[Freeipa-users] sssd receives another uid/gid after disabled HBAC rule
Gregor Bregenzer
gregor.bregenzer at gmail.com
Wed Sep 10 06:19:15 UTC 2014
Hello Sumit,
i think maybe there is a different problem i just discovered by
accident. As stated in the first email, i have an AD trust with
FreeIPA that receives all POSIX attributes from AD, but i get
different values:
On the FreeIPA server that has the AD trust (ipa1.linux.intern) i get
the correct GID (=10000, this is the AD group linuxusers) that is set
in AD, but on the client (linux1.linux.intern) i get another one ( =
10005):
ipa1.linux.intern
~~~~
[root at ipa1 httpd]# getent passwd user1 at aaa
user1 at aaa.intern:*:10005:
10000:user1:/home/aaa.intern/user1:/bin/bash
-bash-4.2$ id
uid=10005(user1 at aaa.intern) gid=10000(linuxusers at aaa.intern)
groups=10000(linuxusers at aaa.intern),1933000004(ad_users)
~~~~
linux1.linux.intern
~~~~~~~~
[root at linux1 sssd]# getent passwd user1 at aaa
user1 at aaa.intern:*:10005:10005::/home/user1 at aaa.intern:/bin/bash
[user1 at aaa.intern@linux1 ~]$ id
uid=10005(user1 at aaa.intern) gid=10005(user1 at aaa.intern)
Gruppen=10005(user1 at aaa.intern),1933000004(ad_users)
Logfile on ipa1.linux.intern sssd_nss.log
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [user1 at aaa.intern].
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'user1 at aaa.intern' matched expression for domain
'aaa.intern', user is user1 │
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [user1] from [aaa.intern]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str]
(0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [user1 at aaa.intern]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x7fe19e562700
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x7fe19e562830
│
03│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running
timer event 0x7fe19e562700 "ltdb_callback"
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying
timer event 0x7fe19e562830 "ltdb_timeout"
│va
r/│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer
event 0x7fe19e562700 "ltdb_callback"
│
│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [check_cache] (0x0400):
Cached entry is valid, returning..
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [user1 at aaa.intern]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000):
Idle timer re-set for client [0x7fe19e563d40][21]
│
----------
Logfile on linux1.linux.intern sssd_nss.log
(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'user1 at aaa' matched expression for domain 'aaa.intern',
user is user1 │
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam] (0x0100):
Requesting info for [user1] from [aaa.intern]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str]
(0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [user1 at aaa.intern]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x20e2c20
│
(W│
│
00│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x20e2590
│
(W│
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running
timer event 0x20e2c20 "ltdb_callback"
│
(W│
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying
timer event 0x20e2590 "ltdb_timeout"
│
(W│
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer
event 0x20e2c20 "ltdb_callback"
│
(W│
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_issue_request]
(0x0400): Issuing request for [0x432730:1:user1 at aaa.intern]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_get_account_msg]
(0x0400): Creating request for [aaa.intern][4097][1][name=user1]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_add_timeout] (0x2000):
0x20d72e0
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x432730:1:user1 at aaa.intern]
│
01│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_remove_timeout]
(0x2000): 0x20d72e0
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_dispatch] (0x4000):
dbus conn: 20DB0F0
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_dispatch] (0x4000):
Dispatching.
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000):
Got reply from Data Provider - DP error code: 0 errno: 0 error
message: Success
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str]
(0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [user1 at aaa.intern]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x20e8530
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x20e85e0
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running
timer event 0x20e8530 "ltdb_callback"
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying
timer event 0x20e85e0 "ltdb_timeout"
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer
event 0x20e8530 "ltdb_callback"
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [user1 at aaa.intern]
│
02│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x432730:1:user1 at aaa.intern]
│
:/│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000):
Idle timer re-set for client [0x20e44a0][20]
│
│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000):
Idle timer re-set for client [0x20e44a0][20]
│
(W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [client_recv] (0x0200):
Client disconnected!
│/v
ar│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [client_destructor]
(0x2000): Terminated client [0x20e44a0][20]
~~~~
I think i need to get this one right before the HBAC rule - right?
Here is my ipa1.linux.intern sssd.conf:
~~~~~~~~~
[domain/linux.intern]
debug_level=9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.intern
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.linux.intern
chpass_provider = ipa
ipa_server = ipa1.linux.intern
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
debug_level=9
services = nss, sudo, pam, ssh, pac
config_file_version = 2
subdomains_provider = ipa
domains = linux.intern
[nss]
debug_level=9
homedir_substring = /home
[pam]
debug_level=9
[sudo]
[autofs]
[ssh]
[pac]
debug_level=9
[ifp]
~~~~~~~~~~~~~~
Here's my linux1.linux.intern sssd.conf
~~~~~
[domain/linux.intern]
debug_level=9
cache_credentials = False
krb5_store_password_if_offline = False
ipa_domain = linux.intern
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = linux1.linux.intern
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa1.linux.intern
ldap_tls_cacert = /etc/ipa/ca.crt
use_fully_qualified_domains = True
# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://ipa1.linux.intern
ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux1.linux.intern
ldap_sasl_realm = LINUX.INTERN
krb5_server = ipa1.linux.intern
[sssd]
debug_level=9
services = nss, pam, ssh, sudo
config_file_version = 2
#default_domain_suffix=aaa.intern
domains = linux.intern
[nss]
debug_level=9
override_homedir = /home/%u
override_shell = /bin/bash
[pam]
debug_level=9
[sudo]
[autofs]
[ssh]
debug_level=9
[pac]
debug_level=9
~~~~
I used the following command to create the AD trust:
ipa trust-add --type=ad aaa.intern --admin Administrator
--password --range-type ipa-ad-trust-posix
Do you need any other debug information?
Thanks!
Gregor
2014-09-08 9:17 GMT+02:00 Sumit Bose <sbose at redhat.com>:
> On Sun, Sep 07, 2014 at 11:41:16PM +0200, Gregor Bregenzer wrote:
>> Hi!
>>
>> I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a
>> specific user group (=ad_users which is an posix group that has an
>> external group as member) to login on a specific client
>> (=linux1.linux.intern).
>>
>> The problem is: once i disable the rule and the AD user is not allowed
>> to login anymore, the user on the client gets another uid and gid via
>> sssd.
>>
>> I use the posix attributes from AD, which will get received by sssd perfectly.
>> The client is running on CentOS 6.5 and uses sssd 1.9.2.129.el6_5.4
>> AD domain = aaa.intern
>> IPA domain = linux.intern
>> AD-User: user1 (uid=1005,gid=10005)
>>
>> Here an example:
>> ----------------------------
>> 1.) disable the hbac rule and the default allow_all rule:
>> 2.) check the uid/gid on the client (=linux1.linux.intern) and it looks fine:
>>
>> [root at linux1 sssd]# getent passwd user1 at aaa
>> user1 at aaa.intern:*:10005:10005::/home/user1 at aaa.intern:/bin/bash
>>
>> 3.) Login with ssh to client as user1. It will be denied upon correct
>> password input and ssh sessions closes. Up until now everything as
>> expected. But now:
>>
>> 4.) check for the uid/gid on the client - something totally different.
>> It now also receives the Firstname and Lastname from AD, latter is
>> empty:
>>
>> [root at linux1 sssd]# getent passwd user1 at aaa
>> user1 at aaa.intern:*:11601:11601:user1:/home/user1 at aaa.intern:/bin/bash
>>
>> 5.) Enable the hbac rule and login works, but the unexpected uid/gid
>> stays the same:
>>
>> login as: user1 at aaa
>> user1 at aaa@192.168.0.100's password:
>> login as: user1 at aaa
>> user1 at aaa@192.168.0.100's password:
>> Last failed login: Sun Sep 7 23:19:49 CEST 2014 from 192.168.0.26 on ssh:notty
>> There were 2 failed login attempts since the last successful login.
>> Creating home directory for user1 at aaa.
>> Last login: Sun Sep 7 23:21:02 2014 from 192.168.0.26
>> [user1 at aaa.intern@linux1 ~]$ id
>> uid=11601(user1 at aaa.intern) gid=11601(user1 at aaa.intern)
>> Gruppen=11601(user1 at aaa.intern),1933000004(ad_users)
>> [user1 at aaa.intern@linux1 ~]$
>> ---------------------------------
>>
>> Anyone have a clue what might be the problem?
>
> I would expect some kind of collision, but to be sure I need the SSSD
> log files. Please try to reproduce the switch and send me the log file,
> if possilbe with debug_level=9.
>
> bye,
> Sumit
>
>>
>> Here's the sssd.conf:
>> [root at linux1 sssd]# cat /etc/sssd/sssd.conf
>> [domain/linux.intern]
>> debug_level=6
>> cache_credentials = False
>> krb5_store_password_if_offline = False
>> ipa_domain = linux.intern
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = linux1.linux.intern
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipa1.linux.intern
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> use_fully_qualified_domains = True
>> # For the SUDO integration
>> sudo_provider = ldap
>> ldap_uri = ldap://ipa1.linux.intern
>> ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/linux1.linux.intern
>> ldap_sasl_realm = LINUX.INTERN
>> krb5_server = ipa1.linux.intern
>> entry_cache_sudo_timeout = 30
>> [sssd]
>> debug_level=6
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>> default_domain_suffix=aaa.intern
>> domains = linux.intern
>> [nss]
>> debug_level=9
>> override_homedir = /home/%u
>> override_shell = /bin/bash
>> [pam]
>> debug_level=6
>> [sudo]
>> debug_level=6
>> [autofs]
>>
>> [ssh]
>> debug_level=6
>> [pac]
>>
>>
>>
>> Thanks!
>> Gregor
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list