[SSSD-users] Re: sssd losing track of uid after exiting kvm

2024-01-09 Thread Charles Hedrick
Hi, On Tue, Jan 9, 2024 at 4:50 PM Charles Hedrick wrote: > > We want to use user-mode kvm for students. I've set up a VM. It u

[SSSD-users] sssd losing track of uid after exiting kvm

2024-01-09 Thread Charles Hedrick
We want to use user-mode kvm for students. I've set up a VM. It uses 9p to mount the user's home directory. After connecting to the VM with "virsh console", and then exiting, sssd on the host (not in the VM, in the main host) loses track of the user's UID. "getent passwd UNAME" works "getent

[SSSD-users] fallout from DNS failure

2020-04-21 Thread Charles Hedrick
We just had to restart sssd on a large number of machines because we had a period of DNS failure. We’re using IPA as the backend. Failures occurred on Centos 7 and 8 and Ubuntu 18. I don’t necessarily expect everything to work when DNS is dead, but I did expect it to recover. For the moment

[SSSD-users] Re: best way to check if a host is in a net group

2020-01-23 Thread Charles Hedrick
confused? studentdb is an indirect member of lcsrcf. > On Nov 4, 2019, at 11:24 AM, Charles Hedrick wrote: > > the query that generated that was > > ./test lcsrcf ilab1.cs.rutgers.edu > > We have 242 net groups in a complex multi-level setup. It’s historical, and > doe

[SSSD-users] Re: sssd - ssh and ticket renewal

2019-11-04 Thread Charles Hedrick
On Nov 4, 2019, at 11:48 AM, Sumit Bose <sb...@redhat.com> wrote: Is my assumption that one should be able to ssh to a server and have that server refresh tickets (like on a workstation) a valid one? If so, where should I concentrate my efforts to get this working? Hi, please have

[SSSD-users] Re: best way to check if a host is in a net group

2019-11-04 Thread Charles Hedrick
well. ilab1.cs.rutgers.edu was one of them. I would have expected it to return yes, but it returned 0. If I check the next level down in the hierarchy, I get success. I’m going to email you the SSSD log file separately, as I’m not sure whether there’s anything in it that shouldn’t be public. >

[SSSD-users] best way to check if a host is in a net group

2019-10-31 Thread Charles Hedrick
I need to support netgroup checks in a service, written in C. I’m asking the SSSD list because we’re using SSSD, which means that net group operations are routed to the SSSD provider. I found that innetgr doesn’t work if there are nested net groups. The man page doesn’t suggest that this would

[SSSD-users] Re: another ubuntu 18 sssd issue: cron

2019-08-29 Thread Charles Hedrick
Cute. I wondered why the problem didn’t happen on Centos. That explains it, but wasn’t at all the explanation I was expecting. On Aug 26, 2019, at 9:41 AM, Jakub Hrozek <jhro...@redhat.com> wrote: Fedora/RHEL includes 'sss' in nsswitch.conf by default precisely for this reason.

[SSSD-users] another ubuntu 18 sssd issue: cron

2019-08-26 Thread Charles Hedrick
After converting a system to sssd with an IPA backend, we found that cron was not recognizing our users. It appears (based on using lsof to see what .so files are open) that cron is reading nsswitch.conf at startup, and doesn’t notice the change when sssd setup adds sss to the user map in

[SSSD-users] Re: sssd backend not working on ubuntu 18.04

2019-08-19 Thread Charles Hedrick
ain, but we > now think this might be due to a hostname capitalization problem. > > On 8/13/19 11:00 AM, Charles Hedrick wrote: >> On our Ubuntu 18.04 servers, sssd won’t start. Logging shows that it can’t >> find any DNS servers. Restarting sssd fixes it. >> >>

[SSSD-users] Re: sssd backend not working on ubuntu 18.04

2019-08-13 Thread Charles Hedrick
after the security update, I have a version of systemd for which there’s no version of libnss-resolve that will install. > On Aug 13, 2019, at 1:02 PM, Andreas Hasenack wrote: > > Hello, > > On Tue, Aug 13, 2019 at 1:01 PM Charles Hedrick wrote: >> >> On our Ubunt

[SSSD-users] sssd backend not working on ubuntu 18.04

2019-08-13 Thread Charles Hedrick
On our Ubuntu 18.04 servers, sssd won’t start. Logging shows that it can’t find any DNS servers. Restarting sssd fixes it. /etc/resolv.conf is a symlink to ../run/systemd/resolve/stub-resolv.conf If I replace that with a hardcoded resolv.conf with the right name server, sssd comes up. Network

[SSSD-users] Re: problems with two-factor password prompts

2019-03-19 Thread Charles Hedrick
. For the offline case you’d want the user’s cache entry to include a bit saying whether 2FA was used. That way you know whether to look for the delimiter. > On Mar 18, 2019, at 1:06 PM, Sumit Bose wrote: > > On Mon, Mar 18, 2019 at 04:40:48PM +, Charles Hedrick wrote: >> Sometime ar

[SSSD-users] problems with two-factor password prompts

2019-03-18 Thread Charles Hedrick
Sometime around Centos 7.5, pam auth was changed to skip pam_unix except for local accounts. The goal was to allow pam_sss to give multiple prompts for multiple factors. This is nice in principle, but we’re having to back out. I thought sss maintainers and other might want to know why. We use

[SSSD-users] Re: unexpected owner for credentials

2018-04-10 Thread Charles Hedrick
PAM is just going to make the system > even more brittle. > > The proper migration is to remove users from /etc/passwd, and use an ID View > to > "correct" any posix data on the target machines, until you can rebuild new > ones > with the central names. > > Sim

[SSSD-users] Re: unexpected owner for credentials

2018-04-10 Thread Charles Hedrick
any posix data on the target machines, until you can rebuild new > ones > with the central names. > > Simo. > > On Mon, 2018-04-09 at 16:32 +, Charles Hedrick wrote: >> I’m trying to support an odd configuration. >> >> We have an IPA system, which is

[SSSD-users] Re: unexpected owner for credentials

2018-04-09 Thread Charles Hedrick
, Apr 09, 2018 at 04:32:00PM +0000, Charles Hedrick wrote: >> I’m trying to support an odd configuration. >> >> We have an IPA system, which is used in the normal way for systems run by >> staff. But we have hundreds of systems run by faculty and grad students. I’d >

[SSSD-users] unexpected owner for credentials

2018-04-09 Thread Charles Hedrick
I’m trying to support an odd configuration. We have an IPA system, which is used in the normal way for systems run by staff. But we have hundreds of systems run by faculty and grad students. I’d like to encourage them to integrate with our system. However their usernames and UIDs don’t

[SSSD-users] Re: [Freeipa-users] Auto create NFS home folders on IPA Server.

2018-03-14 Thread Charles Hedrick
or pam_mkhomedir. Or if using kerberized NFS, our pam_kmkhomedir. > On Feb 27, 2018, at 3:40 AM, Alexander Bokovoy via FreeIPA-users > wrote: > > On ti, 27 helmi 2018, TomK via FreeIPA-users wrote: >> On 2/26/2018 1:27 AM, Alexander Bokovoy via

[SSSD-users] Re: [Freeipa-users] Re: Re: Auto create NFS home folders on IPA Server.

2018-03-14 Thread Charles Hedrick
I noted before that we have a Kerberized mkhomedir. There’s a pam module, pam_kmkhomedir. It does a kerberized call to a service on the NFS server or some other system that has the file system mounted in a way that it can create directories. We did this because we use Kerberized NFS. Root can’t

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
> On Nov 13, 2017, at 12:51 PM, Alexander Bokovoy wrote: > > Not sure why you keep saying that. Your example showed only one entry. Suppose I want to generate (host1, user1,) (host2, user2,) I can use ipa netgroup-add-member --hosts=host1 --users=user1 ipa

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
for just netgroups. Is that what you’d suggest? > On Nov 13, 2017, at 12:15 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > > On ma, 13 marras 2017, Charles Hedrick wrote: >> While we’re on this subject, it would be useful for IPA to support >> netgroup.byhost.

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
t. > On Nov 13, 2017, at 11:44 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > > On ma, 13 marras 2017, Charles Hedrick wrote: >> Sure. We use netgroups for /etc/exports. The most natural format for triples >> is >> >> (host,,) >> >> That’

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
. rlogin ignores triples that aren’t in the current NIS domain (or blank, presumably). sshd ignores the domain component. > On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrez...@redhat.com> wrote: > > On 11/08/2017 11:47 PM, Charles Hedrick wrote: >> In my opinion the whole rfc3

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
is too inefficient, so they depend upon a cache whose normal TTL is a day. > On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrez...@redhat.com> wrote: > > On 11/08/2017 11:47 PM, Charles Hedrick wrote: >> In my opinion the whole rfc3704bis implementation of net groups is won

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
Sure. We use netgroups for /etc/exports. The most natural format for triples is (host,,) That’s the format Netapp documents. By default, ipa netgroup-add-member uses (host,-,domain) where domain seems to come from our Kerberos domain. Netapp documentation requests leaving that field blank,

[SSSD-users] Re: net groups with IPA

2017-11-10 Thread Charles Hedrick
> On Nov 9, 2017, at 3:43 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote: > > On (08/11/17 20:53), Charles Hedrick wrote: >> We want to move our net groups from NIS to IPA. I’ve loaded the groups. >> They’re visible on a system that uses nslcd pointed at the IPA

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
the triples rather than doing a complex mapping going in and out. > On Nov 8, 2017, at 5:08 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > Pavel, does this sound like the bug you were looking at wrt sudo lately? > > On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hed

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
Netapp wants the domain field to be blank. That leaves us a problem that’s hard to solve. On Nov 8, 2017, at 4:41 PM, Charles Hedrick <hedr...@rutgers.edu> wrote: OK, I see what’s going on, but it looks like a bug. We mostly use net groups for hosts

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
;. This also looks like a bug. On Nov 8, 2017, at 3:53 PM, Charles Hedrick <hedr...@rutgers.edu> wrote: We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re visible on a system that uses nslcd pointed at the IPA server. But th

[SSSD-users] net groups with IPA

2017-11-08 Thread Charles Hedrick
We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re visible on a system that uses nslcd pointed at the IPA server. But the systems that use SSSD for authentication don’t show anything. The net groups all show as undefined. I’ve turned on debugging and looked at the