Leon,

Granted we're not doing NIS + SSSD on OL8.  Only RHEL6/7 and OL6/7.

But where we do NIS + SSSD, we're putting NIS in /etc/nsswitch.conf. Something like:

```
passwd:     files sss nis
group:      files sss nis
netgroup:   files sss
automount:  sss files
```

This is from an OL7 server running NIS + sssd (AD backend).

Instead of setting up a NIS domain in sssd.conf file.

Spike

On Wed, Nov 10, 2021 at 3:21 PM Alexey Tikhonov <atikhono@redhat.com> wrote:
On Wed, Nov 10, 2021 at 5:29 PM Leon Castellano
<leon.castellanos@nasa.gov> wrote:
>
> Hello Users,
>
> I'm hoping with your ample expertise you may be able to help me figure out how to fix the issue I'm running into.
>
> A bit of background for context: I'm a sysadmin with NASA out of GSFC where we manage many legacy systems still using NIS. We cannot get rid of NIS or replace it with FreeIPA/LDAP/AD/etc. It would affect systems currently processing data coming down from space craft, labs, etc.
>
> We're currently in the process of adopting Oracle Linux 8 as the default OS for our workstations and servers. As part of this process, I need to be able to:
>
> 1) Bind to NIS for the passwd/group/netgroup DBs
> 2) Use smartcard for SSH/GDM/Console access
>
> Prior to OL8 we've been relying on NIS + PAM + "pam_pkcs11.so" and that has worked well enough for most of our needs.
>
> However, with RH8/OL8 focusing primarily on SSSD, I've been trying to switch us to it.
>
> So far I've managed to get smartcard auth to work when the user is local (files), but when the user is coming from NIS,

In your `sssd.conf`:
```
[domain/nis]
auth_provider = none
```
  --  I guess that's why 'SSS_PAM_AUTHENTICATE' sent by sssd_pam to
sssd_be[nis] fails:
```
[pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
...
[pam] [pam_dp_send_req_done] (0x0020): PAM handler failed [1432158215]: DP target is not configured
```

Who is expected to do auth in your setup?

In the case of local users, everything (matching/mapping of the
certificate on the smart card to a user and then verification that the
card really has a private key that corresponds to the public certificate)
is done by SSSD.
In the case of IPA/AD users, SSSD performs matching/mapping, but
actual authentication is done by the Kerberos PKINIT mechanism.

It looks like you expect the former for your use case (please correct
me if I'm wrong).
But this is only supported for sssd_be[files]; I don't know how to mix
'files' and 'nis'. I don't think sssd_be[files] supports '+' NIS-style
entries in /etc/passwd...



> I am getting the following error from gdm-smartcard (REDACTED = my username) in sssd_pam.log:
>
> (2021-11-09 19:34:12): [pam] [sbus_dispatch] (0x4000): Dispatching.
> (2021-11-09 19:34:12): [pam] [cache_req_search_cache] (0x0400): CR #12: Looking up [REDACTED@nis] in cache
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f410b0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f5e390
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f410b0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f5e390 "ldb_kv_timeout"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f410b0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f5c4f0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f410b0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f5c4f0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f410b0 "ldb_kv_timeout"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f5c4f0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f410b0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f43580
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f410b0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f632e0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f633b0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_timeout"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f410b0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f632e0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f43580
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f64bc0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f633b0 "ldb_kv_timeout"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f632e0 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f43580 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f64bc0 "ldb_kv_timeout"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [cache_req_search_ncache_filter] (0x0400): CR #12: This request type does not support filtering result by negative cache
> (2021-11-09 19:34:12): [pam] [cache_req_search_done] (0x0400): CR #12: Returning updated object [REDACTED@nis]
> (2021-11-09 19:34:12): [pam] [cache_req_create_and_add_result] (0x0400): CR #12: Found 3 entries in domain nis
> (2021-11-09 19:34:12): [pam] [cache_req_done] (0x0400): CR #12: Finished: Success
> (2021-11-09 19:34:12): [pam] [pd_set_primary_name] (0x0400): User's primary name is REDACTED@nis
> (2021-11-09 19:34:12): [pam] [pam_initgr_check_timeout] (0x4000): User [REDACTED] not found in PAM cache.
> (2021-11-09 19:34:12): [pam] [pam_initgr_cache_set] (0x2000): [REDACTED] added to PAM initgroup cache
> (2021-11-09 19:34:12): [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): domain: nis
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): user: REDACTED@nis
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): service: gdm-smartcard
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): tty: /dev/tty1
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): ruser: not set
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): rhost: not set
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): authtok type: 4 (Smart Card PIN)
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): priv: 1
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): cli_pid: 5348
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): logon name: REDACTED
> (2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): flags: 528
> (2021-11-09 19:34:12): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (2021-11-09 19:34:12): [pam] [sbus_dispatch] (0x4000): Dispatching.
> (2021-11-09 19:34:12): [pam] [sbus_reply_check] (0x4000): D-Bus error [sbus.Error.Errno]: 1432158215: DP target is not configured
> (2021-11-09 19:34:12): [pam] [pam_dp_send_req_done] (0x0020): PAM handler failed [1432158215]: DP target is not configured
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f43580
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f64bc0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f43580 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f64bc0 "ldb_kv_timeout"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [pam_reply] (0x4000): pam_reply initially called with result [4]: System error. this result might be changed during processing
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f63190
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f43580
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f63190 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f43580 "ldb_kv_timeout"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f63190 "ldb_kv_callback"
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_callback": 0x5598d1f632e0
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Added timed event "ldb_kv_timeout": 0x5598d1f63190
>
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Running timer event 0x5598d1f632e0 "ldb_kv_callback"
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f63190 "ldb_kv_timeout"
> (2021-11-09 19:34:12): [pam] [ldb] (0x10000): Destroying timer event 0x5598d1f632e0 "ldb_kv_callback"
> (2021-11-09 19:34:12): [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> (2021-11-09 19:34:12): [pam] [pam_reply] (0x0200): blen: 20
> (2021-11-09 19:34:12): [pam] [pam_reply] (0x0200): Returning [4]: System error to the client
> (2021-11-09 19:34:12): [pam] [client_recv] (0x0200): Client disconnected!
> (2021-11-09 19:34:12): [pam] [client_close_fn] (0x2000): Terminated client [0x5598d1f3f0d0][26]
> (2021-11-09 19:34:17): [pam] [pam_initgr_cache_remove] (0x2000): [REDACTED] removed from PAM initgroup cache
> (2021-11-09 19:34:21): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3e560][24]
> (2021-11-09 19:34:21): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3c870][25]
> (2021-11-09 19:34:51): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3e560][24]
> (2021-11-09 19:34:51): [pam] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x5598d1f3c870][25]
> (2021-11-09 19:35:21): [pam] [client_idle_handler] (0x2000): Terminating idle client [0x5598d1f3e560][24]
> (2021-11-09 19:35:21): [pam] [client_close_fn] (0x2000): Terminated client [0x5598d1f3e560][24]
> (2021-11-09 19:35:21): [pam] [client_idle_handler] (0x2000): Terminating idle client [0x5598d1f3c870][25]
> (2021-11-09 19:35:21): [pam] [client_close_fn] (0x2000): Terminated client [0x5598d1f3c870][25]
>
> Here's the journalctl for gdm on debugging mode:
>
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: pam_sss(gdm-smartcard:auth): User info message: Please insert smart card
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: 1 new messages received from PAM
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: username is 'REDACTED'
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: old-username='<unset>' new-username='REDACTED'
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: setting username to 'REDACTED'
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: attempting to load user settings
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: trying to track new user with username REDACTED
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: finding user 'REDACTED' state 1
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: finding user 'REDACTED' state 2
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: Looking for user 'REDACTED' in accounts service
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: received pam message of type 4 with payload 'Please insert smart card'
> Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: changing username from '<unset>' to 'REDACTED'
> Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: selecting user 'REDACTED' for session '(null)' (0x55ca1196c130)
> Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: getting session command for file 'gnome.desktop'
> Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: checking if file 'gnome.desktop' is wayland session: yes
> Nov 09 19:34:04 gs66-ol8desktop gdm[5045]: GdmSession: getting session command for file 'gnome.desktop'
> Nov 09 19:34:04 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: PAM conversation returning 0: Success
> Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: 1 new messages received from PAM
> Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: username is 'REDACTED'
> Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: old-username='REDACTED' new-username='REDACTED'
> Nov 09 19:34:06 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: received pam message of type 1 with payload 'PIN for Smartcard: '
> Nov 09 19:34:09 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: trying to get updated username
> Nov 09 19:34:09 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: PAM conversation returning 0: Success
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: pam_sss(gdm-smartcard:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=REDACTED
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: pam_sss(gdm-smartcard:auth): received for user REDACTED: 4 (System error)
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: authentication returned 7: Authentication failure
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: uninitializing PAM
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: state NONE
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: GdmSessionWorker: Unable to verify user
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: Found object path of user 'REDACTED': /org/freedesktop/Accounts/User2579
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: finding user 'REDACTED' state 3
> Nov 09 19:34:12 gs66-ol8desktop gdm-smartcard][5348]: accountsservice: ActUserManager: user 'REDACTED' fetched
> Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSession: stopping conversation gdm-smartcard
> Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSessionWorkerJob: Stopping job pid:5348
> Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmCommon: sending signal 15 to process 5348
> Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSessionWorkerJob: child (pid:5348) done (status:0)
> Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSession: Worker job exited: 0
> Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmSession: Emitting conversation-stopped signal
> Nov 09 19:34:12 gs66-ol8desktop gdm[5045]: GdmManager: session conversation 'gdm-smartcard' stopped
> Nov 09 19:34:14 gs66-ol8desktop gdm[5045]: GdmManager: Session was cancelled
> Nov 09 19:34:14 gs66-ol8desktop gdm[5045]: GdmSession: Stopping all conversations
> Nov 09 19:34:14 gs66-ol8desktop gdm[5045]: GdmManager: trying to open new session
>
> In order for SSSD to know about the NIS users I added a "domain" entry using "proxy" "nis"
>
> Here's my sssd.conf:
>
> [sssd]
> services = nss, pam
> domains = files, nis
> certificate_verification = ocsp_dgst=sha1,soft_ocsp
> debug_level = 10
> use_fully_qualified_domain_name = False
>
> [nss]
>
> [pam]
> pam_cert_auth = True
> pam_cert_db_path = /etc/sssd/pki/linuxIdentity.pem
> debug_level = 10
>
> [domain/files]
> id_provider = files
> debug_level = 10
>
> [domain/nis]
> id_provider = proxy
> auth_provider = none
> proxy_lib_name = nis
> #enumerate = true
> #cache_credentials = true
> debug_level = 10
>
> I know this is working because "getent passwd <user>" works fine to retrieve info about an NIS user, even though I do not have NIS defined in my nsswitch.conf
>
> Here's my nsswitch.conf:
>
> passwd:     sss files systemd
> group:      sss files systemd
> netgroup:   sss files
> automount:  sss files
> services:   sss files
> shadow:     files sss
> hosts:      files dns myhostname
> aliases:    files
> ethers:     files
> gshadow:    files
> networks:   files dns
> protocols:  files
> publickey:  files
> rpc:        files
>
> Here's my /etc/pam.d/gdm-smartcard:
>
> auth        substack      smartcard-auth
> auth        include       postlogin
>
> account     required      pam_nologin.so
> account     sufficient    pam_localuser.so
> account     include       smartcard-auth
>
> #password    include       smartcard-auth
>
> session     required      pam_selinux.so close
> session     required      pam_loginuid.so
> session     optional      pam_console.so
> session     required      pam_selinux.so open
> session     optional      pam_keyinit.so force revoke
> session     required      pam_namespace.so
> session     include       smartcard-auth
> session     include       postlogin
>
> Here's my /etc/pam.d/smartcard-auth:
>
> # Generated by authselect on Tue Nov  9 17:18:21 2021
> # Do not modify this file manually.
>
> auth        required                                     pam_env.so
> auth        [default=1 success=ok]                       pam_succeed_if.so uid >= 1000 quiet
> auth        [success=done default=ignore]                pam_sss.so ignore_authinfo_unavail require_cert_auth
> auth        required                                     pam_deny.so
>
> account     required                                     pam_unix.so
> account     sufficient                                   pam_localuser.so
> account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required                                     pam_permit.so
>
> session     optional                                     pam_keyinit.so revoke
> session     required                                     pam_limits.so
> -session     optional                                    pam_systemd.so
> session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
> session     required                                     pam_unix.so
> session     optional                                     pam_sss.so
>
> Here's my /etc/pam.d/postlogin:
>
> # Generated by authselect on Tue Nov  9 17:18:21 2021
> # Do not modify this file manually.
>
> session     optional                   pam_umask.so silent
> session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
> session     [default=1]                pam_lastlog.so nowtmp showfailed
> session     optional                   pam_lastlog.so silent noupdate showfailed
>
> And my "dconf dump /":
>
> [org/gnome/settings-daemon/plugins/media-keys]
> logout=''
>
> [org/gnome/login-screen]
> enable-smartcard-authentication=true
> enable-password-authentication=true
> enable-fingerprint-authentication=false
>
> [org/gnome/desktop/screensaver]
> lock-delay=uint32 1
> lock-enabled=true
>
> [org/gnome/desktop/session]
> idle-delay=uint32 600
>
> I get the feeling I'm close to cracking this one and it's probably something silly I am missing and truth is this is my first time dealing with SSSD in detail.
>
> Hope one of you smart cookies knows what I'm messing up!
>
> Best regards,
>
> -Leon
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
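
The check Alexey describes, written out as an added example that is not part of any message in this thread: it pairs each request that `sssd_pam` dumps via `pam_print_data` with a following `PAM handler failed` line and reports the ones sent to a domain whose `auth_provider` is `none`. The function names are hypothetical, and both inputs are constructed by trimming the log and `sssd.conf` quoted above.

```python
import configparser
import re

# Constructed input: lines trimmed from the sssd_pam.log quoted in the thread.
SAMPLE_LOG = """\
(2021-11-09 19:34:12): [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): domain: nis
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): service: gdm-smartcard
(2021-11-09 19:34:12): [pam] [pam_print_data] (0x0100): authtok type: 4 (Smart Card PIN)
(2021-11-09 19:34:12): [pam] [pam_dp_send_req_done] (0x0020): PAM handler failed [1432158215]: DP target is not configured
"""
# Constructed input: the relevant sections of the sssd.conf quoted in the thread.
SAMPLE_CONF = """\
[sssd]
domains = files, nis
[domain/files]
id_provider = files
[domain/nis]
id_provider = proxy
auth_provider = none
proxy_lib_name = nis
"""

LINE = re.compile(r"\((?P<ts>[^)]+)\): \[pam\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)")

def failed_pam_requests(log_text):
    """Pair each request dumped by pam_print_data with a later 'PAM handler failed'."""
    failed, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> "))  # tolerate mail-quoted log lines
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "pam_dp_send_req":
            current = {"ts": m["ts"]}
        elif func == "pam_print_data" and current is not None and ": " in msg:
            key, value = msg.split(": ", 1)
            current[key] = value
        elif func == "pam_dp_send_req_done" and current and "PAM handler failed" in msg:
            current["error"] = msg.rsplit("]: ", 1)[-1]
            failed.append(current)
            current = None
    return failed

def auth_provider_for(conf_text, domain):
    """Effective auth_provider of [domain/<domain>]; None if the section is missing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return None
    # Assumption from sssd.conf(5): an unset auth_provider falls back to id_provider.
    return cp[section].get("auth_provider", cp[section].get("id_provider"))

def diagnose(log_text, conf_text):
    """Report failed authentications that hit a domain with auth_provider = none."""
    findings = []
    for req in failed_pam_requests(log_text):
        provider = auth_provider_for(conf_text, req.get("domain", ""))
        if req.get("command") == "SSS_PAM_AUTHENTICATE" and provider == "none":
            findings.append((req["domain"], req.get("service"), req.get("authtok type"), req["error"]))
    return findings
```

Calling `diagnose()` on the full log and configuration from the original post yields the same single finding for the `nis` domain.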