System Security Services Daemon (SSSD) - This project provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for FreeIPA, LDAP, & Active Directory.
Questions tagged [sssd]
353 questions
1 vote, 0 answers
SSSD and Checking AD Domain Join Status via "net ads testjoin"
I have a question about checking AD domain join status for Linux (CentOS 6) systems that use SSSD.
For initial domain join I used winbind "net ads join -k ..."
Obtained host keytab etc.
When I issue "net ads testjoin", I get "Join OK".
After a month,…

BBDG
1 vote, 1 answer
klist returns no tickets when using "pam_krb5.so try_first_pass"
We have
auth optional pam_krb5.so try_first_pass
in
/etc/pam.d/password-auth-ac
and
/etc/pam.d/system-auth-ac
however when I do a klist after successful login, I get
klist: No credentials cache found (filename: /tmp/nnnnn)
What…

Saqib Ali
1 vote, 1 answer
FreeBSD 10.3 SSSD AD integration issues
I'm having a lot of issues with FreeBSD 10.3
I'm finding the binary packages are fairly useless. I've had to build nearly everything to make things "work". I like using the adcli tool to join to a domain (MUCH nicer than samba). But the binary…

jbgeek
1 vote, 1 answer
Linux folder has realm name appended
I'm using RedHat with SSSD authentication against active directory.
There are 3 domains specified in the sssd.conf file with the default suffix specified for the domain where users reside.
When a new file is created using a domain account it is…

owenrumney
1 vote, 1 answer
SSSD list allowed users only
We are using SSSD for authentication using LDAP. And I filter the user access using simple_allow_groups as follows:
access_provider = simple
simple_allow_groups = Computer Admins
(Note: Computer Admins is an LDAP group)
Is it possible to get a list…

Saqib Ali
1 vote, 0 answers
Centos 7 sssd authentication with authlite in child domain
Centos 7 server is joined to abc.com and authentication is working to abc.com with authlite for two-factor authentication. A child domain was created a.abc.com but authentication is not working to the child domain. Can the server be joined to two…

Sonia Gilbert
1 vote, 1 answer
sss_useradd vs useradd with SSSD
I am currently using sssd to authenticate users to active directory. However, I still need to be able to add local users. I noticed SSSD has a local provider and also has a tool to add local users to the cache through sss_useradd. But through my…

CodyK
1 vote, 1 answer
Deleted /var/lib/sss/db/config.ldb by mistake
I deleted /var/lib/sss/db/config.ldb by mistake. Now when I try to start SSSD, I get the following errors:
(Wed Nov 23 11:40:36:059914 2016) [sssd] [check_file] (0x0400): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory].
(Wed…

Saqib Ali
1 vote, 1 answer
How to force sudo to use existing kerberos ticket?
Ok, so I'm using Windows Server 2012 as a Domain Controller.
I've connected two Centos7 clients to the domain via samba.
Authentication works as expected via SSH; however, when attempting
to sudo, pam still asks for a password.
Once you supply the…

Pete
1 vote, 1 answer
LDAP group filter using SSSD
I am using RHEL 7.2 image and trying to provide group based LDAP authentication using SSSD. How do I enable group based filters using SSSD?
I am attaching my sssd.conf file and I haven't enabled TLS on LDAP server (OpenDJ). I changed the value of…

Chakri
1 vote, 1 answer
SELinux rules in CentOS 7 with Samba and SSSD on Kerberos Ticket generation
I've built a simple File Server with Samba and Netatalk running on CentOS 7.2. Everything is working as expected except for SELinux that's denying Samba to authenticate due to a policy of denying writes on /var/tmp for the Kerberos Ticket.
This is…

Vinícius Ferrão
1 vote, 0 answers
Domain User home directory upon first login
I'm having some trouble setting up default files in the user home directory. The setup is a Centos 7, and I've successfully let it join the company's domain and authenticate through our AD.
I'm able to login using my domain username and password.…

Boon
1 vote, 1 answer
FreeIPA AD Trust based Integration using SunLDAP to store Policies
If we want to use the FreeIPA Active Directory Trust Integration Option, can we use an existing implementation of SunLDAP to store the Policies (e.g. sudo, hbac etc.)
Essentially we don't want to create another LDAP Directory just for storing the…

Saqib Ali
1 vote, 1 answer
Is there a way to configure sudo to not need to lookup group names / or speed up sssd group name resolution?
I've got a large number of Linux hosts that are connected using sssd to a Windows Active Directory (AD) domain for user/group lookup. That mostly works fine except for one problem; sudo.
From what I've been able to find in my testing anytime you…

Jason Alavaliant
1 vote, 1 answer
Detect SSSD authenticating domain programmatically in multi-domain environment
We have some servers in a mixed RH5/RH6 environment that need to authenticate to one of two LDAP services. This is implemented in SSSD and is running fine. Users from either domain can login successfully and where there is a username overlap the correct…

Drew