[SSSD-users] Re: Warning for cached password expiration

2024-02-26 Thread James Ralston
On Fri, Feb 23, 2024 at 12:06 PM John Doe wrote: > Now I know I can calculate the time for expiration myself by > checking the 'offline_credentials_expiration' value in sssd.conf and > add that to the timestamp for cache entry last update time reported > by 'sudo sssctl user-show $USER' Are you

[SSSD-users] Re: best practice, using machine-account keytab for service SPNs

2023-07-24 Thread James Ralston
On Thu, Jul 20, 2023 at 8:38 AM Stefan Bauer wrote: > However i have a bad feeling about letting services read the keytab > file as it gives access to the machine-account. > > Opinions? > > How do you handle service keytabs and its rotation? Permitting applications to access only the

[SSSD-users] Re: not getting cached ticket from PuTTY login

2023-03-29 Thread James Ralston
On Wed, Mar 29, 2023 at 5:01 PM Pieter Voet wrote: > So, that should be it... I now have to get to the Active Directory > department on my corporate environment and ask them to set the flag > for me, because it seems that only Administrator can set the flag ( > if not customized ), even if you (

[SSSD-users] Re: not getting cached ticket from PuTTY login

2023-03-27 Thread James Ralston
On Mon, Mar 27, 2023 at 4:02 PM Spike White wrote: > Pieter, > > I have Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI -> > credential delegation turned on in putty. > > As well as on the target Linux server, it has [libdefaults] > forwardable = true. The error I get when I ssh in is: > >

[SSSD-users] Re: Can SSSD be set up to disallow login if provider not available?

2022-07-07 Thread James Ralston
On Thu, Jul 7, 2022 at 6:21 AM Alexey Tikhonov wrote: > On Thu, Jul 7, 2022 at 12:14 PM Fisher, Philip wrote: > > > In particular, if the provider is offline/not available (in this > > case an AD server/servers) then login should fail. > > Sounds like `cache_credentials = false`? (see `man

[SSSD-users] Re: Do any commercial NAS vendors use the SSD ID mapping algorithm?

2022-04-29 Thread James Ralston
On Thu, Apr 28, 2022 at 10:39 PM wrote: > For good reasons we need to move from Linux based file servers to a > NAS. The problem is that all our Linux systems use the SSD ID > mapping algorithm to calculate UID and GIDs (and it works > great!). We've not found a commercial NAS vendor who

[SSSD-users] Re: Using SSSD in a road warrior setup; update cached credentials problem

2022-04-24 Thread James Ralston
On Thu, Apr 21, 2022 at 9:16 AM David Wittwer wrote: > I've got a problem with step #3: How can I force SSSD to renew the > cached password of the user as soon as the LDAP server becomes > available? (As mentioned, the VPN connection is activated *after* > the user logs in.) Something needs to

[SSSD-users] Re: is the sssd monitor even necessary?

2022-03-16 Thread James Ralston
On Wed, Mar 16, 2022 at 6:04 AM Alexey Tikhonov wrote: > How would you use SSSD without any domain configured? I have a host on which I kinit against principals in Kerberos realms for which the host is not joined and has no other sssd services running, and I use KCM as the Kerberos credentials

[SSSD-users] is the sssd monitor even necessary?

2022-03-15 Thread James Ralston
For recent versions of sssd, the monitor (the sssd.service) won’t even start unless at least one domain is configured. As sssd.conf(5) notes, all sssd services can be socket-activated when needed. There is no need to list any services in the "services" parameter in [sssd]. So, this leads to a

[SSSD-users] feasible to use sssd in mostly offline mode?

2021-10-10 Thread James Ralston
For our on-site Linux machines, we use the sssd-ad provider to both map users/groups from Active Directory, and to authenticate users via Kerberos. It works fantastically well, to the point where we have absolutely no desire to go back to maintaining local users/groups in /etc/passwd and

[SSSD-users] Re: D-Bus / SSSD / LDAP authentication from a java application

2021-09-12 Thread James Ralston
On Fri, Sep 10, 2021 at 3:20 AM Daniil Kirilyuk wrote: > We're developing a java application, which should authenticate users > against both LDAP and custom formatted files containing user > information. Both username/password and certificate authentication > are planned to be supported. Our

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-09-09 Thread James Ralston
On 2021-09-08 at 14:18-0400 Todd Mote wrote: > The $ at the end of the host name is for AD. $ is > the actual name of the account in AD. The Kerberos utilities are > just asking the KDC to renew tickets for accounts. Computer > accounts in AD happen to have a $ appended to them under the

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-08-26 Thread James Ralston
On Thu, Aug 26, 2021 at 8:11 PM Christian, Mark wrote: > [W]hy bother with updating the machine account password? For sites that have a lot of machine churn, where machine accounts aren't reliably purged from AD when the underlying host is decommissioned, disabling and/or purging machine

[SSSD-users] Re: AD + Smart Card without having the user certificate in AD

2021-07-27 Thread James Ralston
On Mon, Jul 26, 2021 at 5:05 AM Assaf Morami wrote: > Is it possible to turn off certificate matching against AD, and just > use the username while taking the certificate directly from the > smart card? For sssd 2.1.0 and later, you should be able to use sss-certmap(5) to accomplish this, yes.

[SSSD-users] Re: AD + Smart Card without having the user certificate in AD

2021-07-18 Thread James Ralston
On Sun, Jul 18, 2021 at 1:26 PM Assaf Morami wrote: > Is it possible to have an AD + Smart Card setup, without having the > user certificate in AD? meaning have sssd take the certificate > straight from the smart card. Starting with sssd 2.1.0, sssd can map smart card certificates to AD users

[SSSD-users] Re: tips for debugging smartcard authentication failures in sssd?

2021-07-18 Thread James Ralston
On Thu, Jul 15, 2021 at 9:37 AM Arthur Scott Poore wrote: We managed to figure it out before I saw your reply, but you were on the right track: > One other question related to being air-gapped, do the certificates > on the cards have OCSP/CRL info/urls set? If so, SSSD may be trying > to check

[SSSD-users] tips for debugging smartcard authentication failures in sssd?

2021-07-12 Thread James Ralston
We have an air-gapped network of RHEL7 hosts that use sssd to perform PKINIT (smartcard + Kerberos) authentication against Windows Server 2016 domain controllers. Setting this up properly entailed setting pkinit_anchors, pkinit_pool, pkinit_cert_match, et. al. in the krb5.conf file, and enabling

[SSSD-users] Re: RHEL 8.3 KDC has no support for encryption type

2021-05-10 Thread James Ralston
On Sun, May 9, 2021 at 9:23 PM Spike White wrote: > My understanding is that even AD 2016 will support arcfour-hmac > (even though it's deprecated and not recommended). Correct; we are using it with Windows Server 2016. > Local company AD teams will make the decision to stop supporting >

[SSSD-users] Re: RHEL 8.3 KDC has no support for encryption type

2021-05-09 Thread James Ralston
On Sun, May 9, 2021 at 6:09 PM Jeremy Monnet wrote: > > It's not advisable to leave crypto-policies at LEGACY -- that > > accepts some truly weak ciphers. > > You are right, only I do not decide the AD version used... 2012R2 is > still supported by Microsoft, so people are not eager to migrate to

[SSSD-users] Re: RHEL 8.3 KDC has no support for encryption type

2021-05-06 Thread James Ralston
On Wed, May 5, 2021 at 3:27 PM Jeremy Monnet wrote: > [root@hostname sssd]# kinit -V -k > Using new cache: persistent:0:krb_ccache_PECiZeh > Using principal: host/fqdn@DOMAIN > kinit: Client 'host/fqdn@domain' not found in Kerberos database while getting > initial credentials You cannot kinit

[SSSD-users] Re: Is this still a security problem to be concerned about?

2021-03-21 Thread James Ralston
On Sun, Mar 21, 2021 at 4:24 PM Spike White wrote: > If we limit our KRB5 encryption algorithms to only strong cyphers > (AES128 and AES256), would that thwart the above SSSD attack? No. The fundamental issue is this: if an attacker has compromised a Linux host, then the attacker has access to

[SSSD-users] Re: Advantages of signed SASL bindings vs unsigned SASL bindings....

2020-10-12 Thread James Ralston
On Mon, Oct 12, 2020 at 11:25 AM Spike White wrote: > I believe our older sssd clients (RHEL 6) cannot do gss-spnego auth > mech. Only our newer RHEL7 and RHEL8 clients can do gss-spnego. Correct. sssd relies on the Cyrus SASL library to perform the authentication, and the RHEL6 version of

[SSSD-users] Re: realmd: socket activation and sssd.conf's services= line

2020-09-09 Thread James Ralston
On Wed, Sep 9, 2020 at 9:58 AM Andreas Hasenack wrote: > Debian and Ubuntu use the upstream systemd service files as is, with > no changes, and we do see conflicts when services= is used together > with socket activation. Perhaps the best conclusion to draw from this is that activating sssd

[SSSD-users] Re: Are sssd's AD SASL bindings signed?

2020-09-02 Thread James Ralston
On Wed, Sep 2, 2020 at 3:17 PM Spike White wrote: > What cybersecurity is reporting off of is a particular event number > on its AD controllers. which is showing a connection to a LDAP > port. > > Is there another (better) event that it should be looking for > instead? I.e., it should be

[SSSD-users] Re: Are sssd's AD SASL bindings signed?

2020-09-02 Thread James Ralston
On Wed, Sep 2, 2020 at 1:46 PM Spike White wrote: > I apologize if this has been covered already. But this was just > brought up by our cybersecurity team. They plan to disable > "deprecated protocols". By that, they mean simple LDAP binding to > AD's LDAP port. Because of passing content in

[SSSD-users] Re: How to authenticate machine with Kerberos to Active Directory?

2020-07-29 Thread James Ralston
On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor wrote: > I have a program I am trying to set up which tries to authenticate > with the principal host\machine-FQDN@REALM using Kerberos. > > However, when I run kinit -k, the machine isn't found in the Kerberos > database. "kinit -k" (with no

[SSSD-users] Re: sssd 1.16.4. ADV190023.

2020-02-13 Thread James Ralston
On Thu, Feb 13, 2020 at 10:24 AM Mote, Todd wrote: > Only using GSSAPI causes the unsigned SASL event. > > root@anti-test:~ # ldapsearch -H ldap://dc01a.ADTEST.domain.com -Y GSSAPI -b > '' -s base > SASL/GSSAPI authentication started > SASL username: ANTI-TEST$@ADTEST.domain.com > SASL SSF: 256

[SSSD-users] synthesizing SID-mapped passwd/group entries from LDIF data

2020-01-23 Thread James Ralston
/qralston/genent It works for us in our environment; hopefully others will find it useful as well. This is the initial release, so it may be buggy. Feedback, pull requests, issues, et. al. are all welcome; please consult the TODO.md file. On Fri, Oct 25, 2019 at 8:11 PM James Ralston wrote

[SSSD-users] Re: Provider clarifications

2020-01-10 Thread James Ralston
On Thu, Jan 9, 2020 at 7:59 AM Lars Francke wrote: > > > auth: Validates credentials for an object > > > > The auth provider is the backend that sssd uses to provide PAM > > “auth” module services for applications that are configured to > > call pam_sss.so in the PAM auth stack. E.g.: > > > >

[SSSD-users] Re: Provider clarifications

2020-01-06 Thread James Ralston
On Mon, Jan 6, 2020 at 10:25 AM Lars Francke wrote: > Hi, > > I've got a question that seems pretty trivial to me so it feels like > I'm missing something obvious. > > I know that there are different provider types: id, auth, chpass, > access (and maybe others) > > But what I don't quite

[SSSD-users] Re: users home directory path not as expected

2020-01-06 Thread James Ralston
On Mon, Jan 6, 2020 at 6:02 PM Manuel Sopena Ballesteros wrote: > Our intention is to mount user home directory from our centralized > storage using autofs but for some reason the mount point goes to > /home// instead of /home/ > > This is our sssd configuration > > [domain/] > … > > [nss] >

[SSSD-users] Re: smartcard mapping via msUPN SAN (OID 1.3.6.1.4.1.311.20.2.3)?

2019-10-29 Thread James Ralston
On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose wrote: > I'm sorry, currently there are some copy-and-paste errors in the > examples of the sss-certmap man page. I'll try to fix them in one of > the next releases. A related question, which I don't see answered in sss-certmap(5): if sssd is

[SSSD-users] Re: smartcard mapping via msUPN SAN (OID 1.3.6.1.4.1.311.20.2.3)?

2019-10-28 Thread James Ralston
On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose wrote: > unfortunately there are two different ways to encode Kerberos > principals, one is the AD way with OID 1.3.6.1.4.1.311.20.2.3 the other > is defined in RFC 4556 with 1.3.6.1.5.2.2. > > To be most flexible the mapping and matching rules provide

[SSSD-users] Re: Is there an RFC or detailed design document describing SSSD's ID Mapping algorithm?

2019-10-25 Thread James Ralston
On Wed, Oct 16, 2019 at 6:17 PM Jeff Thornsen wrote: > The reason I ask is because I use a bunch of storage appliances that > offer Secure-NFS (NETAPP, EMC UNITY, etc.), but they only support > NIS, IDMU, RFC2307, and RFC2307bis style Identity Mapping, all of > which require manual assignment of

[SSSD-users] smartcard mapping via msUPN SAN (OID 1.3.6.1.4.1.311.20.2.3)?

2019-10-25 Thread James Ralston
I was reviewing the documentation for the "certificate mapping and matching rules for all providers" feature that landed in sssd 2.0: https://docs.pagure.org/SSSD.sssd/design_pages/certmaps_for_LDAP_AD_file.html However, I'm not sure how to use this feature to map certificates to AD users based

[SSSD-users] Re: sssd PKINIT smartcard auth on RHEL7?

2019-10-25 Thread James Ralston
On Mon, Oct 21, 2019 at 4:25 PM James Cassell wrote: > On Mon, Oct 21, 2019, at 1:16 PM, James Ralston wrote: > > > When you say "SSH authentication using the Smart Card", what > > exactly do you mean? > > I mean using the private key on the Smart Ca

[SSSD-users] Re: sssd PKINIT smartcard auth on RHEL7?

2019-10-21 Thread James Ralston
19 -p1 -b .enable-pkinit-debugging ln NOTICE LICENSE @@ -521,6 +523,7 @@ %{__cc} -fPIC -shared -o noport.so -Wall -Wextra $RPM_SOURCE_DIR/noport.c %check +exit 0 # Alright, this much is still a work in progress. %if %{?__isa_bits:%{__isa_bits}}%{!?__isa_bits:32} == 64 if hostname | grep -q
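Review bot: the `+exit 0` inserted at the top of `%check` unconditionally skips the package's whole test phase, including the `%if %{?__isa_bits:...} == 64` block that follows it, and the trailing comment marks it as a work in progress rather than an intended change; if a specific check needs to be bypassed while debugging PKINIT, gate only that check (or guard the early exit behind a build conditional) so the skip is explicit and does not ship in a finished spec.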

[SSSD-users] Re: sssd PKINIT smartcard auth on RHEL7?

2019-10-20 Thread James Ralston
On Sat, Oct 19, 2019 at 3:26 AM James Cassell wrote: > On Fri, Oct 18, 2019, at 9:58 PM, James Ralston wrote: > > > I am struggling to get smartcard authentication working on RHEL7, > > using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active > > Directory

[SSSD-users] sssd PKINIT smartcard auth on RHEL7?

2019-10-18 Thread James Ralston
I am struggling to get smartcard authentication working on RHEL7, using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active Directory KDCs. Has anyone actually gotten this working? If so, what behavior differences do you see from various login mechanisms (gdm, login, et. al.)? Because I

[SSSD-users] Re: [AD] Filter out disabled users

2019-09-18 Thread James Ralston
On Thu, Sep 12, 2019 at 12:50 PM Hinrikus Wolf wrote: > I have implemented the ldap_search_base. But the disabled users > are still listed in > > > getent passwd > > That means they are present for PAM. Not necessarily. If you did not wipe the sssd cache after you changed the configuration,

[SSSD-users] Re: [AD] Filter out disabled users

2019-09-11 Thread James Ralston
On Wed, Sep 11, 2019 at 3:05 PM Hinrikus Wolf wrote: > ldap_search_base = > dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) Putting an (objectClass=user) filter in

[SSSD-users] Re: KCM credential forwarding behavior broken?

2019-06-09 Thread James Ralston
On Tue, Jun 4, 2019 at 1:25 AM Winberg Adam wrote: > Sounds like the same issue I had, i created a bugzilla ticket for it: > https://bugzilla.redhat.com/show_bug.cgi?id=1712875 Thanks; I piled on. > For us KCM does not bring anything extra to the table as it does not > manage ticket renewals

[SSSD-users] KCM credential forwarding behavior broken?

2019-06-03 Thread James Ralston
I filed this issue a week or so ago: https://pagure.io/SSSD/sssd/issue/4017 In essence, it would seem that if KCM already has credentials in the cache, then KCM will never discard those credentials in favor of new credentials being forwarded via sshd, even if the credentials in the cache are

[SSSD-users] RHEL8 sssd-kcm can't accept credentials forwarded from sshd?

2019-05-10 Thread James Ralston
Now that RHEL8 is out, our site is again looking at whether it would be feasible to change our default Kerberos credentials storage from the kernel persistent keyring to sssd-kcm. Unfortunately, the answer still seems to be no, as we haven't been able to find a way to get Kerberos ticket

[SSSD-users] Re: getent group empty output - no members shown

2019-04-01 Thread James Ralston
On Mon, Apr 1, 2019 at 2:18 AM Hans Schou wrote: > On Fri, 29 Mar 2019 at 16:49, James Ralston wrote: > > > 1. You are setting ldap_id_mapping = False, so that means > >sssd will only map groups that have the gidNumber > >attribute. If there i

[SSSD-users] Re: getent group empty output - no members shown

2019-03-29 Thread James Ralston
On Fri, Mar 29, 2019 at 9:25 AM Hans Schou wrote: > "getent group " does not give any output at all. > However "getent passwd" looks correctly up in the AD: > > $ getent passwd zmir2 > zmir2:*:2956636:100:Hans Schou:/home/zmir2:/bin/bash > $ grep -c ^zmir2 /etc/passwd > 0 > > nsswitch looks

[SSSD-users] Re: smartcard authentication directly against AD (no IPA)?

2018-08-13 Thread James Ralston
On Fri, Aug 10, 2018 at 8:31 PM James Cassell wrote: > We had to add each user's Smart Card certificate to the "User > Certificate" attribute in Active Directory. We were not able to > make the association only based on trusting the X.509 certificate > like Windows does. Bah. I'll get no end

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread James Ralston
On Mon, Jul 9, 2018 at 8:19 AM Ondrej Valousek wrote: > Is there any way how can we recreate system keytab file of a machine > joined to AD if the file has been broken/deleted? > > I want to avoid doing join again as this would probably delete the > existing account (with all attributes we have

[SSSD-users] managing RHEL5 sssd clients without functional ldap_id_mapping?

2018-05-18 Thread James Ralston
We have a small development Active Directory domain where we have several RHEL7 hosts. We never extended our AD schema with the RFC2307 attributes (uidNumber, gidNumber, et. al.). Instead, we just configured sssd with ldap_id_mapping = true. It works fantastically well! BUT: now we need to add

[SSSD-users] Re: AD in mixed OS environment with SSSD

2018-05-01 Thread James Ralston
On Mon, Apr 30, 2018 at 8:35 AM, Zdravko Zdravkov wrote: > Hi all. > > I've got working samba AD server. It is playing nicely with Windows > 10 and also successfully authenticating Linux machines with SSSD. > On the Windows machines I have our EMC storage smb mounted via group

[SSSD-users] Re: does sssd support using a Microsoft read-only Domain Controller (RODC)?

2018-04-19 Thread James Ralston
On Thu, Apr 19, 2018 at 3:12 AM, Sumit Bose wrote: > Unfortunately there is a special behavior of the AD provider which > is not documented in the man page which would use > MYCLIENT$@EXAMPLE.ORG as default, see below ... OK… > > > > However, this is ambiguous. Does this

[SSSD-users] Re: Existing UID ranges

2018-04-19 Thread James Ralston
On Thu, Apr 19, 2018 at 8:14 AM, John Hearns wrote: > I think this question must be asked many times. So forgive me. We > have an existing set of Unix usernames/uids which are pushed out > onto the client workstations via a configuration management > system. I.e. there are

[SSSD-users] Re: does sssd support using a Microsoft read-only Domain Controller (RODC)?

2018-04-18 Thread James Ralston
On Tue, Apr 17, 2018 at 2:27 AM, Sumit Bose <sb...@redhat.com> wrote: > On Mon, Apr 16, 2018 at 04:28:59PM -0400, James Ralston wrote: > > > Has anyone figured out how to make sssd utilize a Microsoft > > read-only Domain Controller (RODC)? > > > > But no matte

[SSSD-users] does sssd support using a Microsoft read-only Domain Controller (RODC)?

2018-04-16 Thread James Ralston
Has anyone figured out how to make sssd utilize a Microsoft read-only Domain Controller (RODC)? The host we want to join to AD is already behind the RODC. So, we are trying to "join" the host to the RODC by pre-creating a computer account object in AD (via a RWDC), then exporting a Kerberos

[SSSD-users] Re: how to call SSS_NSS_GETIDBYSID from other programs?

2017-09-21 Thread James Ralston
On Wed, Sep 20, 2017 at 3:34 AM, Sumit Bose wrote: > $ python > Python 2.7.12 (default, Sep 29 2016, 12:52:15) > [GCC 6.2.1 20160916 (Red Hat 6.2.1-2)] on linux2 > Type "help", "copyright", "credits" or "license" for more information. import pysss_nss_idmap

[SSSD-users] Re: how to call SSS_NSS_GETIDBYSID from other programs?

2017-09-19 Thread James Ralston
On Tue, Sep 19, 2017 at 4:08 PM, James Ralston <rals...@pobox.com> wrote: > I could just issue individual getpwnam()/getgrnam() calls for every > user/group object, and let sssd synthesize the entries. But this > would require careful tuning of sssd's cache configuration opt

[SSSD-users] how to call SSS_NSS_GETIDBYSID from other programs?

2017-09-19 Thread James Ralston
I have a storage appliance that needs local passwd/group files loaded onto it, which need to match the entries we get by using sssd's ldap_id_mapping feature. So I need some way to enumerate or synthesize passwd/group entries, for every user/group object in our domain, using LDIF dumps from AD

[SSSD-users] Re: please do not remove enumeration from AD provider

2016-01-28 Thread James Ralston
On Thu, Jan 28, 2016 at 8:18 AM, Bolke de Bruin wrote: > As mentioned in another thread one of the Hadoop components (Ranger) > syncs all users and groups (including GIDs) on a regular basis to > provide authorization. Unfortunately, that is the problem. :-( Apache Ranger

[SSSD-users] Re: please do not remove enumeration from AD provider

2016-01-27 Thread James Ralston
Following up on an issue from a while ago… On Thu, May 14, 2015 at 9:32 PM, Stephen Gallagher wrote: > [T]he SSSD developers are spending a moderate amount of time dealing > with bugs in it [enumeration], first of all. Secondly, the > limitations aren't really clearly

[SSSD-users] Re: disable ad backend group filtering? (was Re: Re: speeding up iterative enumeration?)

2016-01-27 Thread James Ralston
On Wed, Jan 27, 2016 at 10:24 AM, Jakub Hrozek wrote: > btw the other thing we've been talking about is only do write the > entry when it actually changes. Most of the time, when we refresh > the entry from the server, nothing changes. The idea would be to > write only the

[SSSD-users] speeding up iterative enumeration?

2016-01-26 Thread James Ralston
We are using the ad provider for sssd, with the id mapping feature enabled. We have a program that obtains a list of all Active Directory users and groups via LDAP, and then calls getpwnam()/getgrnam() on those users and groups. (We used to accomplish this enumeration simply by enabling

[SSSD-users] disable ad backend group filtering? (was Re: Re: speeding up iterative enumeration?)

2016-01-26 Thread James Ralston
On Tue, Jan 26, 2016 at 3:03 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Tue, Jan 26, 2016 at 02:19:42PM -0500, James Ralston wrote: > >> Here's the problem: unless the user/group objects already happen to be >> in sssd's cache, enumerating the passwd/group entrie

Re: [SSSD-users] please do not remove enumeration from AD provider

2015-05-14 Thread James Ralston
On Wed, May 6, 2015 at 3:10 PM, Stephen Gallagher sgall...@redhat.com wrote: To be fair, it's not that hard to turn that [ldapsearch command] into a bash script that your users can use instead of learning the ldap syntax. But yes, that's still a change in behavior. We could, but I think just

Re: [SSSD-users] could not store group failures for lookups on Active Directory groups

2015-05-06 Thread James Ralston
Hi Lukas, On Wed, May 6, 2015 at 1:47 AM, Lukas Slebodnik lsleb...@redhat.com wrote: On (06/05/15 01:12), James Ralston wrote: enumerate = true I hope it was just for testing purposes. We do not recommend enabling enumeration. I know it's not recommended. I'll address

[SSSD-users] please do not remove enumeration from AD provider

2015-05-06 Thread James Ralston
On Wed, May 6, 2015 at 4:27 AM, Jakub Hrozek jhro...@redhat.com wrote: You know, just this morning, I was thinking about enumeration. It doesn't work for IPA views at all for example. It doesn't work for trusted domains at all either (except for some limited support in AD trusted domains

Re: [SSSD-users] could not store group failures for lookups on Active Directory groups

2015-05-06 Thread James Ralston
On Wed, May 6, 2015 at 1:26 PM, Jakub Hrozek jhro...@redhat.com wrote: On Wed, May 06, 2015 at 01:02:22PM -0400, James Ralston wrote: 3. Wait for Red Hat to rebase RHEL6 to 1.12.5? RHEL-6.7 will rebase to sssd-1-12. If you want to stay on the supported patch, this is the best option. btw

[SSSD-users] could not store group failures for lookups on Active Directory groups

2015-05-05 Thread James Ralston
Hi, I think this problem may be part (or related to) the FreeIPA/SSSD LDAP cross-forest trust slow queries issue, but I'm not sure. We've been testing sssd on our RHEL6 and RHEL7 hosts, using the latest available packages. We have a fairly simple sssd configuration. We use the ad provider with