Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
Unfortunately, the sudo package included in Amazon Linux does not work with sudo rules provided via SSS; however, it is on the feature request list. To work around this you can replace it with the CentOS one:
http://mirror.centos.org/centos/6.7/os/x86_64/Packages/sudo-1.8.6p3-19.el6.x86_64.rpm

From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Alexander Bokovoy <aboko...@redhat.com>
Sent: 21 September 2015 20:40
To: Gustavo Mateus
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

On Mon, 21 Sep 2015, Gustavo Mateus wrote:
>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?
Please don't send emails personally unless asked to do that. Your problem
can be tracked on the public mailing list.

>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P<name>.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers:files sss
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of the centralized management
>that freeipa+sssd provides.
SSSD has its own plugin for sudo integration that makes it possible to cache
sudo rules via SSSD itself, as opposed to using sudo's LDAP plugin, which
tries to talk to the LDAP server directly.

You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins. I don't have
access to Amazon Linux source code, thus I cannot check whether their sudo
package supports external plugins. So even if your sssd version includes
the sudo plugin, it may well simply be unused by your sssd version. Again,
I have no idea how Amazon's Linux AMI is built, thus it may lack this
capability.

At this point I'd suggest you investigate yourself and contact Amazon
support for finding out exactly what is happening there.
-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
I used compat because that is what ipa-advise provided me. I did not pay attention to that part.

And yes, that did the trick :)

Thank you very much

Gustavo

On Sun, Sep 20, 2015 at 8:51 AM, Jakub Hrozek wrote:
> On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> > On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> > >
> > >>On 18 Sep 2015, at 19:17, Gustavo Mateus wrote:
> > >>
> > >>That only shows this:
> > >>
> > >># extended LDIF
> > >>#
> > >># LDAPv3
> > >># base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Mon, Sep 21, 2015 at 10:40:07PM +0300, Alexander Bokovoy wrote:
> At this point I'd suggest you to investigate yourself and contact Amazon
> support for finding out exactly what is happening there.

It would be nice if Amazon actually packaged all the functionality RHEL
packages for several years :-) But maybe there are some issues preventing
them -- filing a support case and asking them might go a long way. I'm sure
if Amazon approached us on this (or the -devel) list we'd be glad to work
with them on any technical issues..
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Mon, 21 Sep 2015, Jakub Hrozek wrote:
>On Mon, Sep 21, 2015 at 10:40:07PM +0300, Alexander Bokovoy wrote:
>> At this point I'd suggest you to investigate yourself and contact Amazon
>> support for finding out exactly what is happening there.
>
>It would be nice if Amazon actually packaged all the functionality RHEL
>packages for several years :-) But maybe there are some issues preventing
>them -- filing a support case and asking them might go a long way. I'm sure
>if Amazon approached us on this (or the -devel) list we'd be glad to work
>with them on any technical issues..
According to Amazon, they have issues with packaging Samba. I'd let them
respond themselves, given they are the only ones who can say why they are
so insistent on not packaging Samba while providing one of the key
infrastructure parts of AWS via Samba AD.

https://forums.aws.amazon.com/thread.jspa?threadID=164971
-- 
/ Alexander Bokovoy
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Mon, 21 Sep 2015, Gustavo Mateus wrote:
>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?
Please don't send emails personally unless asked to do that. Your problem
can be tracked on the public mailing list.

>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P<name>.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers:files sss
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of the centralized management
>that freeipa+sssd provides.
SSSD has its own plugin for sudo integration that makes it possible to cache
sudo rules via SSSD itself, as opposed to using sudo's LDAP plugin, which
tries to talk to the LDAP server directly.

You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins. I don't have
access to Amazon Linux source code, thus I cannot check whether their sudo
package supports external plugins. So even if your sssd version includes
the sudo plugin, it may well simply be unused by your sssd version. Again,
I have no idea how Amazon's Linux AMI is built, thus it may lack this
capability.

At this point I'd suggest you investigate yourself and contact Amazon
support for finding out exactly what is happening there.
-- 
/ Alexander Bokovoy
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Sat, Sep 19, 2015 at 06:32:40AM -0700, Gustavo Mateus wrote:
> I've already included that in the IPA permissions.
> Anonymous access to ipaSshPubKey is marked as public already. Read and
> Search is allowed.

As your ldapsearch proved, it's still not working. If you search the server
logs, you might see what exact attributes were requested and whether they
were permitted. (Requesting just the single attribute might make the server
logs a bit more readable)
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Sat, Sep 19, 2015 at 07:47:55PM +0300, Alexander Bokovoy wrote:
> On Sat, 19 Sep 2015, Jakub Hrozek wrote:
> >
> >>On 18 Sep 2015, at 19:17, Gustavo Mateus wrote:
> >>
> >>That only shows this:
> >>
> >># extended LDIF
> >>#
> >># LDAPv3
> >># base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
> On 18 Sep 2015, at 19:17, Gustavo Mateus wrote:
>
> That only shows this:
>
> # extended LDIF
> #
> # LDAPv3
> # base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
I've already included that in the IPA permissions.
Anonymous access to ipaSshPubKey is marked as public already. Read and
Search is allowed.

On Sat, Sep 19, 2015 at 4:36 AM, Jakub Hrozek wrote:
>
> > On 18 Sep 2015, at 19:17, Gustavo Mateus wrote:
> >
> > That only shows this:
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Thu, Sep 17, 2015 at 10:33:41AM -0700, Gustavo Mateus wrote:
> When I use id_provider=ipa I get:
>
> [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]

Ah, I think they simply don't package the IPA backend. Time to file an RFE
with Amazon? :-)

>
> Adding a [ssh] section with just "debug_level = 10" on it, I get:
>
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[174221] egid[174221] pid[6295].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain []
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from []
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
>
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
>
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
>
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
>
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
>
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin@default]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
> (Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]
>
>
> ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):
>
> asq: Unable to register control with rootdse!
> # record 1
> dn: name=admin,cn=users,cn=default,cn=sysdb
> createTimestamp: 1442509579
> fullName: Administrator
> gecos: Administrator
> gidNumber: 174220
> homeDirectory: /home/admin
> loginShell: /bin/bash
> name: admin
> objectClass: user
> uidNumber: 174220
> originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
> originalModifyTimestamp: 20150829000451Z
> entryUSN: 1428
> lastUpdate: 1442509579
> dataExpireTimestamp: 1442514979
> distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

The communication between the ssh responder and the back end went fine. I
think I should have been more careful the first time around, looks like the
backend cannot find the attribute in LDAP (some ACI problems, maybe?)

From your earlier logs:
(Wed Sep 16 18:13:36 2015) [sssd[be[default]]] [sdap_attrs_add_ldap_attr]
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
That only shows this:

# extended LDIF
#
# LDAPv3
# base
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> Hi,
>
> I have an IPA server running on redhat and I'm trying to find the best way to
> get my amazon linux instances to use it for authentication, ssh key
> management and sudo rules.
>
> I'm now trying to use SSSD to achieve those goals. Authentication is
> working but I'm having problems getting the user public ssh keys using
> /usr/bin/sss_ssh_authorizedkeys.
>
>
> This is my sssd.conf:
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = default
> re_expression = (?P<name>.+)
>
> [domain/default]
> debug_level = 8
> cache_credentials = True
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://ipa.my.domain.com
> ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
> ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
> ldap_user_ssh_public_key = ipaSshPubKey
>
>
> The original configuration was done using ipa-advise ipa-advise
> config-redhat-sssd-before-1-9.

Is there any particular reason to keep doing this versus joining the client
to the domain and using id_provider=ipa ?

> I just changed the services parameter to
> include "ssh, sudo" and "ldap_user_ssh_public_key"

I don't think sudo would work unless you authenticate the LDAP connection.

>
> When I run it on the client I get no response or error. Even running it in
> debug mode:
>
> /usr/bin/sss_ssh_authorizedkeys admin --debug 10

I would check if:
    - debug_level in the [ssh] section reveals anything. Is the ssh
      responder being contacted, are there any errors?
    - check with ldbsearch (ldb-tools package) if the ssh key attribute is
      really fetched from IPA LDAP and is stored along the user entry
Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)
When I use id_provider=ipa I get:

[sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]


Adding a [ssh] section with just "debug_level = 10" on it, I get:

(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [get_client_cred] (0x4000): Client creds: euid[174221] egid[174221] pid[6295].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [admin][]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [admin] from []
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][1][1][name=admin]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xd32ba0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0xd310f0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_parse_name] (0x0100): Domain not provided!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xd3f3b0
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xd3f470
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Running timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0xd3f470 "ltdb_timeout"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0xd3f3b0 "ltdb_callback"
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40aba0:1:admin@default]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xd34eb0][17]
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Thu Sep 17 17:27:12 2015) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0xd34eb0][17]


ldbsearch shows this (ldbsearch -H /var/lib/sss/db/cache_default.ldb name=admin):

asq: Unable to register control with rootdse!
# record 1
dn: name=admin,cn=users,cn=default,cn=sysdb
createTimestamp: 1442509579
fullName: Administrator
gecos: Administrator
gidNumber: 174220
homeDirectory: /home/admin
loginShell: /bin/bash
name: admin
objectClass: user
uidNumber: 174220
originalDN: uid=admin,cn=users,cn=compat,dc=my,dc=domain,dc=com
originalModifyTimestamp: 20150829000451Z
entryUSN: 1428
lastUpdate: 1442509579
dataExpireTimestamp: 1442514979
distinguishedName: name=admin,cn=users,cn=default,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Thanks,
Gustavo

On Thu, Sep 17, 2015 at 12:25 AM, Jakub Hrozek wrote:
> On Wed, Sep 16, 2015 at 11:28:49AM -0700, Gustavo Mateus wrote:
> > Hi,
> >
> > I have an IPA server running on redhat and I'm trying find the best way
> to
> > get my amazon linux instances to use it for authentication, ssh key
> > management and sudo rules.
> >
> > I'm now trying to use SSSD to achieve those goals. Authentication is
> > working but I'm having problems to get the user public ssh keys using
> > /usr/bin/sss_ssh_authorizedkeys.
> >
> >
> > This is my sssd.conf:
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = default
> >
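The thread turns on three configuration details: the first sssd.conf searched under cn=compat and the SSH keys only appeared once the base moved to cn=accounts (Gustavo's final message), Jakub's remark that sudo over the LDAP provider needs an authenticated bind, and the nsswitch.conf sudoers line that must list sss before the SSSD sudo plugin is consulted at all. As an added example that is not part of the thread and not SSSD's or FreeIPA's own code, here is a small Python lint that checks an sssd.conf body for those points. The two embedded configs are the ones posted in this thread (reproduced as constructed strings); the finding codes, the "bind is authenticated if one of these options is set" heuristic, the TLS check and the nsswitch parser are my own assumptions, and the sudo_provider fallback to id_provider follows sssd.conf(5).

```python
"""Added example, not code from the thread, SSSD or FreeIPA: static checks for
an sssd.conf built the way this thread's client is (id_provider=ldap against an
IPA server, no ipa-client-install). Codes and heuristics are my own."""
import configparser
import re

# Constructed sample: the first sssd.conf posted in the thread (compat base).
SSSD_CONF_COMPAT = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipa.my.domain.com
ldap_search_base = cn=compat,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey
"""

# Constructed sample: the later sssd.conf from the thread (accounts base, sudo).
SSSD_CONF_ACCOUNTS = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipaserver.my.domain.com
ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
"""

# Presence of any of these means the LDAP bind is not anonymous (heuristic).
BIND_OPTIONS = ("ldap_default_bind_dn", "ldap_sasl_mech", "ldap_sasl_authid")


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_sssd_conf(text):
    """Return (code, message) findings for an sssd.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    services = _csv(cp.get("sssd", "services", fallback=""))
    findings = []
    for dom in _csv(cp.get("sssd", "domains", fallback="")):
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(("missing-domain", f"[{sec}] listed but not defined"))
            continue
        d = cp[sec]
        base = d.get("ldap_search_base", "").lower()
        key_attr = d.get("ldap_user_ssh_public_key")
        # Thread: keys were only fetched after the base moved off cn=compat.
        if "ssh" in services and key_attr and "cn=compat" in base:
            findings.append(("compat-no-sshkey", f"[{sec}] {key_attr} is looked up "
                             "under cn=compat; use cn=accounts,<suffix> as the base"))
        # sudo_provider defaults to id_provider when unset (sssd.conf(5)).
        sudo_provider = d.get("sudo_provider", d.get("id_provider"))
        if ("sudo" in services and sudo_provider == "ldap"
                and not any(opt in d for opt in BIND_OPTIONS)):
            findings.append(("sudo-anonymous-bind", f"[{sec}] sudo rules fetched over "
                             "an anonymous bind; set ldap_default_bind_dn/authtok or SASL"))
        if d.get("ldap_uri", "").startswith("ldap://") and not d.get("ldap_tls_cacert"):
            findings.append(("ldap-no-tls", f"[{sec}] plain ldap:// with no "
                             "ldap_tls_cacert, so STARTTLS cannot verify the server"))
    return findings


def sudoers_sources(nsswitch_text):
    """Lookup sources on the 'sudoers:' line of nsswitch.conf ('sss' must be listed)."""
    for line in nsswitch_text.splitlines():
        m = re.match(r"^\s*sudoers\s*:\s*(.*)$", line.split("#", 1)[0])
        if m:
            return m.group(1).split()
    return []


if __name__ == "__main__":
    for name, conf in (("compat", SSSD_CONF_COMPAT), ("accounts", SSSD_CONF_ACCOUNTS)):
        print(name, lint_sssd_conf(conf))
    print("sudoers sources:", sudoers_sources(open("/etc/nsswitch.conf").read()))
```

Run against the two configs from the thread, the compat one is flagged for both the SSH key base and the anonymous sudo bind, the later one only for the bind; adding an `ldap_default_bind_dn` (for IPA, typically a system account under cn=sysaccounts,cn=etc) clears the last finding. Even with sss listed in nsswitch.conf this says nothing about whether the installed sudo binary was built with the sss backend, which is the separate point raised about Amazon Linux's package.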