[SSSD-users] Re: Advantages of signed SASL bindings vs unsigned SASL bindings....
On Tue, Oct 13, 2020 at 5:04 PM Spike White wrote:
>
> Yes, correct. So that MS hotfix:
>
> Addresses an issue that incorrectly reports Lightweight Directory Access
> Protocol (LDAP) sessions as unsecure sessions in Event ID 2889. This occurs
> when the LDAP session is authenticated and sealed with a Simple
> Authentication and Security Layer (SASL) method.
>
> is for W2019.

Isn't it[1] for Windows 10? At first I thought it was for the server, and "blindly" downloaded it. I only realized it was for Windows 10 when I tried to install it. So what are they changing on the client side to get rid of the log on the server?

1. https://support.microsoft.com/en-us/help/4559003/windows-10-update-kb4559003

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
[SSSD-users] DNS updates, chicken-and-egg problem during join?
Hi,

I'm verifying under which conditions sssd will perform successful DNS updates on a DNS server backed by AD.

In this scenario, I have a standalone computer, that has an IP obviously, but no DNS record yet. My goal was to have the join process also add a DNS record for this computer.

After tracing calls to nsupdate, it looks like what sssd does is use the output of `hostname -f`, and I don't see a fault with that reasoning, except that to have that return an FQDN I need either to be in DNS already, or hack /etc/hosts. Otherwise, it sends the short name with a dot suffix, and that won't be accepted:

update delete g-client1. in A
update add g-client1. 3600 in A 10.51.0.8
send
update delete g-client1. in
send

I was wondering if sssd couldn't assume that the domain part is the same as the realm? I understand there might be many considerations here, like multiple domains, forests, etc, and maybe that's why this isn't done. But perhaps there is a way to have the simple case work? Or is there a config option I missed?

The other trick I see is to set the hostname to the FQDN, so that `hostname` returns the full thing. It's not technically correct I suppose, but gets the job done. Is that what people also do?
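The workaround discussed in the post, written out as an added example (this is not sssd's dyndns code): when `hostname -f` only yields a short name, append the lower-cased Kerberos realm and generate the same delete/add/send sequence sssd feeds to nsupdate, with `gsstsig` so an AD zone set to secure updates only will accept it. The host name, realm and addresses are constructed sample values; the realm-equals-DNS-domain rule is the assumption the post asks about.

```python
"""Generate nsupdate(1) input for a host that is not yet in DNS.

Added example, not sssd's own dyndns code. It takes the shortcut the post
asks about: when the host name is not fully qualified, the DNS domain is
assumed to be the Kerberos realm in lower case. Host names, realm and
addresses below are constructed sample values.
"""
import ipaddress
from typing import Dict, Iterable, List


def fqdn_for_update(hostname: str, realm: str) -> str:
    """Return the owner name to register (no trailing dot).

    A name that already contains a dot is used as-is, which is what sssd gets
    from `hostname -f` once the host is in DNS or /etc/hosts. A bare short
    name gets the lower-cased realm appended (assumption: DNS domain == realm).
    """
    host = hostname.strip().rstrip(".")
    if not host:
        raise ValueError("empty hostname")
    if "." in host:
        return host
    if not realm:
        # "g-client1." would be sent as an apex name and the server rejects it,
        # exactly the failure shown in the post; refuse instead of emitting it.
        raise ValueError(f"{host!r} is not fully qualified and no realm was given")
    return f"{host}.{realm.lower()}"


def split_addresses(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group addresses by record type; rejects anything that is not an IP."""
    grouped: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        grouped["A" if ip.version == 4 else "AAAA"].append(str(ip))
    return grouped


def build_nsupdate_script(hostname: str, realm: str, addresses: Iterable[str],
                          ttl: int = 3600, gss_tsig: bool = True) -> str:
    """Return nsupdate input that replaces the host's A and AAAA records.

    `gsstsig` is emitted first so a zone set to "secure updates only" accepts
    the change; nsupdate then signs with the caller's Kerberos credential
    cache (run `kinit -k` with the host keytab before piping this in).
    """
    name = fqdn_for_update(hostname, realm) + "."
    lines: List[str] = ["gsstsig"] if gss_tsig else []
    for rrtype, addrs in split_addresses(addresses).items():
        # Delete-then-add inside one "send" replaces stale records in one update.
        lines.append(f"update delete {name} in {rrtype}")
        for addr in addrs:
            lines.append(f"update add {name} {ttl} in {rrtype} {addr}")
        lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: short hostname, realm as in sssd.conf, one IPv4.
    print(build_nsupdate_script("g-client1", "EXAMPLE.COM", ["10.51.0.8"]), end="")
```

Run it as `kinit -k 'host/g-client1.example.com' && python3 gen.py | nsupdate -g`; the `-g` flag and the `gsstsig` command both select GSS-TSIG, and the update is refused by a secure-only zone if the credential cache is missing or belongs to a principal that is not allowed to write that name.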
[SSSD-users] Re: realmd: socket activation and sssd.conf's services= line
Hello James, thanks for the reply

On Tue, Sep 8, 2020 at 3:45 PM James Cassell wrote:
> > At the moment I'm just disabling adding the services line. Is this too
> > horrible?
>
> In my experience on RHEL 8, some of the services are unreliable when
> activated in this manner. The services line never fails. I believe the
> .service (or .socket) files on RHEL 8 are written to avoid any collision.
> Specifically, I think the socket activated version is a no op if the services
> line one is running.

Do you have some pointers to such issues, like bug reports or mailing list posts? Debian and Ubuntu use the upstream systemd service files as is, with no changes, and we do see conflicts when services= is used together with socket activation.
[SSSD-users] realmd: socket activation and sssd.conf's services= line
Hi, This is more of a realmd question than sssd, but closely related. Debian and Ubuntu defaulted to socket activated systemd services for all the sssd-* daemons. So they are started on demand. realmd currently always adds a "services = nss, pam" line (or augments it if it's there already). sssd will then start nss and pam, but so will systemd, and that creates a (apparently harmless) conflict and logs errors to the logs. I don't know if there is a way for realmd to detect this scenario and not add that services line, or if there should be a command-line option for it? Or maybe something in realm-.conf even? At the moment I'm just disabling adding the services line. Is this too horrible? --- a/service/realm-sssd-config.c +++ b/service/realm-sssd-config.c @@ -154,8 +154,6 @@ g_strfreev (already); /* Setup a default sssd section */ - if (!realm_ini_config_have (config, "section", "services")) - realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL); if (!realm_ini_config_have (config, "sssd", "config_file_version")) realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL); --- a/tests/test-sssd-config.c +++ b/tests/test-sssd-config.c @@ -90,7 +90,7 @@ gconstpointer unused) { const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one"; - const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; + const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; GError *error = NULL; gchar *output; gboolean ret; 
@@ -140,7 +140,7 @@ test_add_domain_only (Test *test, gconstpointer unused) { - const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n"; + const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n"; GError *error = NULL; gchar *output; gboolean ret;
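Review bot: in the realm-sssd-config.c hunk, dropping the default `services = nss, pam` unconditionally regresses realmd on distributions whose sssd responders are not socket-activated, where that line is the only thing that starts nss and pam; gate the removal instead, for example on `sssd-nss.socket` and `sssd-pam.socket` existing and being enabled, or behind the realmd.conf setting the cover mail floats. Also, the deleted check looked up the section named "section" rather than "sssd" (`if (!realm_ini_config_have (config, "section", "services"))`), so it could never see an existing services key and always wrote the default; if the line is kept under a condition, fix the section name at the same time.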
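Review bot: the first test-sssd-config.c hunk only updates the expected output; nothing now asserts that a services line already present in `data` survives untouched, which is the behaviour that matters once realmd stops writing one. Add a case whose input carries e.g. `[sssd]\nservices = nss, pam, sudo` and check that the output still contains it unchanged.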
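Review bot: `test_add_domain_only` now documents that a freshly generated sssd.conf has no services line at all, and nothing in the test or the commit message says why; add a one-line comment stating that the responders are expected to come up via socket activation in that case, otherwise the next reader will take the missing line for a bug.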
[SSSD-users] why does krb5_validate default to false?
Hi,

I'm wondering why krb5_validate defaults to false in sssd-krb5, and apparently it's the same default in the MIT Kerberos libraries (via verify_ap_req_nofail). It should solve the KDC impersonation attack, at the expense of a slightly more complicated setup (create the host principal, extract key, create keytab).

Is it because of this added difficulty in setting up things, or does it not work on very common scenarios/applications? Or just one of those hard to do transitions?
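A check a practitioner would want to run against their own sssd.conf, added here as an example and not part of sssd: it parses the real `auth_provider`, `id_provider`, `krb5_validate` and `krb5_keytab` keys, reports every domain where a TGT is obtained but never validated against the host key, and rewrites the file with `krb5_validate = True`. The configuration text is constructed; the provider defaults are the one stated in the mail for sssd-krb5 (false) and, for the ad and ipa providers, my reading of their man pages (true), labelled as such in the code.

```python
"""Find sssd domains that authenticate with Kerberos but never verify the KDC.

Added example, not sssd code. It reads the real sssd.conf keys
(`auth_provider`, `id_provider`, `krb5_validate`, `krb5_keytab`) and reports
domains where a forged KDC reply would be accepted, then rewrites the file
with `krb5_validate = True`. SAMPLE_CONF is a constructed configuration.
"""
import configparser
import io
from typing import Dict

# sssd-krb5: off unless set, as the mail says. For the ad and ipa providers
# sssd documents a default of true (my reading of sssd-ad(5)/sssd-ipa(5)),
# so those are only flagged when explicitly switched off.
DEFAULT_VALIDATE = {"krb5": False, "ad": True, "ipa": True}

SAMPLE_CONF = """\
[sssd]
domains = example.com, ad.example, ipa.example
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM

[domain/ad.example]
id_provider = ad
krb5_validate = false

[domain/ipa.example]
id_provider = ipa
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1", "on"}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is ini-style with case-insensitive keys and no interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def domains_without_validation(text: str) -> Dict[str, str]:
    """Return {domain: reason} for every domain that skips TGT validation."""
    cp = parse_sssd_conf(text)
    findings: Dict[str, str] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        id_provider = cp.get(section, "id_provider", fallback="").lower()
        auth = cp.get(section, "auth_provider", fallback=id_provider).lower()
        if auth not in DEFAULT_VALIDATE:
            continue  # ldap/local/proxy auth: no TGT to validate
        raw = cp.get(section, "krb5_validate", fallback=None)
        enabled = DEFAULT_VALIDATE[auth] if raw is None else _truthy(raw)
        if not enabled:
            keytab = cp.get(section, "krb5_keytab", fallback="/etc/krb5.keytab")
            state = "unset (default false)" if raw is None else repr(raw)
            findings[domain] = (
                f"auth_provider={auth}, krb5_validate is {state}: a spoofed KDC "
                f"can forge a TGT; validation needs the host/<fqdn> key in {keytab}")
    return findings


def enable_validation(text: str) -> str:
    """Rewrite the config with krb5_validate = True for every flagged domain."""
    cp = parse_sssd_conf(text)
    for domain in domains_without_validation(text):
        cp.set(f"domain/{domain}", "krb5_validate", "True")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for dom, why in domains_without_validation(SAMPLE_CONF).items():
        print(f"{dom}: {why}")
```

Turning the option on only helps if the keytab really holds a current `host/<fqdn>@REALM` key; `klist -k /etc/krb5.keytab` before restarting sssd avoids locking every user out because validation fails closed.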
[SSSD-users] Re: Heads up. Moving to github on April 8
hello,

On Thu, Apr 9, 2020 at 9:33 AM Pavel Březina wrote:
> Issue tracker was opened on github.
>
> Old issues will be kept in Pagure so we can communicate with original
> reporters (Github does not support Fedora Account so we can not simply
> migrate them). Unfortunately 'New issue' button is still available on
> Pagure - there does not seem to be a way how to disable new issues
> without making the issues read only. But please, report new issues
> against Github.

If pagure has this feature, could you perhaps add a template for issues on pagure that basically says to open them in github instead?
[SSSD-users] Re: sssd backend not working on ubuntu 18.04
Hello,

On Tue, Aug 13, 2019 at 1:01 PM Charles Hedrick wrote:
>
> On our Ubuntu 18.04 servers, sssd won’t start. Logging shows that it can’t
> find any DNS servers. Restarting sssd fixes it.

Sounds like https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1723350 ?
[SSSD-users] Re: socket activated services and "implicit" sssd.conf?
Hello

On Sat, Aug 3, 2019 at 2:17 PM Jakub Hrozek wrote:
>
> On Thu, Aug 01, 2019 at 07:50:09PM +0300, Timo Aaltonen wrote:
> >
> > Hi,
> >
> > As discussed on irc, the fallback config enables 'services=nss', and
> > check_socket_activated_responder() bails out if there's no conffile.
> >
> > So both should be fixed to allow sssd to start without extra noise when
> > socket activation is enabled and no conffile around (the default case
> > when the package is installed).
>
> Can you file tickets?

Sure, I filed this ticket: https://pagure.io/SSSD/sssd/issue/4054

Thanks!
[SSSD-users] socket activated services and "implicit" sssd.conf?
Hi there,

I'm trying to update the sssd package in Ubuntu to 2.2.0, and while the upstream tests pass, and our integration tests pass too, I get this warning (error?) with the socket services right after installation (https://pastebin.ubuntu.com/p/ZzW8BG2fpm/):

root@eoan-sssd2:~# systemctl status sssd-autofs.service
● sssd-autofs.service - SSSD AutoFS Service responder
   Loaded: loaded (/lib/systemd/system/sssd-autofs.service; indirect; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:sssd.conf(5)

root@eoan-sssd2:~# systemctl status sssd-nss.socket
● sssd-nss.socket - SSSD NSS Service responder socket
   Loaded: loaded (/lib/systemd/system/sssd-nss.socket; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2019-08-01 12:49:07 UTC; 16min ago
     Docs: man:sssd.conf(5)
   Listen: /var/lib/sss/pipes/nss (Stream)

Aug 01 12:49:07 eoan-sssd2 systemd[1]: Starting SSSD NSS Service responder socket.
Aug 01 12:49:07 eoan-sssd2 sssd_check_socket_activated_responders[3012]: (Thu Aug  1 12:49:07:354960 2019) [sssd] [check_socket_activated_responder] (0x0020): ini_config_file_open() failed [2][No such file or directory]
Aug 01 12:49:07 eoan-sssd2 sssd_check_socket_activated_responders[3012]: (Thu Aug  1 12:49:07:355071 2019) [sssd] [main] (0x0010): Misconfiguration found for the nss responder.
Aug 01 12:49:07 eoan-sssd2 sssd_check_socket_activated_responders[3012]: The nss responder has been configured to be socket-activated but it's still mentioned in the services' line in /etc/sssd/sssd.conf.
Aug 01 12:49:07 eoan-sssd2 sssd_check_socket_activated_responders[3012]: Please, consider either adjusting your services' line in /etc/sssd/sssd.conf or disabling the nss's socket by calling:
Aug 01 12:49:07 eoan-sssd2 sssd_check_socket_activated_responders[3012]: "systemctl disable sssd-nss.socket"
Aug 01 12:49:07 eoan-sssd2 systemd[1]: sssd-nss.socket: Control process exited, code=exited, status=2/INVALIDARGUMENT
Aug 01 12:49:07 eoan-sssd2 systemd[1]: sssd-nss.socket: Failed with result 'exit-code'.
Aug 01 12:49:07 eoan-sssd2 systemd[1]: Failed to listen on SSSD NSS Service responder socket.

There is no /etc/sssd/sssd.conf file present, so I think it assumes some defaults. What are these?

After install I get these services running:

 1871 ?        Ss     0:00 /usr/sbin/sssd -i --logger=files
 1872 ?        S      0:00  \_ /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
 1873 ?        S      0:00  \_ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

So here is my assumption: there is an implicit sssd.conf configuration that is taken in since there is no actual sssd.conf file, and that just starts sssd_nss, and at the *same* *time* we are trying to use socket activation, which then says "why are you starting the socket listener, since you are already starting nss?"

I'm guessing only Debian-based systems see this, because we start the services right after installation, and don't have a default sssd.conf file shipped with the package.
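The conflict described in this message and in the realmd thread above (realmd writing `services = nss, pam`, and a missing sssd.conf falling back to an implicit config that starts nss) can be caught before sssd is restarted. The following is an added example, not sssd's own `sssd_check_socket_activated_responders`: it takes the sssd.conf text (or None for "no file") and the list of enabled `sssd-*.socket` units, lists the responders that would be started twice, and produces a services= line with those names removed. The config text and unit list below are constructed; on a real host they come from /etc/sssd/sssd.conf and `systemctl list-unit-files 'sssd-*.socket'`.

```python
"""Detect the services= vs socket-activation conflict before restarting sssd.

Added example, not sssd's check_socket_activated_responders. Inputs are passed
in (config text or None, enabled unit names) so it runs offline.
"""
import configparser
import io
from typing import List, Optional

IMPLICIT_SERVICES = ["nss"]  # what the fallback config starts when sssd.conf is absent
RESPONDERS = {"nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}


def _parse(conf_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp


def services_from_conf(conf_text: Optional[str]) -> List[str]:
    """Responders the [sssd] services= line will start; None means no file."""
    if conf_text is None:
        return list(IMPLICIT_SERVICES)
    raw = _parse(conf_text).get("sssd", "services", fallback="")
    return [s.strip().lower() for s in raw.split(",") if s.strip()]


def socket_activated(enabled_units: List[str]) -> List[str]:
    """Responder names behind enabled sssd-<name>.socket units."""
    found = []
    for unit in enabled_units:
        if unit.startswith("sssd-") and unit.endswith(".socket"):
            name = unit[len("sssd-"):-len(".socket")]
            if name in RESPONDERS:
                found.append(name)
    return found


def find_conflicts(services: List[str], enabled_units: List[str]) -> List[str]:
    """Responders both listed in services= and socket-activated."""
    sockets = set(socket_activated(enabled_units))
    return [s for s in services if s in sockets]


def remove_from_services(conf_text: str, responders: List[str]) -> str:
    """Return sssd.conf text with the conflicting names dropped from services=.

    If nothing is left the key is removed, so sssd starts no responder itself
    and socket activation is the only path. The alternative fix the check
    prints is `systemctl disable sssd-<name>.socket` for each name.
    """
    cp = _parse(conf_text)
    keep = [s for s in services_from_conf(conf_text) if s not in set(responders)]
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    if keep:
        cp.set("sssd", "services", ", ".join(keep))
    elif cp.has_option("sssd", "services"):
        cp.remove_option("sssd", "services")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: what realmd leaves behind on Ubuntu, plus the
    # distribution's enabled sockets.
    conf = ("[sssd]\nservices = nss, pam\ndomains = example.com\n\n"
            "[domain/example.com]\nid_provider = ad\n")
    units = ["sssd-nss.socket", "sssd-pam.socket", "sssd-sudo.socket"]
    conflicting = find_conflicts(services_from_conf(conf), units)
    print("conflicts:", conflicting)
    print(remove_from_services(conf, conflicting), end="")
    print("no sssd.conf ->", find_conflicts(services_from_conf(None), units))
```

With no sssd.conf at all the function reports `nss`, which is the case in the systemctl output above: the implicit configuration starts sssd_nss while sssd-nss.socket is enabled for the same pipe.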
[SSSD-users] Re: 1.16.2 test failure: sss_nss_idmap-tests
> > Thank you for figuring out the linker option which caused the issue and
> for the suggestions.
> >
> > I've opened https://pagure.io/SSSD/sssd/issue/3801 to track the issue
> and also created https://github.com/SSSD/sssd/pull/632.

Thanks. I commented in the PR. The test now passes on Ubuntu with -Wl,-Bsymbolic-functions enabled. \o/

List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/HPPLNT4Y4JG4UY4OCO3FDFOCRMJTWA2S/
[SSSD-users] Re: 1.16.2 test failure: sss_nss_idmap-tests
On Tue, Aug 7, 2018 at 8:04 AM Sumit Bose wrote:
>
> On Mon, Jul 23, 2018 at 10:01:26AM +0200, Jakub Hrozek wrote:
> > Unfortunately these tests don’t have an option to raise the debug level so
> > stepping throught them with gdb is the only option I’m afraid..
>
> I think I didn't properly mock sss_nss_make_request_timeout() here.
> Instead of the provided call which just mock the results the original
> one is used which tries to talk to SSSD which either does not run or
> does not know about the test user, hence the return code 0x02 (ENOENT).
>
> If you run the test with strace you should see that the test program
> tries to connect to /var/lib/sss/pipes/nss which is not expected. I'll
> try to fix this.

Indeed it does try that connect a few times:

11933 connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)

But something is still unexplained: the same test works just fine in Debian, and doesn't try to connect to that socket. I might try updating nss. I have 3.36, and Debian has 3.38.

Thanks!

List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/ZFCUBBCBXO54VBPDU5SLKL2OCWOW5FTL/
[SSSD-users] Re: 1.16.2 test failure: sss_nss_idmap-tests
What I figured out so far is that this is a test that is enabled if you have cmocka installed, and this is the first time I had that.

On Fri, Jul 20, 2018 at 2:22 PM Andreas Hasenack wrote:
>
> Hi,
>
> I'm building 1.16.2 with just
> https://pagure.io/SSSD/sssd/c/a2cc554f438c220b3cc73eb93879dd87795a86cd?branch=master
> applied (without it, it doesn't build in Ubuntu currently) and I'm
> seeing this test failure:
>
> [==] Running 2 test(s).
> [ RUN ] test_getsidbyname
> [ ERROR ] --- 0x2 != 0
> [ LINE ] --- ../src/tests/cmocka/sss_nss_idmap-tests.c:121: error: Failure!
> [ FAILED ] test_getsidbyname
> [ RUN ] test_getorigbyname
> [ ERROR ] --- 0x2 != 0
> [ LINE ] --- ../src/tests/cmocka/sss_nss_idmap-tests.c:140: error: Failure!
> [ FAILED ] test_getorigbyname
> [==] 2 test(s) run.
> [ PASSED ] 0 test(s).
> [ FAILED ] 2 test(s), listed below:
> [ FAILED ] test_getsidbyname
> [ FAILED ] test_getorigbyname
>
> 2 FAILED TEST(S)
> FAIL sss_nss_idmap-tests (exit status: 2)
>
> I tried with samba 4.7.6 and 4.8.2 installed, and also with
> --with-smb-idmap-interface-version 5 and 6, same result. Debian is at
> 1.16.2 and the tests pass there just fine, so I think I'm looking at
> some dependency problem.
> ldb is 1.3.1
> tdb is 1.3.15
>
> Any pointers? Maybe a way to run just that test, so I can add
> debugging statements?
>
> Thanks!

List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/UB32RZUSGRALDIPPDUSJIT6CSTCSM3F6/
[SSSD-users] 1.16.2 test failure: sss_nss_idmap-tests
Hi,

I'm building 1.16.2 with just https://pagure.io/SSSD/sssd/c/a2cc554f438c220b3cc73eb93879dd87795a86cd?branch=master applied (without it, it doesn't build in Ubuntu currently) and I'm seeing this test failure:

[==] Running 2 test(s).
[ RUN ] test_getsidbyname
[ ERROR ] --- 0x2 != 0
[ LINE ] --- ../src/tests/cmocka/sss_nss_idmap-tests.c:121: error: Failure!
[ FAILED ] test_getsidbyname
[ RUN ] test_getorigbyname
[ ERROR ] --- 0x2 != 0
[ LINE ] --- ../src/tests/cmocka/sss_nss_idmap-tests.c:140: error: Failure!
[ FAILED ] test_getorigbyname
[==] 2 test(s) run.
[ PASSED ] 0 test(s).
[ FAILED ] 2 test(s), listed below:
[ FAILED ] test_getsidbyname
[ FAILED ] test_getorigbyname

2 FAILED TEST(S)
FAIL sss_nss_idmap-tests (exit status: 2)

I tried with samba 4.7.6 and 4.8.2 installed, and also with --with-smb-idmap-interface-version 5 and 6, same result. Debian is at 1.16.2 and the tests pass there just fine, so I think I'm looking at some dependency problem.
ldb is 1.3.1
tdb is 1.3.15

Any pointers? Maybe a way to run just that test, so I can add debugging statements?

Thanks!

List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/VLOM5TMYWX35MM7QIKLBA42N5XKWK2RR/
[SSSD-users] Re: Ubuntu 16.04.4 LTS 4.4.0-108+ and sssd freezes virtual server
On Fri, Mar 16, 2018 at 7:48 PM, David Hunter wrote:
> *Guest OS*: Ubuntu 16.04.4 LTS (kernel versions 4.4.0-108 to current 116)
>
> *Virtualization env*: VMWare ESXi 6.0
>
> *Host hardware*: Dell R720
>
>
> Using SSSD to bind linux servers to the AD domain for authentication. This
> was working fine right up to 4.4.0-104. After the update to -108,-109,-112,
> or -116, if sssd is enabled OR if it is disabled but then started after a
> successful boot and you perform a lookup (i.e. id some_domain_user), the
> entire system will freeze, and you have to force a reboot. There's even a
> blip in the syslog when it happens.
>

Hi, this bug sounds similar: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1746806
[SSSD-users] Re: nsupdate
On Tue, Mar 13, 2018 at 8:40 AM, Roger Martensson <roger.martens...@gmail.com> wrote:
> Hi
>
> Den 13 mars 2018 12:09 skrev "Max DiOrio":
>
>> Is your dns server set to secure updates only?
>>
>
> Yes it is and as is should be.
>
> I've filed a bugreport on the package at Ubunts launchpad so hopefully it
> gets resolved before release of 18.04.
>

This one, right? https://bugs.launchpad.net/bugs/1755439
[SSSD-users] Re: Ubuntu Xenial failures
You should file a bug in Ubuntu, especially if downgrading to the previous package fixes the problem for you.

On Dec 18, 2017 18:10, "Jay McCanta" wrote:
> After an update to Ubuntu Xenial, sssd_pam always fails with a system
> error(4) error.
>
> Dec 18 20:07:22 sv5cismfgcr01 sshd[27263]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.11.129 user=mccanta
> Dec 18 20:07:22 sv5cismfgcr01 sshd[27263]: pam_sss(sshd:account): Access
> denied for user mccanta: 4 (System error)
>
> I have debug_level 10 logs I can send. Didn't want to post those to the
> mailing list.
>
> Jay