Hi, I did some testing of the sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false). Login with fqdn in a cross realm and Kerberos NFS automount seem to work almost out-of-the-box. This is great. I still have some questions:
In my setup, I have configured only one domain - the domain where I join the machine. SRV discovery can figure out all domains and the AD structure;
1. Is it still necessary to make an explicit list of all domains in the 'domains' statement?
[sssd] .. domains = a.c.realm, n.c.realm, s.c.realm, c.realm ...
2. I tried login with a setup for UPN/sAMAccountName login, without success. Is login with a cross realm's UPN or short sAMAccountName supported in this sssd version?
In the database for the default domain, cache_a.c.realm.db, the user object has the following names (for a 'use_fully_qualified_names = true' setup):
dn: name = user1@n.c.realm ...
name: user1@n.c.realm
nameAlias: user1@n.c.realm
UserPrincipalName: user1@REALM
canonicalUserPrincipalName: user1@N.C.REALM
3. Localauth plugin: the option krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
does not create that directory (I understand from the doc that sssd should take care of it); however, after manually creating this directory I can see many failures in the log:
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory
....
ls -ld /var/lib/sss/pubconf/krb5.conf.d/
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
The default value for the option 'krb5_canonicalize' is FALSE; I set 'canonicalize' to 'true' in krb5.conf - is that enough? I understand from the docs that the localauth plugin needs it.
4. ldbsearch
Can I somehow (I am not thinking of the log at a high debug level) see all configured and default options for SSSD?
Best, Longina
On Thu, Dec 17, 2015 at 02:42:39PM +0000, Longina Przybyszewska wrote:
Is it still necessary to make an explicit list of all domains in the 'domains' statement?
[sssd] .. domains = a.c.realm, n.c.realm, s.c.realm, c.realm ...
no, only domains which are configured explicitly in the [domain/...] sections must be listed here. For all other domains listed here you should get 'Unknown domain' messages in the logs.
I tried login with a setup for UPN/sAMAccountName login, without success. Is login with a cross realm's UPN or short sAMAccountName supported in this sssd version?
The plain sAMAccountName 'user1' will not work because use_fully_qualified_names = true. What should work is 'DOM\user1' where DOM is the NetBIOS domain name of the n.c.realm domain. Additionally I would expect that user1@REALM should work.
Localauth plugin: the option krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
does not create that directory (I understand from the doc that sssd should take care of it);
no, SSSD expects the directory to be present, it should be created during the package installation.
It looks SSSD still tries the default location, did you put krb5_confd_path in the right [domain/..] section?
The default value for the option 'krb5_canonicalize' is FALSE; I set 'canonicalize' to 'true' in krb5.conf - is that enough? I understand from the docs that the localauth plugin needs it.
The AD provider has krb5_use_enterprise_principal=true which implicitly sets krb5_canonicalize=true as well.
ldbsearch
Can I somehow (I am not thinking of the log at a high debug level) see all configured and default options for SSSD?
I'm afraid the answer is currently no.
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Thank you for the answers. There are still some issues:
The plain sAMAccountName 'user1' will not work because use_fully_qualified_names = true. What should work is 'DOM\user1' where DOM is the NetBIOS domain name of the n.c.realm domain. Additionally I would expect that user1@REALM should work.
Right. user1@n.c.realm and DOM\user1 login works.
Login as user1@REALM (and user1@realm) does not work.
getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000::/home/user1:/bin/bash
The best would be to be able to log in with sAMAccountName; the next best with UPN, then with fqdn.
I tried without success the following setup for login with short names:
[nss]
subdomain_inherit = ldap_user_principal
[domain/..]
..
ldap_user_principal = sAMAccountName
no, SSSD expects the directory to be present, it should be created during the package installation.
This is the content of /var/lib/sss/pubconf :
ls /var/lib/sss/pubconf/
kdcinfo A.C.REALM krb5.conf.d krb5.include.d
'krb5.conf.d' I have created manually; after removing everything in /var/lib/sss/{db,mc,pubconf}/* and restarting sssd, 'krb5.include.d' disappeared.
It looks SSSD still tries the default location, did you put krb5_confd_path in the right [domain/..] section?
Yes. ... [domain/a.c.realm] ... krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
The AD provider has krb5_use_enterprise_principal=true which implicitly sets krb5_canonicalize=true as well.
I do have 'id_provider = ad' in sssd.conf.
From the log sssd_a.c.realm.log:
...
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option krb5_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_copy_options_ex] (0x0400): Option krb5_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_canonicalize is FALSE
[sssd[be[a.c.realm]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [a1test@c.realm@a.c.realm] [2]: No such file or directory.
..
However, I have found in krb5_child.log:
[[sssd[krb5_child[12000]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
[[sssd[krb5_child[12000]]]] [main] (0x0400): Will perform ticket renewal
[[sssd[krb5_child[12000]]]] [renew_tgt_child] (0x1000): Renewing a ticket
[[sssd[krb5_child[12000]]]] [sss_child_krb5_trace_cb] (0x4000): [12000] 1451929488.830638: Retrieving a1test@C.REALM -> krbtgt/C.REALM@C.REALM from FILE:/tmp/krb5cc_10009_q4a2wo with result: 0/Success
[[sssd[krb5_child[12000]]]] [sss_child_krb5_trace_cb] (0x4000): [12000] 1451929488.830681: Get cred via TGT krbtgt/C.REALM@C.REALM after requesting krbtgt/C.REALM@C.REALM (canonicalize off)
Best, Longina
On Wed, Jan 06, 2016 at 01:11:50PM +0000, Longina Przybyszewska wrote:
Right. user1@n.c.realm and DOM\user1 login works.
Login as user1@REALM (and user1@realm) does not work.
hm, that's odd, can you send me the logs when trying to login with user1@REALM?
getent passwd user1@realm user1@n.c.realm@a.c.realm:*:10002:30000000::/home/user1:/bin/bash
'user1@n.c.realm@a.c.realm' looks odd, do you map the user name to an attribute other than sAMAccountName?
I tried without success the following setup for login with short names:
[nss]
subdomain_inherit = ldap_user_principal
[domain/..]
..
ldap_user_principal = sAMAccountName
this won't work because ldap_user_principal value is used as a Kerberos principal without further processing.
You might want to try the 'default_domain_suffix' option, see man sssd.conf for details.
This is the content of /var/lib/sss/pubconf :
ls /var/lib/sss/pubconf/
kdcinfo A.C.REALM krb5.conf.d krb5.include.d
'krb5.conf.d' I have created manually; after removing everything in /var/lib/sss/{db,mc,pubconf}/* and restarting sssd, 'krb5.include.d' disappeared.
yes, as said, SSSD does not create the directory for the krb5 config snippets.
Yes. ... [domain/a.c.realm] ... krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
I still cannot reproduce this with my Fedora builds. Maybe it is an issue in the Ubuntu build, I'll try to reproduce on Ubuntu.
However, I have found in krb5_child.log:
[[sssd[krb5_child[12000]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
this is the important one.
On (08/01/16 11:23), Sumit Bose wrote:
On Wed, Jan 06, 2016 at 01:11:50PM +0000, Longina Przybyszewska wrote:
Yes. ... [domain/a.c.realm] ... krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
Why do you want to use a different directory? Why can it not be the standard directory /var/lib/sss/pubconf/krb5.include.d? This directory is owned by sssd-krb5-common on Debian (sssd-1.13.3).
It should be allowed in apparmor to write to this directory:
profile /usr/lib/@{multiarch}/sssd/* {
  /var/lib/sss/pubconf/krb5.include.d/ rw,
}
But it needn't be allowed to write into your custom directory /var/lib/sss/pubconf/krb5.conf.d
LS
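Two of the answers in this thread (only domains with their own [domain/...] section belong in the [sssd] 'domains' list, and krb5_confd_path must point at a directory that already exists and, on Debian/Ubuntu, is the one the AppArmor profile lets SSSD write to) can be checked before restarting sssd. The script below is an added example and not SSSD project code; the sample sssd.conf and the staging tree it runs against are constructed, with the domain names taken from the thread.

```python
"""Audit an sssd.conf for two issues discussed in the thread.

Constructed example, not SSSD project code:
 1. domains listed in [sssd] 'domains' without a [domain/<name>] section
    (SSSD logs 'Unknown domain' for these)
 2. a per-domain krb5_confd_path that does not exist, is not writable, or
    is not the snippet directory the Debian/Ubuntu AppArmor profile allows
"""
import configparser
import os
import tempfile

# Directory owned by sssd-krb5-common and allowed "rw" in the AppArmor
# profile on Debian/Ubuntu, as stated in the thread.
STANDARD_CONFD = "/var/lib/sss/pubconf/krb5.include.d"

# Constructed sample mirroring the thread's setup: two domains listed,
# only one configured, and the non-standard krb5_confd_path.
SAMPLE_CONF = """\
[sssd]
domains = a.c.realm, n.c.realm
config_file_version = 2
services = nss, pam, ssh

[domain/a.c.realm]
id_provider = ad
krb5_realm = A.C.REALM
use_fully_qualified_names = true
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; option names stay case-sensitive, '=' only."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def unknown_domains(cp):
    """Domains named in [sssd] 'domains' that have no [domain/<name>] section."""
    raw = cp.get("sssd", "domains", fallback="")
    listed = [d.strip() for d in raw.split(",") if d.strip()]
    configured = {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}
    return [d for d in listed if d not in configured]


def check_confd_path(path, root="/"):
    """Findings for one krb5_confd_path value.

    'root' is prepended so the check can run against a staging tree
    instead of the live filesystem."""
    findings = []
    if path.rstrip("/") != STANDARD_CONFD:
        findings.append("non-standard directory (AppArmor may deny writes)")
    real = os.path.join(root, path.lstrip("/"))
    if not os.path.isdir(real):
        findings.append("directory does not exist (SSSD will not create it)")
    elif not os.access(real, os.W_OK):
        findings.append("directory not writable by this process")
    return findings


def audit(text, root="/"):
    """Return {"unknown_domains": [...], "domain/<name>": [findings...]}."""
    cp = parse_sssd_conf(text)
    report = {"unknown_domains": unknown_domains(cp)}
    for section in cp.sections():
        if section.startswith("domain/") and cp.has_option(section, "krb5_confd_path"):
            report[section] = check_confd_path(cp.get(section, "krb5_confd_path"), root)
    return report


def demo():
    """Audit the sample before and after applying the thread's two fixes,
    against a staging tree where only the standard snippet directory exists."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, STANDARD_CONFD.lstrip("/")))
        before = audit(SAMPLE_CONF, root)
        fixed = SAMPLE_CONF.replace("krb5.conf.d", "krb5.include.d")
        fixed = fixed.replace("domains = a.c.realm, n.c.realm", "domains = a.c.realm")
        after = audit(fixed, root)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```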
-----Original Message----- From: Lukas Slebodnik [mailto:lslebodn@redhat.com] Sent: 8 January 2016 12:15 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: localauth plugin and some other questions
Why do you want to use different directory?
I think it was a suggested name, in one of the previous sssd versions, but I am not sure now.
Why can it not be the standard directory /var/lib/sss/pubconf/krb5.include.d? This directory is owned by sssd-krb5-common on Debian (sssd-1.13.3).
It should be allowed in apparmor to write to this directory:
profile /usr/lib/@{multiarch}/sssd/* {
  /var/lib/sss/pubconf/krb5.include.d/ rw,
}
But it needn't be allowed to write into your custom directory /var/lib/sss/pubconf/krb5.conf.d
I changed krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d and the localauth snippet is written to it. It is allowed in apparmor in Ubuntu sssd-13.2, as you have written. Thank you.
Longina
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 8 January 2016 11:23 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: localauth plugin and some other questions
'user1@n.c.realm@a.c.realm' looks odd, do you map the user name to an attribute other than sAMAccountName?
I use "id_provider = ad" and do not specifically map the user name to any attribute.
Attributes in AD:
uid = user1
userPrincipalName = user1@realm
sAMAccountName = user1
SSSD defaults:
ldap_user_name = uid
ldap_user_principal = krbPrincipalName
krb5_use_enterprise_principal = true
There is no krbPrincipalName attribute in the user object in AD.
sssd.conf:
[nss]
debug_level = 9
filter_groups = root
filter_users = root

[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss, pam,ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/a.c.realm]
debug_level = 9
ldap_use_tokengroup = false
dyndns_update = true
dyndns_update_ptr = true
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
use_fully_qualified_names = true
ldap_id_mapping = false
this won't work because ldap_user_principal value is used as a Kerberos principal without further processing.
You might want to try the 'default_domain_suffix' option, see man sssd.conf for details.
The manual says that 'default_domain_suffix' is usable if all users are located in a trusted domain while the computers are in the primary domain. With this option, users can log in with short names. Our users are in several trusted domains; what should be the value of 'default_domain_suffix'?
I still cannot reproduce this with my Fedora builds. Maybe it is an issue in the Ubuntu build, I'll try to reproduce on Ubuntu.
I changed the krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d and the localauth snippet is written to it.
Longina
Hi, sorry for the delay... Attached are sssd_nss.log and the default domain log sssd_a.c.realm.
Login with UPN (mail name) does not work here:
root@adm-lnx438:/tmp# getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000:XXXXX XXXXX:/home/user1:/bin/bash
my sssd.conf:
[nss]
debug_level = 9
filter_groups = root
filter_users = root

[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss,pam,ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/a.c.realm]
debug_level = 9
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
dyndns_update = true
dyndns_update_ptr = false
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d ###
use_fully_qualified_names = true
ldap_id_mapping = false
ldap_use_tokengroup = false
ad_gpo_access_control = disabled
best, Longina