[SSSD-users] Re: Starting SSSD without root

2021-04-01 Thread Pawel Polawski
Hi David,

A plan for full support of SSSD running as a non-root user is within the scope
of interest of the SSSD dev team.
I can't provide you with a precise time frame for this, but some preparation
has already started.
This transition is not trivial, as by design SSSD was always running as root.
Keep in mind that on top of the code changes a lot of testing needs to be
done to confirm that the final result will be secure and perform well.

After a quick check, these are some of the already existing upstream issues
related to SSSD running without root:
https://github.com/SSSD/sssd/issues/3412
https://github.com/SSSD/sssd/issues/5508
https://github.com/SSSD/sssd/issues/5536
https://github.com/SSSD/sssd/issues/5443

Best regards,
Pawel

On Thu, Apr 1, 2021 at 6:06 PM David Mather  wrote:

> We are also trying to run as a non-root user with minimal capabilities in
> production. Has anymore work been done on this since?
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>


--
Paweł Poławski
Senior Software Engineer
Red Hat
ppola...@redhat.com



[SSSD-users] Re: Help with pam_sss_gss.so

2021-04-01 Thread Pawel Polawski
Hi Sam,

Can you provide me with a complete set of logs from both machines, the one
where pam_sss_gss.so is working fine and the problematic one?
I will take a look at them and try to figure out what the issue is.

You can send it to me directly at ppola...@redhat.com.

Best regards,
Pawel

On Thu, Apr 1, 2021 at 3:04 PM Sam Morris  wrote:

> Whoops, I forgot to include the sudo output!
>
> pam_sss_gss: Initializing GSSAPI authentication with SSSD
> pam_sss_gss: Switching euid from 0 to 123456789
> pam_sss_gss: Trying to establish security context
> pam_sss_gss: SSSD User name: sam.mor...@example.net
> pam_sss_gss: User domain: example.net
> pam_sss_gss: User principal: sam.mor...@example.net
> pam_sss_gss: Target name: h...@myself.ipa.example.net
> pam_sss_gss: Using ccache: FILE:/run/user/123456789/krb5cc
> pam_sss_gss: Acquiring credentials for principal [sam.mor...@example.net]
> pam_sss_gss: Communication error [3, 32]: Error in service module; Broken pipe
> pam_sss_gss: Switching euid from 123456789 to 0
> pam_sss_gss: System error [32]: Broken pipe
> [sudo] password for sam.mor...@example.net: ^C
>
> If I run 'klist' at this point, I can see that I've picked up tickets for
> krb5tgt/ipa.example@example.net and host/
> myself.ipa.example@ipa.example.net; so I think the PAM module is
> working, but sssd_pam doesn't like what it sends and closes the connection
> down.
>
> --
> Sam Morris 
> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
>


--
Paweł Poławski
Senior Software Engineer
Red Hat
ppola...@redhat.com



[SSSD-users] Re: Starting SSSD without root

2021-04-01 Thread David Mather
We are also trying to run as a non-root user with minimal capabilities in 
production. Has anymore work been done on this since?


[SSSD-users] Re: Help with pam_sss_gss.so

2021-04-01 Thread Sam Morris
Whoops, I forgot to include the sudo output!

pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 123456789
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sam.mor...@example.net
pam_sss_gss: User domain: example.net
pam_sss_gss: User principal: sam.mor...@example.net
pam_sss_gss: Target name: h...@myself.ipa.example.net
pam_sss_gss: Using ccache: FILE:/run/user/123456789/krb5cc
pam_sss_gss: Acquiring credentials for principal [sam.mor...@example.net]
pam_sss_gss: Communication error [3, 32]: Error in service module; Broken pipe
pam_sss_gss: Switching euid from 123456789 to 0
pam_sss_gss: System error [32]: Broken pipe
[sudo] password for sam.mor...@example.net: ^C

If I run 'klist' at this point, I can see that I've picked up tickets for 
krb5tgt/ipa.example@example.net and 
host/myself.ipa.example@ipa.example.net; so I think the PAM module is 
working, but sssd_pam doesn't like what it sends and closes the connection down.

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9


[SSSD-users] Help with pam_sss_gss.so

2021-04-01 Thread Sam Morris
I have two Debian systems, and using pam_sss_gss.so for sudo works fine on one 
of them, but not the other.

Both have SSSD 2.4.1 installed and are joined to FreeIPA domains. On the system 
where it works, the user is defined in the FreeIPA domain.

On the system where it doesn't work, my user is an AD trust user.

Here's what I get from sssd_pam.log:

(2021-04-01 10:54:52): [pam] [server_common_rotate_logs] (0x0010): Debug level changed to 0x07f0
(2021-04-01 10:54:52): [pam] [sbus_issue_request_done] (0x0400): sssd.service.rotateLogs: Success
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162023b40][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Offered version [3].
(2021-04-01 10:55:00): [pam] [cache_req_send] (0x0400): CR #6: New request 'User by name'
(2021-04-01 10:55:00): [pam] [cache_req_process_input] (0x0400): CR #6: Parsing input name [sam.mor...@example.net]
(2021-04-01 10:55:00): [pam] [sss_parse_name_for_domains] (0x0200): name 'sam.mor...@example.net' matched expression for domain 'example.net', user is sam.morris
(2021-04-01 10:55:00): [pam] [cache_req_set_name] (0x0400): CR #6: Setting name [sam.morris]
(2021-04-01 10:55:00): [pam] [cache_req_select_domains] (0x0400): CR #6: Performing a single domain search
(2021-04-01 10:55:00): [pam] [cache_req_search_domains] (0x0400): CR #6: Search will check the cache and check the data provider
(2021-04-01 10:55:00): [pam] [cache_req_set_domain] (0x0400): CR #6: Using domain [example.net]
(2021-04-01 10:55:00): [pam] [cache_req_prepare_domain_data] (0x0400): CR #6: Preparing input data for domain [example.net] rules
(2021-04-01 10:55:00): [pam] [cache_req_search_send] (0x0400): CR #6: Looking up sam.mor...@example.net
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache] (0x0400): CR #6: Checking negative cache for [sam.mor...@example.net]
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache] (0x0400): CR #6: [sam.mor...@example.net] is not present in negative cache
(2021-04-01 10:55:00): [pam] [cache_req_search_cache] (0x0400): CR #6: Looking up [sam.mor...@example.net] in cache
(2021-04-01 10:55:00): [pam] [cache_req_search_send] (0x0400): CR #6: Returning [sam.mor...@example.net] from cache
(2021-04-01 10:55:00): [pam] [cache_req_search_ncache_filter] (0x0400): CR #6: This request type does not support filtering result by negative cache
(2021-04-01 10:55:00): [pam] [cache_req_create_and_add_result] (0x0400): CR #6: Found 1 entries in domain example.net
(2021-04-01 10:55:00): [pam] [cache_req_done] (0x0400): CR #6: Finished: Success
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI auth: User[sam.mor...@example.net], Domain[example.net], UPN[sam.mor...@example.net], Target[h...@myself.ipa.example.net]
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162039780][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Received client version [3].
(2021-04-01 10:55:00): [pam] [sss_cmd_get_version] (0x0200): Offered version [3].
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!

There's nothing particularly special about the PAM & SSSD setup; 
/etc/pam.d/sudo starts with "auth sufficient pam_sss_gss.so", and sssd.conf in 
the [pam] section has "pam_gssapi_services = sudo".

I can use strace to see exactly what data is being received by sssd_pam from 
pam_sss_gss.so but I don't know what sensitive data might be within so I don't 
want to post it here. I can provide it privately if it would help.

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
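As an added example (not code from the thread or from SSSD), this parses the sssd_pam.log line format quoted above and picks out the client connection that sssd_pam closed with "Invalid data from client" right after pam_cmd_gssapi_init_done reported success. The sample lines are an excerpt of the log in this post, with one line left wrapped as the archive wraps it, to exercise the continuation handling.

```python
import re
from typing import List, Optional

# Shape of the sssd_pam.log lines quoted in the post:
#   (YYYY-MM-DD HH:MM:SS): [component] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\): \[(?P<comp>[^\]]+)\] \[(?P<func>[^\]]+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def parse_sssd_log(text: str) -> List[dict]:
    """Parse SSSD debug-log lines into dicts. A line that does not start a new
    entry is a continuation of the previous message (archives wrap at 80 cols)."""
    entries: List[dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({"ts": m["ts"], "comp": m["comp"], "func": m["func"],
                            "level": int(m["level"], 16), "msg": m["msg"].rstrip()})
        elif entries and raw.strip():
            entries[-1]["msg"] = f'{entries[-1]["msg"]} {raw.strip()}'
    return entries

def find_dropped_gssapi_request(entries: List[dict]) -> Optional[str]:
    """Return the 'Trying GSSAPI auth: ...' context of a connection that sssd_pam
    closed with 'Invalid data from client' after pam_cmd_gssapi_init_done succeeded,
    or None. The context is reset on every accept_fd_handler line, so a later
    connection dropped before any GSSAPI request (the second one in the post) is not blamed."""
    ctx: Optional[str] = None
    for e in entries:
        if e["func"] == "accept_fd_handler":
            ctx = None
        elif e["func"] == "pam_cmd_gssapi_init_done" and e["msg"].startswith("Trying GSSAPI auth"):
            ctx = e["msg"]
        elif e["func"] == "client_recv" and "Invalid data from client" in e["msg"] and ctx:
            return ctx
    return None

# Excerpt of the log quoted in the post; the second line is wrapped as in the archive.
SAMPLE_LOG = """\
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162023b40][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI
auth: User[sam.mor...@example.net], Domain[example.net], UPN[sam.mor...@example.net], Target[h...@myself.ipa.example.net]
(2021-04-01 10:55:00): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
(2021-04-01 10:55:00): [pam] [accept_fd_handler] (0x0400): Client [0x55b162039780][19] connected to privileged pipe!
(2021-04-01 10:55:00): [pam] [client_recv] (0x0400): Invalid data from client, closing connection!
"""

if __name__ == "__main__":
    print(find_dropped_gssapi_request(parse_sssd_log(SAMPLE_LOG)))
```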


[SSSD-users] Re: struggling with reuse of pam_sss kerberos ticket

2021-04-01 Thread Calvin Chiang
Thanks Alexey! I didn't realize it could be configured in the config file;
I thought it was just a build option.
I'll give it a try and post back.

KRB5CCNAME doesn't seem to be configured anyway, so I'll assume it'll default
to /tmp/krb5cc_UID

On Wed, 31 Mar 2021 at 10:06, Alexey Tikhonov  wrote:

> On Wed, Mar 31, 2021 at 9:58 AM Alexey Tikhonov 
> wrote:
> >
> > On Wed, Mar 31, 2021 at 9:38 AM Calvin Chiang 
> wrote:
> > >
> > > Ex-windows admin wrapping my head around PAM/SSSD has been quite tough!
> > >
> > > I have successfully managed to to get pam_sss working with
> > >
> > > login for specific application rstudio server (/etc/pam.d/rstudio)
> > > containerized ubuntu
> > > ldap/krb5 auth
> > > against Microsoft Active Directory
> > > without domain join realmd. (so all hand-configured. ouch)
> > >
> > > the problem is with reuse of the ticket. i cant work out how it works..
> > >
> > > I would like to configure pam_mount and ODBC to use the same kerberos
> ticket that was generated by the pam_sss modules
> > >
> > > so
> > >
> > > pam_sss creates a ticket with the following naming which cannot be
> used by the "mount" command:
> > >
> > > /tmp/krb5cc_uid_
> > >
> > > however if i manually use kinit, it creates a ticket with the naming
> below, which can be easily reuse from the "mount" command:
> > >
> > > /tmp/krb5cc_uid
> > >
> > > the naming that pam_sss uses seems to be standard but again i just
> cant work out how that should be "discoverable" by any other services
> looking for a ticket, when it has the wrong naming..
> >
> > Hi,
> >
> > if the only thing you need is to change a template, then please see
> > `man sssd-krb5 : krb5_ccname_template` option.
> >
> > (I'm sorry I'm not fluent in kerberos enough to comment on other parts
> > of your email)
>
> and about discoverability - it exports standard `KRB5CCNAME` env variable
>
> > > some links..:
> > >
> > > this seems to be where the pam_sss naming is defined - by a build flag
> --with-default-ccname-template
> > >
> > > https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337
> > >
> > > i want to integrate it into pam_mount to mount a cifs drive, which (i
> think) is SMB so will be able to use the cifs.upcall library.
> > >
> > > And the way cifs.upcall resolves tickets is somewhere here in
> get_cachename_from_process_env
> > >
> > > https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260
> > >
> > > i also want to get MSSQL ODBC driver to use the ticket as well...
> > >
>