[opensuse] sssd getent shows only local users
12.3 client connected to AD

Hi

I have sssd up and running against a Samba4 AD. It works fine. The only quirk is that getent passwd and getent group return only local users.

getent passwd lynn2 and getent group Domain\ Users work fine, however:

    getent passwd lynn2
    lynn2:*:3000033:20513:lynn2:/home/users/lynn2:/bin/bash

    getent group 'Domain Users'
    Domain Users:*:20513:

If I set enumerate = true in sssd.conf, then getent passwd and getent group return as expected: both local and domain objects. But only the first time that the commands are run.

I believe that the enumerate line should allow me to list all domain users too. Is it possible to get all the objects listed always with getent under sssd?

/etc/nsswitch.conf

    passwd: compat sss
    group: compat sss

/etc/sssd/sssd.conf

    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = default

    [nss]

    [pam]

    [domain/default]
    access_provider = simple
    #simple_allow_users = myuser
    enumerate = false
    cache_credentials = True
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    krb5_realm = HH3.SITE
    krb5_server = hh16.hh3.site
    krb5_kpasswd = hh16.hh3.site
    ldap_uri = ldap://hh16.hh3.site/
    ldap_search_base = dc=hh3,dc=site
    ldap_tls_cacertdir = /usr/local/samba/private/tls
    ldap_id_use_start_tls = False
    ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
    ldap_default_authtok = xx
    ldap_default_authtok_type = password
    ldap_user_object_class = person
    ldap_user_name = samAccountName
    ldap_user_uid_number = uidNumber
    ldap_user_gid_number = gidNumber
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_shell = loginShell
    ldap_group_object_class = group
    #ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
lynn said the following on 04/14/2013 04:19 AM:
I believe that the enumerate line should allow me list all domain users too. Is it possible to get all the objects listed always with getent under sssd?
/etc/nsswitch.conf

    passwd: compat sss
    group: compat sss
This isn't my area of expertise so this is just a guess.

Isn't there a 'necessary and sufficient' thing here? You've listed 'compat' first, so isn't a query going to try local first? You don't have a qualifier on that to say what happens on failure.

Do you really want local to have priority over sss? Do you want the priority to be this absolute and unqualified?

* maybe there needs to be a "[NOTFOUND=continue]" qualifier
* maybe 'compat' isn't the right thing to use there

This isn't my area of expertise so this is just a guess.

--
For every person who wants to teach there are approximately thirty people who don't want to learn--much.
W. C. Sellar and R. J. Yeatman, And Now All This (1932) introduction
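An added example, not from the thread, that models the part of glibc's NSS behaviour the posts above are circling around: how the services on a `passwd:` line are walked for a keyed lookup (`getent passwd lynn2`) versus an enumeration (`getent passwd` with no key), and what `[STATUS=action]` qualifiers change. The accounts, uids and backends are constructed; the sssd backend's `enumerate` flag stands in for `enumerate = false/true` in sssd.conf. Two facts to keep in view while reading the thread: per nsswitch.conf(5) the default action for NOTFOUND is already `continue`, so a `[NOTFOUND=continue]` qualifier changes nothing; and sssd's `[nss]` section filters `root` out of its answers by default (`filter_users`), so listing `sss` before `compat` does not let a directory object named `root` shadow the local account, although it does for any other colliding name, as the `svc-backup` case below shows.

```python
"""Added example (not from the thread): a small model of how glibc's NSS walks
the services listed for the passwd database in /etc/nsswitch.conf, to show why
`getent passwd lynn2` can succeed while `getent passwd` lists only local users,
and what reordering `compat sss` to `sss compat` changes.
Backends, accounts and uids are constructed for illustration."""
import re
from dataclasses import dataclass

# Default action per status, from nsswitch.conf(5): only SUCCESS returns,
# every other status falls through to the next service.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_nsswitch_line(line):
    """'passwd: compat [NOTFOUND=return] sss' -> [('compat', {...}), ('sss', {...})]"""
    _db, _, rest = line.partition(":")
    services = []
    for bracket, word in _TOKEN.findall(rest):
        if word:
            services.append((word, dict(DEFAULT_ACTIONS)))
        elif services:  # a [STATUS=action ...] group qualifies the preceding service
            actions = services[-1][1]
            for spec in bracket.split():
                status, _, action = spec.lstrip("!").partition("=")
                status, action = status.upper(), action.lower()
                if spec.startswith("!"):  # "!STATUS=action": every status except STATUS
                    for s in actions:
                        if s != status:
                            actions[s] = action
                else:
                    actions[status] = action
    return services


@dataclass
class Backend:
    """One NSS service. enumerate=False models sssd with enumerate=false in
    sssd.conf: getpwnam answers, but setpwent/getpwent yield nothing."""
    entries: dict
    enumerate: bool = True
    available: bool = True  # False models the daemon being unreachable (UNAVAIL)


def getpwnam(nsswitch_line, backends, name):
    """Keyed lookup, as `getent passwd NAME` does."""
    for svc, actions in parse_nsswitch_line(nsswitch_line):
        be = backends.get(svc)
        if be is None or not be.available:
            status, result = "UNAVAIL", None
        elif name in be.entries:
            status, result = "SUCCESS", be.entries[name]
        else:
            status, result = "NOTFOUND", None
        if actions[status] == "return":
            return result
    return None


def getpwent_all(nsswitch_line, backends):
    """Enumeration, as `getent passwd` with no key does: each service is asked
    for all of its entries in turn; when a service is exhausted it reports
    NOTFOUND and that status's action decides whether the walk goes on."""
    out = []
    for svc, actions in parse_nsswitch_line(nsswitch_line):
        be = backends.get(svc)
        if be is None or not be.available:
            status = "UNAVAIL"
        else:
            if be.enumerate:
                out.extend(be.entries.values())
            status = "NOTFOUND"  # end of this service's stream
        if actions[status] == "return":
            break
    return out


# Constructed data: local accounts (compat/files) and an AD domain seen via sssd.
LOCAL = {"root": "root:x:0:0:root:/root:/bin/bash",
         "svc-backup": "svc-backup:x:498:498:local backup:/var/backup:/bin/false"}
DOMAIN = {"lynn2": "lynn2:*:3000033:20513:lynn2:/home/users/lynn2:/bin/bash",
          "svc-backup": "svc-backup:*:3000040:20513:AD account:/home/users/svc-backup:/bin/bash"}


def scenarios():
    """What getent would show in the configurations discussed in the thread."""
    no_enum = {"compat": Backend(LOCAL), "sss": Backend(DOMAIN, enumerate=False)}
    enum = {"compat": Backend(LOCAL), "sss": Backend(DOMAIN, enumerate=True)}
    names = lambda entries: [e.split(":")[0] for e in entries]
    return {
        # enumerate=false: the single lookup reaches AD, the listing is local only
        "keyed_no_enum": getpwnam("passwd: compat sss", no_enum, "lynn2"),
        "list_no_enum": names(getpwent_all("passwd: compat sss", no_enum)),
        # enumerate=true: the same nsswitch order now lists domain users too
        "list_enum": names(getpwent_all("passwd: compat sss", enum)),
        # [NOTFOUND=continue] is the default, so it changes nothing
        "list_notfound_continue": names(getpwent_all("passwd: compat [NOTFOUND=continue] sss", enum)),
        # order matters when a name exists on both sides: sss first shadows the local entry
        "shadow_compat_first": getpwnam("passwd: compat sss", no_enum, "svc-backup"),
        "shadow_sss_first": getpwnam("passwd: sss compat", no_enum, "svc-backup"),
        # root is not served by the domain backend, so sss first still reaches the local one
        "root_sss_first": getpwnam("passwd: sss compat", no_enum, "root"),
    }


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key}: {value}")
```

The `shadow_*` pair is the practical caveat behind Werner's remark about local users: whichever service comes first wins for any name present in both, so before moving `sss` ahead of `compat` check that no local service account shares a samAccountName with a directory object.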
[14.04.2013 14:01] [Anton Aylward]:
lynn said the following on 04/14/2013 04:19 AM:
I believe that the enumerate line should allow me list all domain users too. Is it possible to get all the objects listed always with getent under sssd?
/etc/nsswitch.conf

    passwd: compat sss
    group: compat sss
This isn't my area of expertise so this is just a guess. Isn't there a 'necessary and sufficient' thing here? You've listed 'compat' first, so isn't a query going to try local first? You don't have a qualifier on that to say what happens on failure.
Do you really want local to have priority over sss? Do you want the priority to be this absolute and unqualified?
* maybe there needs to be a "[NOTFOUND=continue]" qualifier
* maybe 'compat' isn't the right thing to use there
This isn't my area of expertise so this is just a guess.
The mentioned entries in /etc/nsswitch.conf are made by YaST. And yes, you might really "want local to have priority over sss", and if it is simply because of the local root user...

In YaST, you also have a checkbox whether you want to list entities or not. For me, checking the box made no difference; I never had remote users appearing on "getent passwd".

However, "getent passwd $remoteusername" worked as usual.

When I changed "compat sss" to "compat ldap", I got the long list (> 2k users). So this should not be an issue with "compat", but related to "sss".

I removed sssd from my box, and configured everything manually (for ldap) as I did before. Authentication against LDAP never worked with sssd, with or without enabled TLS. And I did not read about a working sssd against a (remote) LDAP server yet.

Regards,
Werner
On 14/04/13 17:15, Werner Flamme wrote:
[14.04.2013 14:01] [Anton Aylward]:
lynn said the following on 04/14/2013 04:19 AM:
I believe that the enumerate line should allow me list all domain users too. Is it possible to get all the objects listed always with getent under sssd?
/etc/nsswitch.conf

    passwd: compat sss
    group: compat sss

This isn't my area of expertise so this is just a guess. Isn't there a 'necessary and sufficient' thing here? You've listed 'compat' first, so isn't a query going to try local first? You don't have a qualifier on that to say what happens on failure.
Do you really want local to have priority over sss? Do you want the priority to be this absolute and unqualified?
* maybe there needs to be a "[NOTFOUND=continue]" qualifier
* maybe 'compat' isn't the right thing to use there
This isn't my area of expertise so this is just a guess. The mentioned entries in /etc/nsswitch.conf are made by YaST. And yes, you might really "want local to have priority over sss", and if it is simply because of the local root user...
In YaST, you also have a checkbox whether you want to list entities or not. For me, checking the box made no difference; I never had remote users appearing on "getent passwd".
However, "getent passwd $remoteusername" worked as usual.
When I changed "compat sss" to "compat ldap", I got the long list (> 2k users). So this should not be an issue with "compat", but related to "sss".
I removed sssd from my box, and configured everything manually (for ldap) as I did before. Authentication against LDAP never worked with sssd, with or without enabled TLS. And I did not read about a working sssd against a (remote) LDAP server yet.
Regards, Werner

Hi everyone

Thanks for the input and ideas. I'm getting closer by the post. In fact it's just about there. Your notes about local users are valid and indeed it makes sense on the client to reverse the order of nsswitch to specify sss before compat (or files, I can't see any difference between specifying either files or compat) as the only local user ever to log in on the clients is root. Everything else comes from AD ldap.
@Werner. I don't think TLS has anything to do with authentication (but tell me otherwise). Isn't it just scrambling the signal over the network? Maybe you were using an old version of sssd? A self-signed certificate? It works more or less out of the box with AD.

I agree that authentication by a user DN and plain text password in a 0600 protected file is a bit like going back in time, but with the sssd shipped with 12.3 you can use GSSAPI for access to LDAP. The advantage is that the keytab you need is created when you join the AD domain. The Kerberos module looks after the rest.

Our only remaining gripe is that only single users or groups can be pulled with getent; getent passwd returns nothing except /etc/passwd, but getent passwd lynn2 returns the single entry for the lynn2 object. So, not exactly what we want, but something we can live with. I'll take this over to the Fedora/sssd list and report back here if there are any developments.

L x
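An added example, not from the thread, that reviews an sssd.conf for the points raised in this exchange: the bind password kept in the clear in ldap_default_authtok, the ldap:// URI with STARTTLS switched off (a simple bind over that sends the password unencrypted), the simple access provider with its allow list commented out (sssd grants access to everyone when the simple provider has no lists), and enumerate = false, which is what makes getent without a key show local entries only. WEAK is the configuration lynn posted with the attribute-mapping lines left out; HARDENED is a constructed alternative using the keytab-based GSSAPI bind lynn mentions. ldap_sasl_mech, ldap_krb5_keytab and ldap_krb5_init_creds are real sssd options; /etc/krb5.keytab is sssd's default keytab path and the group name linux-login is invented.

```python
"""Added example (not from the thread): audit the [domain/...] sections of an
sssd.conf for the weaknesses visible in the configuration posted in this
thread, and show a keytab-based GSSAPI bind instead of a stored password.
WEAK mirrors the posted values (schema mapping lines omitted); HARDENED is a
constructed alternative (group name invented, keytab path = sssd default)."""
import configparser

WEAK = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
id_provider = ldap
auth_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
"""

HARDENED = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
access_provider = simple
# constructed group name: only members of this AD group may log in
simple_allow_groups = linux-login
enumerate = true
id_provider = ldap
auth_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
# bind with the machine's Kerberos keytab from the domain join; no stored password
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
"""


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit(text):
    """Return a list of findings for every [domain/...] section in `text`."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        d = cp[sec]
        mech = d.get("ldap_sasl_mech", "").upper()
        bind_dn = d.get("ldap_default_bind_dn", "")
        # 1. a reusable bind password sitting in the file in the clear
        #    (GSSAPI removes it; sss_obfuscate at least hides it from casual reading)
        if d.get("ldap_default_authtok") and d.get("ldap_default_authtok_type", "password") == "password":
            findings.append(f"{sec}: ldap_default_authtok holds a cleartext bind password")
        # 2. simple bind over ldap:// with STARTTLS off puts that password on the wire
        if (bind_dn and mech != "GSSAPI" and d.get("ldap_uri", "").startswith("ldap://")
                and not _truthy(d.get("ldap_id_use_start_tls", "false"))):
            findings.append(f"{sec}: simple bind as {bind_dn} over ldap:// without STARTTLS")
        # 3. the simple access provider with no allow list admits every domain user
        if d.get("access_provider", "") == "simple" and not (
                d.get("simple_allow_users") or d.get("simple_allow_groups")):
            findings.append(f"{sec}: access_provider = simple with no simple_allow_* list")
        # 4. the behaviour the thread is about: with enumeration off,
        #    `getent passwd` / `getent group` list only local entries
        if not _truthy(d.get("enumerate", "false")):
            findings.append(f"{sec}: enumerate = false, getent without a key shows local entries only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

The keyed lookups lynn reports working (`getent passwd lynn2`) are unaffected by finding 4; it only explains the empty domain portion of a bare `getent passwd`. Finding 3 is the one to fix first on a client that authenticates against a whole AD forest.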
[15.04.2013 01:06] [lynn]:
On 14/04/13 17:15, Werner Flamme wrote:
[14.04.2013 14:01] [Anton Aylward]:
lynn said the following on 04/14/2013 04:19 AM:
I believe that the enumerate line should allow me list all domain users too. Is it possible to get all the objects listed always with getent under sssd?
/etc/nsswitch.conf

    passwd: compat sss
    group: compat sss

This isn't my area of expertise so this is just a guess. Isn't there a 'necessary and sufficient' thing here? You've listed 'compat' first, so isn't a query going to try local first? You don't have a qualifier on that to say what happens on failure.
Do you really want local to have priority over sss? Do you want the priority to be this absolute and unqualified?
* maybe there needs to be a "[NOTFOUND=continue]" qualifier
* maybe 'compat' isn't the right thing to use there
This isn't my area of expertise so this is just a guess. The mentioned entries in /etc/nsswitch.conf are made by YaST. And yes, you might really "want local to have priority over sss", and if it is simply because of the local root user...
In YaST, you also have a checkbox whether you want to list entities or not. For me, checking the box made no difference; I never had remote users appearing on "getent passwd".
However, "getent passwd $remoteusername" worked as usual.
When I changed "compat sss" to "compat ldap", I got the long list (> 2k users). So this should not be an issue with "compat", but related to "sss".
I removed sssd from my box, and configured everything manually (for ldap) as I did before. Authentication against LDAP never worked with sssd, with or without enabled TLS. And I did not read about a working sssd against a (remote) LDAP server yet.
Regards, Werner

Hi everyone

Thanks for the input and ideas. I'm getting closer by the post. In fact it's just about there. Your notes about local users are valid and indeed it makes sense on the client to reverse the order of nsswitch to specify sss before compat (or files, I can't see any difference between specifying either files or compat) as the only local user ever to log in on the clients is root. Everything else comes from AD ldap.
@Werner. I don't think TLS has anything to do with authentication (but tell me otherwise). Isn't it just scrambling the signal over the network?
No, it shouldn't. Yes, it is. :-) In 12.2, it was a hassle to convince sssd to work without TLS, but that might be related to YaST's interface.
Maybe you were using an old version of sssd?

What is old? I use the version from the 12.3 distro repo. Before, I used the version from 12.2, and did not see any positive changes.
A self-signed certificate?

Yes and no. Our corporate CA is certified by "Deutsche Telekom Root CA 2", which is known in most browsers (and TB).
It works more or less out of the box with AD. I agree that authentication by a user DN and plain text password in a 0600 protected file is a bit like going back in time, but with the sssd shipped with 12.3 you can use GSSAPI for access to LDAP. The advantage is that the keytab you need is created when you join the AD domain. The Kerberos module looks after the rest. Our only remaining gripe is that only single users or groups can be pulled with getent; getent passwd returns nothing except /etc/passwd, but getent passwd lynn2 returns the single entry for the lynn2 object.
I have to use our (Sun One) LDAP server instead of the AD LDAP - company policy :-\ At least, the LDAP server allows binds with the name and password of the authenticating user, and does not require any fixed authentication account.
So, not exactly what we want, but something we can live with. I'll take this over to the Fedora/sssd list and report back here if there are any developments.
Good luck :-)

Werner
lynn wrote:
return only local users
I've never used 'sssd', and wondered if your problem had anything to do with settings in samba -- specifically those for winbind. I'm thinking that sssd doesn't use or care about winbind, but note -- winbind has params for enum users, enum groups, AND winbind **expand** groups. Expand groups controls the recursive expansion and defaults to '1' in samba. The enum controls also default to 'no'.

You mention you turned on enumeration. In winbind, that usually means samba is allowed to return the list of "all users" or the list of "all groups"... but doesn't control *expanding* those groups.

I don't know if sssd has a similar parameter, but if you are using windows logins, are you sure you want sssd and not winbind?

Second note -- you have access_provider = simple => meaning simple access list that does NOT enumerate. You also seem to be configuring ldap. Assuming you are using ldap, don't you want access_provider = ldap?

Note -- I stress again --- I've never used sssd, so I really don't know if either of the above are issues.

Also note: getent only returns the given database's key-value. I don't see anything to indicate it can do anything other than that. I.e. if it DID expand things, then it wouldn't be returning the database key's value, which would seem to violate the documented behavior.
On 14/04/13 17:56, Linda Walsh wrote:
lynn wrote:
return only local users
I've never used 'sssd', and wondered if your problem had anything to do with settings in samba -- specifically those for winbind. I'm thinking that sssd doesn't use or care about winbind, but note -- winbind has params for enum users, enum groups, AND winbind **expand** groups. Expand groups controls the recursive expansion and defaults to '1' in samba. The enum controls also default to 'no'.
You mention you turned on enumeration. In winbind, that usually means samba is allowed to return the list of "all users" or the list of "all groups"... but doesn't control *expanding* those groups.
I don't know if sssd has a similar parameter, but if you are using windows logins, are you sure you want sssd and not winbind?
Second note -- you have access_provider = simple => meaning simple access list that does NOT enumerate. You also seem to be configuring ldap. Assuming you are using ldap, don't you want access_provider = ldap?
Note -- I stress again --- I've never used sssd, so I really don't know if either of the above are issues.
Also note: getent only returns the given database's key-value. I don't see anything to indicate it can do anything other than that. I.e. if it DID expand things, then it wouldn't be returning the database key's value, which would seem to violate the documented behavior.
Hi Linda

We've turned to sssd to rid ourselves of the winbind nightmare on the Samba4 DCs. It just isn't ready. We've also tried nss-ldapd instead of winbind and it works perfectly, but it needs the key to be cached and maintained to keep the client up, which is a pain. sssd looks ideal as you can get a client up in a matter of minutes, as you can use any relevant key from the keytab which is produced when you join the domain.

No, with AD, access is via Kerberos, not ldap, so access_provider = krb5 is correct.

Linda, I'm assuming you're using winbind. Is there any delay in getent returning any sort of output after a restart? I ask because we only have nss-ldapd to compare it with, which returns getent output instantly.

Thanks so much for your input and interest.

Lynn x
lynn wrote:
Linda, I'm assuming you're using winbind. Is there any delay in getent returning any sort of output after a restart? I ask because we only have nss-ldapd to compare it with which returns getent output instantly.
Not really -- but I have 'files' set to be returned before winbind -- since nearly all of what winbind returns is in the 'files'... so it's not a valid comparison really.

My samba setup is hot/cold... when it works, it works well, when not: not, but I have multiple redundancies, so I often don't notice breakages -- that's both a good and a bad thing... (though more good in my case)...
On 15/04/13 03:04, Linda Walsh wrote:
lynn wrote:
Linda, I'm assuming you're using winbind. Is there any delay in getent returning any sort of output after a restart? I ask because we only have nss-ldapd to compare it with which returns getent output instantly.
Not really -- but I have 'files' set to be returned before winbind -- since nearly all what winbind returns is in the 'files'... so it's not a valid comparison really.
My samba setup is hot/cold... when it works, it works well, when not:not, but I have multiple redundancies, so I often don't notice breakages -- that's both a good and a bad thing...(though more good in my case)...
I see. We have:

    passwd: compat sss
    group: compat sss

The local stuff comes in instantaneously but the sssd stuff can be slow, especially when the LAN is busy. On the clients, reversing to sss compat helps, I suppose because root is the only local user who ever needs to log in, so we may as well give ldap priority.

I know what you mean about the redundant servers. We have 2 S4 DCs. You only get to know by accident that you've been running on just one for over 3 days ;) It gives you a false sense of security. Not found a way to remind me to check. Yet. Must try harder. . .

L x
[15.04.2013 05:02] [lynn]:
I know what you mean about the redundant servers. We have 2 S4 DC's. You only get to know by accident that you've been running on just one for over 3 days;) It gives you a false sense of security. Not found a way to remind me to check. Yet. Must try harder. . .
We use Nagios with good results :-). Whenever one of our 3 ADs is down, there are alerts. This should work even better with Samba, since you do not have to install the nsclient++ on the box first ;-)

Werner
participants (4)
- Anton Aylward
- Linda Walsh
- lynn
- Werner Flamme