Are you connecting an AD server or an LDAP server? If the former is
ad_use_ldaps set to true or false?
Spike
On Wed, Feb 21, 2024 at 11:46 AM Johnnie W Adams wrote:
> Hi, folks,
>
>
> So I've got a very puzzling situation. Just today, when I look at
> sssd with systemctl status, I get
d, Jan 31, 2024 at 8:01 AM Sumit Bose wrote:
> On Mon, Jan 22, 2024 at 03:08:30PM -0600, Spike White wrote:
> > All,
> >
> >
> > We’re auditing for successful & healthy AD join of our 32K+ servers. Our
> > check is basically this:
> >
> >
> > AUT
s that are allegedly failing, but
sssd is truly succeeding.
Spike White
--
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedorapr
, there's an optimization that's not expensive
(to clients doing LDAP searches) called 'tokengroups'.
Spike White
On Thu, Jan 18, 2024 at 5:28 PM Finn Fysj wrote:
> I'm experiencing problems on my RHEL 9 instance when looking up members of
> group using
> getent group . I can only get us
lso fails if it is configured to use KCM.
>
> Alejandro
>
> On Wed, Jan 10, 2024 at 11:02 PM Spike White
> wrote:
>
>> All,
>>
>> Is there a packaging problem on the latest version of RHEL8 sssd?
>>
>> On several of our RHEL8 servers during the las
All,
Is there a packaging problem on the latest version of RHEL8 sssd?
On several of our RHEL8 servers during the last update cycle, sssd logins
start failing. It appears to be when upgrading to version
sssd-2.9.1-4.0.1.el8_9.x86_64.
Upon deep dive, it turns out the sssd-kcm RPM is missing.
I don't understand why that full list of permitted_enctypes is a problem,
while your abbreviated list is not.
I do know that windows AD controllers seem to favor aes256-cts-hmac-sha1-96
and aes128-cts-hmac-sha1-96. For most AD domains, DES was deprecated long
ago and as of last year, I think
> On 04/10/2023 17:02, Spike White wrote:
> > We see in other places in this McAfee script that they run this command
> > using 'su' instead of 'sudo'.
> >
> > su -s /bin/sh -c "LD_LIBRARY_PATH=... ${PROGROOT}/bin/macmnsvc
> > status" m
Anyway, it's McAfee's problem to fix now. We'll report it and I'm sure
they'll figure out a solution.
Spike White
On Wed, Oct 4, 2023 at 4:45 AM Alexey Tikhonov wrote:
>
>
> On Wed, Oct 4, 2023 at 11:40 AM Alexey Tikhonov
> wrote:
>
>>
>>
>> On Tue, Oct 3,
wrote:
> On Mon, Oct 2, 2023 at 7:01 PM Spike White wrote:
> >
> > So the idea to turn on debug_level = 9 on the client and view the logs
> was inspired. We turned on debug level 9 on 4 clients;
> >
> > 2 in the list (that we got from AD team of servers in that AMERAust
On Mon, Oct 2, 2023 at 2:37 AM Alexey Tikhonov wrote:
> Hi,
>
> On Mon, Oct 2, 2023 at 6:20 AM Spike White wrote:
>
>> All,
>>
>> Is there anything in sssd's RHEL and RHEL-like Linux server OS settings
>> that perform LDAP binds or connections to AD every 30 minut
All,
Is there anything in sssd's RHEL and RHEL-like Linux server OS settings
that perform LDAP binds or connections to AD every 30 minutes?
What our AD team is seeing is all of the DCs in our biggest AMER AD site
peak with LDAP sessions for about 10 minutes at the top of the hour then
again at
Red Hat also has some good documentation and white papers about "directly
integrating Linux servers to AD".
For instance, Red Hat Enterprise Linux 8 Integrating RHEL systems directly
with Windows Active Directory
services?
>
> Thank you.
>
> Stefan
>
>
>
> On Mon., 24 July 2023 at 23:14, Spike White <
> spikewhit...@gmail.com> wrote:
>
>> I know on a former commercial product I used the monthly machine
>> account credential renewal had a "hook"
I know on a former commercial product I used the monthly machine
account credential renewal had a "hook" parameter where you could specify
an executable script to be called. It was designed to work with Samba, so
that you could write the samba keytab file without Samba needing to access
the
for this
slowness. Only on exhaustive research did they determine their app is
contacting kerberos directly.
Spike
On Fri, Jun 23, 2023 at 11:07 AM Spike White wrote:
> Appreciate the insight. These are production RHEL7 servers, which I see
> are based on sssd-1.16.5-xxx. As in anything production
Vivianne,
Is this with a simple AD forest (single domain)?
We see lost memberships for accounts sporadically too, but only for
cross-domain accounts. (another domain, same forest). And it does not
occur nearly as frequently as you -- might be a single account once every 5
hrs. Like you,
Thu, Jun 22, 2023 at 7:52 PM Spike White
> wrote:
>
>> Alexey,
>>
>> Thanks for the suggestion.
>>
>> This is a commercial application. Cloudera's hadoop implementation. No
>> idea if they use getgrouplist() under the hood. I can ask our Cloudera
>
Spike
On Thu, Jun 22, 2023 at 10:44 AM Alexey Tikhonov
wrote:
> Hi,
>
> On Thu, Jun 22, 2023 at 4:47 PM Spike White
> wrote:
>
>> All,
>>
>> Successful sssd consumer here.
>>
>> Have an app team running Hadoop. They're getting these performance
filter_users_in_groups = false?
Spike White
.
Seeking enlightenment,
Spike White
(Happy sssd customer)
directly. At
least in our company's sssd.conf files, it does not.
Spike White
On Wed, Mar 29, 2023 at 7:19 AM Kodiak Firesmith
wrote:
> Hi Folks,
>
> I'm nominally aware that the ability for adcli joins to honor custom
> enctypes became a thing around 2018, but I'm having a he
Pieter,
Never mind. I am wrong. Restarted sssd and waited for AD replication.
Setting TRUSTED_FOR_DELEGATION on the machine account is sufficient.
I now get a Kerberos cred when I SSH SSO (via Putty) onto Linux server.
Spike
On Tue, Mar 28, 2023 at 3:06 PM Spike White wrote:
> Pie
Pieter,
I was playing around with this also. I was setting
TRUSTED_FOR_DELEGATION on the machine account as well. And it was
accomplishing nothing.
I'm guessing it's the user's account that needs to have
TRUSTED_FOR_DELEGATION. Not the machine account.
So when you start putty, you start it
Pieter,
I have Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI -> credential
delegation turned on in putty.
As well as on the target Linux server, it has [libdefaults] forwardable =
true. The error I get when I ssh in is:
[admspike_white@austgcore17 ~]$ klist
klist: Credentials cache
Pieter,
We use GSSAPI instead of GSS-SPNEGO for ssh SSO, but it should work the
same. This does not really involve sssd at all (for the authentication).
What happens is that your ssh daemon is Kerberos-aware. So when it is
presented with a Kerberos ticket, the ssh daemon contacts the Kerberos
All,
We are surveying our ecosystem of Linux servers, trying to slowly eradicate
the weak rc4 encryption from AD. (Our AD team has done all the legwork;
plus we’ve tested and we’re certain that rc4 is not required for OS-level
AD integration.)
We’re focusing on eliminating rc4 from our
Sam,
Appreciate the clarification. Makes sense now.
Spike
On Mon, Jan 9, 2023 at 10:05 AM Sam Morris wrote:
> On 09/01/2023 15:38, Spike White wrote:
> > Sumit,
> >
> > Thanks for answer.
> >
> > MS claims that adcli + sssd allows you to join an Azure AD d
Sumit Bose wrote:
> On Thu, Jan 05, 2023 at 11:03:55AM -0600, Spike White wrote:
> > All,
> >
> > Our org uses sssd for direct integration to our corp AD forest, which has
> > the std MS schema extension (RFC 2307bis IIRC).
> >
> > Currently, we have some Wi
All,
Our org uses sssd for direct integration to our corp AD forest, which has
the std MS schema extension (RFC 2307bis IIRC).
Currently, we have some Windows builds running in the Azure cloud,
integrated via AzureAD. I'm not a Windows engineer, so I don't know the
details of this Windows-based
?
If the former, then I'd beat up on your maintainer for AD site and
services; they have defined non-local global catalog servers for your site.
Spike
On Thu, Dec 22, 2022 at 4:14 PM Spike White wrote:
> Jeffrey,
>
> Bear in mind I'm a Linux engineer. (I speak regularly to our AD team
Jeffrey,
Bear in mind I'm a Linux engineer. (I speak regularly to our AD team). As
I understand it, the domain-local memberships are housed in the local
domain, not the GC.
If you look at the output of 'sssctl domain-status ', you will see
it references two DCs that it's bound to. The local
:
> On Wed, Dec 14, 2022 at 07:52:38PM +, Christian, Mark wrote:
> > On Wed, 2022-12-14 at 13:00 -0600, Spike White wrote:
> > > Sssd experts,
> > > We have been running sssd to AD integrate to a cross-domain AD forest
> > > for ~2 years now. With RHEL 7
Jeffrey,
I'm told that the alternative to tokengroups would be recursive LDAP
queries. Which would be expensive for the clients, particularly with
heavily-nested subgroups.
Prior to us using tokengroups, we tried to limit the cost of these LDAP
queries by limiting the LDAP query depth to false.
. All expected logins appear to work.
1. Can we ignore these messages?
2. Are they due to this new sssd version?
3. Why does a pac service start up if we do not explicitly define it in
our list of services?
Spike White
022 at 3:46 PM Spike White wrote:
> Really really appreciate the head's up on this Sumit!
>
> We'd seen the notice yesterday, but from the brief description our
> guess was that sssd was unaffected. Then your message showed up. So
> timely!
>
> We're coordinating with o
Really really appreciate the head's up on this Sumit!
We'd seen the notice yesterday, but from the brief description our
guess was that sssd was unaffected. Then your message showed up. So
timely!
We're coordinating with our AD team now.
Spike
Spike White
On Tue, Nov 15, 2022 at 12:07 AM
>
--os-version="$OS_VERSION_FULL " --domain-ou="$OU_CONTAINER" --show-details
--host-keytab=/etc/krb5.keytab --host-fqdn=$FQDN
--user-principal="host/$FQDN@$JOINDOMAIN"
If I've missed a step please advise.
Spike White
On Tue, Oct 18, 2022 at 2:39 PM Kodiak Firesmith
wrote
sssd personnel,
When a Linux SE fat-fingers the domain name when doing a 'realm permit' or
'realm permit -g', it locks all permitted users and groups.
Even worse, it's not usually obvious from looking at the
'simple_allow_users' and 'simple_allow_groups' lines which entry is the
culprit.
Sumit,
AD administrators maintain the relationship between subnet and sites in the
"AD Sites and Services" administrative tool.
They associate particular subnets with a particular site there. From your
URL, it appears that the client sends its IP address in its CLDAP query.
The AD DC does the
Mark,
We have tens of thousands of RHEL7/OL7 (sssd 1.16.*) and RHEL8/OL8
servers connected to a single (multi-domain) AD forest.
Before RHEL7/OL7, sssd would technically work but you didn't have any of
the good trouble-shooting calls. So we didn't AD integrate older OS
versions.
In your
Ed,
I'm a Linux engineer, reading and learning on this sssd mailing list. I
had just never seen a large company that used that algorithm, that's all.
Spike
On Mon, May 9, 2022 at 2:21 AM wrote:
> Hey Spike,
>
> I'm curious, why is it you previously said that SSSD based ID mapping is
> only
we'll likely come up with a system to populate these
> values in the AD from an existing SSSD Linux client so that they match,
> then we can transition all other Linux clients over from using the SSSD
> mapping algorithm to using these values from AD.
>
>
> Ed
>
>
>
Ed,
Got this from our AD team:
This MS article contains info regarding RFC 2307 and mentions it being
included in Window 2003 and later. Hopefully, this helps.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/213f515b-9cf2-43e8-b6c8-47b13cd61281
We are currently up to
Ed,
When you say "uses the SSSD ID mapping algorithm to calculate UID and GID",
do you mean that algorithm that formulaically calculates the user's UID off
the Windows SID?
We are a large company (~25 - 27k sssd clients), but we use the RFC 2307bis
schema extension from Microsoft. Beaucoup NAS
.x86_64 RPMs do not fix the problem. The
problem is very easily reproducible; we have a test box with it exhibiting
this under-discovery.
Spike White
On Thu, Feb 3, 2022 at 11:43 AM Bill Conn wrote:
> Hello Spike,
>
> Thanks for the info and links. It looks like rolling back sssd
All,
Occasionally some of our app teams work with external auditors that wish to
verify proper login access to servers.
In our older commercial AD integration tool, they'd just run an "access
report" which would provide all desired information. I got hit up today to
run an access report for
Bill,
Same situation here. In our case, it's an overarching global AD domain
with 4 regional child domains. One child domain cannot discover the other
domains. In specifics, these are the bad sssd versions:
OL7: 1.16.5-10*.0.1*.el7_9.11
RHEL7: 1.16.5-10.el7_9.11
We had to roll back to
Justin,
if it's https://krbdev.mit.edu/rt/Ticket/Display.html?id=9037 , then it's
even more evil to positively prove than dialing up the sssd debug level.
The min debug level to get verbose adcli update output is debug level 7.
Even running at this debug level for just a few days swamps the
).
In other AD domains (like AMER), consistently all servers with this new
sssd version do discover all AD domains. So servers in AMER discover all
expected domains.
Spike
On Tue, Jan 18, 2022 at 12:11 PM Alexey Tikhonov
wrote:
>
>
> On Tue, Jan 18, 2022 at 5:52 PM Spike White
sssd experts,
This sssd version (released Tue 23 Nov 2021) is under-discovering AD
domains.
A similar sssd bug occurred last July, where sssd over-discovered AD
domains (AD domains for which there was not a legal trust relationship with
this AD domain.) Now, it appears that sssd is
Tikhonov wrote:
> Hi,
>
> what exactly do you want to achieve?
> Do you want to rebuild binary rpm?
>
> On Wed, Dec 8, 2021 at 3:34 PM Spike White wrote:
>
>> All,
>>
>> I have reviewed:
>>
>> https://github.com/SSSD/sssd
>> https://sss
All,
I have reviewed:
https://github.com/SSSD/sssd
https://sssd.io/
And most especially:
https://sssd.io/contrib/building-sssd.html
In an attempt to build RHEL8 sssd RPMs from github.com:SSSD/sssd.git.
In the past, I have attempted to build RHEL8 RPMs on RHEL8. That is a
fool's errand!
All,
This new sssd version for RHEL7 (sssd-1.16.5-10.el7_9.11) fixes a bug
we’ve seen in sssd. This bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1984591 . (Thanks, Sumit!)
We’ve verified this bugfix – that it only auto-discovers the expected
domains now, not the extra domains that it
Sumit,
Good day! I'm curious about your statement "during authentication". I
seek clarification. It's when you said:
... until recently SSSD unconditionally updated the group-memberships
of the user *during authentication*.
We do a lot of GSSAPI-based ssh logins. That is, we acquire a
r Spike --
> see below.
>
> On 11/25/21 10:15, Spike White wrote:
> > Harald,
> >
> > I was hoping someone smarter than me would respond; someone who knew the
> > answer. But no one else did, so let me take a crack at it. I know the
> > problems an
upport for RFC2307 mapping, but not
RFC2307bis. They’re very close but not identical).
Spike White
On Tue, Nov 23, 2021 at 9:36 AM Harald 11 wrote:
> Hello!
>
> I am using sssd 2.4 with Debian 11.
>
> I try to setup a samba server within a samba ads domain. I did several
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1716981
>
>
>
> So I run a “yum update” and re-joined the host to the realm, and now the
> AD-logons seem to be working fine! Now I “only” need to find out the very
> happening that rendered KCM to fail. :-)
>
>
>
> Thanks for al
Aron,
Several things. Some background -- in our company, we have thousands of
OL8.x and hundreds of RHEL 8.x Linux servers directly AD integrated to our
corp AD domain.
I compared our sssd.conf with yours. I think you want to add the 'ifp'
service for *L8. It's the infopipe service. Used by
Leon,
Granted we're not doing NIS + SSSD on OL8. Only RHEL6/7 and OL6/7.
But where we do NIS + SSSD, we're putting NIS in /etc/nsswitch.conf.
Something like:
passwd: files sss nis
group: files sss nis
netgroup: files sss
automount: sss files
This is from a OL7 server running NIS
Alexey,
I'm not going to speak for another, but for us -- enumeration is a
wonderful tool for troubleshooting login/access issues. Even though it's a
performance hit, we'll accept that hit, in exchange for the ability of the
support engineers to be able to enumerate sssd's idea of group
This sounds very familiar to something we recently encountered.
Are you having login/sudo times on the order of 3-5 mins? did this start
around the July time frame? Do you have additional untrusted lab AD
domains used for testing? Are those lab domains possibly inaccessible to
particular
Phillip,
By no means do I pretend to be an expert on building sssd. I fully realize
that there are dozens, probably a hundred, prereq pkgs that have to be
installed in order to have the proper build env for sssd, even more if
you wish to package up into RPMs.
I particularly don't pretend to
that Samba even provides some helper script or program that you
can call -- passing in the new monthly password. So adcli update could
call such a Samba helper script.
Spike
On Fri, Oct 8, 2021 at 8:58 AM Patrick Goetz wrote:
>
>
> On 10/7/21 12:01, Spike White wrote:
> >
On Fri, Oct 8, 2021 at 5:54 PM Spike White wrote:
> Sumit,
>
> It took all day, but I finally got these RPMs on a test box:
>
> libsss_simpleifp-2.4.0-9.el8_4.2sb1.x86_64
> sssd-ipa-2.4.0-9.el8_4.2sb1.x86_64
> sssd-client-2.4.0-9.el8_4.2sb1.x86_64
> sssd-krb5-common-2
builddep sssd and
following) work on RHEL8.4?
On Fri, Oct 8, 2021 at 12:42 PM Sumit Bose wrote:
> On Fri, Oct 08, 2021 at 08:51:55AM -0500, Spike White wrote:
> > Sumit,
> >
> > It would probably be faster for you to do a test build. I'd have to
> fumble
> >
trusted domains. Now with this new
sssd version (~July), 'sssctl domain-list' shows the expected 5 trusted
domains and the 14 untrusted domains.
Spike
On Fri, Oct 8, 2021 at 1:01 AM Sumit Bose wrote:
> On Thu, Oct 07, 2021 at 11:38:54AM -0500, Spike White wrote:
> > All (but par
SELinux denied this attempt.
> Audit log will contain a denied entry if that is the case. Maybe it will
> help you.
>
>
> Kind regards,
> Grigory Trenin
>
> Thu, 7 Oct 2021 at 20:02, Spike White :
>
>> FYI -- update on this situation.
>>
>> AD D
o 7. Because we want to
see examples more frequently, to find failed updates.
BTW, the packet capture on a successful machine account password renewal is
only 8K, so that very targeted debug will not swamp our /var/log or /tmp
filesystems.
Spike
On Wed, Aug 25, 2021 at 10:32 AM Spike White wr
All (but particularly Sumit since he wrote the comments on
https://bugzilla.redhat.com/show_bug.cgi?id=1984591),
There are at least two problems created by this recently-introduced sssd
bug. One problem is solvable by the suggested work-around, the other is
not. The work-around suggested is:
), not for the kpasswd port.
Yes, we're very anxious to hear what our AD admins will tell us from their
AD DC logs.
Spike
On Wed, Sep 29, 2021 at 5:13 AM Sumit Bose wrote:
> On Tue, Sep 28, 2021 at 03:18:06PM -0500, Spike White wrote:
> > All,
> >
> > We took Sumit’s advice and enabled
point, we’re unsure whether this is an adcli problem or an AD
problem.
Does adcli update attempt to authenticate back to the same AD DC with the
new password? Or does it randomly pick an AD DC to authentication back to,
with the new password?
Spike White
On Wed, Aug 25, 2021 at 10:32 AM Spike
Sumit and others,
Our level 1 server support team has identified 107 servers that dropped out
of the domain in Aug. By far, that's their biggest burden with sssd --
the automatic machine account renewal.
Over the long weekend, our team ran a report that identified any pingable
candidates that
Patrick,
kinit -k acquires a new fresh TGT ticket.
kinit -R renews an existing TGT ticket (if it's not already expired). Even
if renewed, "renew until" doesn't change (usually 7 days).
None of these are updating any computer account password on AD. That's an
AD-specific requirement, that
SOLVED: find automount maps in non-local AD domain.
All,
We solved this a couple of months ago; just took a while to get time to
write it up. We have automounts in our AD domains and autofs finds them.
By default, autofs always looks in the local domain for its automount
maps.
We have an AD
-KeyVersionNumber, but not updating /etc/krb5.keytab?
I think this is the common case that we're seeing -- that these other cases
(plus one other) are the unusual end-corner cases.
Spike
On Thu, Sep 2, 2021 at 12:49 AM Sumit Bose wrote:
> On Wed, Sep 01, 2021 at 11:39:30AM -0500, wrote
QDN/IP address. I'll be trying to track down who did this and for
what reason.
On Wed, Sep 1, 2021 at 10:08 AM Spike White wrote:
> Ok, this is *very* illuminating!
>
> I see this in sssd_amer.company.com.log"
>
> (2021-09-01 3:44:46
Wed, Sep 1, 2021 at 2:46 AM Sumit Bose wrote:
> On Tue, Aug 31, 2021 at 09:53:01PM +0200, Alexey Tikhonov wrote:
> > On Tue, Aug 31, 2021 at 6:47 PM Spike White
> wrote:
> >
> > > All,
> > >
> > > OK we have a query we run in AD for machine ac
All,
OK we have a query we run in AD for machine account passwords for a certain
age. In today's run, 31 - 32 days. Then we verify it's pingable.
We have found such one such suspicious candidate today (two actually, but
the other Linux server is quite sick). So one good research candidate.
Todd,
I confess I don't completely understand your solution. I get that
configuration management tools use the passwordlastset attribute with a
value that's greater than XX days to cull objects. My Windows server
engineering counterparts have a scheduled job that deletes all machine
accounts
Sumit and Gordon,
You have given me much to think on and digest. Thanks.
Gordon, we religiously patch monthly. Except for sssd in July, where a new
update sssd*-2.4.0-9.0.1.el8_4.1.x86_64 broke our env and we had to roll
back the update to previous version sssd*-2.4.0-9.0.1.el8.x86_64. (We
Sssd experts,
*Short summary:* How can we troubleshoot sssd’s ‘Automatic Kerberos Host
Keytab Renewal’ process? We have ~0.4% of our Linux servers dropping
off the AD domain monthly.
*Longer explanation:*
Over the past two years, we have on-boarded sssd as our Linux AD
integration
All,
sssctl user-check is very good. In particular, when you want to see if a
particular user is conferred access, you look for the:
pam_acct_mgmt: Success
or the:
pam_acct_mgmt: Permission denied
lines.
But often, users are members of multiple various groups. It's often
difficult to
Pavel,
To me, what was most helpful in the old documentation was the architectural
discussions embedded in the enhancement requests. When the requests were
satisfied.
Examples:
use of short names in non-local domains
auto-discovery of trusted domains
For instance, until I read that
find the child auto.* maps. Whereas a server in amer
does.
I would rather not have to copy my correct autofs AD structure to each
child AD domain. It’s tested and working for over a year in amer.
How can I get a non-amer server to see the automount maps?
Jeremy,
My understanding is that even AD 2016 will support arcfour-hmac (even
though it's deprecated and not recommended). Local company AD teams will
make the decision to stop supporting arcfour-hmac or not. (for instance,
our company's team tried -- and it broke something to do with
Jeremy,
First off, this is not a sssd problem. You've proven that by your kinit -k
attempts failing. This is an underlying problem between your kerberos
client, your AD DC and your /etc/krb5.keytab file. Once you fix this
underlying issue, I expect sssd will work.
Your AD domain may be
is already in use.)
Or an equiv option for case_sensitive (which is for user and groups only).
Say:
case_sensitive_homedirs = {True|False|Preserving}
Spike
On Wed, May 5, 2021 at 12:35 AM Sumit Bose wrote:
> On Tue, May 04, 2021 at 11:58:56AM -0500, Spike White wrote:
> > sss
sssd experts,
With an AD backend, by default the AD provider sets case_sensitive ==
False. This has the desired action of lower-casing user names. (and group
names). But not home directories.
How can we similarly lower case home directories? Our AD admins have an
edict to camel-case their
All,
I read with great interest the release notes on a recent sssd release
notes. That terse note had a link to a fuller discussion on the better AD
DC discovery algorithm.
The original sssd AD DC discovery algorithm looked up the SRV records in
DNS for this local AD domain. It randomly
> stolen tokens harder for attacker.
>
> [1] https://sssd.io/docs/users/relnotes/notes_1_15_3
> [2] https://sssd.io/docs/design_pages/kcm.html
>
> Best regards,
> Pawel
>
> On Sat, Mar 20, 2021 at 4:06 AM Spike White
> wrote:
>
>> All,
>>
>>
>
All,
https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
Is this a security concern for the sssd version on RHEL7 & 8? I.e., if a
hacker acquires root on one low-value asset, can move laterally to more
high-value assets?
Spike W
Sanjay,
We had the opposite problem. With ldap_use_tokengroups = True, we were
getting incorrect group memberships. It's been a couple of years, but I
seem to recall it was either universal group membership, or else
memberships in non-local AD domains that weren't being shown. (global
groups).
sssd experts,
On ~Dec 14th, CVE-2020-1472 was reported against RHEL7. It's a samba
vulnerability. Among the very many vulnerable RPMs identified in the
errata, they list samba-client-libs RPM.
The sssd-ad RPM has an RPM dependency on this samba-client-libs RPM. I
believe the sssd-ad RPM is
Marc,
Sumit raises a good point about account lock-outs. But if that is not a
concern for you, it seems that you could accomplish this in your PAM stack.
Right now, you probably have something like:
...
auth sufficient pam_sss.so forward_pass
Is this a NFS mount point? If so, maybe you're hitting the "16
supplemental group" NFS inherent bug.
Spike
On Fri, Nov 20, 2020 at 2:21 PM Tung, Paul wrote:
> Hi,
>
>
>
> I was hoping someone on this list might be able to help.
>
> I’m getting permission denied when trying to access a
All,
This is just an annoyance that occurs periodically and we can't figure out
why. We know how to remediate once seen.
Every now and then, on a new build the sssd join/configure will fail.
For example, a server provisioner today built 10 boxes and 2 failed. Upon
closer inspection, we see
.
Spike
On Tue, Nov 10, 2020 at 12:23 AM Sumit Bose wrote:
> On Mon, Nov 09, 2020 at 12:06:05PM -0600, Spike White wrote:
> > All,
> >
> > In this particular case, it's an automation script that logs in (via SSH)
> > and performs activities as those two service
too late (for sshd).
BTW, I realize this is not a sssd problem. It's a sshd problem (when
relying on a case-insensitive back-end user auth, such as AD).
Spike
On Thu, Nov 5, 2020 at 3:03 AM Sumit Bose wrote:
> On Wed, Nov 04, 2020 at 12:03:16PM -0600, Spike White wrote:
> >sssd prof
sssd professionals,
Interesting problem; seems to be an interaction with sshd daemon when
using an AD back-end.
When using sssd (with an AD back-end), what should my “Match” blocks in
/etc/ssh/sshd_config file look like for over-riding user values?
Right now, my Match blocks look like: