[SSSD-users] Stupid question on ldap_user_email

2019-05-21 Thread John Hearns
I have a test system which authenticates using sssd and an LDAP provider.
So far so good!

In my LDAP object there is the field 'mail' which is my correct email
address.
I know I can get this using an ldapsearch.
However I am asking if there is any clean and small utility which will
print this out?
I am asking as obviously scripts sometimes want to send email.

In sssd.conf there is the field ldap_user_email.
How would this be queried?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: id mapping

2019-01-12 Thread John Hearns
Emmm.. Do you need the AD Administrator password?  Why?

If you need to join a Linux system to the AD domain you can ask the AD
administrator to do this.
Or you can have a service account set up on AD which has the permissions to
join to the domain.

On Fri, 11 Jan 2019 at 16:03,  wrote:

>
>
> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose  wrote:
>
>> On Wed, Jan 09, 2019 at 12:47:34PM -0500, vad...@gmail.com wrote:
>> > Looking for suggestion on ID mapping.
>> >
>> > I need to point to an ID provider over proxy
>> >
>> > I have not found a concrete solution or some hint about how to setup a
>> > proxy to a ID provider and how sssd can point to that proxy for ID
>> mapping.
>>
>> Can you rephrase your question? 'ID provider over proxy' sounds like you
>> want some more details about SSSD's proxy provider as described in the
>> sssd.conf man page. But this is unrelated to what I associate typically
>> with 'ID mapping'. Please give a bit more details about what you are
>> trying to achieve.
>>
>>
> I am looking for an ID mapping solution. I do see following providers.
>
>“proxy”: Support a legacy NSS provider.
>
>“local”: SSSD internal provider for local users (DEPRECATED).
>
>“files”: FILES provider. See sssd-files(5) for more information
> on how to mirror local users and groups into SSSD.
>
>“ldap”: LDAP provider. See sssd-ldap(5) for more information on
> configuring LDAP.
>
>“ipa”: FreeIPA and Red Hat Enterprise Identity Management
> provider. See sssd-ipa(5) for more information on
>configuring FreeIPA.
>
>“ad”: Active Directory provider. See sssd-ad(5) for more
> information on configuring Active Directory.
>
> I am looking for a suggestion.
>ad - won't work as we will not be provided Administrator
> password
>ldap - won't work as IT says not to use LDAP and use kerberos
> instead for all things UNIX auth
>and to use /etc/passwd for id (yikes, we have 100s of
> servers to manage)
>files - I am not sure how to have a central files for all
> accounts
>local - seems deprecated
>proxy - I am not sure how to set that up, but seems like easier
> for a central ID provider?
>
> Please advise
>
>> bye,
>> Sumit
>>
>> >
>> > All my servers are CentOS 7.
>> >
>> >
>> > --
>> > Asif Iqbal
>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> > A: Because it messes up the order in which people normally read text.
>> > Q: Why is top-posting such a bad thing?
>>
>
>


[SSSD-users] Re: realm re-join....

2018-10-09 Thread John Hearns
Spike, the machine will always have an account in the AD realm.
So no, you do not have to leave and re-join. What DOES time out is the password.
sssd should renew the password periodically (*) when it is running. As
you say, you have had > 30 days of downtime.

You can use msktutil to reset a password:
https://fuhm.net/software/msktutil/manpage.html#PASSWORD EXPIRY

(*) you can change this periodicity in sssd - and can turn it down to
a very short time, for debugging.
One of the parameters is also 'how soon after startup should I look at
the age of the password'.

On Mon, 8 Oct 2018 at 15:16, Spike White  wrote:
>
> All,
>
> I had a VM down for a great number of days.  Apparently, it was not 30 days.
> Because even though it initially didn't correctly do AD authentication, I fixed
> one misconfiguration in /etc/krb5.conf, restarted SSSD and it did.
>
> But that raises a bigger question.  If it's been >30 days and my machine 
> account is no longer valid, how do I rejoin the domain?
>
> Is it:
>realm leave (no flags)
>realm join (with all my usual flags that I use on the initial realm join)
>
> Spike


[SSSD-users] Re: problem login in with AD account after joined to the AD domain

2018-08-28 Thread John Hearns
What does 'getent passwd mahdavif' give you?

Also, what are your settings in /etc/nsswitch.conf?

On Mon, 23 Jul 2018 at 17:19, Farshid Mahdavipour wrote:

> thanks Jacob,
> I set the log level to 6 in sssd.conf. here is the result:
>
> [root@azrclchefvm01 ~]# tail /var/log/sssd/*
>
> ==> /var/log/sssd/gpo_child.log <==
>
> (Mon Jul 23 13:50:58 2018) [[sssd[gpo_child[69656 [main] (0x0020):
> gpo_child failed!
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888 [main] (0x0400):
> gpo_child started.
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888 [main] (0x0400):
> context initialized
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888 [unpack_buffer]
> (0x0400): cached_gpt_version: -1
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888 [main] (0x0400):
> performing smb operations
>
> (Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888
> [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://srv_addcp001/SysVol/
> corp.example.com/Policies/{58C277F6-1C0E-4357-BFC7-47D7FC679B19}/GPT.INI
> 
>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888
> [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed
> [13][Permission denied]
>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888
> [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed
> [13][Permission denied]
>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888 [main] (0x0020):
> perform_smb_operations failed.[13][Permission denied].
>
> (Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888 [main] (0x0020):
> gpo_child failed!
>
>
>
> ==> /var/log/sssd/krb5_child.log <==
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887
> [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [main] (0x0400):
> Will perform online auth
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [CORP.example.COM]
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [validate_tgt]
> (0x0400): TGT verified using key for [AZRCLCHEFVM01$@CORP.example.COM].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [sss_send_pac]
> (0x0040): sss_pac_make_request failed [-1][2].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [validate_tgt]
> (0x0040): sss_send_pac failed, group membership for user with principal
> [MAHDAVIF\@corp.example@corp.example.com] might not be correct.
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [switch_creds]
> (0x0200): Switch user to [39599][59900].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [switch_creds]
> (0x0200): Already user [39599].
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [k5c_send_data]
> (0x0200): Received error code 0
>
> (Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887 [main] (0x0400):
> krb5_child completed successfully
>
>
>
> ==> /var/log/sssd/ldap_child.log <==
>
> (Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845 [prepare_response]
> (0x0400): Building response for result [0]
>
> (Mon Jul 23 14:24:48 2018) [[sssd[ldap_child[70845 [main] (0x0400):
> ldap_child completed successfully
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886 [main] (0x0400):
> ldap_child started.
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886 [unpack_buffer]
> (0x0200): Will run as [0][0].
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886 [become_user]
> (0x0200): Trying to become user [0][0].
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886 [become_user]
> (0x0200): Already user [0].
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886
> [ldap_child_get_tgt_sync] (0x0100): Principal name is: [AZRCLCHEFVM01$@
> CORP.example.COM]
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886
> [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886 [prepare_response]
> (0x0400): Building response for result [0]
>
> (Mon Jul 23 14:25:35 2018) [[sssd[ldap_child[70886 [main] (0x0400):
> ldap_child completed successfully
>
>
>
> ==> /var/log/sssd/sssd_corp.example.com.log <==
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): user: mahda...@corp.example.com
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): service: sshd
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): tty: ssh
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): ruser:
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): rhost: 172.17.253.11
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_data]
> (0x0100): authtok type: 0
>
> (Mon Jul 23 14:25:37 2018) [sssd[be[corp.example.com]]] [pam_print_da

[SSSD-users] Re: sss_override and ssh keys

2018-07-23 Thread John Hearns
Jakub,
again, thank you for your reply. I am still debugging this one. I think I
have narrowed it down to a PAM configuration, after I ran sssd with a high
debug level.
For anyone following this thread:

/usr/sbin/sshd -ddd

The failure I get is:  PAM: do_pam_account pam_acct_mgmt = 4 (System error)

I think (not sure yet) that the problem is in pam.d/common-account where a
local user is looked for:
account sufficient  pam_localuser.so

I have been getting different behaviour this morning - I suspect because of
sssd caching. I am running now with
memcache_timeout = 0

On 19 July 2018 at 11:18, Jakub Hrozek  wrote:

>
>
> > On 11 Jul 2018, at 15:28, John Hearns  wrote:
> >
> > I have set up an sss_override for my user account
> >
> > johe:*:1234:1234:John Hearns,,,:/home/johe:/bin/bash
> >
> > I also have an entry in the local /etc/passwd file.
> > When I ssh to a server running sssd my ssh key is accepted.
> >
> > When I have no local /etc/passwd
> > When I ssh to a server running sssd my ssh key is not used and I am
> prompted for a password
>
> Is that a local SSH key stored in the user’s home or in LDAP? If a local
> one, then I think the only important thing is to tell SSH where to look at,
> so the homedir must be correct and of course the user must have the correct
> UID and GID to be allowed to enter that homedir.
>
> >
> > Can anyone explain please?
> >
> > The answer will be along the lines of at what stage in the ssh login the
> override is being 'honoured'
> > However this is a bit of a major problem. I guess also I will be told
> that I have done something wrong.


[SSSD-users] Re: SSSD on CentOS 7 failing to start when connecting to Samba 4.8.3 AD via LDAP

2018-07-23 Thread John Hearns
Mark, for information, you can increase the number of retries with

reconnection_retries = N

However that does not help you with your problem!

On 23 July 2018 at 04:05, Mark Johnson  wrote:

> I've been going around in circles with this for days and I'm stuck.  I'm
> trying to run up a new AD environment with only Samba 4.8.3 servers that
> we'll authenticate user server access against via SSSD/LDAP using a simple
> bind.  All of our servers are either CentOS 6 or 7.
>
> I've created a test environment with a single Samba AD 4.8.3 server as the
> AD server, a Windows 7 client to run RSAT and a CentOS 6 and CentOS 7
> server to test user authentication.  The Samba server is up and running and
> I can manage the directory via RSAT.  I've set up the CentOS 6 server and
> can successfully authenticate user logins on this via using SSSD/LDAP to
> the AD.  However, the issue I have is with the CentOS 7 server.  I've
> basically copied the SSSD config from the CentOS 6 server so everything is
> the same.  However, when I start SSSD on the CentOS 7 server, it binds
> successfully and does an initial searchRequest which it gets a result from
> but after doing the subsequent searchRequests on Configuration,
> ForestDnsZones and DomainDnsZones I just see a RST from the server and the
> whole process starts over again.  Over the third failure, SSSD fails to
> start and stops trying.
>
> Comparing packet captures on the AD server when starting SSSD on both
> servers, the initial ROOT search request and response are identical as is
> the bind request and response.  However, the first wholeSubtree search
> request is where things start looking different.  On the CentOS 6 server,
> it shows a filter in the request of:
> Filter: (&(&(cn=smtp)(ipServiceProtocol=dccp))(objectclass=ipService))
> and there are 4 attributes in the request - objectClass, cn,
> ipServicePort, ipServiceProtocol
>
> Whereas on the CentOS 7 server, the filter looks like this:
> Filter: (&(objectClass=sudoRole)(|(|(|(|(|(|(|(|(|(!(sudoHost=*))(su
> doHost=ALL))(sudoHost=ldaptest7.company.com))(sudoHost=ldapt
> est7))(sudoHost=192.168.193.62))(sudoHost=192.168.192.0/
> 23))(sudoHost=fe80::5054:ff:fef2:26ed))(sudoHost=fe80::/6
> with 13 attributes - objectClass, cn, and a bunch of sudo attributes.
>
> The response from the Samba server to each of these is nearly identical.
> Both servers then send searchRequests for Configuration, ForestDnsZones and
> DomainDnsZones but with the same filter differences above.  This is the
> point of failure for the CentOS 7 server.  The other server gets a
> successful response from the Samba server, but the CentOS 7 server just
> gets an ACK.  When I up the debug level on SSSD on the CentOS 7 server, I
> see a few different errors but I'm not sure which of these show cause or
> effect.  Examples...
>
> (Thu Jul 19 23:40:34 2018) [sssd[be[AD.COMPANY.COM]]]
> [common_parse_search_base] (0x0100): Search base added:
> [SUDO][dc=ad,dc=company,dc=com][SUBTREE][]
> (Thu Jul 19 23:40:34 2018) [sssd[be[AD.COMPANY.COM]]]
> [common_parse_search_base] (0x0100): Search base added:
> [AUTOFS][dc=ad,dc=company,dc=com][SUBTREE][]
> (Thu Jul 19 23:40:34 2018) [sssd[be[AD.COMPANY.COM]]]
> [dp_client_register] (0x0100): Cancel DP ID timeout [0x55941e9a6860]
> (Thu Jul 19 23:40:34 2018) [sssd[be[AD.COMPANY.COM]]] [dp_find_method]
> (0x0100): Target [subdomains] is not initialized
> (Thu Jul 19 23:40:34 2018) [sssd[be[AD.COMPANY.COM]]]
> [dp_req_reply_gen_error] (0x0080): DP Request [Subdomains #0]: Finished.
> Target is not supported with this configuration.
>
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]]
> [set_server_common_status] (0x0100): Marking server '192.168.192.50' as
> 'resolving name'
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]]
> [set_server_common_status] (0x0100): Marking server '192.168.192.50' as
> 'name resolved'
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]]
> [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
> level to [4]
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]]
> [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]] [simple_bind_send]
> (0x0100): Executing simple bind as: s...@ad.company.com
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]]
> [fo_set_port_status] (0x0100): Marking port 389 of server '192.168.192.50'
> as 'working'
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]]
> [set_server_common_status] (0x0100): Marking server '192.168.192.50' as
> 'working'
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]] [be_run_online_cb]
> (0x0080): Going online. Running callbacks.
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]] [be_ptask_enable]
> (0x0080): Task [SUDO Smart Refresh]: already enabled
> (Thu Jul 19 23:40:44 2018) [sssd[be[AD.COMPANY.COM]]
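The SSSD log excerpts in this thread and in the earlier "problem login in with AD account" thread share one line format: a timestamp, a process tag, the function name, the debug-level bit in hex, and the message, with long lines wrapped by the mail client. As an added example that is not part of either post, here is a small Python parser over constructed sample lines modelled on those excerpts; it re-joins wrapped lines, labels each entry with its level name (taken from the sssd.conf(5) debug_level table), lists only the failure-level entries per log file, and works out the lowest numeric debug_level that could have produced the excerpt:

```python
"""Parse SSSD debug log excerpts and pull out the failure-level entries.

Constructed example: the log lines in SAMPLE_LOG are modelled on the
excerpts quoted in this thread; they are not copied from any real system.
"""
import re
from typing import Dict, List, Optional

# Debug-level bits as listed in sssd.conf(5). The position in this list is
# the smallest numeric debug_level (0-10) that switches the bit on.
LEVEL_BITS = [
    (0x0010, "fatal"),
    (0x0020, "critical"),
    (0x0040, "serious"),
    (0x0080, "minor"),
    (0x0100, "config/function data"),
    (0x0200, "function data"),
    (0x0400, "operation trace"),
    (0x1000, "internal control trace"),
    (0x2000, "internal variables"),
    (0x4000, "low-level trace"),
    (0x10000, "ldb trace"),
]
LEVEL_NAMES: Dict[int, str] = dict(LEVEL_BITS)
FAILURE_MASK = 0x00F0  # fatal | critical | serious | minor

# "(timestamp) [process tag] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) (?P<proc>\[\S+) \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)
# Header that `tail /var/log/sssd/*` prints before each file's lines.
TAIL_HEADER_RE = re.compile(r"^==> (?P<path>\S+) <==$")

SAMPLE_LOG = """\
==> /var/log/sssd/gpo_child.log <==
(Mon Jul 23 14:25:36 2018) [[sssd[gpo_child[70888]]]] [main] (0x0400): gpo_child started.
(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed
[13][Permission denied]
(Mon Jul 23 14:25:37 2018) [[sssd[gpo_child[70888]]]] [main] (0x0020): gpo_child failed!

==> /var/log/sssd/krb5_child.log <==
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Jul 23 14:25:36 2018) [[sssd[krb5_child[70887]]]] [main] (0x0400): krb5_child completed successfully

==> /var/log/sssd/sssd_example.log <==
(Thu Jul 19 23:40:44 2018) [sssd[be[AD.EXAMPLE.COM]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Thu Jul 19 23:40:44 2018) [sssd[be[AD.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
"""


def parse_sssd_log(text: str) -> List[dict]:
    """Return one dict per log entry; wrapped continuation lines are re-joined."""
    entries: List[dict] = []
    current_file: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = TAIL_HEADER_RE.match(line)
        if header:
            current_file = header.group("path")
            continue
        match = LINE_RE.match(line)
        if match:
            level = int(match.group("level"), 16)
            entries.append({
                "file": current_file,
                "timestamp": match.group("ts"),
                "process": match.group("proc"),
                "function": match.group("func"),
                "level": level,
                "level_name": LEVEL_NAMES.get(level, "unknown"),
                "message": match.group("msg").strip(),
            })
        elif entries:
            # Mail clients wrap long lines; glue the remainder onto the
            # previous entry instead of dropping it.
            entries[-1]["message"] = f'{entries[-1]["message"]} {line}'.strip()
    return entries


def failures(entries: List[dict]) -> List[dict]:
    """Entries whose level bit is fatal, critical, serious or minor."""
    return [e for e in entries if e["level"] & FAILURE_MASK]


def failures_by_file(entries: List[dict]) -> Dict[Optional[str], List[str]]:
    """Group failure messages by the log file they came from."""
    grouped: Dict[Optional[str], List[str]] = {}
    for e in failures(entries):
        grouped.setdefault(e["file"], []).append(f'{e["function"]}: {e["message"]}')
    return grouped


def min_debug_level(level_bit: int) -> int:
    """Smallest numeric debug_level that makes this bit visible."""
    for idx, (bit, _name) in enumerate(LEVEL_BITS):
        if bit == level_bit:
            return idx
    raise ValueError(f"unknown SSSD debug bit {level_bit:#06x}")


def observed_debug_level(entries: List[dict]) -> int:
    """Lowest debug_level that could have produced every entry seen."""
    return max(min_debug_level(e["level"]) for e in entries if e["level"] in LEVEL_NAMES)


if __name__ == "__main__":
    parsed = parse_sssd_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries, written at debug_level >= {observed_debug_level(parsed)}")
    for path, msgs in failures_by_file(parsed).items():
        print(path)
        for m in msgs:
            print("  ", m)
```

Feed it the output of `tail /var/log/sssd/*` (or a pasted excerpt) on stdin-free basis by replacing SAMPLE_LOG; the failure list is the part worth reading first, since trace-level noise at debug_level 6 and above swamps the real errors.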

[SSSD-users] Re: sss_override and ssh keys

2018-07-23 Thread John Hearns
Just an update. The fix for me is setting this in the pam stanza:

pam_response_filter = ENV:KRB5CCNAME

On 19 July 2018 at 12:56, John Hearns  wrote:

> Jakub,
> again, thank you for your reply. I am still debugging this one. I think I
> have narrowed it down to a PAM configuration, after I ran sssd with a high
> debug level.
> For anyone following this thread:
>
> /usr/sbin/sshd -ddd
>
> The failure I get is:  PAM: do_pam_account pam_acct_mgmt = 4 (System error)
>
> I think (not sure yet) that the problem is in pam.d/common-account where a
> local user is looked for:
> account sufficient  pam_localuser.so
>
> I have been getting different behaviour this morning - I suspect because
> of sssd caching. I am running now with
> memcache_timeout = 0
>
> On 19 July 2018 at 11:18, Jakub Hrozek  wrote:
>
>>
>>
>> > On 11 Jul 2018, at 15:28, John Hearns  wrote:
>> >
>> > I have set up an sss_override for my user account
>> >
>> > johe:*:1234:1234:John Hearns,,,:/home/johe:/bin/bash
>> >
>> > I also have an entry in the local /etc/passwd file.
>> > When I ssh to a server running sssd my ssh key is accepted.
>> >
>> > When I have no local /etc/passwd
>> > When I ssh to a server running sssd my ssh key is not used and I am
>> prompted for a password
>>
>> Is that a local SSH key stored in the user’s home or in LDAP? If a local
>> one, then I think the only important thing is to tell SSH where to look at,
>> so the homedir must be correct and of course the user must have the correct
>> UID and GID to be allowed to enter that homedir.
>>
>> >
>> > Can anyone explain please?
>> >
>> > The answer will be along the lines of at what stage in the ssh login
>> the override is being 'honoured'
>> > However this is a bit of a major problem. I guess also I will be told
>> that I have done something wrong.
>>
>
>


[SSSD-users] Re: Problem with kinit

2018-07-23 Thread John Hearns
Jakub, thank you for your reply.

> If your configuration is using id_provider=ad I would have expected sssd
> to prefer the netbiosname$ principal,

Indeed. My reading of kinit is that it should take the first principal in
the list returned by klist. In my case this should be ibis$:


# klist -k
  11 ibis$@NZWW.NZCORP.NET
  11 ibis$@NZWW.NZCORP.NET
  11 IBIS$@NZWW.NZCORP.NET
  11 IBIS$@NZWW.NZCORP.NET
  11 ibis$@NZWW.NZCORP.NET
  11 host/i...@nzww.nzcorp.net
  11 host/i...@nzww.nzcorp.net
  11 IBIS$@NZWW.NZCORP.NET
  11 host/i...@nzww.nzcorp.net

On 19 July 2018 at 11:09, Jakub Hrozek  wrote:

>
>
> > On 16 Jul 2018, at 11:48, John Hearns  wrote:
> >
> > I have had my head inside the ldap_child.c source code all morning.
> > I am getting these errors logged:
> >
> > [ldap_child_get_tgt_sync] (0x0100): Using keytab
> [MEMORY:/etc/krb5.keytab]
> > [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client
> 'host/
> > i...@nzww.nzcorp.net' not found in Kerberos database
>
> This is expected, in AD the host/fqdn principal cannot be used to get a
> TGT. As you can see below, you are using the netbiosname$@realm principal
> to kinit which works fine.
>
> If your configuration is using id_provider=ad I would have expected sssd
> to prefer the netbiosname$ principal, but if the selection fails or you are
> using the ldap provider, you can help sssd with the ldap_sasl_authid
> parameter.
>
> >
> > However the daily msktutil cron job I have running completes OK, and
> msktutil --auto-update tells me the machine password was renewed two days
> ago.
> >
> > Here is what happens when I run kinit from the command line.
> > My workstation is called ibis.  Please someone hit me with a clue stick.
> >
> > # kinit -k
> > kinit: Client 'host/i...@nzww.nzcorp.net' not found in Kerberos
> database while getting initial credentials
> >
> > # kinit -V -k ibis$
> > Using default cache: /tmp/krb5cc_0
> > Using principal: ibis$@NZWW.NZCORP.NET
> > Authenticated to Kerberos v5
> >
> > # kinit -V -k IBIS\$@NZWW.NZCORP.NET
> > Using default cache: /tmp/krb5cc_0
> > Using principal: IBIS$@NZWW.NZCORP.NET
> > Authenticated to Kerberos v5
> >
> >


[SSSD-users] sss_override and ssh keys

2018-07-19 Thread John Hearns
I have set up an sss_override for my user account

johe:*:1234:1234:John Hearns,,,:/home/johe:/bin/bash

I also have an entry in the local /etc/passwd file.
When I ssh to a server running sssd my ssh key is accepted.

When I have no local /etc/passwd
When I ssh to a server running sssd my ssh key is not used and I am
prompted for a password

Can anyone explain please?

The answer will be along the lines of at what stage in the ssh login the
override is being 'honoured'
However this is a bit of a major problem. I guess also I will be told that
I have done something wrong.


[SSSD-users] Problem with kinit

2018-07-19 Thread John Hearns
I have had my head inside the ldap_child.c source code all morning.
I am getting these errors logged:

[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client
'host/
i...@nzww.nzcorp.net' not found in Kerberos database

However the daily msktutil cron job I have running completes OK, and
msktutil --auto-update tells me the machine password was renewed two days
ago.

Here is what happens when I run kinit from the command line.
My workstation is called ibis.  Please someone hit me with a clue stick.

# kinit -k
kinit: Client 'host/i...@nzww.nzcorp.net' not found in Kerberos database
while getting initial credentials

# kinit -V -k ibis$
Using default cache: /tmp/krb5cc_0
Using principal: ibis$@NZWW.NZCORP.NET
Authenticated to Kerberos v5

# kinit -V -k IBIS\$@NZWW.NZCORP.NET
Using default cache: /tmp/krb5cc_0
Using principal: IBIS$@NZWW.NZCORP.NET
Authenticated to Kerberos v5


[SSSD-users] Re: problems with sssd-1.9

2018-07-19 Thread JOHE (John Hearns)
[domain\xxx.pvt]

Is the backslash valid here? I am sure an expert will say yes..

You are well aware that RHEL 5 is out of support lifetime?

I would imagine that you have some critical applications which run on these
machines though.

From: Laack, Andrea P 
Sent: 18 July 2018 21:13:47
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] problems with sssd-1.9


I have been tasked with joining a number of redhat/centos 5 servers to a 
domain.  I found sssd-1.9 that would allow id_provider ad.  This is Centos 5.11.

Here is what I got:

[root@testcentos5 db]# /usr/sbin/sssd -i -d9

(Wed Jul 18 13:18:49:136142 2018) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Wed Jul 18 13:18:49:137532 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed Jul 18 13:18:49:137857 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:137962 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138029 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138161 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138226 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138343 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138404 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138502 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138660 2018) [sssd] [confdb_create_ldif] (0x0400): Processing config section [sssd]
(Wed Jul 18 13:18:49:138784 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [config_file_version]
(Wed Jul 18 13:18:49:138870 2018) [sssd] [confdb_create_ldif] (0x4000): config_file_version: 2
(Wed Jul 18 13:18:49:138945 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [domains]
(Wed Jul 18 13:18:49:139034 2018) [sssd] [confdb_create_ldif] (0x4000): domains: xxx.pvt
(Wed Jul 18 13:18:49:139130 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [services]
(Wed Jul 18 13:18:49:139214 2018) [sssd] [confdb_create_ldif] (0x4000): services: nss, pam
(Wed Jul 18 13:18:49:139295 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [debug_level]
(Wed Jul 18 13:18:49:139374 2018) [sssd] [confdb_create_ldif] (0x4000): debug_level: 9
(Wed Jul 18 13:18:49:139539 2018) [sssd] [confdb_create_ldif] (0x4000): Section dn
dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
domains: xxx.pvt
services: nss, pam
debug_level: 9

(Wed Jul 18 13:18:49:139873 2018) [sssd] [confdb_create_ldif] (0x0400): Processing config section [nss]
(Wed Jul 18 13:18:49:139972 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [debug_level]
(Wed Jul 18 13:18:49:140046 2018) [sssd] [confdb_create_ldif] (0x4000): debug_level: 9
(Wed Jul 18 13:18:49:140113 2018) [sssd] [confdb_create_ldif] (0x4000): Section dn
dn: cn=nss,cn=config
cn: nss
debug_level: 9

(Wed Jul 18 13:18:49:140193 2018) [sssd] [confdb_create_ldif] (0x0400): Processing config section [domain\xxx.pvt]
(Wed Jul 18 13:18:49:140280 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [fallback_homedir]
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x4000): fallback_homedir: /home/%u
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [default_shell]
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x4000): default_shell: /bin/bash
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [ad_domain]
(Wed Jul 18 13:18:49:140377 2018) [sssd] [confdb_create_ldif] (0x4000): ad_domain: xxx.pvt
(Wed Jul 18 13:18:49:140453 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [krb5_realm]
(Wed Jul 18 13:18:49:140536 2018) [sssd] [confdb_create_ldif] (0x4000): krb5_realm: xxx.PVT
(Wed Jul 18 13:18:49:140613 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [krb5_server]
(Wed Jul 18 13:18:49:140690 2018) [sssd] [confdb_create_ldif] (0x4000): krb5_server: c02.xxx.pvt
(Wed Jul 18 13:18:49:140765 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [auth_provider]
(Wed Jul 18 13:18:49:140842 2018) [sssd] [confdb_create_ldif] (0x4000): auth_provider: krb5
(Wed Jul 18 13:18:49:141316 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [cache_credentials]
(Wed Jul 18 13:18:49:141640 2018) [sssd] [confdb_create_ldif] (0x4000): cache_credentials: True
(Wed Jul 18 13:18:49:141839 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [id_provider]
(Wed Jul 18 13:18:49:141945 2018) [sssd] [confdb_create_ldif] (0x4000): id_provider: ad
(Wed Jul 18 13:18:49:142023 2018) [sssd] [confdb_create_ldif] (0x0400): P

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread John Hearns
Talking about renewing keys.
In our setup we use a service account which has the rights to join machines
to the domain; the Linux workstations are in a special OU.
I run a cron job which calls msktutil --auto-update every day to renew the
machine password if over 30 days.
As discussed in another thread I am not sure if our setup is using adcli
automatically from sssd to renew the machine password.

Yesterday the msktutil failed on one machine, as it looked like the
Kerberos ticket for that service account expired.
I did a kinit as that user and everything worked with the msktutil.
Password was over 30 days old and it got renewed.

However I am a bit troubled here - surely I do not have to renew the
service account ticket every N days also. What a ruddy big faff...



On 9 July 2018 at 16:23, John Hodrien  wrote:

> On Mon, 9 Jul 2018, Ondrej Valousek wrote:
>
> Thanks,
>> "net ads keytab create" does work, but it populates my keytab with all
>> accounts (user and computer) that can be found in AD - i.e. pretty
>> dangerous.  I would like to add it some parameter to only will with
>> entries
>> relevant for my computer - i.e. something like:
>>
>> Net ads keytab create --only-obj 
>>
>> Which would add UPN and SPN (both can be easily grabbed from AD) related
>> to my hostname.
>>
>
> It does *what*?!!!
>
> jh
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.or
> g/archives/list/sssd-users@lists.fedorahosted.org/message/UB
> GWXKSGSXVD5FYUK7YYHD6BLETMEXVO/
>


[SSSD-users] Re: sssd id getent and secondary groups in active directory

2018-07-09 Thread John Hearns
One stupid question - is there an easy(ish) way to tell how deep a group
hierarchy exists on a particular site?

On 9 July 2018 at 13:36, Jakub Hrozek  wrote:

> On Fri, Jul 06, 2018 at 01:41:38PM +, Ratliff, John wrote:
> >
> >
> > On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote:
> > > On Thu, Jul 05, 2018 at 08:09:55PM +, Ratliff, John wrote:
> > > >
> > >
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_print_server]
> > > (0x2000): Searching 134.68.239.131:389
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [no filter][CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid =
> > > 15
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_op_add]
> > > (0x2000): New operation 15 timeout 6
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: sh[0x564b5d62f090],
> > > connected[1], ops[(nil)], ldap[0x564b5d62d1e0]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: end of ldap_result list
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00],
> > > connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_message] (0x4000): Message type:
> > > [LDAP_RES_SEARCH_ENTRY]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry]
> > > (0x1000): OriginalDN: [CN=jdratlif,OU=Accounts,DC=ads,DC=iu,DC=edu].
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_parse_entry]
> > > (0x1000): Entry has no attributes [0(Success)]!?
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_result] (0x2000): Trace: sh[0x564b5d61dd00],
> > > connected[1], ops[0x564b5d63a360], ldap[0x564b5d5a0c60]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_process_message] (0x4000): Message type:
> > > [LDAP_RES_SEARCH_RESULT]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0),
> > > no errmsg set
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_op_destructor] (0x2000): Operation 15 finished
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]]
> > > [sdap_get_ad_tokengroups_done] (0x1000): No tokenGroups entries for [
> > > jdrat...@ads.iu.edu]
> > > (Thu Jul  5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [ldb] (0x4000):
> > > start ldb transaction (nesting: 0)
> > >
> > > this makes SSSD assume that the user is not a member of any group.
> > >
> > > Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for
> > > details) and check if the group memberships are reported more
> > > reliably.
> > >
> > > Afaik the issue with the tokenGroups might indicate that the used AD
> > > DC
> > > has issues reaching a Global Catalog server.
> >
> > Thank you for the information. I don't know what to do about it at the
> > moment. Adding that parameter makes id freeze when I run it. It seems
> > to be unable to handle it when this parameter exists.
>
> If the group membership is very deep and complex, running id might take
> a very long time because without using tokenGroups, the group hierarchy
> must be traversed from the user "up".
>
> Looking at the debug logs might give a clue about what the sssd is
> doing.
>
> >
> > I'm unclear what you mean by AD DC has issues reaching the global
> > catalog server. Do you mean my sever is having trouble, or the DC
> > itself?
> >
> > One more thing I found interesting. I made another RHEL7 box and used
> > winbind instead of sssd and group membership works fine there.
> >
> > I made another virtual machine and tried realmd/sssd again. I took it
> > off the virtual machine NAT and gave it a public IP and disabled the
> > firewall to make sure that wasn't causing any issues, but there was no
> > change.
> >
> > This still feel like an sssd configuration problem to me, though I'm
> > not sure what to do about it at the moment.
> >
> > Thanks for your assistance.
> >
> > --
> > John Ratliff
> > Research Storage / UITS / Pervasive Technology Institute
> > Indiana University | https://pti.iu.edu
>
>
>
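The question above asks how deep a group hierarchy goes on a given site, and Jakub's reply explains that without tokenGroups the hierarchy is traversed from the user upward. The following is an added example (my own code, not from the thread) that walks constructed memberOf data upward from a user's direct groups, reports the nesting depth, and shows how many groups a given ldap_group_nesting_level would reach; the sample data, and my reading of the nesting level as "levels above the direct groups", are assumptions to check against man sssd-ldap.

```python
"""Measure how deep a user's nested group hierarchy goes.

Added example, not code from the thread.  The memberOf data below is
constructed; on a real directory it would come from an ldapsearch of each
group's memberOf attribute.  ldap_group_nesting_level = 0 is treated as
"direct groups only" and level n as "n levels above them" (my reading of
man sssd-ldap, check your version).
"""
from collections import deque
from typing import Dict, Iterable, List

# Constructed sample: group -> groups it is a direct member of (memberOf).
# team-a -> dept-eng -> all-staff is three levels; loop-x/loop-y form a cycle.
MEMBER_OF: Dict[str, List[str]] = {
    "team-a": ["dept-eng"],
    "dept-eng": ["all-staff"],
    "all-staff": [],
    "vpn-users": [],
    "loop-x": ["loop-y"],
    "loop-y": ["loop-x"],
}

# The user's direct memberships (what memberOf on the user object would list).
USER_DIRECT_GROUPS = ["team-a", "vpn-users", "loop-x"]


def walk_groups(direct: Iterable[str],
                member_of: Dict[str, List[str]]) -> Dict[str, int]:
    """Breadth-first walk upward from the direct groups.

    Returns every reachable group with its depth (direct groups are depth 1).
    A group is recorded once, at its shortest depth, so cycles terminate.
    """
    depth = {g: 1 for g in direct}
    queue = deque(direct)
    while queue:
        g = queue.popleft()
        for parent in member_of.get(g, []):
            if parent not in depth:
                depth[parent] = depth[g] + 1
                queue.append(parent)
    return depth


def max_nesting(depth: Dict[str, int]) -> int:
    """Levels above the direct groups, i.e. the nesting level needed to see them all."""
    return max(depth.values(), default=1) - 1


def groups_within(depth: Dict[str, int], nesting_level: int) -> List[str]:
    """Groups resolved when at most nesting_level levels above the direct groups are followed."""
    return sorted(g for g, d in depth.items() if d <= nesting_level + 1)


if __name__ == "__main__":
    d = walk_groups(USER_DIRECT_GROUPS, MEMBER_OF)
    print("nesting levels needed:", max_nesting(d))
    for lvl in range(max_nesting(d) + 1):
        print(f"ldap_group_nesting_level = {lvl}: {len(groups_within(d, lvl))} groups")
```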

[SSSD-users] Re: Behaviour of refresh_expired_interval

2018-07-06 Thread John Hearns
Thank you Sumit.
I will test with and without tokengroups.

However, please bear with me.  Could you make it more clear what is
happening here

a) an initial run of 'groups abc' takes some time to complete.
OK, that is fine - we know information must be fetched from Active
Directory

b) the next time 'groups abc' is run it returns in less than 1 second.
OK - I think this must be using cached information

c) after a certain amount of time 'groups abc'  again takes a long time to
return

The documentation says that after  refresh_expired_interval a BACKGROUND
refresh is run.
Surely then you always have an up to date set of cached information?

I think what you are saying is that the group memberships are NOT refreshed
in the background.

If so, would it be useful to set entry_cache_timeout to a very high
level?

To explain, we work in a windowing environment (LightDM). When a window is
opened this can take a long time,
as 'groups abc' is run as part of the login. We don't want a user to have
random times when opening a window will seem to freeze or take a long time.


On 4 July 2018 at 16:00, Sumit Bose  wrote:

> On Wed, Jul 04, 2018 at 11:30:21AM +0200, John Hearns wrote:
> > One thing I do note. I have reduced refresh_expired_interval to 40
> seconds,
> > which is clearly a ridiculously low time.
> > However when I look at the cached information I always see Initgroups
> > expiration time:Expired
> >
> > I am not sure what this means.
> >
> > root@ibis:~# sssctl user-show abc
> > Name: abc
> > Cache entry creation date: 06/27/18 17:09:58
> > Cache entry last update time: 07/04/18 11:28:16
> > Cache entry expiration time: 07/04/18 11:29:16
> > Initgroups expiration time: Expired
> > Cached in InfoPipe: No
> >
>
> Yes, this is expected because the group memberships are not updated here
> because it would be too expensive. But if you use the AD provider with
> tokenGroups enabled (the default) it should help nonetheless because all
> groups in the cache should be valid and after the single tokenGroups
> LDAP request the user "just" has to be added to all the groups it is a
> member of.
>
> Please let me know if it still needs 20s or more to update the group
> memberships with tokenGroups enabled if all groups are still valid.
>
> bye,
> Sumit
>
> >
> >
> >
> > On 4 July 2018 at 11:01, John Hearns  wrote:
> >
> > > Thank you Sumit. I think you might be trying to tell me something with
> the
> > > debug_level=6   :-)
> > >
> > > On 4 July 2018 at 09:04, Sumit Bose  wrote:
> > >
> > >> On Tue, Jul 03, 2018 at 02:12:22PM +0200, John Hearns wrote:
> > >> > I have an AD setup where users can be a member of perhaps 130
> groups.
> > >> > When I run 'groups jbloggs' this can take 90 seconds or even longer.
> > >> > I have reduced that time to perhaps 20 seconds by setting
> > >> > ignore_group_members = TRUE
> > >> >
> > >> > Once the information is cached the groups command returns in less
> than
> > >> one
> > >> > second.
> > >> > However, after a length of time the cache seems to be invalidated
> and
> > >> the
> > >> > information is fetched again from the server, taking 20 seconds
> again.
> > >> > The caching parameters are set to:
> > >> >
> > >> > entry_cache_timeout = 5400
> > >> > entry_cache_user_timeout = 5400
> > >> > entry_cache_group_timeout = 5400
> > >> > refresh_expired_interval = 4000
> > >> >
> > >> > Surely this means that after 4000 seconds the user and group
> > >> information is
> > >> > refreshed in the background.
> > >> > So a user running the groups command would always see freshly cached
> > >> values?
> > >>
> > >> With 'debug_level=6' or higher in the [domain/...] section of
> sssd.conf
> > >> you
> > >> should be able to see messages like 'Refreshing  in domain
> > >> ' in domain log file when is refresh task is running.
> > >>
> > >> bye,
> > >> Sumit
> > >>
> > >> >
> > >> > Clearly I am not understanding something here.
> > >>

[SSSD-users] Re: Behaviour of refresh_expired_interval

2018-07-06 Thread John Hearns
Testing with tokengroups enabled and disabled a 'groups userabc'
For reference in my sssd.conf
ignore_group_members = TRUE


Using
ldap_group_nesting_level = 0
ldap_use_tokengroups = TRUE
Time taken is 56.5 seconds
The user abc is member of 227 groups

ldap_group_nesting_level = 0
ldap_use_tokengroups = FALSE
Time taken is 20.4 seconds
The user abc is a member of 104 groups


Setting the nesting_level

ldap_group_nesting_level = 5
ldap_use_tokengroups = TRUE
Time taken is  330 seconds!!!
The user abc is member of 227 groups

ldap_group_nesting_level = 5
ldap_use_tokengroups = FALSE
Time taken is   314 seconds
The user abc is member of  groups


My reading of the documentation says ldap_use_tokengroups must be false if
the ldap_group_nesting_level is set


Clearly when I get the groups returned in 20 seconds I am not getting a
complete list.
As Penelope Pitstop says:  Hayyullpp!


On 5 July 2018 at 10:37, John Hearns  wrote:

> Thank you Sumit.
> I will test with and without tokengroups.
>
> However, please bear with me.  Could you make it more clear what is
> happening here
>
> a) an initial run of 'groups abc' takes some time to complete.
> OK, that is fine - we know information must be fetched from Active
> Directory
>
> b) the next time 'groups abc' is run it returns in less than 1 second.
> OK - I think this must be using cached information
>
> c) after a certain amount of time 'groups abc'  again takes a long time to
> return
>
> The documentation says that after  refresh_expired_interval a BACKGROUND
> refresh is run.
> Surely then you always have an up to date set of cached information?
>
> I think what you are saying is that the group memberships are NOT refreshed
> in the background.
>
> If so, would it be useful to set entry_cache_timeout to a very high
> level?
>
> To explain, we work in a windowing environment (LightDM). When a window is
> opened this can take a long time,
> as 'groups abc' is run as part of the login. We don't want a user to have
> random times when opening a window will seem to freeze or take a long time.
>
>
> On 4 July 2018 at 16:00, Sumit Bose  wrote:
>
>> On Wed, Jul 04, 2018 at 11:30:21AM +0200, John Hearns wrote:
>> > One thing I do note. I have reduced refresh_expired_interval to 40
>> seconds,
>> > which is clearly a ridiculously low time.
>> > However when I look at the cached information I always see Initgroups
>> > expiration time:Expired
>> >
>> > I am not sure what this means.
>> >
>> > root@ibis:~# sssctl user-show abc
>> > Name: abc
>> > Cache entry creation date: 06/27/18 17:09:58
>> > Cache entry last update time: 07/04/18 11:28:16
>> > Cache entry expiration time: 07/04/18 11:29:16
>> > Initgroups expiration time: Expired
>> > Cached in InfoPipe: No
>> >
>>
>> Yes, this is expected because the group memberships are not updated here
>> because it would be too expensive. But if you use the AD provider with
>> tokenGroups enabled (the default) it should help nonetheless because all
>> groups in the cache should be valid and after the single tokenGroups
>> LDAP request the user "just" has to be added to all the groups it is a
>> member of.
>>
>> Please let me know if it still needs 20s or more to update the group
>> memberships with tokenGroups enabled if all groups are still valid.
>>
>> bye,
>> Sumit
>>
>> >
>> >
>> >
>> > On 4 July 2018 at 11:01, John Hearns  wrote:
>> >
>> > > Thank you Sumit. I think you might be trying to tell me something with
>> the
>> > > debug_level=6   :-)
>> > >
>> > > On 4 July 2018 at 09:04, Sumit Bose  wrote:
>> > >
>> > >> On Tue, Jul 03, 2018 at 02:12:22PM +0200, John Hearns wrote:
>> > >> > I have an AD setup where users can be a member of perhaps 130
>> groups.
>> > >> > When I run 'groups jbloggs' this can take 90 seconds or even
>> longer.
>> > >> > I have reduced that time to perhaps 20 seconds by setting
>> > >> > ignore_group_members = TRUE
>> > >> >
>> > >> > Once the information is cached the groups command returns in less
>> than
>> > >> one
>> > >> > second.
>> > >> > However, after a length of time the cache seems to be invalidated
>> and
>> > >> the
>> > >> > informat

[SSSD-users] Re: sss_override - when to run it?

2018-07-05 Thread John Hearns
Sumit, thank you.
I should say why the sss_override is being run here.
We have around 100 users in a local /etc/passwd file
Those users are also in AD and we would like to exploit AD more, in terms
of group memberships etc. That's why we use sssd
The nsswitch is set to files sss

If sss_override is NOT used to create an override for a user,  getent
passwd userxyz returns:
userxyz:*:localuid:localgid
And also the user can log in, do stuff etc etc.

However at login time kinit is run to get a Kerberos ticket. It turns out
that the ticket file $KRB5CCNAME is generated using the Active Directory
uid/gid
(ie the ones generated from the SID)
If you do an ls on this Kerberos ticket file it returns that it is owned
by userxyz
But if you stat the file the uid is longaduserid, not localuid

I hope this makes sense.
I therefore want to make sure that the sss_overrides is run when the system
boots up.
Also there is the case of having the /var/lib/sss/db on a tmpfs for
performance (we don't do that)
Again sss_override would have to be run at boot time.


Sorry for the long response. I hope this helps someone in future.
In short - kinit is run early in the login sequence, and you get the wrong
ownership on the Kerberos ticket file if you do not run sss_override
in the case where there are locally defined users in the passwd file.


On 4 July 2018 at 14:43, Sumit Bose  wrote:

> On Wed, Jul 04, 2018 at 09:06:50AM +0200, John Hearns wrote:
> > Sumit, thank you.
> > What I have done is to write a Python script which loops over all local
> > users.
> > The script calls sss_override user-set for each user. Then the script
> runs
> > user-export to create a file as you suggest.
> >
> > I have edited the sssd.service unit file, and placed the changed copy in
> > /etc/systemd/system/sssd.service
> > This has an added Post Start action to read in the file using
> user-import.
> > These are the lines I added:
> >
> >
> > ExecStartPost=-/usr/sbin/sss_override user-import /etc/sssd/overrides
> > TimeoutStartSec=180
>
> ok, this should do no harm, but as said, as long as the cache file is on
> a disk and is not removed during reboots or on other circumstances this
> should not be needed.
>
> bye,
> Sumit
>
> >
> >
> >
> >
> > On 4 July 2018 at 08:41, Sumit Bose  wrote:
> >
> > > On Thu, Jun 14, 2018 at 02:33:22PM +0200, John Hearns wrote:
> > > > We have an existing set of users in a local passwd file
> > > > I want to run sss_override to create mappings from the AD SID
> numbers to
> > > > the existing uid numbers.
> > > >
> > > > What is the consensus on running sss_override?
> > > > I can script it to either parse through the existing passwd file and
> make
> > > > an override entry per user,
> > > > or to parse the file and create an import file which is run once with
> > > > import-user
> > > >
> > > > But when is a good time to run this?
> > > >
> > > > In a daily cron job
> > > >
> > > > When sssd is started, which would involve editing the systemd unit
> file
> > > >
> > > > Creating a new systemd service which depends on sssd.service . This
> > > service
> > > > runs sss_override and then restarts sssd.service
> > > >
> > > > Or am I misunderstanding something?
> > > >
> > > > I am assuming here we have on-disk sssd databases. If the databases
> are
> > > on
> > > > a tmpfs then clearly the sss_override must be run at boot time by
> one of
> > > > the above methods also.
> > >
> > > As long as the cache file in /var/lib/sss/db is not removed it should
> be
> > > sufficient to run sss_override for each user once and then the override
> > > data should stay in the cache.
> > >
> > > I once got a report that the link between the original user data and
> the
> > > override data got lost, but I wasn't able to reproduce this so far.
> > >
> > > It is always a good idea to call user-export/group-export to have a
> > > backup file around.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > >

[SSSD-users] Re: Behaviour of refresh_expired_interval

2018-07-04 Thread John Hearns
One thing I do note. I have reduced refresh_expired_interval to 40 seconds,
which is clearly a ridiculously low time.
However when I look at the cached information I always see Initgroups
expiration time:Expired

I am not sure what this means.

root@ibis:~# sssctl user-show abc
Name: abc
Cache entry creation date: 06/27/18 17:09:58
Cache entry last update time: 07/04/18 11:28:16
Cache entry expiration time: 07/04/18 11:29:16
Initgroups expiration time: Expired
Cached in InfoPipe: No

On 4 July 2018 at 11:01, John Hearns  wrote:

> Thank you Sumit. I think you might be trying to tell me something with the
> debug_level=6   :-)
>
> On 4 July 2018 at 09:04, Sumit Bose  wrote:
>
>> On Tue, Jul 03, 2018 at 02:12:22PM +0200, John Hearns wrote:
>> > I have an AD setup where users can be a member of perhaps 130 groups.
>> > When I run 'groups jbloggs' this can take 90 seconds or even longer.
>> > I have reduced that time to perhaps 20 seconds by setting
>> > ignore_group_members = TRUE
>> >
>> > Once the information is cached the groups command returns in less than
>> one
>> > second.
>> > However, after a length of time the cache seems to be invalidated and
>> the
>> > information is fetched again from the server, taking 20 seconds again.
>> > The caching parameters are set to:
>> >
>> > entry_cache_timeout = 5400
>> > entry_cache_user_timeout = 5400
>> > entry_cache_group_timeout = 5400
>> > refresh_expired_interval = 4000
>> >
>> > Surely this means that after 4000 seconds the user and group
>> information is
>> > refreshed in the background.
>> > So a user running the groups command would always see freshly cached
>> values?
>>
>> With 'debug_level=6' or higher in the [domain/...] section of sssd.conf
>> you
>> should be able to see messages like 'Refreshing  in domain
>> ' in domain log file when is refresh task is running.
>>
>> bye,
>> Sumit
>>
>> >
>> > Clearly I am not understanding something here.
>>


[SSSD-users] Re: Behaviour of refresh_expired_interval

2018-07-04 Thread John Hearns
Thank you Sumit. I think you might be trying to tell me something with the
debug_level=6   :-)

On 4 July 2018 at 09:04, Sumit Bose  wrote:

> On Tue, Jul 03, 2018 at 02:12:22PM +0200, John Hearns wrote:
> > I have an AD setup where users can be a member of perhaps 130 groups.
> > When I run 'groups jbloggs' this can take 90 seconds or even longer.
> > I have reduced that time to perhaps 20 seconds by setting
> > ignore_group_members = TRUE
> >
> > Once the information is cached the groups command returns in less than
> one
> > second.
> > However, after a length of time the cache seems to be invalidated and the
> > information is fetched again from the server, taking 20 seconds again.
> > The caching parameters are set to:
> >
> > entry_cache_timeout = 5400
> > entry_cache_user_timeout = 5400
> > entry_cache_group_timeout = 5400
> > refresh_expired_interval = 4000
> >
> > Surely this means that after 4000 seconds the user and group information
> is
> > refreshed in the background.
> > So a user running the groups command would always see freshly cached
> values?
>
> With 'debug_level=6' or higher in the [domain/...] section of sssd.conf you
> should be able to see messages like 'Refreshing  in domain
> ' in domain log file when is refresh task is running.
>
> bye,
> Sumit
>
> >
> > Clearly I am not understanding something here.
>


[SSSD-users] Re: sss_override - when to run it?

2018-07-04 Thread John Hearns
Sumit, thank you.
What I have done is to write a Python script which loops over all local
users.
The script calls sss_override user-set for each user. Then the script runs
user-export to create a file as you suggest.

I have edited the sssd.service unit file, and placed the changed copy in
/etc/systemd/system/sssd.service
This has an added Post Start action to read in the file using user-import.
These are the lines I added:


ExecStartPost=-/usr/sbin/sss_override user-import /etc/sssd/overrides
TimeoutStartSec=180

On 4 July 2018 at 08:41, Sumit Bose  wrote:

> On Thu, Jun 14, 2018 at 02:33:22PM +0200, John Hearns wrote:
> > We have an existing set of users in a local passwd file
> > I want to run sss_override to create mappings from the AD SID numbers to
> > the existing uid numbers.
> >
> > What is the consensus on running sss_override?
> > I can script it to either parse through the existing passwd file and make
> > an override entry per user,
> > or to parse the file and create an import file which is run once with
> > import-user
> >
> > But when is a good time to run this?
> >
> > In a daily cron job
> >
> > When sssd is started, which would involve editing the systemd unit file
> >
> > Creating a new systemd service which depends on sssd.service . This
> service
> > runs sss_override and then restarts sssd.service
> >
> > Or am I misunderstanding something?
> >
> > I am assuming here we have on-disk sssd databases. If the databases are
> on
> > a tmpfs then clearly the sss_override must be run at boot time by one of
> > the above methods also.
>
> As long as the cache file in /var/lib/sss/db is not removed it should be
> sufficient to run sss_override for each user once and then the override
> data should stay in the cache.
>
> I once got a report that the link between the original user data and the
> override data got lost, but I wasn't able to reproduce this so far.
>
> It is always a good idea to call user-export/group-export to have a
> backup file around.
>
> HTH
>
> bye,
> Sumit
>
>
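The override procedure described in this post (loop over the local users, create an override per user, then export a file that ExecStartPost re-imports) and the reason given in the later "sss_override - when to run it?" post (local uid in /etc/passwd versus the SID-derived AD uid on the Kerberos ccache) as an added example; this is my own code, not the poster's script. The passwd lines and AD uid/gid values are constructed, and the import-file column order is my reading of man sss_override, to be checked against the installed version.

```python
"""Build an sss_override import file for users that exist both locally and in AD.

Added example, not the script from the mailing-list posts.  The passwd lines
and the AD uid/gid values are constructed; the import-file layout
(original_name:name:uid:gid:gecos:home:shell) is my reading of
man sss_override and should be verified against the installed version.
"""
from typing import Dict, List, NamedTuple, Tuple

# Constructed stand-in for /etc/passwd: three regular users and one system account.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
userxyz:x:1001:1001:User XYZ:/home/userxyz:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
"""

# Constructed stand-in for what SSSD returns for the same users (for example via
# getent passwd user@domain) when uids are generated from the AD SID.
AD_IDS: Dict[str, Tuple[int, int]] = {
    "userxyz": (1814401104, 1814400513),
    "alice": (1814401105, 1814400513),
    "bob": (1003, 1003),  # already consistent, needs no override
}

AD_DOMAIN = "xxx.pvt"  # domain name as used elsewhere on the page
MIN_USER_UID = 1000    # skip system accounts


class LocalUser(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[LocalUser]:
    """Parse passwd-format lines into LocalUser records, skipping system accounts."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < MIN_USER_UID:
            continue
        users.append(LocalUser(name, int(uid), int(gid), gecos, home, shell))
    return users


def find_mismatches(users: List[LocalUser], ad_ids: Dict[str, Tuple[int, int]]):
    """Users whose local uid/gid differ from the AD-derived ones.

    Without an override, `files` answers lookups with the local uid while the
    Kerberos ccache created at login is owned by the AD uid (the symptom in the
    thread).  Returns (name, (local_uid, local_gid), (ad_uid, ad_gid)) tuples.
    """
    out = []
    for u in users:
        if u.name in ad_ids and ad_ids[u.name] != (u.uid, u.gid):
            out.append((u.name, (u.uid, u.gid), ad_ids[u.name]))
    return out


def override_lines(users: List[LocalUser], ad_ids: Dict[str, Tuple[int, int]],
                   domain: str) -> List[str]:
    """One sss_override user-import line per mismatched user.

    Columns (assumed, see module docstring): original_name:name:uid:gid:gecos:home:shell.
    original_name is the fully qualified AD name; uid/gid are the local values to impose.
    """
    by_name = {u.name: u for u in users}
    lines = []
    for name, (uid, gid), _ad in find_mismatches(users, ad_ids):
        u = by_name[name]
        lines.append(f"{name}@{domain}:{name}:{uid}:{gid}:{u.gecos}:{u.home}:{u.shell}")
    return lines


if __name__ == "__main__":
    local = parse_passwd(LOCAL_PASSWD)
    for name, local_ids, ad in find_mismatches(local, AD_IDS):
        print(f"{name}: local {local_ids} != AD {ad}")
    for line in override_lines(local, AD_IDS, AD_DOMAIN):
        print(line)  # these lines form the file handed to sss_override user-import
```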


[SSSD-users] Re: Logging of scheduled tasks - password renewal

2018-07-04 Thread John Hearns
Thank you Sumit. Indeed I do have adcli installed, and I am investigating
this issue using the higher log level which you suggest.

I think this is a problem with domain names.
When I use msktutil to renew the machine password I must explicitly run
msktutil --auto-update --computer-name myhostname

This is because the DNS domain of my workstation does not match the Active
Directory realm name.




On 4 July 2018 at 08:48, Sumit Bose  wrote:

> On Mon, Jun 25, 2018 at 05:12:25PM +0200, John Hearns wrote:
> > After 30 days of running sssd I found that my test workstation no longer
> > connected to the domain.
> > The machine account password had timed out.
> > I now run a daily cron job using msktutil which will auto-update the
> > password.
> >
> > However I should not have to do this. sssd should update the machine
> > password.
> >
> > I can see entries in the logs such that the machine account password
> > renewal task is enabled.
> > Then:
> >
> > [be_ptask_execute] (0x0400): Task [AD machine account password renewal]:
> > executing task, timeout 60 seconds
> >
> > How though can I see if this task is successful or not?
> > I realise that if the machine account is less than 30 days old the task
> > probably silently completes OK without any logging.
>
> Do you have adcli installed?
>
> If you set 'debug_level=7' or higher in the [domain/...] section of
> sssd.conf you should be able to find the debug output of adcli in the
> logs, it will start with '--- adcli output start---'.
>
> HTH
>
> bye,
> Sumit
>
> >
> > The version of sssd is 16.1 running on Ubuntu
> >
> >
> > John Hearns
>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/37DC57E5CBCUE2UKPHLDTRRYOQKQ3TKE/


[SSSD-users] Re: Who and w not nss aware?

2018-07-04 Thread John Hearns
Thanks Sumit. Rather bizarrely my workstation has no /var/run/utmp file.
I rebooted yesterday - you would think a file like that would be created at
boot time if it did not exist. Weird!


On 4 July 2018 at 08:54, Sumit Bose  wrote:

> On Thu, Jun 28, 2018 at 10:11:28AM +0200, John Hearns wrote:
> > It seems bizarre, but the who and w utilities say there are no users on
> my
> > system.
> > My account is an Active Directory account and sssd is running.
> >
> > johe@ibis:~$ who
> >
> > johe@ibis:~$ w
> >  10:09:26 up 16:47,  0 users,  load average: 0.60, 0.59, 0.48
> > USER TTY  FROM LOGIN@   IDLE   JCPU   PCPU WHAT
> >
> > I guess this is known behaviour?
>
> I would suggest to run the commands with strace to see what the
> command tries to do. Iirc the user name is actually read from the utmp
> file and SSSD is not called at all here. So the issue might already
> happen earlier, in that the needed entry isn't written to utmp.
>
> HTH
>
> bye,
> Sumit
>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/EEOEEZRY4242PIQTMBHPOL56PTRZBCQJ/


[SSSD-users] Re: Who and w not nss aware?

2018-07-04 Thread John Hearns
AAARHHH In the Name of the Wee Man, what possessed Poettering to place a
strange file name in /lib/systemd/system which stops you grepping in that
rather vital directory...

Looks like the utmp file should be created by the service
systemd-update-utmp.service.
I will investigate on my system; clearly this is not one for this list, sorry.




On 4 July 2018 at 09:11, John Hearns  wrote:

> Thanks Sumit. Rather bizarrely my workstation has no /var/run/utmp file.
> I rebooted yesterday - you would think a file like that would be created
> at boot time if it did not exist. Weird!
>
>
> On 4 July 2018 at 08:54, Sumit Bose  wrote:
>
>> On Thu, Jun 28, 2018 at 10:11:28AM +0200, John Hearns wrote:
>> > It seems bizarre, but the who and w utilities say there are no users on
>> my
>> > system.
>> > My account is an Active Directory account and sssd is running.
>> >
>> > johe@ibis:~$ who
>> >
>> > johe@ibis:~$ w
>> >  10:09:26 up 16:47,  0 users,  load average: 0.60, 0.59, 0.48
>> > USER TTY  FROM LOGIN@   IDLE   JCPU   PCPU WHAT
>> >
>> > I guess this is known behaviour?
>>
>> I would suggest to run the commands with strace to see what the
>> command tries to do. Iirc the user name is actually read from the utmp
>> file and SSSD is not called at all here. So the issue might already
>> happen earlier, in that the needed entry isn't written to utmp.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/TVMMDJNWDTRW6U23FSNV5KYBL3RWADJR/


[SSSD-users] Re: Who and w not nss aware?

2018-07-04 Thread John Hearns
Ending this one. On an Ubuntu system /var/run is a link to /run. That
link was missing on my system.
But WHY? var things go into /var, not the root partition, FFS.
I'm speaking as someone who builds HPC clusters. You might just have an NFS
mounted root partition, which is identical for thousands of compute nodes.
You might like to have your /var as a local tmpfs in RAM, on a local
storage device, or as a uniquely named writeable NFS share on the
provisioning node.
Why in the heck assume that VARiable things should go elsewhere than VAR?


On 4 July 2018 at 09:17, John Hearns  wrote:

> AAARHHH In the Name of the Wee Man, what possessed Poettering to place a
> strange file name in /lib/systemd/system which stops you grepping in that
> rather vital directory...
>
> Looks like the utmp file should be created by the service
> systemd-update-utmp.service.
> I will investigate on my system; clearly this is not one for this list,
> sorry
>
>
>
>
> On 4 July 2018 at 09:11, John Hearns  wrote:
>
>> Thanks Sumit. Rather bizarrely my workstation has no /var/run/utmp file.
>> I rebooted yesterday - you would think a file like that would be created
>> at boot time if it did not exist. Weird!
>>
>>
>> On 4 July 2018 at 08:54, Sumit Bose  wrote:
>>
>>> On Thu, Jun 28, 2018 at 10:11:28AM +0200, John Hearns wrote:
>>> > It seems bizarre, but the who and w utilities say there are no users
>>> on my
>>> > system.
>>> > My account is an Active Directory account and sssd is running.
>>> >
>>> > johe@ibis:~$ who
>>> >
>>> > johe@ibis:~$ w
>>> >  10:09:26 up 16:47,  0 users,  load average: 0.60, 0.59, 0.48
>>> > USER TTY  FROM LOGIN@   IDLE   JCPU   PCPU WHAT
>>> >
>>> > I guess this is known behaviour?
>>>
>>> I would suggest to run the commands with strace to see what the
>>> command tries to do. Iirc the user name is actually read from the utmp
>>> file and SSSD is not called at all here. So the issue might already
>>> happen earlier, in that the needed entry isn't written to utmp.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/QLAIAKH3DGCQTF4RWTXVF3CX55665LFO/


[SSSD-users] Re: Logging of scheduled tasks - password renewal

2018-07-04 Thread John Hearns
Sumit,
thank you for the advice here.
I reduced the password age value, and with the higher logging level the
password renewal using adcli was successful.
Thanks again.

On 4 July 2018 at 10:03, John Hearns  wrote:

> Thank you Sumit. Indeed I do have adcli installed, and I am investigating
> this issue using the higher log level which you suggest.
>
> I think this is a problem with domain names.
> When I use msktutil to renew the machine password I must explicitly run
> msktutil --auto-update --computer-name myhostname
>
> This is because the DNS domain of my workstation does not match the
> Active Directory realm name.
>
>
>
>
> On 4 July 2018 at 08:48, Sumit Bose  wrote:
>
>> On Mon, Jun 25, 2018 at 05:12:25PM +0200, John Hearns wrote:
>> > After 30 days of running sssd I found that my test workstation no longer
>> > connected to the domain.
>> > The machine account password had timed out.
>> > I now run a daily cron job using msktutil which will auto-update the
>> > password.
>> >
>> > However I should not have to do this. sssd should update the machine
>> > password.
>> >
>> > I can see entries in the logs such that the machine account password
>> > renewal task is enabled.
>> > Then:
>> >
>> > [be_ptask_execute] (0x0400): Task [AD machine account password renewal]:
>> > executing task, timeout 60 seconds
>> >
>> > How though can I see if this task is successful or not?
>> > I realise that if the machine account is less than 30 days old the task
>> > probably silently completes OK without any logging.
>>
>> Do you have adcli installed?
>>
>> If you set 'debug_level=7' or higher in the [domain/...] section of
>> sssd.conf you should be able to find the debug output of adcli in the
>> logs, it will start with '--- adcli output start---'.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>> >
>> > The version of sssd is 16.1 running on Ubuntu
>> >
>> >
>> > John Hearns
>>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/3NYQAUGJNSAUUSVDWLLC722J6JXVQZCY/


[SSSD-users] Re: one user can't be looked up

2018-07-03 Thread JOHE (John Hearns)
Peter,

are you running the name service caching daemon, nscd?


From: Sumit Bose 
Sent: 04 July 2018 08:44:49
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: one user can't be looked up

On Thu, Jun 28, 2018 at 07:46:29PM -0700, Peter Moody wrote:
> are there any logs I can provide to help anyone figure out why this is
> happening? I've (re-)confirmed that this behavior is present in 1.16.1

Can you send your sssd.conf for a start.

bye,
Sumit

> On Mon, Jun 18, 2018 at 9:04 PM Peter Moody  wrote:
> >
> > (apologies if this gets sent twice, there was apparently an issue with
> > my subscription to the sssd-users list)
> >
> > this is admittedly low priority since this is all just a test network
> > at this point, but we're looking to deploy sssd at work so I'd like to
> > make sure all the kinks I know about are well understood/fixed
> >
> > I have an openldap install with the following users (pmoody, peter)
> > with uidNumbers (1001, 1002) respectively.
> >
> > sssd works for both users from freebsd 11.2 prerelease (sssd-1.11.7_11,
> > whew, that's old).
> >
> > sssd works for pmoody from debian stretch (1.15.0-3). it does *not*
> > work for the user peter.
> >
> > this is what happens for the user peter.
> >
> > pmoody@deb:~$ sudo sss_cache -E
> > pmoody@deb:~$ getent passwd pmoody
> > pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash
> > pmoody@deb:~$ getent passwd peter
> > pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash
> > pmoody@deb:~$
> >
> > I've tried version 1.16.1-1, same results.
> >
> > These are the ldap entries for the aforementioned users:
> >
> > # peter, people, x.com
> > dn: uid=peter,ou=people,dc=x,dc=com
> > cn: peter
> > givenName: peter
> > sn: moody
> > uid: peter
> > uidNumber: 1002
> > homeDirectory: /home/peter
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > objectClass: organizationalPerson
> > gidNumber: 500
> > loginShell: /usr/local/bin/fish
> >
> > # pmoody, people, x.com
> > dn: uid=pmoody,ou=people,dc=x,dc=com
> > cn: Peter Moody
> > givenName: Peter
> > sn: Moody
> > uid: pmoody
> > uidNumber: 1001
> > homeDirectory: /home/pmoody
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > objectClass: organizationalPerson
> > loginShell: /usr/local/bin/fish
> > gidNumber: 500
> >
> > on the debian box that exhibits this error, I see the following in the logs:
> >
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [ldb] (0x4000): cancel
> > ldb transaction (nesting: 2)
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]]
> > [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
> > object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object
> > (32)]
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]]
> > [sysdb_set_cache_entry_attr] (0x0400): No such entry
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_set_entry_attr]
> > (0x0080): Cannot set attrs for
> > name=pe...@x.com,cn=users,cn=x.com,cn=sysdb, 2 [No such file or
> > directory]
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_store_user]
> > (0x0040): Cache update failed: 2
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [ldb] (0x4000): cancel
> > ldb transaction (nesting: 1)
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_store_user]
> > (0x0400): Error: 2 (No such file or directory)
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sdap_save_user]
> > (0x0020): Failed to save user [pe...@x.com]
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sdap_save_users]
> > (0x0040): Failed to store user 0. Ignoring.
> >
> > it kind of looks like what was reported here :
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/P6F7D5BOFYOWOCUXZTUQK26RQYPD5U24/?sort=date
> >
> > but I don't see a resolution to that report.
> >
> > any suggestions on what I can do to fix this? logs/configs I can
> > provide to help isolate the problem?
> >
> > Cheers,
> > peter

[SSSD-users] Behaviour of refresh_expired_interval

2018-07-03 Thread John Hearns
I have an AD setup where users can be a member of perhaps 130 groups.
When I run 'groups jbloggs' this can take 90 seconds or even longer.
I have reduced that time to perhaps 20 seconds by setting
ignore_group_members = TRUE

Once the information is cached the groups command returns in less than one
second.
However, after a length of time the cache seems to be invalidated and the
information is fetched again from the server, taking 20 seconds again.
The caching parameters are set to:

entry_cache_timeout = 5400
entry_cache_user_timeout = 5400
entry_cache_group_timeout = 5400
refresh_expired_interval = 4000

Surely this means that after 4000 seconds the user and group information is
refreshed in the background.
So a user running the groups command would always see freshly cached values?

Clearly I am not understanding something here.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/M4R23YDHWUMUZPE4QZW2CFCYVU3WTXUO/


[SSSD-users] Logging of scheduled tasks - password renewal

2018-07-03 Thread John Hearns
After 30 days of running sssd I found that my test workstation no longer
connected to the domain.
The machine account password had timed out.
I now run a daily cron job using msktutil which will auto-update the
password.

However I should not have to do this. sssd should update the machine
password.

I can see entries in the logs such that the machine account password
renewal task is enabled.
Then:

[be_ptask_execute] (0x0400): Task [AD machine account password renewal]:
executing task, timeout 60 seconds

How though can I see if this task is successful or not?
I realise that if the machine account is less than 30 days old the task
probably silently completes OK without any logging.

The version of sssd is 16.1 running on Ubuntu


John Hearns
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/2F77SPP4CXHS4YMKCMHIA5EJHI424VNV/


[SSSD-users] Re: sss_override user-export is empty

2018-07-03 Thread John Hearns
Asif please try using the -n option also

sss_override user-add mwvande -n mwvande -u 4311

Also you perhaps need the group option -g 4311 (I assume here the user's
group is 4311)

On 24 June 2018 at 05:04,  wrote:

> I made a change in UID for a user with sss_override but user-export to a
> file does not export anything. I am using sssd version 1.15.2. Is this a
> bug or may be I am doing something wrong? I followed the steps from this
> https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/
>
> I ran these as root
> # sssd --version
> 1.15.2
> # sss_override user-add mwvande -u 4311
> # systemctl restart sssd
> # sss_override user-export foo
> # cat foo
> (no output)
>
> I also tried it without the restart
>
> # sss_override user-add mwvande -u 4311
> # sss_override user-export foo
> # cat foo
> (no output)
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/KKYT7GT2FIK43MQOG4NXYNWTYJOSQZV6/


[SSSD-users] Who and w not nss aware?

2018-07-03 Thread John Hearns
It seems bizarre, but the who and w utilities say there are no users on my
system.
My account is an Active Directory account and sssd is running.

johe@ibis:~$ who

johe@ibis:~$ w
 10:09:26 up 16:47,  0 users,  load average: 0.60, 0.59, 0.48
USER TTY  FROM LOGIN@   IDLE   JCPU   PCPU WHAT

I guess this is known behaviour?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/L6PADDSQWYL2KIGBYKTJWM6OHW4FTML3/


[SSSD-users] sss_override - when to run it?

2018-07-03 Thread John Hearns
We have an existing set of users in a local passwd file
I want to run sss_override to create mappings from the AD SID numbers to
the existing uid numbers.

What is the consensus on running sss_override?
I can script it to either parse through the existing passwd file and make
an override entry per user,
or to parse the file and create an import file which is run once with
import-user

But when is a good time to run this?

In a daily cron job

When sssd is started, which would involve editing the systemd unit file

Creating a new systemd service which depends on sssd.service . This service
runs sss_override and then restarts sssd.service

Or am I misunderstanding something?

I am assuming here we have on-disk sssd databases. If the databases are on
a tmpfs then clearly the sss_override must be run at boot time by one of
the above methods also.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/TMGIPZGSONS6Q62RGKFBI5EDZ7GPCEUU/
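The import-file route described in the message above, written out as an added example (not code from this thread or from the SSSD project): a POSIX shell script that turns a local passwd file into an sss_override import file, so the overrides are loaded once with `sss_override user-import` instead of one `user-add` per user. The import line format `original_name:name:uid:gid:gecos:home:shell` is assumed from the `sss_override user-export` output, `example.com` is a placeholder domain, and the passwd content is constructed for the demo.

```shell
#!/bin/sh
# Added example: generate an sss_override import file from a passwd-style
# file. Assumption: sss_override user-import reads the same format that
# user-export writes, i.e. original_name:name:uid:gid:gecos:home:shell,
# with original_name being the SSSD-qualified AD name (user@domain).

# gen_override_lines DOMAIN PASSWD_FILE
# One import line per passwd entry; system accounts (uid < 1000) and the
# nobody account are skipped so that only real people get an override.
gen_override_lines() {
    domain="$1"
    passwd_file="$2"
    # passwd fields: name:x:uid:gid:gecos:home:shell
    awk -F: -v dom="$domain" '
        $3 >= 1000 && $3 != 65534 {
            printf "%s@%s:%s:%s:%s:%s:%s:%s\n", $1, dom, $1, $3, $4, $5, $6, $7
        }' "$passwd_file"
}

# demo_override_lines: run the generator over a constructed passwd file
# (sample data, not a real site) and print the resulting import lines.
demo_override_lines() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
mwvande:x:4311:4311:M W Vande:/home/mwvande:/bin/bash
jbloggs:x:4312:4312:Joe Bloggs:/home/jbloggs:/bin/bash
EOF
    gen_override_lines example.com "$tmp"
    rm -f "$tmp"
}

# Typical use: write the lines to a file, review it, then load it once:
#   demo_override_lines > overrides.txt   (or gen_override_lines on /etc/passwd)
#   sss_override user-import overrides.txt
# and restart sssd afterwards, as sss_override asks you to.
demo_override_lines
```

Keep the generated file around as well: it doubles as the backup that `user-export` would otherwise give you.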


[SSSD-users] Re: sss_override user-export is empty

2018-06-25 Thread JOHE (John Hearns)
Have you used the -n option ?


sss_override user-add mwvande -n mwvande -u 4311 -g 4311


I also added a group option there, you might need it.


From: vad...@gmail.com 
Sent: 24 June 2018 05:04:21
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sss_override user-export is empty

I made a change in UID for a user with sss_override but user-export to a file 
does not export anything. I am using sssd version 1.15.2. Is this a bug or may 
be I am doing something wrong? I followed the steps from this 
https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/

I ran these as root
# sssd --version
1.15.2
# sss_override user-add mwvande -u 4311
# systemctl restart sssd
# sss_override user-export foo
# cat foo
(no output)

I also tried it without the restart

# sss_override user-add mwvande -u 4311
# sss_override user-export foo
# cat foo
(no output)


--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: 
pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/ZVMZKXFBMIXFQO2VXL37TAJLRV6LGA6I/


[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread JOHE (John Hearns)
Thanks for looking Jakub. I think the wonders of Office 365 have blocked 
sending attachments from this address.

Way to go for getting help .. not.



From: Jakub Hrozek 
Sent: 12 June 2018 16:08:41
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Files provider - does not start properly ?

I’m sorry, but I don’t see any attachment..

> On 12 Jun 2018, at 11:15, JOHE (John Hearns)  wrote:
>
> Thank you. Logs are attached.
>
>
> From: Jakub Hrozek 
> Sent: 12 June 2018 10:28:39
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: Files provider - does not start properly ?
>
> Yes, just please make sure they don’t contain some confidential data (host 
> names etc..)
>
> > On 12 Jun 2018, at 10:09, JOHE (John Hearns)  wrote:
> >
> > Hi Jakub. I have the logs available. What is the best way to upload?
> > I guess just attach them here as a reply!
> > From: Jakub Hrozek 
> > Sent: 11 June 2018 20:30:59
> > To: End-user discussions about the System Security Services Daemon
> > Subject: [SSSD-users] Re: Files provider - does not start properly ?
> >
> >
> >
> > > On 11 Jun 2018, at 16:01, JOHE (John Hearns)  wrote:
> > >
> > > I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.
> > >
> > > In the configuration file I set enable_files_domain = True
> > >
> > > sssd_implicit_files.log then says :
> > > [sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned 
> > > an error [org.freedesktop.DBus.Error.NoReply]
> >
> > Can you send the full set of logs, from both the domain log file and the 
> > sssd.log file? There was one user who reported issues with the files 
> > provider on fedora but we could never pin the issue down.
> >
> > >
> > > Any ideas please?
> > >
> > > Also rather confusingly /etc/nsswitch.conf still has to be set with:  
> > >   passwd  files sss
> >
> > Fedora switched the default to “sss files” in F-26. I wouldn’t recommend 
> > just “sss” because sssd doesn’t handle root by design (if sssd is 
> > misbehaving you really want to be able to log in as root to fix things..)
> >
> > > The simple-minded amongst us (me) thought that from the description of 
> > > the sssd files provider, the passwd and group file would be read at 
> > > startup, therefore all you would need is sss in the nsswitch.conf
> > > Clearly there is a huge hole of comprehension. Between my ears.
> > >
> > >
> > >
> > >
> > >

[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread JOHE (John Hearns)
Thank you. Logs are attached.




From: Jakub Hrozek 
Sent: 12 June 2018 10:28:39
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Files provider - does not start properly ?

Yes, just please make sure they don’t contain some confidential data (host 
names etc..)

> On 12 Jun 2018, at 10:09, JOHE (John Hearns)  wrote:
>
> Hi Jakub. I have the logs available. What is the best way to upload?
> I guess just attach them here as a reply!
> From: Jakub Hrozek 
> Sent: 11 June 2018 20:30:59
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: Files provider - does not start properly ?
>
>
>
> > On 11 Jun 2018, at 16:01, JOHE (John Hearns)  wrote:
> >
> > I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.
> >
> > In the configuration file I set enable_files_domain = True
> >
> > sssd_implicit_files.log then says :
> > [sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned an 
> > error [org.freedesktop.DBus.Error.NoReply]
>
> Can you set the full set of logs, from both the domain log file and the 
> sssd.log file? There was one user who reported issues with the files provider 
> on fedora but we could never pin the issue down.
>
> >
> > Any ideas please?
> >
> > Also rather confusingly /etc/nsswitch.conf still has to be set with:
> > passwd  files sss
>
> Fedora switched the default to “sss files” in F-26. I wouldn’t recommend just 
> “sss” because sssd doesn’t handle root by design (if sssd is misbehaving you 
> really want to be able to log in as root to fix things..)
>
> > The simple-minded amongst us (me) thought that from the description of the 
> > sssd files provider, the passwd and group file would be read at startup, 
> > therefore all you would need is sss in the nsswitch.conf
> > Clearly there is a huge hole of comprehension. Between my ears.

[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread JOHE (John Hearns)
Hi Jakub. I have the logs available. What is the best way to upload?

I guess just attach them here as a reply!


From: Jakub Hrozek 
Sent: 11 June 2018 20:30:59
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Files provider - does not start properly ?



> On 11 Jun 2018, at 16:01, JOHE (John Hearns)  wrote:
>
> I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.
>
> In the configuration file I set enable_files_domain = True
>
> sssd_implicit_files.log then says :
> [sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned an 
> error [org.freedesktop.DBus.Error.NoReply]

Can you set the full set of logs, from both the domain log file and the 
sssd.log file? There was one user who reported issues with the files provider 
on fedora but we could never pin the issue down.

>
> Any ideas please?
>
> Also rather confusingly /etc/nsswitch.conf still has to be set with:  
>   passwd  files sss

Fedora switched the default to “sss files” in F-26. I wouldn’t recommend just 
“sss” because sssd doesn’t handle root by design (if sssd is misbehaving you 
really want to be able to log in as root to fix things..)

> The simple-minded amongst us (me) thought that from the description of the 
> sssd files provider, the passwd and group file would be read at startup, 
> therefore all you would need is sss in the nsswitch.conf
> Clearly there is a huge hole of comprehension. Between my ears.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/FD2AOA2WQ4TY4AD6CJAH3ZMWU3OPSIJ2/
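A check for the nsswitch.conf point made in the reply above (sssd does not serve root, so `files` must stay next to `sss`), written for this thread as an added example; it is not code from sssd or from anyone on the list, and the nsswitch.conf contents it reads are constructed sample input.

```python
"""Check nsswitch.conf source lists for the databases sssd serves.

Added example for this thread, not code from sssd. It applies the rule
from the reply above: "sss" on its own is unsafe because sssd does not
serve root, so "files" must remain in the passwd/group/shadow lines. The
order is reported as well, since Fedora's default became "sss files" in F-26.
"""
import re

# Databases sssd normally provides; "files" must stay in each so that root
# and other local accounts still resolve when sssd is stopped or broken.
SSSD_DATABASES = ("passwd", "group", "shadow")

# Constructed sample contents, not copied from any real host.
SAMPLE_SSS_FILES = "passwd: sss files\ngroup:  sss files\nshadow: sss files\n"
SAMPLE_SSS_ONLY = (
    "passwd: sss\n"
    "group:  sss\n"
    "shadow: files\n"
    "hosts:  files dns\n"
)


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Action specifications such as [NOTFOUND=return] are dropped because only
    the list of sources matters for this check.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        databases[name.strip()] = sources.split()
    return databases


def check_nsswitch(text):
    """Return findings (strings) for the sssd-relevant databases.

    An empty list means every database lists both "sss" and "files" with
    "sss" first.
    """
    findings = []
    databases = parse_nsswitch(text)
    for db in SSSD_DATABASES:
        sources = databases.get(db)
        if sources is None:
            findings.append(f"{db}: not configured, glibc default applies")
            continue
        if "sss" not in sources:
            findings.append(f"{db}: sss missing, sssd users will not resolve")
        if "files" not in sources:
            findings.append(f"{db}: files missing, root cannot log in "
                            "when sssd is down")
        elif "sss" in sources and sources.index("sss") > sources.index("files"):
            findings.append(f"{db}: order is 'files sss' (works; Fedora's "
                            "default since F-26 is 'sss files')")
    return findings


if __name__ == "__main__":
    for label, sample in (("sss files", SAMPLE_SSS_FILES),
                          ("sss only", SAMPLE_SSS_ONLY)):
        print(f"== {label} ==")
        for finding in check_nsswitch(sample) or ["no findings"]:
            print(" ", finding)
```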


[SSSD-users] Re: Files provider - does not start properly ?

2018-06-11 Thread John Hearns
Jakub, thank you. Will do with the logs.

Not being able to log in as root at the terminal... I am hyperventilating.
Arrghhh...

On 11 June 2018 at 20:30, Jakub Hrozek  wrote:

>
>
> > On 11 Jun 2018, at 16:01, JOHE (John Hearns)  wrote:
> >
> > I am trying out the files provider with sssd version 16.1 on Ubuntu
> Xenial.
> >
> > In the configuration file I set enable_files_domain = True
> >
> > sssd_implicit_files.log then says :
> > [sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned
> an error [org.freedesktop.DBus.Error.NoReply]
>
> Can you set the full set of logs, from both the domain log file and the
> sssd.log file? There was one user who reported issues with the files
> provider on fedora but we could never pin the issue down.
>
> >
> > Any ideas please?
> >
> > Also rather confusingly /etc/nsswitch.conf still has to be set with:
> passwd  files sss
>
> Fedora switched the default to “sss files” in F-26. I wouldn’t recommend
> just “sss” because sssd doesn’t handle root by design (if sssd is
> misbehaving you really want to be able to log in as root to fix things..)
>
> > The simple-minded amongst us (me) thought that from the description of
> the sssd files provider, the passwd and group file would be read at
> startup, therefore all you would need is sss in the nsswitch.conf
> > Clearly there is a huge hole of comprehension. Between my ears.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/QWOXHVWQDPGZCOZKHWE72GBJQ43NW2DZ/


[SSSD-users] Files provider - does not start properly ?

2018-06-11 Thread JOHE (John Hearns)
I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.


In the configuration file I set enable_files_domain = True


sssd_implicit_files.log then says :

[sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned an 
error [org.freedesktop.DBus.Error.NoReply]


Any ideas please?


Also rather confusingly /etc/nsswitch.conf still has to be set with:
passwd  files sss

The simple-minded amongst us (me) thought that from the description of the sssd 
files provider, the passwd and group file would be read at startup, therefore 
all you would need is sss in the nsswitch.conf

Clearly there is a huge hole of comprehension. Between my ears.





___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/Z45SFIFRWFRVXUBWV2OMMITLC4ODR6W4/


[SSSD-users] Refreshing tickets with msktutil

2018-06-08 Thread JOHE (John Hearns)
sssd version 1.15.0 running on Ubuntu Xenial.
In my setup sssd is not automatically refreshing computer account tickets after 
30 days, for some reason.

I found the msktutil package, which has a cron job which runs msktutil 
--auto-update each day.
So far so good.

However  msktutil --auto-update fails but  msktutil --update works OK.
Can anyone drop me a hint please why this might be so?
Snippets from the verbose output below.

/usr/sbin/msktutil --verbose --auto-update
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-V1URdr
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: and$
 -- try_machine_keytab_princ: Trying to authenticate for and$ from local 
keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed 
(Preauthentication failed)
 -- try_machine_keytab_princ: Authentication with keytab failed





/usr/sbin/msktutil --verbose --update
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-QXmuHN
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: and$
 -- try_machine_keytab_princ: Trying to authenticate for and$ from local 
keytab...
 -- switch_default_ccache: Using the local credential cache: 
FILE:/tmp/.mskt_krb5_ccache-ZChBdy
 -- finalize_exec: Authenticated using method 1






___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/M6PRA5MJYZLF4BBGAGM4RXMJSNK2VRJ6/


[SSSD-users] Re: Strange behaviour with groups

2018-06-01 Thread John Hearns
Jakub, a genuine thank you for the response.

I have logs of course, at a high debug level. I find that they are very
verbose.
Do you have a suggestion please as to
(a)  which of the logs to look at for this problem?  I guess sssd_nss.log
(b) any particular patterns I should look out for?



On 1 June 2018 at 14:37, Jakub Hrozek  wrote:

> On Fri, Jun 01, 2018 at 11:31:55AM +, JOHE (John Hearns) wrote:
> > I am seeing some very strange behaviour.
> >
> > Very often when I issue the command 'groups   username' then only the
> local groups in /etc/group are returned.
> >
> > Issue the command again then the list with the local groups plus the AD
> groups is returned.
> >
> > In /etc/nsswitch.conf group:  files sss
> >
> > I am altering the parameter ad_enable_gc to  False but this happened
> with is set to True also.
> >
> >
> > Any ideas please?
>
> Not without logs that capture the issue, sorry.
>
> See https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/JQZZRTKAYJFUHL7DZQFC4LUBANUIPSNI/


[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-06-01 Thread John Hearns
To explain, I just sent a reply from my personal Googlemail.

I am now getting this logged:
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Client
'host/client1@ADTEST.PRIVATE' not
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client
'host/client1@ADTEST.PRIVATE' not found in Kerberos database


I know the case is important in Kerberos, but client1 is certainly in the
Computers section of the adtest.private AD domain.



On 3 May 2018 at 09:59, John Hearns  wrote:

> Jakub, thankyou for your reply.
>
> Client OS is Ubuntu Xenial. Yes, I know...   pats favourite labrador
> goodbye. Sound of drawer opening and  service revolver being loaded...
>
> I did realise that the option p_auth_disable_tls_never_use_in_production
> = true
> the problem I have is that there is a CA cert on the Active Directory
> controller. But I cannot see if there is an SSL certificate.
> I may well be misunderstanding things.
>
> >Please don’t use this, not only it is very insecure, but also it doesn’t
> make any sense, this option is only useful if you use auth_provider=ldap.
> With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
>
> Aha. Thankyou for that information.
> I then have to ask the assembled choir (as I am not at the pearly gates) -
> does AD in the default configuration have SSL certificate capability?
> I have installed the Active Directory Certificate Services role
>
>
>
>
>
>
>
>
> On 3 May 2018 at 09:43, Jakub Hrozek  wrote:
>
>>
>>
>> > On 2 May 2018, at 17:54, JOHE (John Hearns)  wrote:
>> >
>> > I would appreciate some pointers.
>> > I have a sandbox setup running on VMs.  There is an AD controller using
>> the VM image which Microsoft has available for testing.
>> > I have created a domain called ad.test
>> >
>> > On my client machine I am continually getting this error:
>> > [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information (Server
>> not found in Kerberos database)
>> >
>>
>> I find it easier to debug this kind of an issue with:
>> KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base
>> -b “”
>>
>> Also, what version and on what OS are you running?
>>
>> >
>> > On the client   klist-k | uniq returns
>> >
>> > KVNO Principal
>> >  
>> --
>> >3 CLIENT1$@ADTEST.PRIVATE
>> >3 host/CLIENT1@ADTEST.PRIVATE
>> >3 host/client1@ADTEST.PRIVATE
>> >3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
>> >3 RestrictedKrbHost/client1@ADTEST.PRIVATE
>> >
>> > The funny thing is ONLY   kinit -k CLIENT1$\@ADTEST.PRIVATE   will work.
>>
>> This is expected, only the client$@realm principal is a user/computer
>> principal, the rest are service principals.
>>
>> > I do get a tgt:
>> > Ticket cache: FILE:/tmp/krb5cc_0
>> > Default principal: CLIENT1$@ADTEST.PRIVATE
>> >
>> > Just in the sandbox I am also setting:
>> > ldap_auth_disable_tls_never_use_in_production = true
>>
>> Please don’t use this, not only it is very insecure, but also it doesn’t
>> make any sense, this option is only useful if you use auth_provider=ldap.
>> With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
>>
>> >
>> > Any pointers please?  I have cranked debug up to 8 and this error
>> message seems to be the crucial one.
>> >
>> > By the way, why does the debug level not go up to 11?
>>
>> Because 9 is the highest?
>
>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/OBY2O2WE4BXXKZTHJEVLTPZVZBAYUMCG/
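A small offline cross-check of the keytab listing and the ldap_child log lines quoted in this thread, added here as an example; it is not sssd code and does not talk to a KDC. It classifies principals the way the reply above does (NAME$@REALM is the computer-account principal, anything with a "/" is a service principal) and reports whether the principal the KDC rejected is present in the keytab; SAMPLE_KLIST and SAMPLE_LOG are the thread's output retyped as constructed strings.

```python
"""Relate an sssd ldap_child "not found" error to the local keytab.

Added example for this thread, not sssd code; it only parses text and never
contacts a KDC. Classification follows the reply above: NAME$@REALM is the
computer-account principal (the one `kinit -k` accepts), anything with a
"/" is a service principal. Sample inputs are the `klist -k` listing and
log lines quoted in the thread, retyped here as constructed strings.
"""
import re

PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
NOT_FOUND_RE = re.compile(r"Client '([^']+)' not found in Kerberos database")

# Constructed from the listing in the thread.
SAMPLE_KLIST = """\
KVNO Principal
---- --------------------------------------------------------------------
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 host/client1@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/client1@ADTEST.PRIVATE
"""

# Constructed from the two ldap_child lines in the thread (first one is
# truncated in the original, as here).
SAMPLE_LOG = """\
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/client1@ADTEST.PRIVATE' not
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client 'host/client1@ADTEST.PRIVATE' not found in Kerberos database
"""


def parse_klist(text):
    """Return [(kvno, principal)] from `klist -k` output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def classify(principal):
    """'computer' for NAME$@REALM, 'service' for service/host@REALM, else 'user'."""
    name, _realm = principal.rsplit("@", 1)
    if "/" in name:
        return "service"
    if name.endswith("$"):
        return "computer"
    return "user"


def diagnose(klist_text, log_text):
    """Relate the 'not found' principal from the sssd log to the keytab.

    Returns the failing principal, whether it is in the keytab (exact and
    case-insensitive), the computer-account principal, and groups of keytab
    principals that differ only by case.
    """
    principals = [p for _, p in parse_klist(klist_text)]
    failing = None
    for line in log_text.splitlines():
        m = NOT_FOUND_RE.search(line)
        if m:
            failing = m.group(1)
            break
    computer = [p for p in principals if classify(p) == "computer"]
    # Group by lower-cased name to expose CLIENT1 / client1 pairs, which
    # AD-issued keytabs commonly carry side by side.
    by_fold = {}
    for p in principals:
        by_fold.setdefault(p.lower(), []).append(p)
    return {
        "failing_principal": failing,
        "in_keytab": failing in principals,
        "in_keytab_ignoring_case": failing is not None
        and failing.lower() in by_fold,
        "computer_principal": computer[0] if computer else None,
        "case_variants": [v for v in by_fold.values() if len(v) > 1],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_KLIST, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When the failing principal is present in the keytab, as here, the rejection is the KDC's (it has no such principal), not a missing keytab entry. Which keytab principal ldap_child authenticates with can be pinned with the sssd-ldap option `ldap_sasl_authid`, which the thread does not mention.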


[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-06-01 Thread John Hearns
Jakub, thank you for your reply.

Client OS is Ubuntu Xenial. Yes, I know...   pats favourite labrador
goodbye. Sound of drawer opening and  service revolver being loaded...

I did realise that the option p_auth_disable_tls_never_use_in_production =
true
the problem I have is that there is a CA cert on the Active Directory
controller. But I cannot see if there is an SSL certificate.
I may well be misunderstanding things.

>Please don’t use this, not only it is very insecure, but also it doesn’t
make any sense, this option is only useful if you use auth_provider=ldap.
With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.

Aha. Thank you for that information.
I then have to ask the assembled choir (as I am not at the pearly gates) -
does AD in the default configuration have SSL certificate capability?
I have installed the Active Directory Certificate Services role








On 3 May 2018 at 09:43, Jakub Hrozek  wrote:

>
>
> > On 2 May 2018, at 17:54, JOHE (John Hearns)  wrote:
> >
> > I would appreciate some pointers.
> > I have a sandbox setup running on VMs.  There is an AD controller using
> the VM image which Microsoft has available for testing.
> > I have created a domain called ad.test
> >
> > On my client machine I am continually getting this error:
> > [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (Server
> not found in Kerberos database)
> >
>
> I find it easier to debug this kind of an issue with:
> KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base
> -b “”
>
> Also, what version and on what OS are you running?
>
> >
> > On the client   klist-k | uniq returns
> >
> > KVNO Principal
> >  
> --
> >3 CLIENT1$@ADTEST.PRIVATE
> >3 host/CLIENT1@ADTEST.PRIVATE
> >3 host/client1@ADTEST.PRIVATE
> >3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
> >3 RestrictedKrbHost/client1@ADTEST.PRIVATE
> >
> > The funny thing is ONLY   kinit -k CLIENT1$\@ADTEST.PRIVATE   will work.
>
> This is expected, only the client$@realm principal is a user/computer
> principal, the rest are service principals.
>
> > I do get a tgt:
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: CLIENT1$@ADTEST.PRIVATE
> >
> > Just in the sandbox I am also setting:
> > ldap_auth_disable_tls_never_use_in_production = true
>
> Please don’t use this, not only it is very insecure, but also it doesn’t
> make any sense, this option is only useful if you use auth_provider=ldap.
> With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
>
> >
> > Any pointers please?  I have cranked debug up to 8 and this error
> message seems to be the crucial one.
> >
> > By the way, why does the debug level not go up to 11?
>
> Because 9 is the highest?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/CI2AURT3VFBLEUH7MGFMNO3CVSARLL25/


[SSSD-users] Strange behaviour with groups

2018-06-01 Thread JOHE (John Hearns)
I am seeing some very strange behaviour.

Very often when I issue the command 'groups   username' then only the local 
groups in /etc/group are returned.

Issue the command again then the list with the local groups plus the AD groups 
is returned.

In /etc/nsswitch.conf group:  files sss

I am altering the parameter ad_enable_gc to  False but this happened with is 
set to True also.


Any ideas please?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/OAULBOFUXLR4OPUTLX6Y5QVBYOFF7FUM/


[SSSD-users] Long groups resolution time

2018-05-29 Thread JOHE (John Hearns)
I am still having a lot of problems with group resolution in sssd.

User logins can take anything up to two minutes, or longer.

When I time the command 'groups username' for a selected username this can 
take two or more minutes to return.

I have this set:


ldap_schema = ad
ldap_group_nesting_level = 0
ldap_groups_use_matching_rule_in_chain = True
ldap_initgroups_use_matching_rule_in_chain = True

How can one tell what the appropriate ldap_schema is for our AD controllers?



Also the information is not cached for long enough. I set

enum_cache_timeout = 1200
entry_cache_timeout = 5400
entry_cache_user_timeout = 5400
entry_cache_group_timeput = 5400

I really do not see groups information being cached for 90 minutes


___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/A6DDF2LU75ERIB7JIETCQ23IJLZM7RQN/


[SSSD-users] Cacheing of group entries

2018-05-23 Thread JOHE (John Hearns)
Another thing which is driving me batty

I log in via ssh.  there is a long pause while the 'groups' utility is run.
When I get a prompt I can type  'id  myusername' and get an instant response.
Five minutes later I open a new terminal on my desktop, and it hangs, again in 
the groups utility

I have set enum_cache_timeout to be 1200.  Should I be looking at other 
caching parameters please?
From my nss stanza:

[nss]
filter_users = root, postfix, lightdm
filter_groups = root
enum_cache_timeout = 1200
entry_negative_timeout = 600


___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/7C2NGKJNUJE4YZVSY4RZWYW3UBB2RJQK/
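A checker for the sssd.conf fragments in the two messages above ("Long groups resolution time" and "Cacheing of group entries"), added as an example that is not sssd's own tooling (recent sssd ships `sssctl config-check`, which validates against the full option list). Two things a practitioner would look for: enum_cache_timeout only governs enumeration requests, while individual lookups such as `groups user` are governed by the entry_cache_*_timeout options in the [domain/...] section, and an option name sssd does not recognise is simply ignored. KNOWN lists only options named in these messages plus a few common ones from sssd.conf(5)/sssd-ldap(5)/sssd-ad(5); the domain name ad.example and the misplaced entry_cache_timeout in SAMPLE are constructed.

```python
"""Validate option names and section placement in an sssd.conf fragment.

Added example for this thread, not sssd's own checker. KNOWN covers only
the options that appear in these messages plus a few common ones from
sssd.conf(5), sssd-ldap(5) and sssd-ad(5); anything else is reported as
unknown, so extend it before using it on a real configuration.
"""
import configparser
import difflib

KNOWN = {
    "sssd": {"config_file_version", "services", "domains", "debug_level",
             "enable_files_domain"},
    "nss": {"filter_users", "filter_groups", "enum_cache_timeout",
            "entry_negative_timeout", "debug_level"},
    "pam": {"debug_level", "offline_credentials_expiration"},
    "domain": {"id_provider", "auth_provider", "debug_level", "enumerate",
               "cache_credentials", "ldap_schema", "ldap_group_nesting_level",
               "ldap_groups_use_matching_rule_in_chain",
               "ldap_initgroups_use_matching_rule_in_chain", "ad_enable_gc",
               "entry_cache_timeout", "entry_cache_user_timeout",
               "entry_cache_group_timeout", "ldap_sasl_authid"},
}
ALL_OPTIONS = sorted(set().union(*KNOWN.values()))

# Constructed sample: the [nss] and [domain] options from the two messages,
# with entry_cache_timeout deliberately placed in [nss] and the thread's
# own "timeput" spelling kept, so that both kinds of finding show up.
SAMPLE = """\
[sssd]
services = nss, pam
domains = ad.example

[nss]
filter_users = root, postfix, lightdm
filter_groups = root
enum_cache_timeout = 1200
entry_negative_timeout = 600
entry_cache_timeout = 5400

[domain/ad.example]
id_provider = ad
ldap_schema = ad
ldap_group_nesting_level = 0
ldap_groups_use_matching_rule_in_chain = True
ldap_initgroups_use_matching_rule_in_chain = True
entry_cache_user_timeout = 5400
entry_cache_group_timeput = 5400
"""


def section_kind(name):
    """Map 'domain/ad.example' to 'domain'; other sections map to themselves."""
    return "domain" if name.startswith("domain/") else name


def check_sssd_conf(text):
    """Return findings; an empty list means every option is known and sits
    in a section that accepts it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        allowed = KNOWN.get(section_kind(section))
        if allowed is None:
            findings.append(f"[{section}]: unknown section")
            continue
        for option in cp[section]:
            if option in allowed:
                continue
            if option in ALL_OPTIONS:
                # Valid name, wrong section: sssd will not apply it here.
                homes = sorted(k for k, v in KNOWN.items() if option in v)
                homes = ", ".join(f"[{h}]" for h in homes)
                findings.append(f"[{section}] {option}: belongs in {homes}, "
                                "ignored here")
            else:
                close = difflib.get_close_matches(option, ALL_OPTIONS, n=1)
                hint = f", did you mean {close[0]}?" if close else ""
                findings.append(f"[{section}] {option}: unknown option{hint}")
    return findings


if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE) or ["no findings"]:
        print(finding)
```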


[SSSD-users] Lightdm and the fail whale

2018-05-23 Thread JOHE (John Hearns)
Is anyone else using lightdm with sssd?

Specifically on Ubuntu Xenial.  I have sssd working, as I can ssh into the 
workstation using an account and password.


The display manager is very flaky indeed, and takes a lot to get it to open a 
desktop session.

I see this in the lightdm logs:

[+296.15s] DEBUG: Authenticate result for user johe: Success
[+296.15s] DEBUG: User johe authorized, but no account of that name exists


I have seen one report of this problem, and the only fix seems to be a restart 
of the lightdm service. Or a reboot.


Also in the syslog I see

May 23 11:08:31 ibis lightdm[7408]: ** (process:7673): WARNING **: Failed to 
open CK session: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The 
name org.freedesktop.ConsoleKit was not provided by any .service files
May 23 11:08:31 ibis lightdm[7408]: Failed to write utmpx: No such file or 
directory

May 23 11:08:36 ibis gnome-session-binary[8547]: CRITICAL: We failed, but the 
fail whale is dead. Sorry
May 23 11:08:37 ibis lightdm[7408]: Failed to write utmpx: No such file or 
directory

Has anyone seen similar output?





___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/5D6XMCTE6TGJHINFOKGMHOG3J4DJ62Q4/


[SSSD-users] Re: Help with AD password

2018-05-17 Thread JOHE (John Hearns)
Thank you Sumit. I am increasing the log level and am looking at the logs as a 
login attempt is made.


I am sure there is something simple I need to adjust here.


From: Sumit Bose 
Sent: 17 May 2018 10:35:09
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Help with AD password

On Thu, May 17, 2018 at 08:22:27AM +, JOHE (John Hearns) wrote:
> I recently posted to this list regarding a very slow response when getting 
> the groups for a user.
>
> The fix was to set
>
> ldap_schema = rfc2307bis
>
>
> Now 'groups' and 'id' return very quickly.  As an aside, is there an easy way 
> to tell if rfc30172 or rfc3072bis are in operation on a given AD domain?
>
>
> The problem is now that my account cannot log in... My account is valid, and 
> I can do 'id johe' and 'getent passwd johe' where johe is my account name. I 
> just can't log in with my password.
>
> I am almost 100% sure my password is valid, as I can LDAP bind to the AD 
> controller and perform ldap searches.
>
>
> Any help on debugging this issue is welcome.
>
> BTW my sAMAccountName is JOHE  but I think this is not case sensitive, from 
> what I can see in the sssd logs.

Please have a look at
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html.

In your case the most interesting log files would be sssd_pam.log and
sssd_your.domain.name.log (and krb5_child.log if you use Kerberos
authentication). To get the most details here add debug_level=9 to the
[pam] and [domain/...] sections of sssd.conf.

bye,
Sumit

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Help with AD password

2018-05-17 Thread JOHE (John Hearns)
I recently posted to this list regarding a very slow response when getting the 
groups for a user.

The fix was to set

ldap_schema = rfc2307bis


Now 'groups' and 'id' return very quickly.  As an aside, is there an easy way 
to tell if rfc30172 or rfc3072bis are in operation on a given AD domain?


The problem is now that my account cannot log in... My account is valid, and I 
can do 'id johe' and 'getent passwd johe' where johe is my account name. I just 
can't log in with my password.

I am almost 100% sure my password is valid, as I can LDAP bind to the AD 
controller and perform ldap searches.


Any help on debugging this issue is welcome.

BTW my sAMAccountName is JOHE  but I think this is not case sensitive, from 
what I can see in the sssd logs.

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Cache flushing after password change

2018-05-09 Thread JOHE (John Hearns)
I know I could look this one up in the docs somewhere...

If I have a Linux workstation which is using AD for the authentication provider.

If I change my password using a Windows machine, what then happens when I log 
into Linux if the Linux machine has cached my credentials?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] System is busy - mouse and keyboard not useable

2018-05-09 Thread JOHE (John Hearns)
I have set up sssd authentication on a Ubuntu Xenial workstation, with the 
Lightdm windowing manager.


When the sssd service starts the sssd_be process is taking 100% CPU. I am not 
that concerned with this.

However I see that when I am using the windowing system the mouse 'goes away' 
and sometimes the keyboard too, i.e. there is no mouse pointer and the keyboard 
does not respond.  This says to me that the OS is very busy doing things, and 
does not have time to service interrupts from the keyboard/mouse.

Has anyone else seen this behaviour?


I increased the nss stanza to have  enum_cache_timeout = 1200

Clearly this will not help with the first enumeration - but it does keep the 
data for longer in the cache.


Also when sssd first starts up it seems to look at every account in the local 
/etc/passwd file and request information about it.

We have several hundred locally defined users in the passwd file at the moment.

Is this expected behaviour?  I would have thought that only if an account 
actually makes a login attempt or uses a service then the information would be 
collected from AD/IPA/LDAP.  I may be wrong and I am sure I will learn 
something here.

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-05-03 Thread JOHE (John Hearns)
Jakub,

thank you for your reply.  I have (almost!) got things working now.

I have removed the ldap parameters in the sssd.conf


I had a mixup with the AD controller hostname - it is ad.adtest.private and I 
think this was significant.

Now I am retrieving the user information from AD.

Still having problems with PAM, so I am sure I will be back (sorry!)


From: Jakub Hrozek 
Sent: 03 May 2018 09:43:33
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Server not found in Kerberos database and debug level 
11



> On 2 May 2018, at 17:54, JOHE (John Hearns)  wrote:
>
> I would appreciate some pointers.
> I have a sandbox setup running on VMs.  There is an AD controller using the 
> VM image which Microsoft has available for testing.
> I have created a domain called ad.test
>
> On my client machine I am continually getting this error:
> [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: 
> Unspecified GSS failure.  Minor code may provide more information (Server not 
> found in Kerberos database)
>

I find it easier to debug this kind of an issue with:
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""

Also, what version and on what OS are you running?

>
> On the client   klist -k | uniq   returns
>
> KVNO Principal
>  
> --
>3 CLIENT1$@ADTEST.PRIVATE
>3 host/CLIENT1@ADTEST.PRIVATE
>3 host/client1@ADTEST.PRIVATE
>3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
>3 RestrictedKrbHost/client1@ADTEST.PRIVATE
>
> The funny thing is ONLY   kinit -k CLIENT1$\@ADTEST.PRIVATE   will work.

This is expected, only the client$@realm principal is a user/computer 
principal, the rest are service principals.

> I do get a tgt:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: CLIENT1$@ADTEST.PRIVATE
>
> Just in the sandbox I am also setting:
> ldap_auth_disable_tls_never_use_in_production = true

Please don't use this, not only is it very insecure, but it also doesn't make 
any sense, this option is only useful if you use auth_provider=ldap. With 
id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.

>
> Any pointers please?  I have cranked debug up to 8 and this error message 
> seems to be the crucial one.
>
> By the way, why does the debug level not go up to 11?

Because 9 is the highest?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
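"Server not found in Kerberos database" is the KDC reporting that it has no entry for the service principal the client asked for. For a GSSAPI LDAP bind that principal is ldap/<host>@REALM, built from the host name in the ldap:// URI, so the URI has to name the DC by the fully qualified name it is registered under in the realm; the client's own keytab (the klist -k output above lists the client's principals) is not where this shows up. The following is an added example, not code from the thread or from SSSD: it wraps the KRB5_TRACE'd ldapsearch Jakub suggests in a pre-flight check of the host name and prints the principal the bind will request so it can be compared with the trace. The host and realm names (ad.adtest.private, ADTEST.PRIVATE) are the ones used in this thread; the check assumes the AD convention that the Kerberos realm is the DNS domain name in upper case.

```shell
#!/bin/sh
# Added example, not part of the thread or of SSSD.
# Pre-flight for a GSSAPI LDAP bind against an AD domain controller.

# spn_host_ok HOST REALM: succeed if HOST is fully qualified and its domain
# part equals REALM, compared case-insensitively (AD realms are the DNS
# domain upper-cased), e.g. ad.adtest.private in ADTEST.PRIVATE.
spn_host_ok() {
  case $1 in
    *.*) ;;            # must carry a domain part
    *) return 1 ;;
  esac
  [ "$(printf %s "${1#*.}" | tr '[:lower:]' '[:upper:]')" = \
    "$(printf %s "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# ldap_spn HOST REALM: the service principal the GSSAPI bind will request.
# MIT krb5 lowercases the host part when it builds a service principal.
ldap_spn() {
  printf 'ldap/%s@%s\n' "$(printf %s "$1" | tr '[:upper:]' '[:lower:]')" "$2"
}

# trace_bind HOST REALM: run the traced ldapsearch from the thread, but only
# once the host name passes the check, and say which ticket to expect so the
# "Server not found" line in the trace can be matched against it.
trace_bind() {
  if ! spn_host_ok "$1" "$2"; then
    echo "refusing: '$1' is not a fully qualified name in realm $2" >&2
    return 2
  fi
  echo "expecting a service ticket for $(ldap_spn "$1" "$2")" >&2
  KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H "ldap://$1" -s base -b ""
}

# Usage, after obtaining a TGT (e.g. kinit -k 'CLIENT1$@ADTEST.PRIVATE'):
#   trace_bind ad.adtest.private ADTEST.PRIVATE
```

If the trace shows a request for a principal whose host part is not the DC's real name (a short name, an alias, or a name from a different domain), fix the name in ad_server / the ldap URI rather than the keytab; the client's keytab is only consulted for the client's own principal.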


[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-05-03 Thread JOHE (John Hearns)
>> By the way, why does the debug level not go up to 11?

> Because 9 is the highest?

http://knowyourmeme.com/memes/these-go-to-11-spinal-tap

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-05-03 Thread JOHE (John Hearns)
Jakub, thank you for your reply.

Client OS is Ubuntu Xenial. Yes, I know...   pats favourite labrador goodbye. 
Sound of drawer opening and  service revolver being loaded...

I did realise that the option ldap_auth_disable_tls_never_use_in_production = true
the problem I have is that there is a CA cert on the Active Directory 
controller. But I cannot see if there is an SSL certificate.
I may well be misunderstanding things.

>Please don’t use this, not only it is very insecure, but also it doesn’t make 
>any sense, this option is only useful if you use auth_provider=ldap. With 
>id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.

Aha. Thankyou for that information.
I then have to ask the assembled choir (as I am not at the pearly gates) - does 
AD in the default configuration have SSL certificate capability?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Server not found in Kerberos database and debug level 11

2018-05-02 Thread JOHE (John Hearns)
I would appreciate some pointers.

I have a sandbox setup running on VMs.  There is an AD controller using the VM 
image which Microsoft has available for testing.

I have created a domain called ad.test


On my client machine I am continually getting this error:

[sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Server not 
found in Kerberos database)



On the client   klist -k | uniq   returns


KVNO Principal
 --
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 host/client1@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/client1@ADTEST.PRIVATE


The funny thing is ONLY   kinit -k CLIENT1$\@ADTEST.PRIVATE   will work.

I do get a tgt:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: CLIENT1$@ADTEST.PRIVATE


Just in the sandbox I am also setting:

ldap_auth_disable_tls_never_use_in_production = true


Any pointers please?  I have cranked debug up to 8 and this error message seems 
to be the crucial one.


By the way, why does the debug level not go up to 11?

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: Realm says Necessary packages are not installed

2018-04-26 Thread JOHE (John Hearns)
Thank you Sumit, the problem was indeed packagekit.

I solved it by apt install packagekit



From: Sumit Bose 
Sent: 25 April 2018 19:27
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Realm says Necessary packages are not installed

On Wed, Apr 25, 2018 at 02:55:33PM +, JOHE (John Hearns) wrote:
> Following a lovely day of fun and games with my physical workstation, where I 
> borked the authentication so much that I had to boot it from a sysrescue 
> thumb drive 
> (http://www.system-rescue-cd.org/   I sleep with one of these under my pillow)
>
>
> I have decided to experiment with some VMs (Vagrant / Virtualbox / Ubuntu)
>
> When I run realm join   domainname   I get:
>
> realmd[7008]:  ! Necessary packages are not installed: sssd-tools sssd 
> libnss-sss libpam-sss adcli

By default realmd tries to lookup and install packages with package-kit.
I guess this is not available on your system. Please try to set

[service]
automatic-install = no

in /etc/realmd.conf, see man realmd.conf for details.

HTH

bye,
Sumit

>
>
> Those packages definitely are installed...
>
> I guess others have seen this message?  Yeah, Google is my friend
>
>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Realm says Necessary packages are not installed

2018-04-25 Thread JOHE (John Hearns)
Following a lovely day of fun and games with my physical workstation, where I 
borked the authentication so much that I had to boot it from a sysrescue thumb 
drive (http://www.system-rescue-cd.org/   I sleep with one of these under my 
pillow)


I have decided to experiment with some VMs (Vagrant / Virtualbox / Ubuntu)

When I run realm join   domainname   I get:

realmd[7008]:  ! Necessary packages are not installed: sssd-tools sssd 
libnss-sss libpam-sss adcli


Those packages definitely are installed...

I guess others have seen this message?  Yeah, Google is my friend


___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: Existing UID ranges

2018-04-19 Thread John Hearns
Sumit, thank you. I will look at that tool.

On 19 April 2018 at 17:11, Sumit Bose  wrote:

> On Thu, Apr 19, 2018 at 02:14:30PM +0200, John Hearns wrote:
>
> Maybe https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/ is
> what you are looking for?
>
> HTH
>
> bye,
> Sumit
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
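The local-overrides tool Sumit points to is sss_override(8), which lets a client keep the UID, GID, home and shell an account already has on that host while the AD provider still supplies the identity. The following is an added example, not code from the thread or from SSSD: it turns the existing /etc/passwd entries in the locally managed 1000-3000 range into the matching sss_override commands, so the RID-mapped IDs never appear on the workstation and no chown pass is needed. It assumes the AD sAMAccountName equals the local login name; the passwd lines are constructed sample input, and the generated commands are printed for review rather than run.

```shell
#!/bin/sh
# Added example, not part of the thread or of SSSD.
# Map locally assigned UIDs onto the AD accounts of the same name with
# sss_override so the AD provider reports the old IDs on this host.

LOW=${LOW:-1000}      # locally managed uid range from the thread
HIGH=${HIGH:-3000}

# passwd_to_overrides < passwd-lines
# One "sss_override user-add" per entry whose uid is inside the range;
# gid, home and shell are carried over from the local entry as well.
passwd_to_overrides() {
  awk -F: -v low="$LOW" -v high="$HIGH" '
    NF == 7 && $3 >= low && $3 <= high {
      printf "sss_override user-add %s --uid %s --gid %s --home %s --shell %s\n",
             $1, $3, $4, $6, $7
    }'
}

# sample_passwd: constructed input; root and nobody fall outside the range.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
johe:x:1001:1001:John Hearns:/home/johe:/bin/bash
alice:x:2999:2999:Alice:/home/alice:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# count_overrides: number of commands the sample produces.
count_overrides() {
  sample_passwd | passwd_to_overrides | wc -l | tr -d ' '
}

# Review, then run as root on each client:
#   passwd_to_overrides < /etc/passwd
```

Two caveats a practitioner will hit: the primary groups referenced by --gid need their own sss_override group-add entries (the AD group's mapped GID would otherwise differ from the local one), and overrides live in the SSSD cache, so export them with sss_override user-export before wiping /var/lib/sss/db and re-import them afterwards.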


[SSSD-users] Existing UID ranges

2018-04-19 Thread John Hearns
Hello all.  I am currently working on a new project to configure sssd
authentication, for Ubuntu clients.
And hello to Lachlan Musicman - did not expect to see you here!

I think this question must be asked many times. So forgive me.
We have an existing set of Unix usernames/uids which are pushed out onto
the client workstations via a configuration management system. I.e. there are
local /etc/passwd files which are updated when new users join the company.
The uid range is 1000 to 3000.

If we start to use sssd with AD authentication and the AD RID mapping, then
different UIDs will be reported.
We do not wish to use the Posix attributes - the whole point is to reduce
the manual steps needed when new accounts are created.

So my questions are:

a) is there any way to map AD RID style UIDs to existing UIDs   (I have
tried to search for this)

b) other organisations have faced this.  Is the only answer a script to
chown each users files if they are transitioned over to AD?


Also a question about pam_mkhomedir. I have used this successfully in the
past, on a BeeGFS filesystem where all the clients have read/write access.
If the workstation is an NFS client, then creating a new home directory for
a user should not be possible, given that root squash is configured on the
NFS share.
Is there a smart way to get pam_mkhomedir to work on an NFS client system?
Or perhaps the user needs to log into the NFS server system one time only
(assuming logins are encouraged directly to servers like that anyway)

Thanks for any thoughts and insights.
John Hearns
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org