On 27 Dec 2015, at 19:50, Peter Tulpen ptulpen@emailn.de wrote:
Sorry for the late response, the mail was stuck in the moderation queue during the Christmas break.
Hello, since we were forced to use Kerberos on our Isilon NFS share, we see several issues and have several use cases, which might all be covered by sssd, but this is too confusing for me to cope with.
What I already understood is that I have to forget about public/private key, because of this issue: https://fedorahosted.org/freeipa/ticket/4000
Also we have the home directories on the kerberized server, so we get an infinite loop
I'm not sure I understand, is the homedir mounted before the user authenticates?
The 3 use cases:
Login in Linux directly with username and password (ticket creation needed) and login to other servers via ssh passwordless with this ticket (this works already)
Login into Windows with a smartcard (with getting a valid TGT) and logging into the servers via PuTTY (or something similar). Also from here, logon to other servers (works only when there is already a ticket)
Services with a default user, whose tickets get refreshed infinitely (I think I have to use keytabs, but the refreshing does not work)
So can I achieve that in every case sssd refreshes the tickets? Or do I have to combine sssd with something like krenew?
Please take a look at options like krb5_renew_interval, do these help?
Do I have to switch Kerberos on or off in the ssh config (I find different opinions about that online)
I attached the ssh, krb and sssd configs. Best regards, Peter
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hello, the server with the home directories is mounted beforehand with this line: linfile1:/ifs/data /media/linfile1 nfs defaults,sec=krb5,auto 0 0, but of course only accessible when a user is logged in with a corresponding ticket. I already set the interval (for those who didn't know this: krb5_renew_interval is necessary!)
The renewal seems to work in some cases and in some not. I also have now different ticket caches, like /tmp/krb5cc_59406_KO7sqV and /tmp/krb5cc_59406. The one without the random suffix seems not to be refreshed.
@Baldwin: It was a requirement by our security department. Before using Kerberos, everything went fine with OneFS and sssd (and sssd is in my opinion the easiest solution). We are using version 7.2 and the AD provider of Isilon.
Best regards, Peter
On Wed, Jan 06, 2016 at 12:58:53PM +0100, Peter Tulpen wrote:
Hello, the server with the home directories is mounted beforehand with this line: linfile1:/ifs/data /media/linfile1 nfs defaults,sec=krb5,auto 0 0, but of course only accessible when a user is logged in with a corresponding ticket. I already set the interval (for those who didn't know this: krb5_renew_interval is necessary!)
The renewal seems to work in some cases and in some not.
I wonder if sssd goes offline in the meantime. When renewal does not work, does it help to lock the screen and log back in, for instance?
I also have now different ticket caches, like /tmp/krb5cc_59406_KO7sqV and /tmp/krb5cc_59406. The one without the random suffix seems not to be refreshed.
I don't think this should happen, the non-random ccache should not be used. Does klist really print /tmp/krb5cc_59406 without the random suffix as your ccache? Can you catch that issue with logs enabled?
Also, what is your IPA client OS and version? (Newer sssd/RHEL versions default to keyring ccache..)
@Baldwin: It was a requirement by our security department. Before using Kerberos, everything went fine with OneFS and sssd (and sssd is in my opinion the easiest solution). We are using version 7.2 and the AD provider of Isilon.
Best regards, Peter
Hello, sssd does not go offline, at least when I type service sssd status everything seems to be ok. When I do an su and type klist, or log in locally, I get the ticket without the suffix. When I log in via ssh and type klist, I get the ticket without the suffix.
In most cases ssh is used.
I don't use FreeIPA; my machines are joined to AD via "net ads join". Distribution is openSUSE 13.1.
On Thu, Jan 07, 2016 at 02:30:22PM +0100, Peter Tulpen wrote:
Hello, sssd does not go offline, at least when I type service sssd status everything seems to be ok. When I do an su and type klist, or log in locally, I get the ticket without the suffix. When I log in via ssh and type klist, I get the ticket without the suffix.
In most cases ssh is used.
I guess those authentications that end up with a non-random path go through libkrb5 directly (like kinit). The default value for default_ccache_name is probably FILE:/tmp/krb5cc_%{uid}.
You can configure the ccname with krb5_ccname_template for sssd or default_ccache_name for krb5.conf.
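A check for the ccache-template mismatch described above, as an added example that is not from the thread or from the sssd project: it parses constructed sssd.conf and krb5.conf samples (placeholder domain example.com) and reports whether sssd's krb5_ccname_template and libkrb5's default_ccache_name would yield different ccache paths, and whether sssd's renewal is actually switched on. The fallback defaults used when an option is absent are assumptions.

```python
import configparser
import re

# Constructed sample configs (placeholder domain), not the files attached to the thread.
SSSD_CONF = """[sssd]
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
krb5_renew_interval = 1h
krb5_renewable_lifetime = 7d
krb5_ccname_template = FILE:/tmp/krb5cc_%U_XXXXXX
"""
KRB5_CONF = """[libdefaults]
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
renew_lifetime = 7d
"""
# The same sssd.conf with the template aligned to krb5.conf, as suggested in the thread.
SSSD_CONF_ALIGNED = SSSD_CONF.replace("krb5cc_%U_XXXXXX", "krb5cc_%U")

# Fallbacks used when an option is absent (assumed: the classic sssd default with a
# random suffix, and libkrb5's FILE:/tmp/krb5cc_%{uid}).
SSSD_DEFAULT_TEMPLATE = "FILE:/tmp/krb5cc_%U_XXXXXX"
KRB5_DEFAULT_TEMPLATE = "FILE:/tmp/krb5cc_%{uid}"

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep %U / %{uid} literal
    cp.read_string(text)
    return cp

def normalize(template):
    """Map both dialects onto one form: sssd's %U and libkrb5's %{uid} are the uid;
    a run of X characters is sssd's mkstemp-style random suffix."""
    t = template.replace("%{uid}", "<uid>").replace("%U", "<uid>")
    return re.sub(r"X{6,}", "<random>", t)

def ccache_templates(sssd_text, krb5_text, domain):
    sssd, krb5 = _parse(sssd_text), _parse(krb5_text)
    sssd_tpl = sssd.get(f"domain/{domain}", "krb5_ccname_template",
                        fallback=SSSD_DEFAULT_TEMPLATE)
    krb5_tpl = krb5.get("libdefaults", "default_ccache_name",
                        fallback=KRB5_DEFAULT_TEMPLATE)
    return sssd_tpl, krb5_tpl

def ccache_mismatch(sssd_text, krb5_text, domain):
    """True when sssd-driven logins and direct libkrb5 users (kinit) would end up
    with different ccache paths, so only one of them is renewed by sssd."""
    sssd_tpl, krb5_tpl = ccache_templates(sssd_text, krb5_text, domain)
    return normalize(sssd_tpl) != normalize(krb5_tpl)

def renewal_enabled(sssd_text, domain):
    """sssd renews only if krb5_renew_interval is non-zero and the TGT was
    requested renewable through krb5_renewable_lifetime."""
    sec = _parse(sssd_text)[f"domain/{domain}"]
    interval = sec.get("krb5_renew_interval", "0").strip()
    return interval not in ("", "0") and sec.get("krb5_renewable_lifetime") is not None
```

Run ccache_mismatch against your real sssd.conf and krb5.conf; a True result explains why klist shows the suffix-less cache that sssd never touches.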
Hello, on my test server it seems to work using the same pattern /tmp/krb5cc_%{uid}. I have only the keytabs with this pattern and will monitor if this helps (what does not yet work is logging in using Kerberos via PuTTY).
On another server I now saw what you already suggested before, that sssd just crashed; the error is: kernel: [3040338.242609] sssd_be[139339]: segfault at 8 ip 000000000041342d sp 00007ffd6af68220 error 4 in sssd_be[400000+8c000] I attached the logs, maybe you can see something there.
On (13/01/16 09:38), Peter Tulpen wrote:
Hello, on my test server it seems to work using the same pattern /tmp/krb5cc_%{uid}. I have only the keytabs with this pattern and will monitor if this helps (what does not yet work is logging in using Kerberos via PuTTY).
On another server I now saw what you already suggested before, that sssd just crashed; the error is: kernel: [3040338.242609] sssd_be[139339]: segfault at 8 ip 000000000041342d sp 00007ffd6af68220 error 4 in sssd_be[400000+8c000] I attached the logs, maybe you can see something there.
I cannot see any attached log files.
Which version of sssd do you have?
Do you know how to generate stack trace from coredump?
LS
Hello, on this system I have 1.9.6 on openSUSE 13.1. Can I attach the dumping to a service? (It took some time to crash, this was not at startup)
On (13/01/16 15:01), Peter Tulpen wrote:
Hello, on this system I have 1.9.6 on openSUSE 13.1. Can I attach the dumping to a service? (It took some time to crash, this was not at startup)
Could you try to retest with the latest sssd-1-12 (1.12.5) or the latest sssd-1-13 (1.13.3)?
It's very likely that crash is already fixed.
You might use alternative repositories for opensuse e.g. https://build.opensuse.org/package/show?project=network%3Aldap&package=s... https://build.opensuse.org/package/show?project=spins%3Ainvis%3Astable&p...
LS
Hello, I upgraded yesterday to 1.13.3 and at least until now the service runs stable, so thank you for the tip.
My struggle still is that I can only log in via ssh+kerberos to the machine when I already have a valid Kerberos ticket on the machine.
Hi Peter,
Just curious on why you were forced to use kerberos on your nfs share? Which version of OneFS are you running? We also have Isilon and we are validating sssd for our environment.
Best, Baldwin
On Dec 23, 2015, at 4:35 AM, Peter Tulpen ptulpen@emailn.de wrote:
Hello,
Since we were forced to use Kerberos on our Isilon NFS share, we see several issues and have several use cases, which might all be covered by sssd, but this is too confusing for me to cope with.
What I already understood is, that I have to forget about public/private key, because of this issue: https://fedorahosted.org/freeipa/ticket/4000
Also we have the home directories on the kerberized server, so we get an infinite loop
The 3 use cases:
Login in Linux directly with username and password (ticket creation needed) and login to other servers via ssh passwordless with this ticket (this works already)
Login into Windows with a smartcard (with getting a valid TGT) and logging into the servers via PuTTY (or something similar). Also from here, logon to other servers (works only when there is already a ticket)
Services with a default user, whose tickets get refreshed infinitely (I think I have to use keytabs, but the refreshing does not work)
So can I achieve that in every case sssd refreshes the tickets? Or do I have to combine sssd with something like krenew?
Do I have to switch Kerberos on or off in the ssh config (I find different opinions about that online)
I attached the ssh krb and sssd configs
Best regards and happy holidays,
Peter