Migrating to new LDAP server in sssd.conf
by Vjay
Hi Friends,
As a security requirement, we have to migrate LDAP servers from one active directory domain to other active directory domain. Old active directory LDAP servers are providing unix attributes for linux servers(centos 7) while new active directory LDAP servers don't so we have to migrate unix attribute management to sssd, which will change userid and groupid of all users.
Does SSSD provide feature to keep / store userid and groupid from old domain of users so we don't have change file ownership on linux server side for the files owned by active directory users?
Regards,
Vjay
2 days, 14 hours
Re: [External] - Re: How to authenticate machine with Kerberos to Active Directory?
by Spike White
Wes,
In addition, make sure all your DNS entries are correct. Forward and
reverse.
Cannot find host in Kerberos database can arise from:
1. missing entry in your /etc/krb5.conf file (James spoke to this
clearly)
2. missing machine account in AD, (unlikely, because your AD
join succeeded)
3. missing DNS entries or
4. not able to determine your AD domain (kerberos realm) from your DNS
domain. (unlikely, because your AD join succeeded).
Spike
On Thu, Jul 30, 2020 at 11:18 AM Wesley Taylor <wesley.taylor(a)numerica.us>
wrote:
> Sorry I asked this question in the wrong place, but thank you for the
> awesome
> answer James!
>
>
> Public Content
>
> -----Original Message-----
> From: James Ralston <ralston(a)pobox.com>
> Sent: Wednesday, July 29, 2020 11:05 PM
> To: End-user discussions about the System Security Services Daemon
> <sssd-users(a)lists.fedorahosted.org>
> Subject: [External] - [SSSD-users] Re: How to authenticate machine with
> Kerberos to Active Directory?
>
> CAUTION: This email originated from outside of the organization. Do not
> click
> links or open attachments unless you recognize the sender and know the
> content
> is safe.
>
>
> On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor <wesley.taylor(a)numerica.us>
> wrote:
>
> > I have a program I am trying to set up which tries to authenticate
> > with the principal host\machine-FQDN@REALM using Kerberos.
> >
> > However, when I run kinit -k, the machine isn't found in the Kerberos
> > database.
>
> "kinit -k" (with no arguments) defaults to attempting to obtain a TGT for
> (e.g.) host/mymachine.example.org(a)EXAMPLE.ORG, which only works if you
> set
> userPrincipalName to host/mymachine.example.org(a)EXAMPLE.ORG
> when you joined the host to Active Directory.
>
> Running "kinit -k MYMACHINE\$" (that is, using the value of the
> sAMAccountName
> attribute as the argument to "kinit -k") should always work.
>
> > From what I have read, SSSD is responsible for being the glue between
> > MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active
> > Directory uses).
>
> This has nothing to do with sssd; it's all about setting userPrincipalName
> correctly when you join the host to AD if you want "kinit -k" (with no
> arguments) to work.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To
> unsubscribe
> send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fdocs.f...
> List Guidelines:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Ffedora...
> List Archives:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Flists....
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
1 week
offline auth and system upgrades
by xcorvis@gmail.com
I've been using sssd + AD to do auth for a few years now. Offline authentication is enabled and works normally. In that time I've upgraded my Ubuntu laptop several times, and each time I noticed that after the update, I cannot log in unless I'm on the corp network with direct access to AD. That hasn't really been a problem until now. I'm working from home over vpn all the time and don't have to option of going in to get on the corp network.
I know the workaround is to use a local account, get on the VPN, authenticate with my AD account and populate the cache, but IT doesn't like me creating local users and it's a pain. I haven't tried the latest update yet (19.10 -> 20.04, sssd currently 2.2.0).
Since something in the upgrade process is presumably destroying the cache, I was wondering if there's a "nice" way around this? Ubuntu upgrades for sssd seem like they're just upgrading sssd via apt, so I'm wondering why these major updates seem to operate differently from minor ones, and if that's intentional.
Thanks!
1 week
Re: How to authenticate machine with Kerberos to Active Directory?
by James Ralston
On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor <wesley.taylor(a)numerica.us> wrote:
> I have a program I am trying to set up which tries to authenticate
> with the principal host\machine-FQDN@REALM using Kerberos.
>
> However, when I run kinit -k, the machine isn't found in the Kerberos
> database.
"kinit -k" (with no arguments) defaults to attempting to obtain a TGT
for (e.g.) host/mymachine.example.org(a)EXAMPLE.ORG, which only works if
you set userPrincipalName to host/mymachine.example.org(a)EXAMPLE.ORG
when you joined the host to Active Directory.
Running "kinit -k MYMACHINE\$" (that is, using the value of the
sAMAccountName attribute as the argument to "kinit -k") should always
work.
> From what I have read, SSSD is responsible for being the glue
> between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which
> Active Directory uses).
This has nothing to do with sssd; it's all about setting
userPrincipalName correctly when you join the host to AD if you want
"kinit -k" (with no arguments) to work.
1 week
How to authenticate machine with Kerberos to Active Directory?
by Wesley Taylor
Hello,
I have a program I am trying to set up which tries to authenticate with the
principal host\machine-FQDN@REALM using Kerberos.
However, when I run kinit -k, the machine isn't found in the Kerberos
database.
The reason I think this question belongs here is I used realm join to
configure Kerberos, SSSD, and PAM automagically to work with an Active
Directory based domain controller. All my domain user accounts are able to
get tickets just fine, but the default Kerberos keytab cannot. From what I
have read, SSSD is responsible for being the glue between MIT Kerberos (what
Linux uses) and Microsoft Kerberos (which Active Directory uses).
I am just scratching my head here on how I can get access to the principal
used by the machine itself to get Kerberos tickets. Is there a good way to
go about this? Is SSSD responsible for this information, or is my domain
controller configured incorrectly for this kind of setup?
Thank you,
Wes
Public Content
1 week
Does sssd use initgroups?
by Spike White
All,
sssd front-end, AD back-end. Does sssd use initgroups to use initial
group membership?
I was recently debugging a sssd connection problem in the
/var/log/sssd/sssd* logs (debug level 9). and I thought I saw a reference
to initgroups. or getgrouplist().
my /etc/nsswitch.conf file has:
passwd: files systemd sss
group: files systemd sss
Should I also have a line with:
initgroups: files systemd sss
Spike White
1 week, 1 day
id_provider=ldap with auth_provider=proxy
by Jonathon Anderson
I'm working a RHEL7.6 case (02704264, if that's useful to anyone)
where the tech is claiming that our domain setup of id_provider=ldap
with auth_provider=proxy doesn't work. This is counter to our past and
current experience, but I'm afraid of this being a red herring that
will block us from troubleshooting the hanging issue we're
experiencing.
The tech is citing table 7.1 at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
which lists "Available Combinations of Identity and Authentication
Providers" and, since this combination isn't listed, they're saying
this combination doesn't work.
We use auth_provider=proxy to dispatch auth through a Duo authentication proxy.
Can someone confirm whether there's any reason this shouldn't work?
Again, it *does* work, but we're experiencing a failure mode where
sssd becomes unresponsive after some time or event, as yet
undetermined.
Thanks for your help.
~jonathon
1 week, 2 days
Announcing SSSD 2.3.1
by Pavel Březina
# SSSD 2.3.1
The SSSD team is proud to announce the release of version 2.3.1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/sssd-2_3_1
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_3_1
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### New features
- Domains can be now explicitly enabled or disabled using `enable` option in
domain section. This can be especially used in configuration snippets.
- New configuration options `memcache_size_passwd`, `memcache_size_group`,
`memcache_size_initgroups` that can be used to control memory cache size.
### Notable bug fixes
- Fixed several regressions in GPO processing introduced in sssd-2.3.0
- Fixed regression in PAM responder: failures in cache only lookups are
no longer considered fatal
- Fixed regression in proxy provider: `pwfield=x` is now default value
only for `sssd-shadowutils` target
### Packaging changes
- `libwbclient` is now deprecated and is not being built by default (use
`--with-libwibclient` to build it)
### Documentation Changes
- Added option `memcache_size_passwd`
- Added option `memcache_size_group`
- Added option `memcache_size_initgroups`
- Added option `enable` in domain sections
- Minor text improvements
1 week, 6 days
users unable to log in when root partition is full
by Gidon
Hi.
We have been using sssd for quite a while to join our servers to active directory.
However when root partition (using installation default partition scheme) fills up, active directory users are not able to login, and we are forced to use local users to login and clear the partition.
Obviously Ideally, we shouldn't reach this situation at all, but mistakes \ issues happen, and when it does administrative users (from active directory) should still be able to login and resolve the issue.
Therefor I am in search of a solution that will allow active directory users to still be able to login in when the system partition is full.
I found this thread https://bugzilla.redhat.com/show_bug.cgi?id=849538#c16 (that also points to https://github.com/SSSD/sssd/issues/2254)
and the recommended solution is to put /var/lib/sss on a separate partition, which I have. However, even then the issue persists.
Any other suggestions?
2 weeks
sssd backend lookup fails with empty cache
by Jerry Morey
Hi,
I have a weird situation when a user launches a Slurm interactive job on a new compute node with empty sssd cache. I'm not sure if its an issue with Slurm or SSSD/NSS. Below is the output of the Slurm session originated on node ip-0A0B0004 and starting interactive node ip-0A0B0006 by user1 with uid 705601104:
>[user1@ip-0A0B0004 ~]$ srun -p lowmem -w lowmem-2 --pty bash
/usr/bin/id: cannot find name for group ID 705600513
/usr/bin/id: cannot find name for user ID 705601104
[I have no name!@ip-0A0B0006 ~]$
From this node I can successfully id user1 or any other AD user (this populates my cache and subsequent Slurm sessions for any user will resolve):
[I have no name!@ip-0A0B0006 ~]$ id user1
uid=705601104(user1) gid=705600513 groups=705600513,705601103(group1)
[I have no name!@ip-0A0B0006 ~]$
Here is the relevant session from my sssd_nss.log:
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #0: New request 'User by ID'
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #0: Using domain [jmorey.net]
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #0: Looking up UID:705601104@jmorey.net
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [UID:705601104@jmorey.net]
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: [UID:705601104@jmorey.net] is not present in negative cache
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Looking up [UID:705601104@jmorey.net] in cache
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Object [UID:705601104@jmorey.net] was not found in cache
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #0: Looking up [UID:705601104@jmorey.net] in data provider
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x562848473820:1:705601104@jmorey.net]
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [jmorey.net][0x1][BE_REQ_USER][idnumber=705601104:-]
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x562848473820:1:705601104@jmorey.net]
(Fri Jul 10 22:47:58 2020)
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #0: Data Provider Error: 3, 0, Success
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_common_dp_recv] (0x0400): CR #0: Due to an error we will return cached data
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Looking up [UID:705601104@jmorey.net] in cache
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Object [UID:705601104@jmorey.net] was not found in cache
(Fri Jul 10 22:47:58 2020) [sssd[nss]] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
To my inexperienced eye it looks like it is communicating with the backend but receives some kind of error so it reverts to the cache, which is empty. The other oddity is the 'User by id' request that is trying to resolve based on the uid not the name. While this is happening I can successfully resolve user1 using SSH to the same node.
The SSH session:
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #6: New request 'User by name'
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_process_input] (0x0400): CR #6: Parsing input name [user1]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'user1' matched without domain, user is user1
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_set_name] (0x0400): CR #6: Setting name [user1]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #6: Performing a multi-domain search
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #6: Search will check the cache and check the data provider
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #6: Using domain [jmorey.net] (Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #6: Preparing input data for domain [jmorey.net] rules
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #6: Looking up user1(a)jmorey.net
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #6: Checking negative cache for [user1(a)jmorey.net]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #6: [user1(a)jmorey.net] is not present in negative cache
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #6: Looking up [user1(a)jmorey.net] in cache
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #6: Object [user1(a)jmorey.net] was not found in cache
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #6: Looking up [user1(a)jmorey.net] in data provider
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x564629422820:1:user1@jmorey.net@jmorey.net]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [jmorey.net][0x1][BE_REQ_USER][name=user1@jmorey.net:-]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x564629422820:1:user1@jmorey.net@jmorey.net]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #6: Looking up [user1(a)jmorey.net] in cache
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #6: This request type does not support filtering result by negative cache
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_search_done] (0x0400): CR #6: Returning updated object [user1(a)jmorey.net]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #6: Found 1 entries in domain jmorey.net
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x564629422820:1:user1@jmorey.net@jmorey.net]
(Mon Jul 13 20:30:27 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #6: Finished: Success
Here is my sssd.conf:
[sssd]
config_file_version = 2
services = nss,pam
domains = jmorey.net
[nss]
filter_users = root
filter_groups = root
debug_level = 7
[pam]
[domain/jmorey.net]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
debug_level = 7
dns_discovery_domain = jmorey.net
enumerate = False
cache_credentials = True
case_sensitive = false
ldap_schema = ad
ldap_uri = ldaps://jmorey-novo-ad.jmorey.net
ldap_user_search_base = cn=Users,dc=jmorey,dc=net
ldap_group_search_base = cn=group1,cn=Users,dc=jmorey,dc=net
ldap_referrals = False
ldap_tls_reqcert = never
ldap_use_tokengroups = True
ldap_id_mapping = True
override_homedir = /mnt/exports/shared/home/%u
fallback_homedir = /shared/home/%u
default_shell = /bin/bash
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = (|(memberOf=cn=group1,cn=Users,dc=jmorey,dc=net))
ldap_default_bind_dn = cn=user 1,cn=Users,dc=jmorey,dc=net
ldap_default_authtok_type = password
ldap_default_authtok =
thanks,
Jerry
2 weeks, 3 days
