sssd interview questions
Top sssd frequently asked interview questions
I have an sssd setup to authenticate against an LDAP server. I would like to use shadow attributes so that if shadowExpire is in the past or set to 0 it won't let the user authenticate. It lets the user authenticate as long as the password is correct, ignoring the shadowExpire attribute.
Logs:
[sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding shadowLastChange [15033] to attributes of [tuser].
[sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding shadowMin [1] to attributes of [tuser].
[sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding shadowMax [90] to attributes of [tuser].
[sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding shadowWarning [7] to attributes of [tuser].
[sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding shadowInactive [30] to attributes of [tuser].
[sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding shadowExpire [15126] to attributes of [tuser].
[sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [tuser].
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Additional Logs
[sssd[be[default]]] [find_password_expiration_attributes] (0x4000): Found shadow password expiration attributes.
[sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=tuser,ou=people,dc=example,dc=com
[sssd[be[default]]] [simple_bind_send] (0x2000): ldap simple bind sent, msgid = 1
[sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x19b86b0], connected[1], ops[0x19daeb0], ldap[0x18389a0]
[sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
[sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
[sssd[be[default]]] [simple_bind_done] (0x1000): Password Policy Response: expire [-1] grace [-1] error [No error].
Source: (StackOverflow)
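Worth knowing when reading the log above: the bind succeeds because auth_provider = ldap only checks the password, and the "Password Policy Response: expire [-1]" line comes from the server's ppolicy control (OID 1.3.6.1.4.1.42.2.27.8.5.1), which knows nothing about shadowAccount attributes. Shadow ageing is enforced client-side, in the PAM account phase, and sssd only does that when the domain has access_provider = ldap together with ldap_account_expire_policy = shadow. The following is an added example, not code from the post or from sssd: it models the checks that phase performs on the shadow* attributes, using the values the posted debug log reports for tuser (constructed into a dict). The ordering follows pam_unix; the choice to treat shadowExpire = 0 as expired is this example's own, since shadow(5) says 0 must not be used.

```python
"""Shadow password/account ageing as applied to LDAP shadowAccount entries.

Added example.  Models the PAM account-phase checks (pam_unix for local
users; sssd with access_provider = ldap and ldap_account_expire_policy =
shadow for LDAP users).  The sample entry is constructed from the posted log.
"""
from datetime import date, datetime, timezone

OK = "ok"
ACCOUNT_EXPIRED = "account expired (shadowExpire reached)"
NEW_PASSWORD_REQUIRED = "password change required (shadowLastChange = 0)"
PASSWORD_EXPIRED = "password expired (older than shadowMax days)"
PASSWORD_INACTIVE = "password expired and shadowInactive grace period over"


def today_in_days(now=None):
    """Days since 1970-01-01, the unit every shadow* attribute is stored in."""
    now = now or datetime.now(timezone.utc)
    return (now.date() - date(1970, 1, 1)).days


def _days(entry, attr):
    """Read a shadow attribute; absent, empty or -1 all mean 'not set'."""
    val = entry.get(attr)
    if val is None or val == "":
        return None
    n = int(val)
    return None if n == -1 else n


def shadow_account_status(entry, today):
    """Classify an entry (dict attribute -> string) for day number `today`.

    Order and comparisons follow pam_unix: the account-level shadowExpire is
    checked first, then password age.  pam_unix treats the account as expired
    once today >= shadowExpire; the exact boundary day differs between
    implementations, so test on that day when you deploy a policy.  Treating
    shadowExpire = 0 as expired is this example's choice (shadow(5) says 0
    must not be used because it is ambiguous).
    """
    expire = _days(entry, "shadowExpire")
    if expire is not None and (expire == 0 or today >= expire):
        return ACCOUNT_EXPIRED

    last_change = _days(entry, "shadowLastChange")
    if last_change is None:
        return OK                      # no ageing information to enforce
    if last_change == 0:
        return NEW_PASSWORD_REQUIRED   # "must change at next login" marker

    max_age = _days(entry, "shadowMax")
    if max_age is None or today - last_change <= max_age:
        return OK
    inactive = _days(entry, "shadowInactive")
    if inactive is not None and today - last_change > max_age + inactive:
        return PASSWORD_INACTIVE
    return PASSWORD_EXPIRED


# Constructed from the shadow* values the posted log reports for tuser.
TUSER = {
    "shadowLastChange": "15033",
    "shadowMin": "1",
    "shadowMax": "90",
    "shadowWarning": "7",
    "shadowInactive": "30",
    "shadowExpire": "15126",
}

if __name__ == "__main__":
    for day in (15100, 15124, 15126, 15200):
        print(day, shadow_account_status(TUSER, day))
```

With tuser's values the password goes stale on day 15124 (15033 + 90 + 1) and the account itself closes on day 15126, which is the behaviour the question asks sssd to enforce; running the classifier with today_in_days() against a live entry shows which of the two a user would hit first.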
I have recently upgraded to Samba 4 from Samba 3.5 on a RHEL 6.3 platform. It is pleasing that the new version can replace an AD DC and has its own built-in KDC and LDB database. Now my intention is to make Linux boxes authenticate to Samba 4 by connecting through LDAP, as Samba 4 works like a Kerberized LDAP server. I am able to connect to the LDAP database using Apache Directory Studio with the administrator DN. However, I am unable to properly configure sssd on RHEL 6 client machines to authenticate against the Samba server via LDAP. Here is my sssd configuration file:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = <My Domain dn>
chpass_provider = krb5
ldap_default_authtok = <Administrator Password>
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,<My Domain dn>
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://<samba_server_hostname>/
krb5_realm = <krb auth realm(same as domain name)>
krb5_kpasswd = <samba_server_hostname>
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_kdcip = <samba_server_hostname>
I can run kinit for Administrator on the client successfully, and I can run ldapsearch when binding as Administrator, but id or getent passwd for any user is not working. Any ideas, please?
Source: (StackOverflow)
I'm running SSSD/LDAP on CentOS 6 to authenticate users, and I've also configured it to get sudo information from the LDAP server.
If I run hostname on my server I get:
[root@myserver ~]# hostname
myserver
I configured sssd.conf with a search base, for example:
ldap_sudo_search_base = OU=Staff,OU=SUDOers,ou=company,dc=my,dc=com
Users who have SUDO rights on this machine have this kind of entry:
# SP_xxxx_me, Staff, SUDOers, company, my.com
dn: CN=SP_xxxx_me,OU=Staff,OU=SUDOers,ou=company,dc=my,dc=com
sudoHost: sometext-myserver
Now, as you can see, there is a mismatch between sudoHost and the hostname.
Is there a way to match the two in sssd.conf without having to change the server hostname nor the entry in LDAP? I would like to define that all people who have SUDO rights on "sometext-myserver" also have sudo access on "myserver".
This is the error I get with the current configuration:
[me@myserver ~]$ sudo su
me is not allowed to run sudo on myserver. This incident will be reported.
Source: (StackOverflow)
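The sudoHost test is not applied by sssd but by sudo's own sssd backend, which compares each sudoHost value with the local host name, FQDN and interface addresses (the sssd side, ldap_sudo_hostnames, only narrows which rules get downloaded). So the comparison below is the one that decides, and it has to be satisfied by the LDAP value itself: a wildcard such as *myserver, the exact name, an address range, or ALL. This is an added example, not code from the post or from sudo; it models sudoers' host matching (ALL, address/netmask forms, and shell-style name patterns compared against the short name or, when the pattern contains a dot, the FQDN; netgroups are not modelled). The rule names and addresses are constructed, with the posted entry included unchanged.

```python
"""How a sudoHost value is matched against the local host (added example)."""
import fnmatch
import ipaddress


def _as_network(pattern):
    """IP, IP/prefix or IP/netmask forms; anything else is a hostname pattern."""
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None


def sudo_host_matches(pattern, short_host, fqdn, local_ips=()):
    """True if one sudoHost value `pattern` selects this host."""
    if pattern == "ALL":
        return True
    if pattern.startswith("+"):          # netgroup: needs innetgr(), not modelled
        return False
    net = _as_network(pattern)
    if net is not None:
        return any(ipaddress.ip_address(ip) in net for ip in local_ips)
    # sudoers: a pattern containing a dot is compared with the FQDN,
    # otherwise with the short name; the comparison is case-insensitive
    # and plain shell wildcards are honoured.
    target = fqdn if "." in pattern else short_host
    return fnmatch.fnmatchcase(target.lower(), pattern.lower())


def applicable_rules(rules, short_host, fqdn, local_ips=()):
    """Names of the rules whose sudoHost list selects this host."""
    return [
        name for name, hosts in rules.items()
        if any(sudo_host_matches(h, short_host, fqdn, local_ips) for h in hosts)
    ]


# Constructed rule set: the posted entry plus variants that would match.
RULES = {
    "SP_xxxx_me":          ["sometext-myserver"],   # the entry from the question
    "SP_xxxx_me_wildcard": ["*myserver"],           # covers both names
    "SP_xxxx_me_fqdn":     ["myserver.my.com"],     # dotted -> compared with FQDN
    "SP_xxxx_me_subnet":   ["192.0.2.0/24"],        # address form
    "SP_xxxx_all":         ["ALL"],
}

if __name__ == "__main__":
    print(applicable_rules(RULES, "myserver", "myserver.my.com", ["192.0.2.10"]))
```

The first rule never matches myserver, which is exactly the "not allowed to run sudo on myserver" outcome in the question; the wildcard form is the smallest LDAP-side change that keeps the existing value working on the other host as well.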
I am attempting to authenticate my Ubuntu 16.04 server against an AD but am having trouble loading SSSD. My sssd.conf file looks like this:
[sssd]
services = nss, pam
config_file_version = 2
domains = MYDOMAIN.LOCAL
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
It is owned by root:root and file permission is set to 600. When attempting to start SSSD, systemctl reports the following:
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2016-06-03 08:06:46 EDT; 9s ago
Process: 6979 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)
Jun 03 08:06:46 tempsvr systemd[1]: Starting System Security Services Daemon...
Jun 03 08:06:46 tempsvr sssd[6979]: SSSD couldn't load the configuration database [2]: No such file or directory.
Jun 03 08:06:46 tempsvr systemd[1]: sssd.service: Control process exited, code=exited status=4
Jun 03 08:06:46 tempsvr systemd[1]: Failed to start System Security Services Daemon.
Jun 03 08:06:46 tempsvr systemd[1]: sssd.service: Unit entered failed state.
Jun 03 08:06:46 tempsvr systemd[1]: sssd.service: Failed with result 'exit-code'.
Am I overlooking something? Thanks!!
Source: (StackOverflow)
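Two things stand out in the posted file: MYDOMAIN.LOCAL is named in domains = but there is no [domain/MYDOMAIN.LOCAL] section, and id_provider, access_provider and override_homedir are domain options that only take effect inside such a section; sssd will not treat keys under [sssd] as a domain. The ownership and mode the poster set (root, 0600) are what sssd requires. The following is an added example, not from the post or from the sssd project: a small lint for sssd.conf that catches both layout mistakes and the permission requirement. The first embedded config is the posted one, the second is the same settings moved into a domain section; the check_conf_file path is an assumption.

```python
"""Sanity checks for sssd.conf before starting sssd (added example)."""
import configparser
import os
import stat

# Options that belong in a [domain/NAME] section; finding them in [sssd] is
# the usual sign of a mis-placed block.
DOMAIN_ONLY_KEYS = {
    "id_provider", "auth_provider", "access_provider", "chpass_provider",
    "override_homedir", "ldap_uri", "ldap_search_base", "krb5_realm", "ad_domain",
}


def lint_sssd_conf(text):
    """Return a list of problems (an empty list means the layout looks sane)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "sssd" not in cp:
        return ["missing [sssd] section"]
    main = cp["sssd"]
    problems = [
        f"[sssd] carries domain option '{k}'; move it into a [domain/...] section"
        for k in sorted(DOMAIN_ONLY_KEYS & set(main))
    ]
    domains = [d.strip() for d in main.get("domains", "").split(",") if d.strip()]
    if not domains:
        problems.append("[sssd] has no 'domains =' entry")
    for dom in domains:
        sect = f"domain/{dom}"
        if sect not in cp:
            problems.append(f"'{dom}' is listed in domains but section [{sect}] is missing")
        elif "id_provider" not in cp[sect]:
            problems.append(f"[{sect}] has no id_provider")
    return problems


def conf_perm_problems(uid, mode):
    """Owner/permission checks: sssd refuses a file not owned by root or not 0600."""
    problems = []
    if uid != 0:
        problems.append(f"owner uid {uid} is not root")
    if stat.S_IMODE(mode) & 0o077:
        problems.append(f"mode {stat.S_IMODE(mode):04o} is group/world accessible; sssd wants 0600")
    return problems


def check_conf_file(path="/etc/sssd/sssd.conf"):
    """Run both checks on a real file (path is an assumed default)."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return conf_perm_problems(st.st_uid, st.st_mode) + lint_sssd_conf(text)


# The configuration from the question, verbatim.
POSTED_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = MYDOMAIN.LOCAL
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
"""

# Same settings, moved into the domain section sssd expects.
FIXED_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = MYDOMAIN.LOCAL

[domain/MYDOMAIN.LOCAL]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_sssd_conf(text) or "no problems")
```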
We have a number of issues with OpenLDAP and SSSD going on here. In our environment we are running an assortment of CentOS 5, 6 and 7; FedoraCore 20+; and Ubuntu 12.04 to 14.04 clients, with OpenLDAP 2.4.40 running on CentOS 5 servers. The CentOS 5 clients are running as straight LDAP clients; all the others are running SSSD/LDAP.
On the CentOS 5 machines, running "getent hosts" returns the entire LDAP hosts database; on the others it only returns the contents of the local /etc/hosts file. When explicitly searching for a host ("getent hosts some_host") it will only return a response if the host is in the local hosts file or in DNS. getent on the 6 and above machines never searches the LDAP or SSSD databases.
Any help would be appreciated.
J.D.
Source: (StackOverflow)
We are trying to integrate Red Hat Linux 5.11 with a Windows 2012 Server AD. We followed the steps in https://access.redhat.com/solutions/29908 and it still didn't work. We added the role in AD as given in the link
https://msdn.microsoft.com/en-us/library/cc731178.aspx
(Dism.exe /online /enable-feature /featurename:adminui /all to install the administration tools for Identity Management for UNIX).
After making the changes, the getent passwd command is expected to list AD users,
but it does not. We find that port 749 is not listening on the AD server for the RHEL 5.x clients.
It is not working at all; this happens all the time.
Source: (StackOverflow)
I can get results running ldapsearch from the client using ldaps:///, but nothing is returned for getent passwd 'newuser01'.
My command for ldapsearch is:
ldapsearch -H ldaps://provider.example.com -x -D "cn=Manager,dc=example,dc=com" -W
and I get:
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
# people, example.com
dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
# groups, example.com
dn: ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
# hosts, example.com
dn: ou=hosts,dc=example,dc=com
ou: hosts
objectClass: top
objectClass: organizationalUnit
# newuser01, people, example.com
dn: uid=newuser01,ou=people,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: newuser01
uid: newuser01
uidNumber: 1234
gidNumber: 1234
homeDirectory: /home/newuser01
loginShell: /bin/bash
gecos: newuser surname
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9MXZPNFh0aXRLM2h2V1Z6VmI5RTlUdjFpQ1RTSDArb1A=
# admins, groups, example.com
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 3000
cn: admins
memberUid: newuser01
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
I only changed the sssd/sssd.conf file manually, and this is what is inside sssd.conf on the client:
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
cache_credentials = True
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://provider.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_default_bind_dn = uid=newuser01,cn=users,cn=accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
The result from running authconfig --test on the client:
authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldaps://provider.example.com"
LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = ""
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldaps://provider.example.com"
LDAP base DN = "dc=example,dc=com"
LDAP schema = "rfc2307bis"
pam_sss is enabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is enabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
Source: (StackOverflow)
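Comparing the two listings above is the whole diagnosis: ldapsearch shows newuser01 at uid=newuser01,ou=people,dc=example,dc=com and the group under ou=groups, while sssd.conf points ldap_user_search_base and ldap_group_search_base at cn=users,cn=accounts,... and cn=groups,cn=accounts,... (an IPA-style layout this tree does not have), binds as a DN that does not exist, and declares ldap_schema = rfc2307bis although the group carries memberUid rather than member DNs. ldapsearch succeeds because it searches the whole base as Manager; sssd searches only its configured bases and finds nothing. The same class of check applies to the Samba 4 question earlier on this page, where the rfc2307bis map needs uidNumber/gidNumber on the AD person objects before id or getent can return them. What follows is an added example, not code from either post or from sssd: a minimal LDIF reader plus a cross-check of the returned entries against the search settings. The LDIF is a constructed copy of the entries shown above; the conf dictionaries hold the posted values and a corrected set.

```python
"""Cross-check ldapsearch output against sssd.conf search settings (added example)."""
import base64

REQUIRED_USER_ATTRS = ("uid", "uidnumber", "gidnumber", "homedirectory")


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each a dict of lower-cased
    attribute -> list of values.  Unfolds continuation lines, decodes '::'
    base64 values, skips comments and dn-less trailers like 'result: 0'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def dn_under(dn, base):
    """True if `dn` is `base` itself or lies below it."""
    dn, base = _norm_dn(dn), _norm_dn(base)
    return dn == base or dn.endswith("," + base)


def _has_class(entry, cls):
    return cls in {v.lower() for v in entry.get("objectclass", [])}


def check_entries(entries, conf):
    """Findings that explain an empty getent/id despite a working ldapsearch."""
    base = conf["ldap_search_base"]
    user_base = conf.get("ldap_user_search_base", base)
    group_base = conf.get("ldap_group_search_base", base)
    schema = conf.get("ldap_schema", "rfc2307").lower()
    findings = []
    users = [e for e in entries if _has_class(e, "posixaccount")]
    for e in users:
        dn = e["dn"][0]
        if not dn_under(dn, user_base):
            findings.append(f"user {dn} is outside ldap_user_search_base {user_base}")
        missing = [a for a in REQUIRED_USER_ATTRS if a not in e]
        if missing:
            findings.append(f"user {dn} lacks {', '.join(missing)}")
    for g in (e for e in entries if _has_class(e, "posixgroup")):
        dn = g["dn"][0]
        if not dn_under(dn, group_base):
            findings.append(f"group {dn} is outside ldap_group_search_base {group_base}")
        if schema == "rfc2307bis" and "member" not in g and "memberuid" in g:
            findings.append(f"group {dn} has memberUid only, but ldap_schema = rfc2307bis reads member DNs")
    bind_dn = conf.get("ldap_default_bind_dn")
    if bind_dn and _norm_dn(bind_dn) not in {_norm_dn(e["dn"][0]) for e in entries}:
        findings.append(f"ldap_default_bind_dn {bind_dn} is not an entry the search returned")
    if not users:
        findings.append("no posixAccount entries at all")
    return findings


# Constructed copy of the entries shown in the ldapsearch output above.
SAMPLE_LDIF = """\
# newuser01, people, example.com
dn: uid=newuser01,ou=people,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: newuser01
uidNumber: 1234
gidNumber: 1234
homeDirectory: /home/newuser01
userPassword:: e1NTSEF9MXZPNFh0aXRLM2h2V1Z6VmI5RTlUdjFpQ1RTSDArb1A=

# admins, groups, example.com
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 3000
cn: admins
memberUid: newuser01

# search result
result: 0 Success
"""

POSTED_CONF = {  # values from the client's sssd.conf above
    "ldap_schema": "rfc2307bis",
    "ldap_search_base": "dc=example,dc=com",
    "ldap_default_bind_dn": "uid=newuser01,cn=users,cn=accounts,dc=example,dc=com",
    "ldap_user_search_base": "cn=users,cn=accounts,dc=example,dc=com",
    "ldap_group_search_base": "cn=groups,cn=accounts,dc=example,dc=com",
}
FIXED_CONF = {"ldap_schema": "rfc2307", "ldap_search_base": "dc=example,dc=com"}

if __name__ == "__main__":
    for f in check_entries(parse_ldif(SAMPLE_LDIF), POSTED_CONF):
        print("-", f)
```

The corrected set simply drops the per-type search bases (the default search base already covers ou=people and ou=groups) and uses the rfc2307 schema that matches memberUid; a bind DN, if one is needed at all, must be a DN the directory actually holds and should be a dedicated read-only account rather than a user whose password sits in the client's sssd.conf.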
We're using an OpenLDAP server with sssd for user authentication on CentOS and everything works fine. However, we are trying to set up an access filter to restrict login to users of a certain group (linuxgroup), as there are a lot of other users in the OpenLDAP server.
The issue is that in OpenLDAP there is no memberOf attribute. Does anyone know how to make it work to filter groups in OpenLDAP?
Source: (StackOverflow)
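ldap_access_filter with (memberOf=...) only works if the server maintains that attribute, which on OpenLDAP means loading the memberof overlay. The alternative that needs no server change is sssd's simple access provider (access_provider = simple, simple_allow_groups = linuxgroup): it decides from the group membership the id provider has already resolved from the group entries themselves (memberUid for rfc2307, member for rfc2307bis), so no memberOf attribute is required. The block below is an added example, not code from the post or from sssd; it models the documented evaluation order of that provider (deny lists win, then allow lists; with only deny lists everyone else is allowed, with any allow list everyone else is denied) on top of membership resolved from constructed rfc2307 group entries. Group and user names are invented for the illustration.

```python
"""Group-restricted login without a memberOf attribute (added example)."""


def groups_of(user, group_entries):
    """Resolve the user's groups from rfc2307 group entries
    (name -> memberUid list).  Membership is flat; rfc2307 has no nesting."""
    return {name for name, members in group_entries.items() if user in members}


def simple_access(user, user_groups, allow_users=(), allow_groups=(),
                  deny_users=(), deny_groups=()):
    """True if the simple provider's documented rules would grant access.
    Name comparison is case-insensitive in this model."""
    u = user.lower()
    groups = {g.lower() for g in user_groups}
    if u in {x.lower() for x in deny_users}:
        return False                                # simple_deny_users wins
    if groups & {x.lower() for x in deny_groups}:
        return False                                # simple_deny_groups wins
    if not allow_users and not allow_groups:
        return True                                 # only deny lists (or nothing) configured
    return (u in {x.lower() for x in allow_users}
            or bool(groups & {x.lower() for x in allow_groups}))


# Constructed rfc2307 group entries, as the id provider would see them.
GROUPS = {
    "linuxgroup":  ["alice", "bob"],
    "hr":          ["carol"],
    "contractors": ["bob"],
}


def login_allowed(user, allow_groups=("linuxgroup",), deny_groups=()):
    """simple_allow_groups / simple_deny_groups evaluated for one user."""
    return simple_access(user, groups_of(user, GROUPS),
                         allow_groups=allow_groups, deny_groups=deny_groups)


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, login_allowed(who), login_allowed(who, deny_groups=("contractors",)))
```

Because membership comes from the group side, users with no group at all (dave above) are denied as soon as an allow list exists, which is the restriction the question is after; the memberof overlay remains the right choice only when other LDAP clients need the attribute too.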
I've set up an LDAP server running on CentOS 7. id and getent passwd on users work, but ssh fails. From /var/log/secure it seems like authentication succeeded, but PAM doesn't like something else. I'm not sure how to narrow down where the problem is.
/var/log/secure:
May 11 16:33:40 localhost sshd[45055]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=ldapserver.abc.com user=user1
May 11 16:33:40 localhost sshd[45055]: pam_sss(sshd:account): Access denied for user user1: 6 (Permission denied)
May 11 16:33:40 localhost sshd[45055]: Failed password for user1 from ldapserver.abc.com port 55185 ssh2
May 11 16:33:40 localhost sshd[45055]: fatal: Access denied for user user1 by PAM account configuration [preauth]
/etc/sssd/sssd.conf:
[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,newsnsdc,nscd
[domain/default]
enumerate = False
ldap_tls_reqcert = never
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=abc,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_uri = ldaps://ldapserver.abc.com:636
ldap_id_use_start_tls = False
ldap_default_bind_dn = uid=nssproxy,ou=users,dc=abc,dc=com
ldap_chpass_uri = ldaps://ldapserver.abc.com:636
ldap_default_authtok_type = password
ldap_default_authtok = 12345
debug_level = 4
[pam]
debug_level = 4
[sudo]
[autofs]
[ssh]
debug_level = 9
[pac]
[ifp]
/etc/pam.d/password-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
/etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Source: (StackOverflow)
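The log already narrows it: pam_unix's "authentication failure" in the auth phase is harmless (user1 has no local password and the stack continues to pam_sss, which succeeds), and the decision is made in the account phase, where pam_sss returns 6 (Permission denied) and the [default=bad ...] control turns that into the sshd "Access denied ... by PAM account configuration". On the sssd side the posted domain sets access_provider = ldap without an ldap_access_filter; with the default ldap_access_order = filter, sssd denies every account when no filter is configured. Either supply a filter, or use access_provider = permit or simple. To make the PAM side of that reasoning checkable, here is an added example, not code from the post or from Linux-PAM: it parses the posted password-auth lines as written and replays the auth and account stacks under Linux-PAM's control semantics with the module results the log implies. The per-module return codes in the scenario dicts are assumptions.

```python
"""Replaying a Linux-PAM stack to see which module decided (added example)."""

# Linux-PAM's expansion of the simple keywords into [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_stack(text, stack_type):
    """Pick the lines of one type ('auth', 'account', ...) out of a pam.d file.
    Returns (control table, module) pairs; a leading '-' (skip the line if
    the module is missing) is dropped."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0].lstrip("-") != stack_type:
            continue
        if parts[1].startswith("["):                 # bracketed control contains spaces
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            table = dict(kv.split("=") for kv in " ".join(parts[1:end + 1]).strip("[]").split())
            module = parts[end + 1]
        else:
            table, module = KEYWORDS[parts[1]], parts[2]
        stack.append((table, module))
    return stack


def run_stack(stack, outcomes):
    """Evaluate a stack given each module's return code ('success',
    'auth_err', 'perm_denied', 'user_unknown', 'ignore', ...).  Modules
    absent from `outcomes` are taken to return 'ignore'.  Returns the
    status the application (here sshd) would see."""
    impression, status, skip = None, None, 0
    for table, module in stack:
        if skip:
            skip -= 1
            continue
        rv = outcomes.get(module, "ignore")
        action = table.get(rv, table.get("default", "bad"))   # unlisted codes count as bad
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", rv
            if action == "done" and impression == "positive":
                break                                           # sufficient: decided
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", rv             # first failure sticks
            if action == "die":
                break                                           # requisite: stop now
        elif action == "reset":
            impression, status = None, None
        elif action.isdigit():
            skip = int(action)                                  # jump over N modules
    return status if impression is not None else "perm_denied"


# The auth and account lines of the posted /etc/pam.d/password-auth-ac.
PASSWORD_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""

# Assumed module results for user1 (LDAP-only, uid >= 1000) as the log implies.
AUTH_USER1 = {"pam_env.so": "success", "pam_unix.so": "auth_err",        # no local password
              "pam_succeed_if.so": "success", "pam_sss.so": "success",
              "pam_deny.so": "perm_denied"}
ACCOUNT_DENIED = {"pam_unix.so": "success",                              # no local shadow entry to age
                  "pam_localuser.so": "perm_denied",                      # not in /etc/passwd
                  "pam_succeed_if.so": "auth_err",                        # uid < 1000 is false
                  "pam_sss.so": "perm_denied",                            # the "6 (Permission denied)" line
                  "pam_permit.so": "success"}
ACCOUNT_GRANTED = dict(ACCOUNT_DENIED, **{"pam_sss.so": "success"})     # after fixing sssd's access_provider

if __name__ == "__main__":
    print("auth:", run_stack(parse_stack(PASSWORD_AUTH, "auth"), AUTH_USER1))
    print("account:", run_stack(parse_stack(PASSWORD_AUTH, "account"), ACCOUNT_DENIED))
    print("account after fix:", run_stack(parse_stack(PASSWORD_AUTH, "account"), ACCOUNT_GRANTED))
```

Note how the trailing "account required pam_permit.so" cannot rescue the stack: once pam_sss has produced a negative impression under default=bad, later successes are ignored, whereas user_unknown=ignore lets a user sssd has never heard of fall through to pam_permit.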
I'm playing around with PAM authentication using a small C program:
#include <security/pam_appl.h>
#include <security/pam_misc.h>   /* misc_conv(); build with -lpam -lpam_misc */
#include <stdio.h>               /* fprintf() needs this; it was missing */
#include <stdlib.h>
#include <pwd.h>
#include <unistd.h>
int main(void)
{
    pam_handle_t *pamh = NULL;
    struct pam_conv pamc;
    const char *user = getenv("USER");
    int ret;
    pamc.conv = &misc_conv;
    pamc.appdata_ptr = NULL;
    if (user == NULL) {          /* $USER is unset under cron, some su/sudo paths */
        struct passwd *pw = getpwuid(getuid());
        if (pw == NULL) {
            fprintf(stderr, "cannot determine the calling user\n");
            return 1;
        }
        user = pw->pw_name;
    }
    ret = pam_start("su", user, &pamc, &pamh);
    if (ret != PAM_SUCCESS) {    /* unchecked in the original; pamh is unusable on failure */
        fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret));
        return 1;
    }
    ret = pam_authenticate(pamh, 0);
    if (ret != PAM_SUCCESS) {
        fprintf(stderr, "Auth failed: %s\n", pam_strerror(pamh, ret));
    } else {
        fprintf(stderr, "Auth succeeded!\n");
    }
    pam_end(pamh, ret);          /* pass the last status so modules can clean up */
    return ret == PAM_SUCCESS ? 0 : 1;
}
Two kinds of users have access on my system: those created in the local shadow db, and those who traverse a configured sssd process to authenticate with LDAP against a remote Active Directory.
I've configured sssd to plug into PAM, which I'm able to confirm via a number of logs on the system and debug output from sssd, but the above program only works for local users. Users that would require authentication against sss get a PAM_AUTH_ERROR back from pam_authenticate whether they enter the correct credentials or not.
I'm surely missing something obvious. How can I access sss via PAM in a C program?
Source: (StackOverflow)