SSSD team,

A curious issue after walking through the implementation of the socket activated responders.

System is a new RHEL 7.7 host with SSSD v1.16.4-21 using the AD providers. Essentially user resolution (NSS), user login (PAM) and sssctl (IFP) worked when specifying the responders in the SSSD.conf file.

[root@darkvixen241 ~]# id msteele
uid=1727401116(msteele) gid=1727401151(primary_unix_g) groups=1727401151(primary_unix_g),1727402106(darkvixen_hpc_admin_g),1727401607(darkvixen_hpc_g),1727402101(darkvixen100_g),1727401603(darkvixen101_g),1727401604(darkvixen102_g),1727401174(darkvixen240_g),1727401175(darkvixen241_g),1727401145(marketing_g),1727402105(bioinf_lab_g),1727400513(domain users)

[root@darkvixen241 ~]# sssctl user-checks msteele
user: msteele
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: msteele
 - user id: 1727401116
 - group id: 1727401151
 - gecos: Ming Steele
 - home directory: /home/dvc.darkvixen.com/msteele
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: msteele
 - uidNumber: 1727401116
 - gidNumber: 1727400513
 - gecos: Ming Steele
 - homeDirectory: /home/msteele
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -

After implementing the desired socket activated responders I cannot login as users via SSH, but can su as them from a root session. User resolution and sssctl still work.
[root@darkvixen241 ~]# systemctl list-units -a -t socket | grep sssd-
sssd-autofs.socket    loaded active listening SSSD AutoFS Service responder socket
sssd-kcm.socket       loaded active listening SSSD Kerberos Cache Manager responder socket
sssd-nss.socket       loaded active running   SSSD NSS Service responder socket
sssd-pac.socket       loaded active listening SSSD PAC Service responder socket
sssd-pam-priv.socket  loaded active listening SSSD PAM Service responder private socket
sssd-pam.socket       loaded active listening SSSD PAM Service responder socket
sssd-secrets.socket   loaded active listening SSSD Secrets Service responder socket
sssd-ssh.socket       loaded active listening SSSD SSH Service responder socket
sssd-sudo.socket      loaded active listening SSSD Sudo Service responder socket

[root@darkvixen241 ~]# id msteele
uid=1727401116(msteele) gid=1727401151(primary_unix_g) groups=1727401151(primary_unix_g),1727402106(darkvixen_hpc_admin_g),1727401607(darkvixen_hpc_g),1727402101(darkvixen100_g),1727401603(darkvixen101_g),1727401604(darkvixen102_g),1727401174(darkvixen240_g),1727401175(darkvixen241_g),1727401145(marketing_g),1727402105(bioinf_lab_g),1727400513(domain users)

[root@darkvixen241 ~]# sssctl user-checks msteele
user: msteele
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: msteele
 - user id: 1727401116
 - group id: 1727401151
 - gecos: Ming Steele
 - home directory: /home/dvc.darkvixen.com/msteele
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: msteele
 - uidNumber: 1727401116
 - gidNumber: 1727400513
 - gecos: Ming Steele
 - homeDirectory: /home/msteele
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Authentication service cannot retrieve authentication info

PAM Environment:
 - no env -

My sssd.conf is provided below:

[sssd]
config_file_version = 2
# services = nss,pam,pac,ssh,autofs,sudo
domains = dvc.darkvixen.com

[nss]
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,operator,games,ftp,nobody,systemd-network,dbus,polkitd,sshd,postfix,chrony,sssd,apache,rpc,rpcuser,nfsnobody
filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,cdrom,mail,man,dialout,floppy,games,tape,video,ftp,lock,audio,nobody,users,utmp,utempter,input,systemd-journal,systemd-network,dbus,polkitd,ssh_keys,sshd,postdrop,postfix,chrony,printadmin,cgred,sssd,apache,rpc,rpcuser,nfsnobody

[pam]
pam_account_expired_message = "Account expired, please contact help desk."
pam_account_locked_message = "Account locked, please contact help desk."
pam_verbosity = 3

[pac]

[ssh]

[autofs]

[sudo]

[ifp]

[domain/dvc.darkvixen.com]
id_provider = ad
access_provider = ad
cache_credentials = true
override_homedir = /home/%d/%u
override_shell = /bin/bash
override_gid = 1727401151
ad_access_filter = DOM:DVC.DARKVIXEN.COM: (|(memberOf=CN=DARKVIXEN241_G,OU=LDAP,OU=SVS,DC=dvc,DC=darkvixen,DC=com)(memberOf=CN=DARKVIXEN_HPC_ADMIN_G,OU=CLUSTERS,OU=SVS,DC=dvc,DC=darkvixen,DC=com))

Nothing remarkable shows up in the logs after issuing "sssctl debug-level 7" and curiously there are no sssd_pam or sssd_pac log files created.

Any assistance would be appreciated,

-- lawrence

--
Lawrence Kearney
w: www.lawrencekearney.com
l: www.linkedin.com/in/lawrencekearney