Hello Sumit! Ah, thanks alot! I was wondering why this worked on the FreeIPA server (ipa1.linux.intern), but there i have SSSD 1.12. I will try with a newer client on another client and join the FreeIPA domain. About the original UID change problem: i will try that again and post the correct logfiles with the appropriate loglevel.
Thanks! Gregor 2014-09-11 12:58 GMT+02:00 Sumit Bose <sb...@redhat.com>: > On Wed, Sep 10, 2014 at 08:19:15AM +0200, Gregor Bregenzer wrote: >> Hello Sumit, >> i think maybe there is a different problem i just discovered by >> accident. As stated in the first email, i have an AD trust with >> FreeIPA that receives all POSIX attributes from AD, but i get >> different values: >> On the FreeIPA server that has the AD trust (ipa1.linux.intern) i get >> the correct GID (=10000, this is the AD group linuxusers) that is set >> in AD, but on the client (linux1.linux.intern) i get another one ( = >> 10005): >> >> ipa1.linux.intern >> ~~~~ >> [root@ipa1 httpd]# getent passwd user1@aaa >> user1@aaa.intern:*:10005: >> 10000:user1:/home/aaa.intern/user1:/bin/bash >> >> -bash-4.2$ id >> uid=10005(user1@aaa.intern) gid=10000(linuxusers@aaa.intern) >> groups=10000(linuxusers@aaa.intern),1933000004(ad_users) >> ~~~~ >> >> linux1.linux.intern >> ~~~~~~~~ >> [root@linux1 sssd]# getent passwd user1@aaa >> user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash >> >> [user1@aaa.intern@linux1 ~]$ id >> uid=10005(user1@aaa.intern) gid=10005(user1@aaa.intern) >> Gruppen=10005(user1@aaa.intern),1933000004(ad_users) > > Since you are using SSSD-1.9.x on the client this behaviour is expected. > In this version SSSD could only handle users from a trusted AD domain as > users with User Private Groups (UPG), hence POSIX UID and GID are the > same. The additional group memberships are only available after the user > logged in. For this the PAC from the Kerberos ticket is evaluated. But > the PAC does not contain any information about POSIX attributes and only > contains groups the user is member of from the AD point of view. If > user1 is not a member of the linuxuser AD group SSSD cannot resolve this > membership. > > Nevertheless I think this is not related to the UID change you reported > earlier. > > bye, > Sumit > >> >> Logfile on ipa1.linux.intern sssd_nss.log >> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400): >> Running command [17] with input [user1@aaa.intern]. >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains] >> (0x0200): name 'user1@aaa.intern' matched expression for domain >> 'aaa.intern', user is user1 │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): >> Requesting info for [user1] from [aaa.intern] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] >> (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] >> (0x0100): Requesting info for [user1@aaa.intern] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed >> event "ltdb_callback": 0x7fe19e562700 >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed >> event "ltdb_timeout": 0x7fe19e562830 >> │ >> 03│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running >> timer event 0x7fe19e562700 "ltdb_callback" >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying >> timer event 0x7fe19e562830 "ltdb_timeout" >> │va >> r/│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer >> event 0x7fe19e562700 "ltdb_callback" >> │ >> │(Wed Sep 10 08:14:42 2014) [sssd[nss]] [check_cache] (0x0400): >> Cached entry is valid, returning.. >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] >> (0x0400): Returning info for user [user1@aaa.intern] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000): >> Idle timer re-set for client [0x7fe19e563d40][21] >> │ >> >> ---------- >> Logfile on linux1.linux.intern sssd_nss.log >> >> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains] >> (0x0200): name 'user1@aaa' matched expression for domain 'aaa.intern', >> user is user1 │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): >> Requesting info for [user1] from [aaa.intern] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] >> (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] >> (0x0100): Requesting info for [user1@aaa.intern] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed >> event "ltdb_callback": 0x20e2c20 >> │ >> (W│ >> >> │ >> 00│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed >> event "ltdb_timeout": 0x20e2590 >> │ >> (W│ >> >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running >> timer event 0x20e2c20 "ltdb_callback" >> │ >> (W│ >> >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying >> timer event 0x20e2590 "ltdb_timeout" >> │ >> (W│ >> >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer >> event 0x20e2c20 "ltdb_callback" >> │ >> (W│ >> >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_issue_request] >> (0x0400): Issuing request for [0x432730:1:user1@aaa.intern] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_get_account_msg] >> (0x0400): Creating request for [aaa.intern][4097][1][name=user1] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_add_timeout] (0x2000): >> 0x20d72e0 >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_internal_get_send] >> (0x0400): Entering request [0x432730:1:user1@aaa.intern] >> │ >> 01│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_remove_timeout] >> (0x2000): 0x20d72e0 >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_dispatch] (0x4000): >> dbus conn: 20DB0F0 >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_dispatch] (0x4000): >> Dispatching. >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): >> Got reply from Data Provider - DP error code: 0 errno: 0 error >> message: Success >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] >> (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] >> (0x0100): Requesting info for [user1@aaa.intern] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed >> event "ltdb_callback": 0x20e8530 >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed >> event "ltdb_timeout": 0x20e85e0 >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running >> timer event 0x20e8530 "ltdb_callback" >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying >> timer event 0x20e85e0 "ltdb_timeout" >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer >> event 0x20e8530 "ltdb_callback" >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] >> (0x0400): Returning info for user [user1@aaa.intern] >> │ >> 02│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_req_destructor] >> (0x0400): Deleting request: [0x432730:1:user1@aaa.intern] >> │ >> :/│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000): >> Idle timer re-set for client [0x20e44a0][20] >> │ >> │(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000): >> Idle timer re-set for client [0x20e44a0][20] >> │ >> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [client_recv] (0x0200): >> Client disconnected! >> │/v >> ar│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [client_destructor] >> (0x2000): Terminated client [0x20e44a0][20] >> >> ~~~~ >> >> >> I think i need to get this one right before the HBAC rule - right? >> >> >> Here is my ipa1.linux.intern sssd.conf: >> ~~~~~~~~~ >> [domain/linux.intern] >> debug_level=9 >> cache_credentials = True >> krb5_store_password_if_offline = True >> ipa_domain = linux.intern >> id_provider = ipa >> auth_provider = ipa >> access_provider = ipa >> ipa_hostname = ipa1.linux.intern >> chpass_provider = ipa >> ipa_server = ipa1.linux.intern >> ipa_server_mode = True >> ldap_tls_cacert = /etc/ipa/ca.crt >> [sssd] >> debug_level=9 >> services = nss, sudo, pam, ssh, pac >> config_file_version = 2 >> subdomains_provider = ipa >> domains = linux.intern >> [nss] >> debug_level=9 >> homedir_substring = /home >> >> [pam] >> debug_level=9 >> [sudo] >> >> [autofs] >> >> [ssh] >> >> [pac] >> debug_level=9 >> [ifp] >> >> ~~~~~~~~~~~~~~ >> >> Here's my linux1.linux.intern sssd.conf >> ~~~~~ >> [domain/linux.intern] >> debug_level=9 >> cache_credentials = False >> krb5_store_password_if_offline = False >> ipa_domain = linux.intern >> id_provider = ipa >> auth_provider = ipa >> access_provider = ipa >> ipa_hostname = linux1.linux.intern >> chpass_provider = ipa >> ipa_dyndns_update = True >> ipa_server = _srv_, ipa1.linux.intern >> ldap_tls_cacert = /etc/ipa/ca.crt >> use_fully_qualified_domains = True >> # For the SUDO integration >> sudo_provider = ldap >> ldap_uri = ldap://ipa1.linux.intern >> ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern >> ldap_sasl_mech = GSSAPI >> ldap_sasl_authid = host/linux1.linux.intern >> ldap_sasl_realm = LINUX.INTERN >> krb5_server = ipa1.linux.intern >> >> [sssd] >> debug_level=9 >> services = nss, pam, ssh, sudo >> config_file_version = 2 >> #default_domain_suffix=aaa.intern >> domains = linux.intern >> [nss] >> debug_level=9 >> override_homedir = /home/%u >> override_shell = /bin/bash >> [pam] >> debug_level=9 >> [sudo] >> >> [autofs] >> >> [ssh] >> debug_level=9 >> [pac] >> debug_level=9 >> >> ~~~~ >> >> >> I used the following command to create the AD trust: >> >> ipa trust-add --type=ad aaa.intern --admin Administrator >> --password --range-type ipa-ad-trust-posix >> >> Do you need any other debug information? >> >> >> Thanks! >> Gregor >> >> 2014-09-08 9:17 GMT+02:00 Sumit Bose <sb...@redhat.com>: >> > On Sun, Sep 07, 2014 at 11:41:16PM +0200, Gregor Bregenzer wrote: >> >> Hi! >> >> >> >> I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a >> >> specific user group (=ad_users which is an posix group that has an >> >> external group as member) to login on a specific client >> >> (=linux1.linux.intern). >> >> >> >> The problem is: once i disable the rule and the AD user is not allowed >> >> to login anymore, the user on the client gets another uid and gid via >> >> sssd. >> >> >> >> I use the posix attributes from AD, which will get received by sssd >> >> perfectly. >> >> The client is running on CentOS 6.5 and uses sssd 1.9.2.129.el6_5.4 >> >> AD domain = aaa.intern >> >> IPA domain = linux.intern >> >> AD-User: user1 (uid=1005,gid=10005) >> >> >> >> Here an example: >> >> ---------------------------- >> >> 1.) disable the hbac rule and the default allow_all rule: >> >> 2.) check the uid/gid on the client (=linux1.linux.intern) and it looks >> >> fine: >> >> >> >> [root@linux1 sssd]# getent passwd user1@aaa >> >> user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash >> >> >> >> 3.) Login with ssh to client as user1. It will be denied upon correct >> >> password input and ssh sessions closes. Up until now everything as >> >> expected. But now: >> >> >> >> 4.) check for the uid/gid on the client - something totally different. >> >> It now also receives the Firstname and Lastname from AD, latter is >> >> empty: >> >> >> >> [root@linux1 sssd]# getent passwd user1@aaa >> >> user1@aaa.intern:*:11601:11601:user1:/home/user1@aaa.intern:/bin/bash >> >> >> >> 5.) Enable the hbac rule and login works, but the unexpected uid/gid >> >> stays the same: >> >> >> >> login as: user1@aaa >> >> user1@aaa@192.168.0.100's password: >> >> login as: user1@aaa >> >> user1@aaa@192.168.0.100's password: >> >> Last failed login: Sun Sep 7 23:19:49 CEST 2014 from 192.168.0.26 on >> >> ssh:notty >> >> There were 2 failed login attempts since the last successful login. >> >> Creating home directory for user1@aaa. >> >> Last login: Sun Sep 7 23:21:02 2014 from 192.168.0.26 >> >> [user1@aaa.intern@linux1 ~]$ id >> >> uid=11601(user1@aaa.intern) gid=11601(user1@aaa.intern) >> >> Gruppen=11601(user1@aaa.intern),1933000004(ad_users) >> >> [user1@aaa.intern@linux1 ~]$ >> >> --------------------------------- >> >> >> >> Anyone have a clue what might be the problem? >> > >> > I would expect some kind of collision, but to be sure I need the SSSD >> > log files. Please try to reproduce the switch and send me the log file, >> > if possilbe with debug_level=9. >> > >> > bye, >> > Sumit >> > >> >> >> >> Here's the sssd.conf: >> >> [root@linux1 sssd]# cat /etc/sssd/sssd.conf >> >> [domain/linux.intern] >> >> debug_level=6 >> >> cache_credentials = False >> >> krb5_store_password_if_offline = False >> >> ipa_domain = linux.intern >> >> id_provider = ipa >> >> auth_provider = ipa >> >> access_provider = ipa >> >> ipa_hostname = linux1.linux.intern >> >> chpass_provider = ipa >> >> ipa_dyndns_update = True >> >> ipa_server = _srv_, ipa1.linux.intern >> >> ldap_tls_cacert = /etc/ipa/ca.crt >> >> use_fully_qualified_domains = True >> >> # For the SUDO integration >> >> sudo_provider = ldap >> >> ldap_uri = ldap://ipa1.linux.intern >> >> ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern >> >> ldap_sasl_mech = GSSAPI >> >> ldap_sasl_authid = host/linux1.linux.intern >> >> ldap_sasl_realm = LINUX.INTERN >> >> krb5_server = ipa1.linux.intern >> >> entry_cache_sudo_timeout = 30 >> >> [sssd] >> >> debug_level=6 >> >> services = nss, pam, ssh, sudo >> >> config_file_version = 2 >> >> default_domain_suffix=aaa.intern >> >> domains = linux.intern >> >> [nss] >> >> debug_level=9 >> >> override_homedir = /home/%u >> >> override_shell = /bin/bash >> >> [pam] >> >> debug_level=6 >> >> [sudo] >> >> debug_level=6 >> >> [autofs] >> >> >> >> [ssh] >> >> debug_level=6 >> >> [pac] >> >> >> >> >> >> >> >> Thanks! >> >> Gregor >> >> >> >> -- >> >> Manage your subscription for the Freeipa-users mailing list: >> >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> Go To http://freeipa.org for more info on the project >> > >> > -- >> > Manage your subscription for the Freeipa-users mailing list: >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> > Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project