May 2024 - sssd-users - Fedora Mailing-Lists

Offline auth with id provider files auth provider krb5

by Techie

Hi Trying to use cached creds with local users in the passwd file authenticating via kerberos. I have id_provider set to files and auth_provider set to krb5(AD DC). Online authentication works fine however when I disconnect the network authentication fails. The computer is not joined to a domain, I am only leveraging the domain/realm for authentication purposes Relevant entries [pam] offline_credentials_expiration = 7 [domain] cache_credentials=true account_cache_expiration=8 id_provider=files auth_provider=krb5 krb5_server=srva.example.com krb5_kpasswd=srva.example.com krb5_realm=EXAMPLE.COM dns_discovery_domain=EXAMPLE.COM krb5_store_password_if_offline=true Is this a supported configuration for offline logins with cached credentials? Thanks

7 hours, 48 minutes

2
5
0 / 0

Clarification about ldap_sasl_authid string from sssd-ldap man page?

by Spike White

sssd professionals, When the sssd-ldap man page refers to "hostname", is it referring to the short name or the FQDN? I know nebiosname is short, with a '$' on the end. From sssd-ldap man page: ldap_sasl_authid (string) Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, this represents the Kerberos principal used for authentication to the directory. This option can either contain the full principal (for example host/myhost(a)EXAMPLE.COM) or just the principal name (for example host/myhost). By default, the value is not set and the following principals are used: hostname@REALM netbiosname$@REALM host/hostname@REALM *$@REALM host/*@REALM host/* If none of them are found, the first principal in keytab is returned. Default: host/hostname@REALM Spike White

1 day, 1 hour

2
2
0 / 0

[SSSD] Announcing SSSD 2.9.5

by Pavel Březina

# SSSD 2.9.5 The SSSD team is announcing the release of version 2.9.5 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.9.5 See the full release notes at: https://sssd.io/release-notes/sssd-2.9.5.html RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users # SSSD 2.9.5 Release Notes ## Highlights ### Configuration changes * Added `failover_primary_timout` configuration option. This can be used to configure how often SSSD tries to reconnect to a primary server after a successful connection to a backup server. This was previously hardcoded to 31 seconds which is kept as the default value.

5 days, 4 hours

1
0
0 / 0

Re: [Freeipa-users] SSSD OCSP verfification failed

by Rob Crittenden

Cross posting this to sssd-users. rob Alvarez, Angelo CIV USN JOINT TYPHOON WARCEN (USA) via FreeIPA-users wrote: > Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD. > The OCSP responder CA is not in the trust chain of the CA that issued > the smart card certificates. I was able to get openssl ocsp > verification to work using -verify_other and -trust_other options. > > [root@c27nmgmtjtprlh1 PKI]# openssl ocsp -issuer DOD_ID_CA-63.pem > -verify_other NAWEPRLHRD12.pem -trust_other -cert ~alvareza/alvarez.pem > -url http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx -respout -text > WARNING: no nonce in response > Response verify OK > /home/alvareza/alvarez.pem: good > This Update: May 9 00:00:00 2024 GMT > Next Update: May 15 06:16:18 2024 GMT > > > > I tried to perform OCSP verification with the SSSD p11_child helper, but > it does not work. Does anyone know if the Direct Trust model for OCSP > works with RHEL 8 SSSD? > [root@c27nmgmtjtprlh1 pki]# /usr/libexec/sssd/p11_child --dumpable=1 > --debug-microseconds=0 --debug-timestamps=1 --debug-fd=22 > --debug-level=9 --verification --verify > ocsp_dgst=sha1,ocsp_default_responder=http://repeater1.xxxxx.xxxxx.xxxx.xxxx.xxxx > --ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem --certificate=$(cat > /home/alvareza/alvarez.pem | grep -v BEGIN | grep -v END | tr -d "\n") > set_debug_file_from_fd failed. > (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0400): p11_child > started. > (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running in > [verify] mode. > (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running > with effective IDs: [0][0]. > (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x2000): Running > with real IDs [0][0]. > (2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts] > (0x4000): Using sha1 for OCSP. > (2024-05-09 8:07:24): [p11_child[2817468]] [parse_cert_verify_opts] > (0x4000): Using OCSP default responder > [http://repeater1.prlh.nadsuswe.nads.navy.mil] > (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x4000): Using > OCSP URL [http://repeater1.prlh.nadsuswe.nads.navy.mil]. > (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): No nonce > in OCSP response. This might indicate a replay attack or an OCSP > responder which does not support nonces. Accepting response. > (2024-05-09 8:07:24): [p11_child[2817468]] [do_ocsp] (0x0020): > OCSP_basic_verify() failed to verify OCSP response. > (2024-05-09 8:07:24): [p11_child[2817468]] [do_verification] (0x0040): > do_ocsp failed. > (2024-05-09 8:07:24): [p11_child[2817468]] [do_work] (0x0400): > Certificate is NOT valid. > 22 > (2024-05-09 8:07:24): [p11_child[2817468]] [main] (0x0020): p11_child > failed (22) > > > > v/r > > > > Angelo Alvarez, CISSP > > N6 > > Joint Typhoon Warning Center > > Work: 808.471.3645 > > Mobile: 808.389.9474 > > Email: angelo.alvarez(a)navy.mil <mailto:angelo.alvarez@navy.mil> > > SiPR Email: angelo.alvarez(a)navy.smil.mil > <mailto:angelo.alvarez@navy.smil.mil> > > > > !No contaban on mi astucia! El Chapulin Colorado > > > > > > > -- > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue >

1 week, 4 days

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users May 2024