finger <user> cmd not working unless enumerate = true - sssd-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

finger <user> cmd not working unless enumerate = true

Re: Network coming up slowly...

TGT for cross realm?

Joakim Tjernlund

Tuesday, 6 September 2016 Tue, 6 Sep '16

12:36 p.m.

I just get no such user unless I enumerate the domain, is that really needed ? sssd-1.13.4 Jocke

Reply

Show replies by date

Ryan Novosielski

Tuesday, 6 September Tue, 6 Sep

12:57 p.m.

My recollection is that finger used a terribly inefficient way of getting information, at least one time, and asked for information on every user despite the fact that it was only going to need one. I recall installing something called finger-ldap, because in the pre-SSSD days, finger could cause a lot of trouble on large LDAP directories because it would ask for the entire contents of the directory. I wouldn't be surprised if this was related. You might want to look into the same solution. ________________________________________ From: Joakim Tjernlund <Joakim.Tjernlund(a)infinera.com> Sent: Tuesday, September 6, 2016 1:36 PM To: sssd-users(a)lists.fedorahosted.org Subject: [SSSD-users] finger <user> cmd not working unless enumerate = true I just get no such user unless I enumerate the domain, is that really needed ? sssd-1.13.4 Jocke _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

Reply

Michael Ströder

Thursday, 15 September Thu, 15 Sep

4:59 a.m.

New subject: finger <user> cmd not working unless enumerate = true

Ryan Novosielski wrote:

My recollection is that finger used a terribly inefficient way of getting information, at least one time, and asked for information on every user despite the fact that it was only going to need one. I recall installing something called finger-ldap, because in the pre-SSSD days, finger could cause a lot of trouble on large LDAP directories because it would ask for the entire contents of the directory. I wouldn't be surprised if this was related. You might want to look into the same solution.

Or one could simply drop support for finger and query the user's entry from the LDAP server directly. Doing this over TLS would also protect against some of the attacks possible with finger. Ciao, Michael.

Reply

Lukas Slebodnik

Tuesday, 6 September Tue, 6 Sep

1:51 p.m.

New subject: finger <user> cmd not working unless enumerate = true

On (06/09/16 17:36), Joakim Tjernlund wrote:

I just get no such user unless I enumerate the domain, is that really needed ? sssd-1.13.4

It's very difficult to say without log files. https://fedorahosted.org/sssd/wiki/Troubleshooting LS

Reply

Joakim Tjernlund

Wednesday, 7 September Wed, 7 Sep

1:22 a.m.

New subject: finger <user> cmd not working unless enumerate = true

On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote:

On (06/09/16 17:36), Joakim Tjernlund wrote: > > I just get no such user unless I enumerate the domain, is that really needed ? > sssd-1.13.4 > It's very difficult to say without log files. https://fedorahosted.org/sssd/wiki/Troubleshooting

I only get a hit in sssd_nss.log when I do "finger <user>" (Wed Sep 7 08:21:41 2016) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[1001] egid[100] pid[21947]. (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all domains! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_getpwent] (0x0100): Requesting info for all accounts (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all domains! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x2641510][24]

Reply

Lukas Slebodnik

2:24 a.m.

New subject: finger <user> cmd not working unless enumerate = true

On (07/09/16 06:22), Joakim Tjernlund wrote:

On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote: > On (06/09/16 17:36), Joakim Tjernlund wrote: > > > > I just get no such user unless I enumerate the domain, is that really needed ? > > sssd-1.13.4 > > > It's very difficult to say without log files. > > https://fedorahosted.org/sssd/wiki/Troubleshooting > I only get a hit in sssd_nss.log when I do "finger <user>"

maybe data were already cached. "finger user" works for me without enumeration. LS

Reply

Joakim Tjernlund

3:23 a.m.

New subject: finger <user> cmd not working unless enumerate = true

On Wed, 2016-09-07 at 09:24 +0200, Lukas Slebodnik wrote:

On (07/09/16 06:22), Joakim Tjernlund wrote: > > On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote: > > > > On (06/09/16 17:36), Joakim Tjernlund wrote: > > > > > > > > > I just get no such user unless I enumerate the domain, is that really needed ? > > > sssd-1.13.4 > > > > > It's very difficult to say without log files. > > > > https://fedorahosted.org/sssd/wiki/Troubleshooting > > > > I only get a hit in sssd_nss.log when I do "finger <user>" > maybe data were already cached.

if it were cached I would get data from "finger user" but all I get is "No such user"

"finger user" works for me without enumeration.

Strange, why is my log complaining that enumeration is disabled ? > > LS > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

Reply

Joakim Tjernlund

5:04 a.m.

New subject: finger <user> cmd not working unless enumerate = true

On Wed, 2016-09-07 at 09:24 +0200, Lukas Slebodnik wrote:

On (07/09/16 06:22), Joakim Tjernlund wrote: > > On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote: > > > > On (06/09/16 17:36), Joakim Tjernlund wrote: > > > > > > > > > I just get no such user unless I enumerate the domain, is that really needed ? > > > sssd-1.13.4 > > > > > It's very difficult to say without log files. > > > > https://fedorahosted.org/sssd/wiki/Troubleshooting > > > > I only get a hit in sssd_nss.log when I do "finger <user>" > maybe data were already cached. "finger user" works for me without enumeration.

stop sssd and rm -f /var/lib/sss/db/* start sssd Now I think finger will stop for to0. Jocke

Reply

Stephen Gallagher

3:22 p.m.

New subject: finger <user> cmd not working unless enumerate = true

On 09/07/2016 02:22 AM, Joakim Tjernlund wrote:

On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote: > On (06/09/16 17:36), Joakim Tjernlund wrote: >> >> I just get no such user unless I enumerate the domain, is that really needed ? >> sssd-1.13.4 >> > It's very difficult to say without log files. > > https://fedorahosted.org/sssd/wiki/Troubleshooting > I only get a hit in sssd_nss.log when I do "finger <user>" (Wed Sep 7 08:21:41 2016) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[1001] egid[100] pid[21947]. (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all domains! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_getpwent] (0x0100): Requesting info for all accounts (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all domains! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2641510][24] (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x2641510][24]

Definitely looks like it's trying to run setpwent(), which doesn't work without enumeration. I'm guessing that whatever implementation of `finger` you have is doing things really, really wrong.

Reply

Joakim Tjernlund

Thursday, 8 September Thu, 8 Sep

1:47 a.m.

New subject: finger <user> cmd not working unless enumerate = true

On Wed, 2016-09-07 at 16:22 -0400, Stephen Gallagher wrote:

On 09/07/2016 02:22 AM, Joakim Tjernlund wrote: > > On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote: > > > > On (06/09/16 17:36), Joakim Tjernlund wrote: > > > > > > > > > I just get no such user unless I enumerate the domain, is that really needed ? > > > sssd-1.13.4 > > > > > It's very difficult to say without log files. > > > > https://fedorahosted.org/sssd/wiki/Troubleshooting > > > > I only get a hit in sssd_nss.log when I do "finger <user>" > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[1001] egid[100] > pid[21947]. > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all > domains! > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_getpwent] (0x0100): Requesting info for all accounts > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all > domains! > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > [0x2641510][24] > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x2641510][24] Definitely looks like it's trying to run setpwent(), which doesn't work without enumeration. I'm guessing that whatever implementation of `finger` you have is doing things really, really wrong.

I got netkit-fingerd-0.17, is there another one? Also finger -m <user> works as that does not need setpwent() Jocke

Reply

Sumit Bose

3:09 a.m.

New subject: finger <user> cmd not working unless enumerate = true

On Thu, Sep 08, 2016 at 06:47:22AM +0000, Joakim Tjernlund wrote:

On Wed, 2016-09-07 at 16:22 -0400, Stephen Gallagher wrote: > On 09/07/2016 02:22 AM, Joakim Tjernlund wrote: > > > > On Tue, 2016-09-06 at 20:51 +0200, Lukas Slebodnik wrote: > > > > > > On (06/09/16 17:36), Joakim Tjernlund wrote: > > > > > > > > > > > > I just get no such user unless I enumerate the domain, is that really needed ? > > > > sssd-1.13.4 > > > > > > > It's very difficult to say without log files. > > > > > > https://fedorahosted.org/sssd/wiki/Troubleshooting > > > > > > > I only get a hit in sssd_nss.log when I do "finger <user>" > > > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[1001] egid[100] > > pid[21947]. > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all > > domains! > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_getpwent] (0x0100): Requesting info for all accounts > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0100): Received setpwent request > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [nss_cmd_setpwent_send] (0x0040): Enumeration disabled on all > > domains! > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client > > [0x2641510][24] > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! > > (Wed Sep 7 08:21:41 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x2641510][24] > > > Definitely looks like it's trying to run setpwent(), which doesn't work without > enumeration. I'm guessing that whatever implementation of `finger` you have is > doing things really, really wrong. > I got netkit-fingerd-0.17, is there another one? Also finger -m <user> works as that does not need setpwent()

It looks like Fedora uses bsd-finger (https://admin.fedoraproject.org/pkgdb/package/rpms/finger/). When run with ltrace I see that getpwnam("user") is called first and the setpwent() and getpwent() are called to find other matching users. Maybe the netkit-fingerd command skips the first getpwnam() when called without -m? HTH bye, Sumit > > Jocke > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

Reply

2772

days inactive

2781

days old

sssd-users@lists.fedorahosted.org

Manage subscription

10 comments

6 participants

tags (0)

participants (6)

Joakim Tjernlund
Lukas Slebodnik
Michael Ströder
Ryan Novosielski
Stephen Gallagher
Sumit Bose