(sorry for top-posting, but I'm using a webmail client for now).
Here's my config (some obfuscation done):
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam, ssh, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LOCAL,LDAP
domains = LDAP
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa,ntp
reconnection_retries = 3
# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
# entry_cache_nowait_percentage = 300
[sudo]
[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=cn=xxxx
ldap_uri = ldap://server1.fqdn, ldap://server2.fqdn
ldap_search_base = dc=xxxx
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_timeout = 5
ldap_referrals = false
ldap_user_ssh_public_key = sshPublicKey
ldap_sudo_search_base = ou=SudoEntries,dc=xxx
ldap_sudorule_runasuser = sudoRunAs
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
Franky
----- Original Message -----
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
To: sssd-users(a)lists.fedorahosted.org
Sent: Tuesday, October 6, 2015 2:48:02 PM
Subject: Re: [SSSD-users] sssd nss call fails if group has "@" in it
On Tue, Oct 06, 2015 at 02:34:58PM +0200, Lukas Slebodnik wrote:
> On (06/10/15 14:17), liedekef(a)telenet.be wrote:
>>Hi,
>>
>>it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm hitting a bug with nss if a group contains "@" in its cn (auth done via LDAP):
>>
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev].
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@LDAP]
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [LDAP][FFF-AP-dev]
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@LDAP]
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13a07b0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0 "ltdb_timeout"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x139bbc0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0 "ltdb_timeout"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13a07b0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13ab1d0
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0 "ltdb_callback"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0 "ltdb_timeout"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0 "ltdb_callback"
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev]
>>(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@LDAP]
>>
>>At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev worked just fine.
>>The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe now the "@" is considered a domain delimiter?
>>
>>Currently, as a workaround, I switched back to LDAP for sudo queries (it's either that or change over 200 groups in LDAP and the master provisioning system), since it seems so far only sudo rules are impacted for now.
>>
>>If anybody can point me to a config param to get the old behaviour back, I would very much appreciate it.
>>Or, if it is no longer supported, then I need to start writing ldap-renames ...
>>
>>With friendly regards,
>>
> Could you share your configuration file?
> We would need to know which data provider you have configured ...
> sssd uses "@" as a separator for name and domain.
> You can find more details in the manual page sssd.conf -> re_expression.
> So you can just use a different regular expression to avoid such
> problems. But I wonder how it could work with 1.11.x
This is something that should work; we use the configuration in the
'legacy client' scenario where the FQDNs are already present in the
compat tree and we need to avoid splitting them, but rather match
against the compat tree.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
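As an added illustration that is not part of the thread: the default re_expression quoted from the sssd.conf(5) man page (for the ldap/proxy/local providers; check your own version's man page) applied in Python to the names in the quoted log, showing why `sudo_sasfdr@FFF-AP-dev` is split into a name and a non-existent domain and how a non-splitting expression (an illustrative choice, not a value from the thread) keeps the group name whole. The configured domain set is taken from Franky's `domains = LDAP`; `alice@LDAP` is a constructed sample.

```python
import re

# Default re_expression for the ldap/proxy/local providers, as documented in the
# sssd.conf(5) man page: the name is everything up to the "@", the domain is
# everything after it. Verify against the man page of the version you run.
DEFAULT_RE = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# An expression that never splits: the whole input is the name. This is an
# illustrative choice for the example, not a value taken from the thread.
NOSPLIT_RE = r"(?P<name>.+)"

# Domains configured in Franky's sssd.conf ("domains = LDAP").
CONFIGURED_DOMAINS = {"LDAP"}

# Names from the quoted log plus one constructed fully-qualified sample.
SAMPLE_NAMES = ["sudo_sasfdr@FFF-AP-dev", "sudo_sasfdr_FFF-AP-dev", "alice@LDAP"]


def parse_name(raw, re_expression=DEFAULT_RE):
    """Split a raw NSS name into (name, domain) using an sssd-style re_expression.

    Returns None when the expression does not match; domain is None when the
    expression has no domain group or that group captured nothing.
    """
    match = re.match(re_expression, raw)
    if match is None:
        return None
    domain = match.groupdict().get("domain") or None
    return match.group("name"), domain


def route(raw, configured_domains=CONFIGURED_DOMAINS, re_expression=DEFAULT_RE):
    """Predict where the nss responder would send the lookup.

    "all-domains": no domain part, so every configured domain is searched.
    "unknown-domain": a domain part matching no configured domain; this is the
    path that ended in "Invalid name received" in the quoted log.
    """
    parsed = parse_name(raw, re_expression)
    if parsed is None:
        return "no-match"
    _, domain = parsed
    if domain is None:
        return "all-domains"
    return domain if domain in configured_domains else "unknown-domain"


if __name__ == "__main__":
    for expr in (DEFAULT_RE, NOSPLIT_RE):
        print(f"re_expression = {expr}")
        for raw in SAMPLE_NAMES:
            print(f"  {raw:<24} -> {parse_name(raw, expr)}, routed to {route(raw, re_expression=expr)}")
```

sssd compiles re_expression with PCRE; for these two patterns Python's `re` behaves identically, so the split shown here is the one the responder performs.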