead.”
> >
> > having enabled the sockect and removed “sudo” from the list of services, it does seem to work and retrieve rules from AD for the user.
> >
> >
> >
> > Is all of this correct? Is removing “sudo” as a service the answer to this or is it just a workaround? If it is the solution, is there any documentation about changes to configurations from version to version like sudo no longer allowing the service to start if it’s explicitly listed as a service?
> >
> >
> >
> > Just trying to figure out the scope of what will need to change on my fleet. The evidence so far seems to point to just removing “sudo” as a service in sssd.conf. Is that enough? Should “systemctl enable sssd-sudo” be run as well?
> >
> >
> >
> > Thanks in advance for your insights.
> >
> >
> >
> > Todd
> >
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To
> > unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs
> > .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=04%
> > 7C01%7Cmoter%40austin.utexas.edu%7Cf01f8e8df12c460005a208d8956a3d92%7C
> > 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637423630815484265%7CUnknow
> > n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLC
> > JXVCI6Mn0%3D%7C1000&sdata=oceNDHl05MPSDYn52tAb5Mnsqb0bnHKlAO1tpoaU
> > hrE%3D&reserved=0 List Guidelines:
> > https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo
> > raproject.org%2Fwiki%2FMailing_list_guidelines&data=04%7C01%7Cmote
> > r%40austin.utexas.edu%7Cf01f8e8df12c460005a208d8956a3d92%7C31d7e2a5bdd
> > 8414e9e97bea998ebdfe1%7C1%7C0%7C637423630815484265%7CUnknown%7CTWFpbGZ
> > sb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3
> > D%7C1000&sdata=WbMFjIprD%2BbYocMn0uoTgOscDL%2Fp4jlH7icPneGL3v8%3D&
> > amp;reserved=0 List Archives:
> > https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist
> > s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted
> > .org&data=04%7C01%7Cmoter%40austin.utexas.edu%7Cf01f8e8df12c460005
> > a208d8956a3d92%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C6374236308
> > 15484265%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL
> > CJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Yl5fnjkNmK37oRoQFQhA1Sj
> > XigQNO0orE4IY%2FRe%2FjgA%3D&reserved=0
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fe...
> List Guidelines: https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorap...
> List Archives: https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.f...
> >> This message is from an external sender. Learn more about why this <<
> >> matters at https://links.utexas.edu/rtyclf. <<
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1 year, 5 months
Re: sssd upgrade from 2.2.3-20 to 2.3.0-9 breaks sudo
by Alexey Tikhonov
On Mon, Nov 30, 2020 at 8:43 PM Mote, Todd <moter(a)austin.utexas.edu> wrote:
>
> Hi all
>
>
>
> I updated my RHEL 8 test box today and got sssd-2.3.0-9.el8.x86_64 as an update from sssd-2.2.3-20.el8.x86_64. Prior to the upgrade everything worked fine. Immediately after upgrade sssd fails to restart the critical service [sudo], and fails to start sssd at all, as noted in journalctl -xe.
Could you please set "debug_level = 9" in "[sudo]" section of
/etc/sssd.conf, restart sssd and provide /var/log/sssd_sudo.log
(sanitized if needed)?
>
>
>
> Are there things that needs to be done to affect a successful upgrade from 2.2.3 to 2.3.0? a conf file change perhaps? I saw mentions of “required conf file changes” in other issues reported in github.
>
>
>
> Downgrading back to 2.2.3 and removing the database returns sssd to starting and working.
>
> Removing “sudo” as a service from sssd.conf allows sssd to start with 2.3.0-9 installed.
>
>
>
> I attempted to use “systemctl enable sssd-sudo” like the man page suggests and the result in the journal is “Dependency failed for SSSD Sudo Service responder socket.”
>
>
>
> I also noted this in the sssd-sudo man page: “It's important to note that on platforms where systemd is supported there's no need to add the "sudo" provider
>
> to the list of services, as it became optional. However, sssd-sudo.socket must be enabled instead.”
>
> having enabled the sockect and removed “sudo” from the list of services, it does seem to work and retrieve rules from AD for the user.
>
>
>
> Is all of this correct? Is removing “sudo” as a service the answer to this or is it just a workaround? If it is the solution, is there any documentation about changes to configurations from version to version like sudo no longer allowing the service to start if it’s explicitly listed as a service?
>
>
>
> Just trying to figure out the scope of what will need to change on my fleet. The evidence so far seems to point to just removing “sudo” as a service in sssd.conf. Is that enough? Should “systemctl enable sssd-sudo” be run as well?
>
>
>
> Thanks in advance for your insights.
>
>
>
> Todd
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1 year, 5 months
sssd upgrade from 2.2.3-20 to 2.3.0-9 breaks sudo
by Mote, Todd
Hi all
I updated my RHEL 8 test box today and got sssd-2.3.0-9.el8.x86_64 as an update from sssd-2.2.3-20.el8.x86_64. Prior to the upgrade everything worked fine. Immediately after upgrade sssd fails to restart the critical service [sudo], and fails to start sssd at all, as noted in journalctl -xe.
Are there things that needs to be done to affect a successful upgrade from 2.2.3 to 2.3.0? a conf file change perhaps? I saw mentions of "required conf file changes" in other issues reported in github.
Downgrading back to 2.2.3 and removing the database returns sssd to starting and working.
Removing "sudo" as a service from sssd.conf allows sssd to start with 2.3.0-9 installed.
I attempted to use "systemctl enable sssd-sudo" like the man page suggests and the result in the journal is "Dependency failed for SSSD Sudo Service responder socket."
I also noted this in the sssd-sudo man page: "It's important to note that on platforms where systemd is supported there's no need to add the "sudo" provider
to the list of services, as it became optional. However, sssd-sudo.socket must be enabled instead."
having enabled the sockect and removed "sudo" from the list of services, it does seem to work and retrieve rules from AD for the user.
Is all of this correct? Is removing "sudo" as a service the answer to this or is it just a workaround? If it is the solution, is there any documentation about changes to configurations from version to version like sudo no longer allowing the service to start if it's explicitly listed as a service?
Just trying to figure out the scope of what will need to change on my fleet. The evidence so far seems to point to just removing "sudo" as a service in sssd.conf. Is that enough? Should "systemctl enable sssd-sudo" be run as well?
Thanks in advance for your insights.
Todd
1 year, 5 months
