sssd-krb5, krb5_ccachedir, DIR-cache-store...
by Jostein Fossheim
We are working with several kerberos-REALMS and are trying to get our clients to store their kerberos tickets in a DIRECTORY. This seems to work nicely for clients not authenticating at login, with the following configuration set in /etc/krb5.conf.
...
[libdefaults]
...
default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...
user@server:~$ klist
Ticket cache: DIR::/tmp/krb5cc_888/tkt
Default principal: user@REALM
Valid starting Expires Service principal
09/22/19 17:35:50 09/23/19 17:35:48 krbtgt/user@REALM
Each ticket is stored in a separate file.
For clients using sssd for login, I want to set up the same behavior. But when I attempt to login the system creates an "/tmp/krb5cc_${UiD}" - but here the directory don't get the excutable bit set (that is the directory get 0600-permission), and the login fails.
In the man-page from Debian-buster (sssd-version: 1.16.3), there are to settings that seems to regulate this behaviour :
krb5_ccachedir (string)
Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700.
Default: /tmp
krb5_ccname_template (string)
Location of the user's credential cache. Three credential cache types are currently supported: "FILE", "DIR" and "KEYRING:persistent". The cache can be specified either as TYPE:RESIDUAL, or as an absolute path, which implies the "FILE" type. In the template, the following sequences are substituted:
[...]
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
When using KEYRING types, the only supported mechanism is "KEYRING:persistent:%U", which uses the Linux kernel keyring to store credentials on a per-UID basis. This is also the recommended choice, as it is the most secure and predictable method.
The default value for the credential cache name is sourced from the profile stored in the system wide krb5.conf configuration file in the [libdefaults] section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional information on the expansion format defined by krb5.conf.
NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf(5) uses different expansion sequences than SSSD.
Default: (from libkrb5)
...
I have tried to both set and unset, the two parameters in question like this:
krb5_ccachedir = /tmp/krb5cc_%U
krb5_ccname_template = DIR: %d
krb5_ccname_template = DIR:%d/krb5cc_%U_XXXXXX
But the configuration-options seems to be ignored, no matter what I do, and I have the same behavior: A non-executable directory is created and the user is unable to login.
If I set the +x bit on the directory manually as the root-user, everything works.
1 month, 1 week
sssd with samba
by Edouard Guigné
Dear sssd users,
I would like to get informations about the use of sssd with samba
(centos 7, samba 4.8.3).
I need it because I configured a samba share, accessible with sssd.
The authentication is against a windows AD.
My /etc/nsswitch.cnf is configured only with sssd :
/passwd: files sss//
//shadow: files sss//
//group: files sss/
For an other purpose, I set an sftpd access also configured with sssd
against the AD.
I followed some discussions on the samba user list about samba + sssd.
I would like to understand if there are some issues with sssd and samba
4.8.3 on centos 7 ?
Or is it with next RHEL 8 ?
/The RHEL 8 documentation states this: //
////
//"Red Hat only supports running Samba as a server with the winbindd //
//service to provide domain users and groups to the local system. Due to //
//certain limitations, such as missing Windows access control list (ACL) //
//support and NT LAN Manager (NTLM) fallback, SSSD is not supported." //
////
//https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers////
////
//What's confusing is that the RHEL 7 documentation says: //
////
//"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this //
//functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer //
//need to run Winbind and SSSD in parallel to access SMB shares. For //
//example, accessing the Access Control Lists (ACLs) no longer requires //
//Winbind on SSSD clients." //
////
//and //
////
//"4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares //
//For most SSSD clients, using SSSD is recommended:" //
////
//and most worrisome, in my use case: //
////
//"In environments with direct Active Directory integration where the //
//clients use SSSD for general Active Directory user mappings, using //
//Winbind for the SMB ID mapping instead of SSSD can result in //
//inconsistent mapping."
/
In my case, running samba 4.8.3 with SSSD on centos 7 do I need to :
- enable and start winbind service , in conjunction to sssd ?
- or only sssd is enough with samba ?
- Do I have to fear issues in next release of sssd for the support of
samba ? especially for acls support ?/
/
A nsswitch.conf like :
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
or
passwd: files winbind sss
shadow: files winbind sss
group: files winbind sss
Does not seem to work... I test and this is not stable.
Best Regards,
Edouard
2 months
SSSD and PKI: capability of checking trust/validation/revocation
by Hristina Marosevic
Hello,
I am using SSSD with LDAP directory which provides public keys for each user entry to SSSD.
I am not sure if it is possible to configure SSSD not just to accept the private key (provided by the user during the login) and authenticate the user from LDAP (where his public ke is stored), but also to check the:
- trust (validation of the CA used for signing the user's certificate i.e. public key)
- validity of a user certificate with its public key (its "from" - "to" dates)
- revocation status (configuration of SSSD with CRL lists or OCSP)
or should I manage this on the LDAP side or on application level or somewhere else?
I would be grateful if you share your ideas about the possible solutions of this situation!
BR,
Hristina
9 months, 4 weeks
Heads up. Moving to github. (Date to be set)
by Pavel Březina
SSSD repository is currently spread over multiple places. We use Pagure
[1][2] to manage upstream issues and documentation and Github [3] as our
main development platform.
We chose to move only to a single platform to reduce number of tools we
use and to have everything at one place. We decided to move from Pagure
to Github.
This is only a heads up. Precise date will be set soon and I will notify
you on sssd-users and sssd-devel mailing lists.
There are several steps that needs to be done in order to achieve this
change but the most significant for our users and contributors is: We
will no longer accept new issues and pull request in Pagure and we will
kindly ask you to use Github instead.
Thank you.
Best regards,
Pavel.
[1] https://pagure.io/SSSD/sssd
[2] https://pagure.io/SSSD/docs
[3] https://github.com/SSSD/sssd
9 months, 4 weeks
sssd and TLS/SSL after AD Microsoft Patch
by Arnau Bria
Dear all,
we're preparing our sssd service to be fully compliant with the patch the
Microsfot will release soon and that will make AD reject any communication
that is not encrypted. ( *ADV190023
<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023>*
).
We run Scientific Linux 7.4.
openldap-2.4.44-5.el7.x86_64
sssd-ldap-1.14.0-43.el7.x86_64
Our current conf was using TLS like:
> id_provider = ldap
> auth_provider = ldap
[...]
> ldap_tls_cacert = /etc/sssd/root-ca
> ldap_tls_reqcert = allow
> ldap_id_use_start_tls = True
ldap_uri = ldap://ldap:3268
reqcert allow is a security risk, so I consider this conf as a none valid
one *(based on my exprience I can say that we have never used an encrypted
channel. Unfortunately I don't have access to the AD server to see the logs
and I have not sniffed the network to confirm/deny my assumption)*.
I'm now working in two solutions in order to enforce encryption: enforce
TLS or use SSL.
*SSL*
According to https://docs.pagure.org/SSSD.sssd/users/faq.html if I want
to use SSL I need to use ldaps:
This means that if sssd.conf has ldap_uri = ldap://<server>, it will
> attempt to encrypt the communication channel with TLS (transport layer
> security). If sssd.conf has ldap_uri = ldaps://<server>, then SSL will be
> used instead of TLS
So the conf now looks like:
ldaps_uri = ldaps://ldap:3269
then, after deleting all cache and restating service the authentication
service does not work:
# id bria
> id: bria: no such user
following the above guide I found that I had to configure openldap so it
recognizes the RootCA , so I had to create a mozilla db and add the CA in
order to make ldap work:
# grep ^TLS /etc/openldap/ldap.conf
> TLS_CACERTDIR /etc/openldap/cacerts
# certutil -L -d /etc/openldap/cacerts
> Certificate Nickname Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
> CA CT,C,c
then sssd works again.
> # id bria
> uid=14925(bria)
*TLS*
Same happens if I want to enforce TLS:
ldap_tls_cacert = /etc/sssd/root-ca
> ldap_tls_reqcert = demand
> ldap_id_use_start_tls = True
the cacert is valid cert but it still needs the openldap cacerts db to be
valid in order to talk to the ldap server.
Why is then ldap_tls_cacert = /etc/sssd/root-ca even needed? I can comment
the line and sssd works perfectly.
Is this dependency between sssd and openldap documented in some other place
than the FAQ?
As te logs, even with debug level set to 9, are not saying that much in
regards the SSL/TLS, can anyone confirm that this is how sssd has to be
configured in order to ensure encryption in the communication?
TIA,
--
Arnau Bria
9 months, 4 weeks
SSSD performance
by Jannis Mann
Hi,
I just want to check wether the performance of sssd is alright or if there
is room for improvement.
I am using a binding account to query the Active Directory.
I've configured a nesting level of 1.
When I login the first time or run the id command it takes around 5 secs to
finish when the user is member of ~100 (nested) groups in the AD.
It takes around 10 secs if the user is member of ~200 (nested) groups.
So you can say the loading time is increasing linearly to the membership of
groups.
Unfortunately I need to use a nesting level of 1. I've set group members to
false and enumeration off.
Are these values in an acceptable area? What experiences did you make?
Thank you :)
JM
10 months
sshPublicKey is not available for kolbrich@example.com - but it is
by Kevin Olbrich
Hi!
I'm new to SSSD and I try to connect SSSD to my AD to manage SSH access.
I set up the attribute and class on AD schema master and I can fill
keys using ADUC.
I've also enabled the checkbox for GC sync. My client system is debian buster.
I've joined a machine this way:
realm discover EXAMPLE.COM
realm join EXAMPLE.COM
My /etc/sssd/sssd.conf:
[sssd]
domains = example.com
services = nss, sudo, ssh, pam, autofs
config_file_version = 2
debug_level = 9
[ssh]
debug_level = 9
ssh_use_certificate_keys = false
[domain/example.com]
debug_level = 9
ad_domain = example.com
krb5_realm = example.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = domänen-benutzer
SSHD config contains:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
I can successfully login using my AD account using my password. This
works flawless.
When I try to retrieve my SSH keys, it does not work:
root@slde0009 ~ # sss_ssh_authorizedkeys --debug 9 kolbrich
root@slde0009 ~ #
Passwd works:
root@slde0009 ~ # getent passwd kolbrich
kolbrich:*:1753601104:1753600513:Kevin
Olbrich:/home/kolbrich@example.com:/bin/bash
sssd_example.com.log contains:
(Wed Mar 25 14:36:53 2020) [sssd[be[example.com]]]
[sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for
[kolbrich(a)example.com].
LDAP looks fine:
root@slde0009 ~ # ldapsearch -H ldap://192.168.81.1 -D
administrator(a)example.com -b "dc=example,dc=com" -W -x
'(objectClass=ldapPublicKey)' 'sshPublicKey'
[...]
# Kevin Olbrich, Users, DIT, MyBusiness, example.com
dn: CN=Kevin Olbrich,OU=Users,OU=DIT,OU=MyBusiness,DC=example,DC=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClO6Jdbj7HffLDmAoXr/KU7IYn
kL/DvJBodE2UdhzROkc6YNSq7Y4xcfS3wHLH8OtPupbIDURwH/XZw2dflwcjxkHgyDPIQzzA988VJ
pZeT7DJ8AXx0VzZ0MfbIvksVja6eFgSbkvfU54zKloFFU0ml7UMh7WPwzY0kzhzjkiWnRLiTbERgg
IeeuQCF5HZvqpIr15ss1R0DLWMsLDL32FmM7tqYQRR5DkbD1T8ALIH3VaTcJhkaiqgW6V27Ps6gK/
lEQU9JKFNxfhqF+OsK+pngnC0uppw/r265rymfsHa1SfWQxhYRuxZxafldCnZYgMs9KzGK76pziDH
v3rGErCL ko(a)sv01.de
[...]
There are some howtos for this scenario but they work at this point :-P
What am I doing wrong here?
Thank you in advance!
Kind regards
Kevin
10 months
Re: SSSD Filter
by Andreas Schoon
Hi Sumit,
I've seen the gpo option in the man-pages, but I've got a problem to use it.
I'm supporting several Red-hat/Centos systems for different Teams.
We talk about more than 500 Systems for more than 10 Teams with various
access-rights.
For auditing reasons I'd like to map the system-access-rights to AD-Groups.
Then I'm able to generate audit-reports.
If it's only possible to do this with sssd via gpo, I have to create al
lot of gpo's.
I don't want to use the IDM (IPA) to keep it simple, if it's possible.
Or is this the only/prefered way?
Kind regards
Andreas
On 19.03.2020 16:49, Sumit Bose wrote:
> On Thu, Mar 19, 2020 at 04:12:05PM +0100, Andreas Schoon wrote:
>> Hi,
>>
>> I'm using the sssd (centos7) combined with microsoft ad (2016) and I'm
>> searching for a service-based filter-option.
>>
>> My plan is to grand access to the service, based on groupmembership in ad.
> Hi,
>
> please use sssd-users(a)lists.fedorahosted.org next time.
>
> Please check the ad_gpo_access_control option and the following in man
> sssd-ad. sshd is is by default in ad_gpo_map_remote_interactive and you
> can add the PAM service name of radius e.g. to ad_gpo_map_service.
>
> HTH
>
> bye,
> Sumit
>
>> Is there any way to do this?
>>
>> Example:
>>
>> Member of ad-Group : sssh_user can connect via ssh to the server, Member
>> of ad-Group : rad_user can use the radius-deamon on the server
>>
>> [sshd]
>>
>> ad_access_filter =
>> FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=ssh_user,OU=linux,OU=Test,DC=xxx,DC=yy)
>>
>> [radiusd]
>>
>> ad_access_filter =
>> FOREST:xxx.yy:(memberOf:1.2.840.113556.1.4.1941:=CN=rad_user,OU=linux,OU=Test,DC=xxx,DC=yy)
>>
>>
>> I can't see a solution in the manpages ...
>>
>> In the Past I've combined the Groups and used the top one for the
>> filter, but that's not secure ...
>>
>> Kind Regards
>>
>> Andreas
>>
>>
>>
>> --
>> Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
>> https://www.avast.com/antivirus
--
Diese E-Mail wurde von Avast Antivirus-Software auf Viren geprüft.
https://www.avast.com/antivirus
10 months
Change primary group
by Jannis Mann
Hi,
I've sssd running with ldap provider and therefore use a binding account.
In general everything works. I've a question regarding the primary group.
When I login with any user who I permitted to in the sssd.conf all users
have the Domain Users gorup as primary group.
So if I create a file with User a ownership is UserA:Domain\ Users
Same goes for UserB etc.
Can I have influence on the primary group of the sssd users? Because this
seems quite insecure for me. Because I use different permissions for
different users (configured via sudoers files). But if every user is in the
same group..
Thanks for your input!
Jannis
10 months, 1 week
