[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
On Mon, Oct 07, 2019 at 07:49:56PM +0200, Michael Ströder wrote:
> On 10/7/19 5:00 PM, Spike White wrote:
> > sssd internally is inventing the fiction of a group with the same group
> > name as the user name and the same gidNumber as the user's uidNumber.
> > So with auto_private_groups = true, id would return the same whether you
> > set gidNumber on the user account or not. (sssd is ignoring that field
> > for primary group when auto_private_groups == true).
>
> Just curious: What happens if there's a group entry with the same gidNumber
> value as is used for a user's uidNumber?

Hi,

this depends on the value of auto_private_groups. 'true' means 'Create user's private group unconditionally from user's UID number. The GID number is ignored in this case.' With 'hybrid', 'A primary group is autogenerated for user entries whose UID and GID numbers have the same value and at the same time the GID number does not correspond to a real group object in LDAP.'

Please see man sssd.conf for details.

HTH

bye,
Sumit

> Ciao, Michael.

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
On 10/7/19 5:00 PM, Spike White wrote:
> sssd internally is inventing the fiction of a group with the same group
> name as the user name and the same gidNumber as the user's uidNumber.
> So with auto_private_groups = true, id would return the same whether you
> set gidNumber on the user account or not. (sssd is ignoring that field
> for primary group when auto_private_groups == true).

Just curious: What happens if there's a group entry with the same gidNumber value as is used for a user's uidNumber?

Ciao, Michael.
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
On Mon, Oct 7, 2019, at 11:00 AM, Spike White wrote:
> James,
> [Moved response below]
>
> On Mon, Oct 7, 2019 at 9:51 AM James Cassell wrote:
> > On Mon, Oct 7, 2019, at 10:32 AM, Spike White wrote:
> > > James,
> > >
> > > Let me see if I understand your statement. Suppose my desired UID for
> > > admspike_white is 1234. So using POSIX attributes, you had assigned
> > > uidNumber == 1234 and gidNumber == 1234 on the user account
> > > admspike_white in AD. For each user you had done this.
> > >
> > > But you had not gone the step further and created an actual group object
> > > with name 'admspike_white' and gidNumber == 1234.
> > >
> > > If that's correct, to my mind:
> > >
> > > 1. without auto_private_groups, your user's account reference to
> > > gidNumber == 1234 is a "dangling reference". A reference to a group
> > > object that does not exist in your AD deployment.
> > > 2. with auto_private_groups, sssd takes the uidNumber (of 1234),
> > > invents the fiction of a group with the same name and gidNumber of
> > > 1234. id admspike_white reports this fiction as the primary group. In
> > > this case, the gidNumber == 1234 would be ignored by sssd (except it'd
> > > be reported as one of the supplemental groups in the 'id' command).
> > >
> > > Do I have this right?
> >
> > All correct except with auto_private_groups, the primary gid shows as the
> > gidNumber, but it resolves the group name to the username, so there is no
> > nameless group. ...iirc, without the gidNumber, the user failed to resolve
> > at all.
>
> Yeah ok. But it's not really "resolving" the group name. That is, it's
> not looking up in AD for a group with that gidNumber and returning the
> name of that group.

By resolving, I meant from an nss perspective.

> sssd internally is inventing the fiction of a group with the same group
> name as the user name and the same gidNumber as the user's uidNumber.
> So with auto_private_groups = true, id would return the same whether
> you set gidNumber on the user account or not. (sssd is ignoring that
> field for primary group when auto_private_groups == true).

Just tested it. Without auto_private_groups = True, sssd fails entirely to resolve users without gidNumber set. Instead, `id user-no-gid` returns "no such user".

With `auto_private_groups = True`, it behaves as you describe, "creating" a group named for the user.

V/r,
James Cassell

> Spike
>
> > V/r,
> > James Cassell
> >
> > > Spike
> > >
> > > On Fri, Oct 4, 2019 at 11:17 AM Goetz, Patrick G wrote:
> > > > On 10/4/19 8:21 AM, James Cassell wrote:
> > > > > We had previously assigned POSIX attributes to all users in AD. We
> > > > > assigned a uidNumber to each user and also a gidNumber that is the same
> > > > > number as the uidNumber for each given user.
> > > >
> > > > Wait, you did this in AD? How? I thought all the SIDs need to be
> > > > unique because everything in AD is in a single namespace.
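The primary-group decision the thread circles around, as an added model (not sssd's own code, and the directory contents are constructed sample data): it follows the man sssd.conf wording Sumit quotes for auto_private_groups = false, hybrid and true, and covers Spike's dangling gidNumber, Alex's everyone-in-"domain users" case, James's user with no gidNumber ("no such user"), and Michael's question about a real group that already owns the user's uidNumber.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class User:
    name: str
    uid: int
    gid: Optional[int]  # None: the AD object carries no gidNumber attribute

@dataclass
class Directory:
    users: Dict[str, User]
    groups: Dict[int, str]  # gidNumber -> name of a real group object

def primary_group(d: Directory, username: str, mode: str) -> Optional[Tuple[int, Optional[str]]]:
    """(gid, group name) as 'id' prints them; None when the user does not
    resolve at all ('no such user'). A None group name is a dangling gid."""
    if mode not in ("false", "hybrid", "true"):
        raise ValueError(f"unknown auto_private_groups value: {mode}")
    user = d.users.get(username)
    if user is None:
        return None
    if mode == "true":
        # Private group built unconditionally from the UID; gidNumber is
        # ignored even when a real group object owns the same number.
        return (user.uid, user.name)
    if user.gid is None:
        # No fallback private group and no gidNumber: sssd cannot build the
        # passwd entry, which is James's "no such user" result.
        return None
    if mode == "hybrid" and user.gid == user.uid and user.gid not in d.groups:
        # hybrid: private group only when UID == GID and no real group owns it.
        return (user.gid, user.name)
    # false, or hybrid with a real group or GID != UID: ordinary group lookup.
    return (user.gid, d.groups.get(user.gid))

def id_line(d: Directory, username: str, mode: str) -> str:
    """Render the uid/gid part of 'id username' for the chosen mode."""
    resolved = primary_group(d, username, mode)
    if resolved is None:
        return f"id: {username}: no such user"
    gid, gname = resolved
    gid_text = f"{gid}({gname})" if gname is not None else str(gid)
    return f"uid={d.users[username].uid}({username}) gid={gid_text}"

# Constructed directory covering the cases raised in the thread.
SAMPLE = Directory(
    users={
        "admspike_white": User("admspike_white", 1234, 1234),  # uid == gid, no group 1234
        "ncircle": User("ncircle", 2755191114, 273200513),     # gid is "domain users"
        "user-no-gid": User("user-no-gid", 5000, None),        # no gidNumber at all
        "bob": User("bob", 2000, 2000),                        # a real group owns 2000
    },
    groups={273200513: "domain users", 2000: "bobs-team"},
)
```

Running `id_line(SAMPLE, name, mode)` for each user under the three modes shows why only `true` resolves the gid-less user, and why `true` also lets bob's private group shadow the real group at gid 2000, the collision Michael asked about.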
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
James,

Yeah ok. But it's not really "resolving" the group name. That is, it's not looking up in AD for a group with that gidNumber and returning the name of that group.

sssd internally is inventing the fiction of a group with the same group name as the user name and the same gidNumber as the user's uidNumber. So with auto_private_groups = true, id would return the same whether you set gidNumber on the user account or not. (sssd is ignoring that field for primary group when auto_private_groups == true).

Spike

On Mon, Oct 7, 2019 at 9:51 AM James Cassell wrote:
> On Mon, Oct 7, 2019, at 10:32 AM, Spike White wrote:
> > James,
> >
> > Let me see if I understand your statement. Suppose my desired UID for
> > admspike_white is 1234. So using POSIX attributes, you had assigned
> > uidNumber == 1234 and gidNumber == 1234 on the user account
> > admspike_white in AD. For each user you had done this.
> >
> > But you had not gone the step further and created an actual group object
> > with name 'admspike_white' and gidNumber == 1234.
> >
> > If that's correct, to my mind:
> >
> > 1. without auto_private_groups, your user's account reference to
> > gidNumber == 1234 is a "dangling reference". A reference to a group
> > object that does not exist in your AD deployment.
> > 2. with auto_private_groups, sssd takes the uidNumber (of 1234),
> > invents the fiction of a group with the same name and gidNumber of
> > 1234. id admspike_white reports this fiction as the primary group. In
> > this case, the gidNumber == 1234 would be ignored by sssd (except it'd
> > be reported as one of the supplemental groups in the 'id' command).
> >
> > Do I have this right?
>
> All correct except with auto_private_groups, the primary gid shows as the
> gidNumber, but it resolves the group name to the username, so there is no
> nameless group. ...iirc, without the gidNumber, the user failed to resolve
> at all.
>
> V/r,
> James Cassell
>
> > Spike
> >
> > On Fri, Oct 4, 2019 at 11:17 AM Goetz, Patrick G wrote:
> > > On 10/4/19 8:21 AM, James Cassell wrote:
> > > > We had previously assigned POSIX attributes to all users in AD. We
> > > > assigned a uidNumber to each user and also a gidNumber that is the same
> > > > number as the uidNumber for each given user.
> > >
> > > Wait, you did this in AD? How? I thought all the SIDs need to be
> > > unique because everything in AD is in a single namespace.
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
On Mon, Oct 7, 2019, at 10:32 AM, Spike White wrote:
> James,
>
> Let me see if I understand your statement. Suppose my desired UID for
> admspike_white is 1234. So using POSIX attributes, you had assigned
> uidNumber == 1234 and gidNumber == 1234 on the user account
> admspike_white in AD. For each user you had done this.
>
> But you had not gone the step further and created an actual group object
> with name 'admspike_white' and gidNumber == 1234.
>
> If that's correct, to my mind:
>
> 1. without auto_private_groups, your user's account reference to
> gidNumber == 1234 is a "dangling reference". A reference to a group
> object that does not exist in your AD deployment.
> 2. with auto_private_groups, sssd takes the uidNumber (of 1234),
> invents the fiction of a group with the same name and gidNumber of
> 1234. id admspike_white reports this fiction as the primary group. In
> this case, the gidNumber == 1234 would be ignored by sssd (except it'd
> be reported as one of the supplemental groups in the 'id' command).
>
> Do I have this right?
>

All correct except with auto_private_groups, the primary gid shows as the gidNumber, but it resolves the group name to the username, so there is no nameless group. ...iirc, without the gidNumber, the user failed to resolve at all.

V/r,
James Cassell

> Spike
>
> On Fri, Oct 4, 2019 at 11:17 AM Goetz, Patrick G wrote:
> > On 10/4/19 8:21 AM, James Cassell wrote:
> > > We had previously assigned POSIX attributes to all users in AD. We
> > > assigned a uidNumber to each user and also a gidNumber that is the same
> > > number as the uidNumber for each given user.
> >
> > Wait, you did this in AD? How? I thought all the SIDs need to be
> > unique because everything in AD is in a single namespace.
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
James,

Let me see if I understand your statement. Suppose my desired UID for admspike_white is 1234. So using POSIX attributes, you had assigned uidNumber == 1234 and gidNumber == 1234 on the user account admspike_white in AD. For each user you had done this.

But you had not gone the step further and created an actual group object with name 'admspike_white' and gidNumber == 1234.

If that's correct, to my mind:

1. without auto_private_groups, your user's account reference to gidNumber == 1234 is a "dangling reference". A reference to a group object that does not exist in your AD deployment.
2. with auto_private_groups, sssd takes the uidNumber (of 1234), invents the fiction of a group with the same name and gidNumber of 1234. id admspike_white reports this fiction as the primary group. In this case, the gidNumber == 1234 would be ignored by sssd (except it'd be reported as one of the supplemental groups in the 'id' command).

Do I have this right?

Spike

On Fri, Oct 4, 2019 at 11:17 AM Goetz, Patrick G wrote:
> On 10/4/19 8:21 AM, James Cassell wrote:
> > We had previously assigned POSIX attributes to all users in AD. We
> > assigned a uidNumber to each user and also a gidNumber that is the same
> > number as the uidNumber for each given user.
>
> Wait, you did this in AD? How? I thought all the SIDs need to be
> unique because everything in AD is in a single namespace.
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
On 10/4/19 8:21 AM, James Cassell wrote:
> We had previously assigned POSIX attributes to all users in AD. We assigned a
> uidNumber to each user and also a gidNumber that is the same number as the
> uidNumber for each given user.

Wait, you did this in AD? How? I thought all the SIDs need to be unique because everything in AD is in a single namespace.
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
On Fri, Oct 4, 2019, at 9:00 AM, Alex Perl wrote:
> Hi James,
>
> Thanks for the update.
> Not sure how auto_private_groups can resolve GID, if for RH6/SSSD1.13
> this attribute has no impact. It does the work quite well for RH7.3 and
> up, without any additional settings.
>
> Can you please elaborate more: "In my example, we assigned uid=gid
> attributes unique to each user."
>

We had previously assigned POSIX attributes to all users in AD. We assigned a uidNumber to each user and also a gidNumber that is the same number as the uidNumber for each given user.

Without auto_private_groups, I would have expected `id user` to return a user's primary group name equal to the user name. This did not happen, however, without turning on auto_private_groups; instead, a bare (correct) number was shown for the primary gid, but no name was resolved for that gid.

This was on RHEL 7.7, but I'm guessing the behavior is the same on RHEL 6; I'll find out for sure soon.

V/r,
James Cassell
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
Hi James,

Thanks for the update.
Not sure how auto_private_groups can resolve GID, if for RH6/SSSD1.13 this attribute has no impact. It does the work quite well for RH7.3 and up, without any additional settings.

Can you please elaborate more: "In my example, we assigned uid=gid attributes unique to each user."
[SSSD-users] Re: Is there a way to work without AD posix attributes in RH6 and get groups associated not globally?
On Thu, Oct 3, 2019, at 9:15 PM, Alex Perl wrote:
> Implemented AD/KRB/SSSD with both RH6 and RH7.
>
> RH7 no issues, as we are using auto_private_groups that was added to 1.16.1.
>
> In RH6 the issue (sssd 1.13) is that all users are getting the same
> groups, and it is a clear security gap.
>
> The only way to avoid this, based on the KB articles, is to use AD
> posix attributes. If we don't want to use this setup, is there any
> other recommended way?
>

In my experience, even with AD POSIX attributes where a GID is assigned to the user, the group name does not resolve without auto_private_groups unless there is an associated AD group with the same GID. In my example, we assigned uid=gid attributes unique to each user.

Probably the best way to close the security gap on RH6 is to enforce a umask of 077.

> The example of user/group representation, where all users are getting the
> same gid=273200513(domain users):
>
> id username
> uid=2755191114(ncircle) gid=273200513(domain users) groups=273200513(domain users)

V/r,
James Cassell