[Freeipa-users] SSS problems with eDirectory

Dmitri Pal dpal at redhat.com
Wed Jul 21 21:58:33 UTC 2010


Scott Duckworth wrote:
> I'm trying to set up a vanilla installation of Fedora 13 to
> authenticate against an eDirectory server.  We have this working on
> RHEL5 using nss_ldap and pam_ldap, but doing this same configuration
> on Fedora 13 did not work.  So I'm now attempting the configuration
> using SSS.  I used the graphical tools to set up the basics, then
> started editing /etc/sssd/sssd.conf to get the specifics right.
>
> The directory server uses rfc2307bis groups.  User DNs do not have
> memberOf attributes or any shadow or kerberos attributes.  Kerberos is
> not available, LDAP is used for authentication.
>
> The SSSD client is sssd-1.2.1-15.fc13.x86_64.
>
> /etc/sssd/sssd.conf:
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = CLEMSONU
> [nss]
> debug_level = 7
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> entry_cache_timeout = 1
> entry_cache_nowait_timeout = 1
> [pam]
> debug_level = 7
> reconnection_retries = 3
> [domain/CLEMSONU]
> debug_level = 20
> enumerate = False
> cache_credentials = False
> id_provider = ldap
> auth_provider = ldap
Try adding here

ldap_schema = rfc2307bis 



> chpass_provider = none
> min_id = 1000
> ldap_uri = ldaps://clemsonuldap.clemson.edu
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
> tls_reqcert = demand
> ldap_default_bind_dn = cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
> ldap_default_authtok_type = password
> ldap_default_authtok = xxxxxx
> ldap_schema = rfc2307bis
> ldap_search_base = ou=SoC,ou=CES,o=CLEMSONU
> ldap_user_search_base = o=CLEMSONU
> ldap_group_search_base = o=CLEMSONU
> ldap_user_shell = coesLoginShell
> ldap_user_gecos = fullName
> ldap_user_fullname = fullName
> ldap_pwd_policy = none
>
> nss_sss appears to be mostly functioning.  "getent passwd sduckwo"
> works.  "getent group xxxx" is flaky - the group name and GID are
> always found, but group members are only sometimes reported, with no
> rhyme or reason why they are or are not reported.  For example:
>
> [root at duck2 ~]# getent group coes_socunix
> coes_socunix:*:120105:sduckwo,duckwos,jdabney,mdabney
>
> The log shows:
>
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [be_get_account_info]
> (4): Got request for [4098][1][name=coes_socunix]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (6): calling ldap_search_ext with
> [(&(cn=coes_socunix)(objectclass=posixGroup))][o=CLEMSONU].
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [cn]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [member]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [nsUniqueId]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (8): ldap_search_ext called, msgid = 5
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result]
> (8): Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_parse_entry]
> (9): OriginalDN: [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU].
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result]
> (8): Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_done] (6): Search result: Success(0), (null)
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_groups_process] (6): Search for groups, returned 1 results.
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result]
> (8): Trace: sh[0x1cf13c0], connected[1], ops[(nil)], ldap[0x1cca100]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result]
> (8): Trace: ldap_result found nothing!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): start ldb
> transaction (nesting: 0)
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send]
> (7): Adding original DN
> [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU] to attributes of
> [coes_socunix].
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send]
> (6): Storing info for group coes_socunix
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_save_groups_loop] (9): Group 0 processed!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_save_grpmem_send] (7): Adding member users to group [coes_socunix]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (9): [IPA or AD Schema]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #0
> (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU):
> [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #1
> (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU):
> [name=duckwos,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #2
> (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU):
> [name=jdabney,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #3
> (cn=MDABNEY,ou=m,ou=Students,o=CLEMSONU):
> [name=mdabney,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #4
> (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #5
> (cn=DABNEY2,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #6
> (cn=MADPROF,ou=m,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_fill_memberships] (7):     member #7
> (cn=WAYNE,ou=w,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]]
> [sdap_save_grpmem_send] (6): Storing members for group coes_socunix
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): commit ldb
> transaction (nesting: 0)
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_done]
> (9): Saving 1 Groups - Done
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback]
> (4): Request processed. Returned 0,0,Success
>
> Members #4 - #7 were not found, even though they are valid user DNs. 
> Any thoughts?
>
> Moving on...
>
> pam_sss does not appear to work.  Here are some entries from the SSS log
> when trying to login to the system on the command-line:
>
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send]
> (4): Executing simple bind as: cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_done]
> (3): Bind result: Success(0), (null)
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (6): calling ldap_search_ext with
> [(&(uid=sduckwo)(objectclass=posixAccount))][o=CLEMSONU].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [uid]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [uidNumber]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [fullName]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [homeDirectory]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [coesLoginShell]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [krbPrincipalName]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [fullName]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [memberOf]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [nsUniqueId]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [shadowLastChange]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [shadowMin]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [shadowMax]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [shadowWarning]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [shadowInactive]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [shadowExpire]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [shadowFlag]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [krbLastPwdChange]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [krbPasswordExpiration]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_generic_send] (7): Requesting attrs: [pwdAttribute]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send]
> (7): Adding original DN [cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU] to
> attributes of [sduckwo].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send]
> (7): Original memberOf is not available for [sduckwo].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send]
> (7): User principal is not available for [sduckwo].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send]
> (6): Storing info for user sduckwo
>
> Up to here, everything looks good.  It would be nice to not ask for
> all of the shadow and krb attributes since they don't exist in our
> directory, but no harm done.
>
> But then things start to go wrong:
>
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_get_initgr_process] (9): Process user's groups
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [sdap_initgr_nested_send] (4): User entry lacks original memberof ?
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_initgr_done]
> (9): Initgroups done
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback]
> (4): Request processed. Returned 3,2,Init Groups Failed
>
> Our directory doesn't use the memberOf user attribute, it just uses
> rfc2307bis style groups (objectClass=posixUser, member=<user DN>).
>
> Then, here's where things really go awry:
>
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [find_password_expiration_attributes] (9): No password policy requested.
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send]
> (4): Executing simple bind as: cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_process_result]
> (4): ldap_result gave -1, something bad happend!
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [auth_bind_user_done]
> (9): Found ppolicy data, assuming LDAP password policies are active.
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
> [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>)
> [Internal Error (Interrupted system call)]
>
> "something bad happened" isn't very useful.  And since SSS refuses to
> try and authenticate users without an encrypted connection, I can't
> easily use wireshark and friends to debug at the protocol level. 
> While I could probably patch the source to print the actual LDAP error
> with ldap_err2string(), or maybe gdb the process and set a breakpoint
> when things go wrong to hopefully get some more useful information,
> this is beyond what I'd normally consider doing when deploying new
> software.  Any suggestions?
>
> Moving on...
>
> We will need to dereference LDAP aliases but I have not yet been able
> to find a setting to enable this.  I also have not found the
> equivalent of the pam_password_prohibit_message setting in
> /etc/ldap.conf; while not strictly required, it is nice to refer users
> to the proper way to change passwords in our environment.
>
> Any help would be appreciated.  Thanks!
>
> Scott Duckworth, Systems Programmer II
> Clemson University School of Computing


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
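The group-lookup log above lists each member DN either as mapped to a sysdb user entry or as "not found!", preceded by a sysdb "Entry not Found!" line. The following parser, added here as an example and not part of the thread or of SSSD itself, walks such lines and reports which member DNs the cache could not resolve per group; the sample log is constructed in the shape of the quoted lines, unwrapped to one line per record as the real log file writes them.

```python
import re

# Constructed sample in the shape of the domain log lines quoted in the thread
# (real log lines are not wrapped the way the mail client wrapped them).
SAMPLE_LOG = """\
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7): Adding member users to group [coes_socunix]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7):     member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7):     member #1 (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU): [name=jdabney,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7):     member #2 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6): Storing members for group coes_socunix
"""

GROUP_START = re.compile(r"\[sdap_save_grpmem_send\] \(\d+\): Adding member users to group \[([^\]]+)\]")
MEMBER = re.compile(r"\[sdap_fill_memberships\] \(\d+\):\s+member #\d+ \(([^)]+)\): (.+)$")
SYSDB_NAME = re.compile(r"\[name=([^,\]]+),")


def parse_group_memberships(log_text):
    """Return {group: {"resolved": {user: dn}, "missing": [dn, ...]}}.

    A member DN is "resolved" when sdap_fill_memberships mapped it to a
    sysdb user entry, and "missing" when the line ends in "not found!",
    i.e. the local cache (sysdb) had no entry for that DN at lookup time.
    """
    report = {}
    group = None
    for line in log_text.splitlines():
        m = GROUP_START.search(line)
        if m:
            group = m.group(1)
            report.setdefault(group, {"resolved": {}, "missing": []})
            continue
        m = MEMBER.search(line)
        if not m:
            continue
        # Member lines seen before any group header are filed under <unknown>.
        entry = report.setdefault(group or "<unknown>", {"resolved": {}, "missing": []})
        dn, status = m.group(1), m.group(2).strip()
        if status == "not found!":
            entry["missing"].append(dn)
        else:
            name = SYSDB_NAME.search(status)
            entry["resolved"][name.group(1) if name else status] = dn
    return report


if __name__ == "__main__":
    for grp, info in parse_group_memberships(SAMPLE_LOG).items():
        print(f"{grp}: {len(info['resolved'])} resolved, {len(info['missing'])} missing")
        for dn in info["missing"]:
            print("  not in cache:", dn)
```

Run it against a copy of /var/log/sssd/sssd_CLEMSONU.log (path assumed from the domain name) to see which DNs in a flaky group were absent from the cache at the time of the query.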



