[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-12 Thread Sumit Bose
On Thu, Mar 12, 2020 at 03:13:57PM -, Hristina Marosevic wrote:
> > On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > no [pam] is not needed for your use case, access via ssh.
> > 
> > 
> > This command looks for certificates from a Smartcard connected to the
> > local system. However p11_child is used to validate the certificates for
> > the ssh key generation as well. You should add debug_level = 9 to the
> > [ssh] section of sssd.conf and then check sssd_ssh.log and p11_child.log
> > after calling sss_ssh_authorized_keys.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> 
> 
> I cannot find a file named p11_child.log (I searched everything from the root directory).
> The only thing related to p11_child is the executable /usr/libexec/sssd/p11_child - should I use it to generate the log?
> Can you please help me with this?

Hi,

the file should be in the SSSD log directory, so typically
/var/log/sssd/p11_child.log.

Since it does not exist, p11_child was not called to validate the
certificates. In this case sssd_ssh.log is the only source of
information. Feel free to send the file or the part of the log file
which covers the time where sss_ssh_authorized_keys was called.

bye,
Sumit

> 
> BR,
> Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-12 Thread Hristina Marosevic
> On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> no [pam] is not needed for your use case, access via ssh.
> 
> 
> This command looks for certificates from a Smartcard connected to the
> local system. However p11_child is used to validate the certificates for
> the ssh key generation as well. You should add debug_level = 9 to the
> [ssh] section of sssd.conf and then check sssd_ssh.log and p11_child.log
> after calling sss_ssh_authorized_keys.
> 
> HTH
> 
> bye,
> Sumit


I cannot find a file named p11_child.log (I searched everything from the root directory).
The only thing related to p11_child is the executable /usr/libexec/sssd/p11_child - should I use it to generate the log?
Can you please help me with this?

BR,
Hristina


[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

2020-03-12 Thread Sumit Bose
On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote:
> Hello, 
> 
> I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part 
> of the sssd configuration and I didn't add the CA certs because the 
> certification validation is disabled, but I am getting the same error 
> "certificate is not valid" in the sssd_ssh.log
> SSSD version that I am using is (yum package version):
> 1.16.4-21.0.1.el7_7.1
> Somewhere on the internet, I saw this in the [pam] part of the sssd 
> configuration: "pam_cert_auth = True" - should I add this line in my config 
> file?

Hi,

no [pam] is not needed for your use case, access via ssh.

> and I found the following command for the p11_child log (by you):
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb

This command looks for certificates from a Smartcard connected to the
local system. However p11_child is used to validate the certificates for
the ssh key generation as well. You should add debug_level = 9 to the
[ssh] section of sssd.conf and then check sssd_ssh.log and p11_child.log
after calling sss_ssh_authorized_keys.

HTH

bye,
Sumit

> 
> The output on my machine was:
> $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
> (Fri Mar  6 13:33:30:652007 2020) [[sssd[p11_child[8855 [main] (0x0400): p11_child started.
> (Fri Mar  6 13:33:30:652310 2020) [[sssd[p11_child[8855 [main] (0x2000): Running in [pre-auth] mode.
> (Fri Mar  6 13:33:30:652517 2020) [[sssd[p11_child[8855 [main] (0x2000): Running with effective IDs: [0][0].
> (Fri Mar  6 13:33:30:652758 2020) [[sssd[p11_child[8855 [main] (0x2000): Running with real IDs [0][0].
> (Fri Mar  6 13:33:30:710650 2020) [[sssd[p11_child[8855 [do_card] (0x4000): Default Module List:
> (Fri Mar  6 13:33:30:710904 2020) [[sssd[p11_child[8855 [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Fri Mar  6 13:33:30:711013 2020) [[sssd[p11_child[8855 [do_card] (0x4000): dll name: [(null)].
> (Fri Mar  6 13:33:30:76 2020) [[sssd[p11_child[8855 [do_card] (0x4000): Dead Module List:
> (Fri Mar  6 13:33:30:711218 2020) [[sssd[p11_child[8855 [do_card] (0x4000): DB Module List:
> (Fri Mar  6 13:33:30:711320 2020) [[sssd[p11_child[8855 [do_card] (0x4000): common name: [NSS Internal Module].
> (Fri Mar  6 13:33:30:711434 2020) [[sssd[p11_child[8855 [do_card] (0x4000): dll name: [(null)].
> (Fri Mar  6 13:33:30:711564 2020) [[sssd[p11_child[8855 [do_card] (0x4000): common name: [Policy File].
> (Fri Mar  6 13:33:30:711768 2020) [[sssd[p11_child[8855 [do_card] (0x4000): dll name: [(null)].
> (Fri Mar  6 13:33:30:711890 2020) [[sssd[p11_child[8855 [do_card] (0x4000): Description [NSS User Private Key and Certificate Services   Mozilla Foundation  ] Manufacturer [Mozilla Foundation   ] flags [1].
> (Fri Mar  6 13:33:30:712016 2020) [[sssd[p11_child[8855 [do_card] (0x4000): Description [NSS Internal Cryptographic Services   Mozilla Foundation ] Manufacturer [Mozilla Foundation   ] flags [9].
> (Fri Mar  6 13:33:30:712335 2020) [[sssd[p11_child[8855 [do_card] (0x0040): No removable slots found.
> (Fri Mar  6 13:33:30:712448 2020) [[sssd[p11_child[8855 [main] (0x0040): do_work failed.
> (Fri Mar  6 13:33:30:712595 2020) [[sssd[p11_child[8855 [main] (0x0020): p11_child failed!
> 
> 
> BR,
> Hristina
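Sumit's advice is to raise debug_level in the [ssh] section and then read sssd_ssh.log and p11_child.log for the window in which sss_ssh_authorized_keys ran. The helper below is an added example, not code from the thread or from the SSSD project: it parses SSSD debug-log lines of the shape quoted above and lists only the records logged at a failure level (the level bits and their names are those documented in sssd.conf(5)). The sample log is constructed from the quoted p11_child output; the mail archive stripped the closing brackets after the PID, so the pattern accepts both the real `[[sssd[p11_child[8855]]]]` form and the stripped one.

```python
import re

# Shape of an SSSD debug log line, modelled on the p11_child output quoted above.
# The closing brackets after the PID are optional because the archived copy lost them.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<proc>[A-Za-z0-9_]+)\[(?P<pid>\d+)\]* "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9A-Fa-f]{4})\): (?P<msg>.*)$"
)

# Failure classes of the SSSD debug-level bitmask, as listed in sssd.conf(5).
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}


def parse_line(line):
    """Split one log line into its fields; None for lines that are not SSSD records."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["pid"] = int(rec["pid"])
    return rec


def failures(lines):
    """Return (function, severity, message) for every record logged at a failure level."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["level"] in FAILURE_LEVELS:
            out.append((rec["func"], FAILURE_LEVELS[rec["level"]], rec["msg"]))
    return out


# Constructed sample: lines taken from the quoted p11_child run, one of them in the
# bracket-stripped archive form, plus a stray non-record line that must be ignored.
SAMPLE_LOG = [
    "(Fri Mar  6 13:33:30:652007 2020) [[sssd[p11_child[8855]]]] [main] (0x0400): p11_child started.",
    "(Fri Mar  6 13:33:30:652310 2020) [[sssd[p11_child[8855]]]] [main] (0x2000): Running in [pre-auth] mode.",
    "(Fri Mar  6 13:33:30:712335 2020) [[sssd[p11_child[8855 [do_card] (0x0040): No removable slots found.",
    "(Fri Mar  6 13:33:30:712448 2020) [[sssd[p11_child[8855]]]] [main] (0x0040): do_work failed.",
    "(Fri Mar  6 13:33:30:712595 2020) [[sssd[p11_child[8855]]]] [main] (0x0020): p11_child failed!",
    "not an sssd record",
]

if __name__ == "__main__":
    import sys
    # Usage: python triage.py /var/log/sssd/sssd_ssh.log   (no argument: the sample above)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for func, severity, msg in failures(source):
        print(f"{severity:8} {func:12} {msg}")
```

Run against sssd_ssh.log after a call to sss_ssh_authorized_keys, the output narrows a level-9 log to the few records that explain a "certificate is not valid" result.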


[SSSD-users] Re: Change primary group

2020-03-12 Thread Sumit Bose
On Thu, Mar 12, 2020 at 09:26:49AM +0100, Jannis Mann wrote:
> Hi,
> 
> I have sssd running with the ldap provider and therefore use a binding account.
> 
> In general everything works. I have a question regarding the primary group.
> 
> When I log in with any user whom I permitted in sssd.conf, all users
> have the Domain Users group as primary group.
> 
> So if I create a file with UserA, ownership is UserA:Domain\ Users.
> Same goes for UserB etc.
> 
> Can I influence the primary group of the sssd users? This
> seems quite insecure to me, because I use different permissions for
> different users (configured via sudoers files). But if every user is in the
> same group...

Hi,

recent versions of SSSD have the option 'auto_private_groups'; please
check the sssd.conf man page to see if this option is available for your
version, and if so you can find more details there as well.

If this option is not listed in your man page, you can check
https://mzidek.fedorapeople.org/sssd/2.2.3/man/sssd.conf.5.html to see if it
might be worth upgrading.

HTH

bye,
Sumit

> 
> Thanks for your input!
> 
> Jannis



[SSSD-users] Change primary group

2020-03-12 Thread Jannis Mann
Hi,

I have sssd running with the ldap provider and therefore use a binding account.

In general everything works. I have a question regarding the primary group.

When I log in with any user whom I permitted in sssd.conf, all users
have the Domain Users group as primary group.

So if I create a file with UserA, ownership is UserA:Domain\ Users.
Same goes for UserB etc.

Can I influence the primary group of the sssd users? This
seems quite insecure to me, because I use different permissions for
different users (configured via sudoers files). But if every user is in the
same group...

Thanks for your input!

Jannis