On Thu, Oct 07, 2021 at 04:47:09PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 07 Oct 2021, m57n2 via FreeIPA-users wrote:
> > Hi,
> > thanks for the answer.
> >
> > To clarify:
> >
> > 1. "What doesn't work?"
> >
> > => Command "sss_cache -E" on client host... doesn't have an impact on the
> > possibility to log on with cached credentials. I can login again with
> > debug info: "Authenticated with cached credentials." << which comes from
> > the "pam_verbosity = 3" parameter inside sssd.conf
> >
> > //of course I have disabled both (master and replica) IPA services by
> > "ipactl stop" before testing off-line login.
>
> 'sss_cache -E' invalidates entries, it does not remove them completely.
> Man page for sss_cache says about it quite clearly:
>
>   Invalidated records are forced to be reloaded from server as soon as
>   related SSSD backend is online.
>
> So if you are offline, the database will still be present and if you
> have cached credentials, you'll be able to login with the data stored in
> the database content.
>
> You certainly should not use sss_cache to imitate offline mode.
>
> If you have removed the cache with 'sssctl cache-remove', then you'd be
> unable to login at all when an SSSD backend is offline.
>
> > 2. "What are you expecting?"
> > As Linux env admin(s) we are going to implement an IdM/IPA solution for
> > the "ux" part of our mixed win-linux hosts env. We realized that "SSH key
> > management with local accounts" is... let's say "not scalable" ;-)
> >
> > ...but on the other hand I need to be sure that in case of admin/user
> > account modification or IPA server unavailability => user will not have
> > a possibility to logon (there are some users from AD which should have
> > access to shell and they will be added via IPA<=>AD trust [final step of
> > our deployment]. //I mean that this "off-line logon" is ...expected
> > behavior, but I want to have full control over it.
>
> As long as SSSD backend provider is offline, it will rely on the data it
> has in the local cache to allow or deny access, if you have enabled the
> ability to handle offline cached authentication. This pretty much
> corresponds to a similar behavior within Active Directory environment as
> well.
>
> If there is no cached information about a specific user locally, then
> login will not succeed in offline state of SSSD backend.
>
> > I know that there is no possibility to turn off caching due to the
> > sophisticated architecture of the sssd daemon
> > (https://sssd.io/docs/architecture.html) but, as I described above, we
> > need to know "what is going on under the hood".
> >
> > 3. Is the only solution for that ...removing all files from
> > '/var/lib/sss/db' from each client-host on which a particular user has
> > had access?
>
> Either disable offline cached authentication or remove those databases
> with 'sssctl cache-remove'.
>
> You have krb5_store_password_if_offline = True
>
> this is what triggers offline cached authentication.
Hi,

I agree with all above, only the option is called 'cache_credentials'. The
option 'krb5_store_password_if_offline' can be used to even store the clear
text password in the kernel keyring until the system gets online again to
request a Kerberos ticket automatically.

bye,
Sumit

> > Regards,
> > M.
> >
> > Sent with ProtonMail Secure Email.
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > Thursday, 7 October 2021 14:51, Rob Crittenden <[email protected]>
> > wrote:
> >
> > > m57n2 via FreeIPA-users wrote:
> > >
> > > > Hello,
> > > >
> > > > I have set up a test-bed environment consisting of:
> > > >
> > > > IPA server [master] - OL8.4
> > > > IPA server [replica] - OL8.4
> > > > IPA client1 - OL8.4
> > > > IPA client2 - OL8.4
> > > > IPA client3 - Ubuntu20.04LTS
> > > >
> > > > //I've installed "master" manually and the rest of hosts via ansible
> > > > playbooks.
> > > >
> > > > All works fine: user created on IPA directory [let's say: "adminux"] can
> > > > successfully login on clients with SUDO privileges.
> > > >
> > > > Now I started to test offline [sssd] login ....and it works [too] fine =>
> > > > user can log into system even though it was disabled on IPA server!
> > > >
> > > > I started to tune-up sssd.conf parameters:
> > > > ------------------------------------------
> > > >
> > > > root@cl3:~# vim /etc/sssd/sssd.conf
> > > >
> > > > [domain/ux.example.com]
> > > > id_provider = ipa
> > > > ipa_server = srv, idm1.ux.example.com
> > > > ipa_domain = ux.example.com
> > > > ipa_hostname = cl3.ux.example.com
> > > > auth_provider = ipa
> > > > chpass_provider = ipa
> > > > access_provider = ipa
> > > > cache_credentials = True
> > > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > > dyndns_update = True
> > > > dyndns_iface = ens33
> > > > krb5_store_password_if_offline = True
> > > > *entry_cache_timeout = 60*
> > > > account_cache_expiration = 1
> > > >
> > > > [sssd]
> > > > services = nss, pam, ssh, sudo
> > > > domains = ux.example.com
> > > >
> > > > [nss]
> > > > homedir_substring = /home
> > > > *enum_cache_timeout = 10*
> > > > entry_cache_nowait_percentage = 0
> > > >
> > > > [pam]
> > > > *pam_verbosity = 3*
> > > > offline_credentials_expiration = 1
> > > >
> > > > [sudo]
> > > >
> > > > [sudo]
> > > >
> > > > [autofs]
> > > >
> > > > [ssh]
> > > >
> > > > [pac]
> > > >
> > > > [ifp]
> > > >
> > > > [secrets]
> > > >
> > > > [session_recording]
> > > > -------------------
> > > >
> > > > I was also trying to erase sssd cache with command:
> > > >
> > > > #sss_cache -E
> > > >
> > > > ...but it doesn't work in my test env!
> > >
> > > What doesn't work? What are you expecting?
> > >
> > > > I'll appreciate any suggestions "How can I control off-line logon
> > > > cache in case of user creation, user deletion, user rights change and
> > > > so on..." ?
> > >
> > > If it's offline then the client will not see user creation, deletion, etc
> > > because it's offline, right?
> > >
> > > rob
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam on the list, report it:
> > https://pagure.io/fedora-infrastructure
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
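As an added check (not from the thread or from the SSSD project), the script below parses an sssd.conf like the one quoted above and reports the options the replies identify as governing offline login: cache_credentials, krb5_store_password_if_offline, and the two expiration settings whose SSSD default of 0 means "never expire". The sample config is constructed from the thread's values, not the poster's exact file.

```python
"""Audit offline-login settings in an sssd.conf (added example, not from the thread)."""
import configparser

# Constructed sample modelled on the config quoted in the thread (not the poster's exact file).
SAMPLE_SSSD_CONF = """\
[domain/ux.example.com]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
account_cache_expiration = 1
[sssd]
services = nss, pam, ssh, sudo
domains = ux.example.com
[pam]
pam_verbosity = 3
offline_credentials_expiration = 1
[sudo]
[sudo]
"""

def _truthy(value):
    """SSSD accepts True/true/1/yes style booleans."""
    return str(value).strip().lower() in ("true", "1", "yes")

def audit_sssd_conf(text):
    """Return (section, finding) pairs for options that control offline login."""
    # strict=False tolerates duplicate sections such as the doubled [sudo] in the thread.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if _truthy(cp.get(section, "cache_credentials", fallback="false")):
            findings.append((section, "cache_credentials enables login with cached credentials while offline"))
        if _truthy(cp.get(section, "krb5_store_password_if_offline", fallback="false")):
            findings.append((section, "krb5_store_password_if_offline keeps the clear text password in the kernel keyring"))
        # SSSD default of 0 means cached accounts never expire.
        if cp.get(section, "account_cache_expiration", fallback="0").strip() == "0":
            findings.append((section, "account_cache_expiration is 0 (cached accounts never expire)"))
    # SSSD default of 0 means cached credentials never expire; fallback also covers a missing [pam].
    if cp.get("pam", "offline_credentials_expiration", fallback="0").strip() == "0":
        findings.append(("pam", "offline_credentials_expiration is 0 (cached credentials never expire)"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{section}] {finding}")
```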
