7:17 a.m.
Hi,
it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm
hitting a bug with nss if a group contains "@" in it's cn (auth done via
LDAP):
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33]
with input [sudo_sasfdr@FFF-AP-dev].
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for
[0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get
domains request for [LDAP][FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data
Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not
configured
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x139bbc0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name
received [sudo_sasfdr@FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request:
[0x41df60:domains@LDAP]
At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev
worked just fine.
The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe
now the "@" is considered a domain-delimiter?
Currently as a workaround, I switched back to LDAP for sudo-queries (it's either that
or change over 200 groups in LDAP and the master provisioning system), since it seems so
far only sudo rules are impacted for now.
If anybody can point me to a config param to get the old behaviour back , I wouldvery much
appreciate it.
Or, if it is no longer supported, then I need to start writing ldap-renames ...
With friendly regards,
Franky
7:34 a.m.
On (06/10/15 14:17), liedekef(a)telenet.be wrote:
Hi,
it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm
hitting a bug with nss if a group contains "@" in it's cn (auth done via
LDAP):
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33]
with input [sudo_sasfdr@FFF-AP-dev].
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for
[0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get
domains request for [LDAP][FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data
Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not
configured
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x139bbc0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name
received [sudo_sasfdr@FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request:
[0x41df60:domains@LDAP]
At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev
worked just fine.
The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe
now the "@" is considered a domain-delimiter?
Currently as a workaround, I switched back to LDAP for sudo-queries (it's either that
or change over 200 groups in LDAP and the master provisioning system), since it seems so
far only sudo rules are impacted for now.
If anybody can point me to a config param to get the old behaviour back , I wouldvery much
appreciate it.
Or, if it is no longer supported, then I need to start writing ldap-renames ...
With friendly regards,
Could you share your configuration file?
We would need to know which data provider you have configured ...
sssd uses "@" as a separator for name and domain.
you can find more details in manual page sssd.conf -> re_expression
So you can just use different regular expression to avoid such
problems. But I wonder how it could work with 1.11.x
LS
7:48 a.m.
On Tue, Oct 06, 2015 at 02:34:58PM +0200, Lukas Slebodnik wrote:
On (06/10/15 14:17), liedekef(a)telenet.be wrote:
>Hi,
>
>it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64,
I'm hitting a bug with nss if a group contains "@" in it's cn (auth done
via LDAP):
>
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set
for client [0x13ac330][20]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set
for client [0x13ac330][20]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command
[33] with input [sudo_sasfdr@FFF-AP-dev].
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing
request for [0x41df60:domains@LDAP]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get
domains request for [LDAP][FFF-AP-dev]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x41df60:domains@LDAP]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from
Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is
not configured
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13a07b0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13a07b0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x139bbc0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x139bbc0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13a07b0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13ab1d0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name
received [sudo_sasfdr@FFF-AP-dev]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x41df60:domains@LDAP]
>
>At first I thought it was an LDAP issue, but changing the name to
sudo_sasfdr_FFF-AP-dev worked just fine.
>The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but
maybe now the "@" is considered a domain-delimiter?
>
>Currently as a workaround, I switched back to LDAP for sudo-queries (it's either
that or change over 200 groups in LDAP and the master provisioning system), since it seems
so far only sudo rules are impacted for now.
>
>If anybody can point me to a config param to get the old behaviour back , I wouldvery
much appreciate it.
>Or, if it is no longer supported, then I need to start writing ldap-renames ...
>
>With friendly regards,
>
Could you share your configuration file?
We would need to know which data provider you have configured ...
sssd uses "@" as a separator for name and domain.
you can find more details in manual page sssd.conf -> re_expression
So you can just use different regular expression to avoid such
problems. But I wonder how it could work with 1.11.x
This is something that should work, we use the configuration in the
'legacy client' scenario where the FQDNs are already present in the
compat tree and we need to avoid splitting them, but rather match
against the compat tree..
8:39 a.m.
(sorry for top-posting, but using a webmail client for now ...)
Here's my config:
----- Original Message -----
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: sssd-users(a)lists.fedorahosted.org
Sent: Tuesday, October 6, 2015 2:48:02 PM
Subject: Re: [SSSD-users] sssd nss call fails if group has "@" in it
On Tue, Oct 06, 2015 at 02:34:58PM +0200, Lukas Slebodnik wrote:
On (06/10/15 14:17), liedekef(a)telenet.be wrote:
>Hi,
>
>it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64,
I'm hitting a bug with nss if a group contains "@" in it's cn (auth done
via LDAP):
>
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set
for client [0x13ac330][20]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set
for client [0x13ac330][20]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command
[33] with input [sudo_sasfdr@FFF-AP-dev].
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing
request for [0x41df60:domains@LDAP]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get
domains request for [LDAP][FFF-AP-dev]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x41df60:domains@LDAP]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from
Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is
not configured
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13a07b0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13a07b0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x139bbc0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x139bbc0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13a07b0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13ab1d0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name
received [sudo_sasfdr@FFF-AP-dev]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x41df60:domains@LDAP]
>
>At first I thought it was an LDAP issue, but changing the name to
sudo_sasfdr_FFF-AP-dev worked just fine.
>The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but
maybe now the "@" is considered a domain-delimiter?
>
>Currently as a workaround, I switched back to LDAP for sudo-queries (it's either
that or change over 200 groups in LDAP and the master provisioning system), since it seems
so far only sudo rules are impacted for now.
>
>If anybody can point me to a config param to get the old behaviour back , I wouldvery
much appreciate it.
>Or, if it is no longer supported, then I need to start writing ldap-renames ...
>
>With friendly regards,
>
Could you share your configuration file?
We would need to know which data provider you have configured ...
sssd uses "@" as a separator for name and domain.
you can find more details in manual page sssd.conf -> re_expression
So you can just use different regular expression to avoid such
problems. But I wonder how it could work with 1.11.x
This is something that should work, we use the configuration in the
'legacy client' scenario where the FQDNs are already present in the
compat tree and we need to avoid splitting them, but rather match
against the compat tree..
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
8:40 a.m.
(sorry for top-osting, but using a webmail client for now).
Here's my config (some obfuscation done):
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam, ssh, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LOCAL,LDAP
domains = LDAP
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa,ntp
reconnection_retries = 3
# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
# entry_cache_nowait_percentage = 300
[sudo]
[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=xxxx
ldap_uri = ldap://server1.fqdn, ldap://server2.fqdn
ldap_search_base = dc=xxxx
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_timeout = 5
ldap_referrals = false
ldap_user_ssh_public_key = sshPublicKey
ldap_sudo_search_base = ou=SudoEntries,dc=xxx
ldap_sudorule_runasuser = sudoRunAs
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
Franky
----- Original Message -----
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: sssd-users(a)lists.fedorahosted.org
Sent: Tuesday, October 6, 2015 2:48:02 PM
Subject: Re: [SSSD-users] sssd nss call fails if group has "@" in it
On Tue, Oct 06, 2015 at 02:34:58PM +0200, Lukas Slebodnik wrote:
On (06/10/15 14:17), liedekef(a)telenet.be wrote:
>Hi,
>
>it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64,
I'm hitting a bug with nss if a group contains "@" in it's cn (auth done
via LDAP):
>
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set
for client [0x13ac330][20]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set
for client [0x13ac330][20]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command
[33] with input [sudo_sasfdr@FFF-AP-dev].
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing
request for [0x41df60:domains@LDAP]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get
domains request for [LDAP][FFF-AP-dev]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x41df60:domains@LDAP]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from
Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is
not configured
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13a07b0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13a07b0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x139bbc0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x139bbc0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13a07b0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13ab1d0
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13ab1d0 "ltdb_timeout"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0
"ltdb_callback"
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name
received [sudo_sasfdr@FFF-AP-dev]
>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x41df60:domains@LDAP]
>
>At first I thought it was an LDAP issue, but changing the name to
sudo_sasfdr_FFF-AP-dev worked just fine.
>The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but
maybe now the "@" is considered a domain-delimiter?
>
>Currently as a workaround, I switched back to LDAP for sudo-queries (it's either
that or change over 200 groups in LDAP and the master provisioning system), since it seems
so far only sudo rules are impacted for now.
>
>If anybody can point me to a config param to get the old behaviour back , I wouldvery
much appreciate it.
>Or, if it is no longer supported, then I need to start writing ldap-renames ...
>
>With friendly regards,
>
Could you share your configuration file?
We would need to know which data provider you have configured ...
sssd uses "@" as a separator for name and domain.
you can find more details in manual page sssd.conf -> re_expression
So you can just use different regular expression to avoid such
problems. But I wonder how it could work with 1.11.x
This is something that should work, we use the configuration in the
'legacy client' scenario where the FQDNs are already present in the
compat tree and we need to avoid splitting them, but rather match
against the compat tree..
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
11:02 a.m.
On Tue, Oct 06, 2015 at 03:40:45PM +0200, liedekef(a)telenet.be wrote:
(sorry for top-osting, but using a webmail client for now).
Here's my config (some obfuscation done):
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam, ssh, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LOCAL,LDAP
domains = LDAP
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa,ntp
reconnection_retries = 3
# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
# entry_cache_nowait_percentage = 300
Since you do not have re_expression tuned, any query in the form of
foo@bar gets split into (name=foo, domain=bar) and if there's no domain
bar, then sssd just shortcuts and returns ENOENT.
Can you try adding::
re_expression = (?P<name>.+)
to the [sssd] section? That essentially tells sssd that the whole input
string is a username. The downside is that you won't be able to use
multiple domains..
[sudo]
[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=xxxx
ldap_uri = ldap://server1.fqdn, ldap://server2.fqdn
ldap_search_base = dc=xxxx
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_timeout = 5
ldap_referrals = false
ldap_user_ssh_public_key = sshPublicKey
ldap_sudo_search_base = ou=SudoEntries,dc=xxx
ldap_sudorule_runasuser = sudoRunAs
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
Franky
----- Original Message -----
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: sssd-users(a)lists.fedorahosted.org
Sent: Tuesday, October 6, 2015 2:48:02 PM
Subject: Re: [SSSD-users] sssd nss call fails if group has "@" in it
On Tue, Oct 06, 2015 at 02:34:58PM +0200, Lukas Slebodnik wrote:
> On (06/10/15 14:17), liedekef(a)telenet.be wrote:
> >Hi,
> >
> >it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64,
I'm hitting a bug with nss if a group contains "@" in it's cn (auth done
via LDAP):
> >
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer
re-set for client [0x13ac330][20]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer
re-set for client [0x13ac330][20]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [33] with input [sudo_sasfdr@FFF-AP-dev].
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing
request for [0x41df60:domains@LDAP]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending
get domains request for [LDAP][FFF-AP-dev]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x41df60:domains@LDAP]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn:
0x1397ab0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply
from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target
is not configured
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13a07b0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event
0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13a07b0 "ltdb_timeout"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x139bbc0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event
0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x139bbc0 "ltdb_timeout"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x13ab1d0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13a07b0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13ab1d0
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event
0x13a07b0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event
0x13ab1d0 "ltdb_timeout"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x13a07b0 "ltdb_callback"
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid
name received [sudo_sasfdr@FFF-AP-dev]
> >(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x41df60:domains@LDAP]
> >
> >At first I thought it was an LDAP issue, but changing the name to
sudo_sasfdr_FFF-AP-dev worked just fine.
> >The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem,
but maybe now the "@" is considered a domain-delimiter?
> >
> >Currently as a workaround, I switched back to LDAP for sudo-queries (it's
either that or change over 200 groups in LDAP and the master provisioning system), since
it seems so far only sudo rules are impacted for now.
> >
> >If anybody can point me to a config param to get the old behaviour back , I
wouldvery much appreciate it.
> >Or, if it is no longer supported, then I need to start writing ldap-renames ...
> >
> >With friendly regards,
> >
> Could you share your configuration file?
> We would need to know which data provider you have configured ...
>
> sssd uses "@" as a separator for name and domain.
> you can find more details in manual page sssd.conf -> re_expression
> So you can just use different regular expression to avoid such
> problems. But I wonder how it could work with 1.11.x
This is something that should work, we use the configuration in the
'legacy client' scenario where the FQDNs are already present in the
compat tree and we need to avoid splitting them, but rather match
against the compat tree..
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
11:25 a.m.
On Tue, Oct 6, 2015 at 6:02 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Tue, Oct 06, 2015 at 03:40:45PM +0200, liedekef(a)telenet.be wrote:
> (sorry for top-osting, but using a webmail client for now).
> Here's my config (some obfuscation done):
>
> [sssd]
> config_file_version = 2
>
> # Number of times services should attempt to reconnect in the
> # event of a crash or restart before they give up
> reconnection_retries = 3
>
> # If a back end is particularly slow you can raise this timeout here
> sbus_timeout = 30
> services = nss, pam, ssh, sudo
>
> # SSSD will not start if you do not configure any domains.
> # Add new domain configurations as [domain/<NAME>] sections, and
> # then add the list of domains (in the order you want them to be
> # queried) to the "domains" attribute below and uncomment it.
> # domains = LOCAL,LDAP
>
> domains = LDAP
> [nss]
> # The following prevents SSSD from searching for the root user/group in
> # all domains (you can add here a comma-separated list of system
accounts that
> # are always going to be /etc/passwd users, or that you want to filter
out).
> filter_groups = root
> filter_users = root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa,ntp
> reconnection_retries = 3
>
> # The entry_cache_nowait_percentage indicates the percentage of the
> # entry_cache_timeout to wait before updating the cache out-of-band.
> # (NSS requests will still be returned from cache until the full
> # entry_cache_timeout). Setting this value to 0 turns this feature
> # off (default).
> # entry_cache_nowait_percentage = 300
Since you do not have re_expression tuned, any query in the form of
foo@bar gets split into (name=foo, domain=bar) and if there's no domain
bar, then sssd just shortcuts and returns ENOENT.
Can you try adding::
re_expression = (?P<name>.+)
to the [sssd] section? That essentially tells sssd that the whole input
string is a username. The downside is that you won't be able to use
multiple domains..
That seems to do the trick. Although it seems weirs that in version 1.11 it
worked just fine (as in 1.9 btw). I'll continue to test this.
Thanks already.
Franky
3118
days inactive
3118
days old
sssd-users@lists.fedorahosted.org
6 comments
3 participants
participants (3)
-
Franky Van Liedekerke -
Jakub Hrozek -
Lukas Slebodnik