System Security Services Daemon (SSSD) - This project provides a set of daemons that manage access to remote directories and authentication mechanisms. It exposes an NSS and PAM interface toward the system and a pluggable back-end system for connecting to multiple account sources. It is also the basis for client-side auditing and policy services for FreeIPA, LDAP and Active Directory.
Questions tagged [sssd]
353 questions
1 vote, 0 answers
SSSD versus direct ldap IPA
I'm trying to set up so my sudoers in nsswitch.conf is using sss and not ldap directly. However, when I try to switch this and run a sudo I get the following error:
Error
userX is not allowed to run sudo in hostx. This incident will be reported.
If I add…

N. J
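For the switch described in the question above, the following is an added example (not from the post and not the SSSD project's own configuration) of the two files that have to agree for sudo to read rules through SSSD. The domain name, server name and host name are assumptions; what matters is that `sudoers:` in nsswitch.conf lists `sss`, that the `sudo` responder is enabled, and that `ipa_hostname` matches the host entry in IPA, because SSSD only downloads the rules that apply to this host (by name and hostgroup). A host that IPA does not recognise gets no rules, and sudo then reports exactly "is not allowed to run sudo".

```ini
# /etc/nsswitch.conf, only the relevant line (the other lines are unchanged).
# "sss" makes sudo read rules from SSSD's cache instead of contacting LDAP itself.
#
#   sudoers: files sss

# /etc/sssd/sssd.conf (mode 0600, owned by root, or sssd refuses to start)
[sssd]
services = nss, pam, sudo          # "sudo" starts the sudo responder on older releases;
domains = ipa.example.com          # harmless on releases that socket-activate it

[domain/ipa.example.com]           # assumed domain name
id_provider = ipa
ipa_server = ipa1.example.com      # assumed server
ipa_domain = ipa.example.com
ipa_hostname = hostx.ipa.example.com   # must match the host object in IPA
sudo_provider = ipa                # already the default when id_provider = ipa
cache_credentials = true
```

After editing, clear the cache and restart (`sss_cache -E; systemctl restart sssd`), then check with `sudo -l -U userX` on the client. If the rule still does not appear, raise `debug_level` in the `[sudo]` section and read `/var/log/sssd/sssd_sudo.log`, which lists the rules that were actually downloaded for this host.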
1 vote, 0 answers
Docker container cannot use its host's /etc/hosts file
After I joined some of my Ubuntu servers (mostly 20.02) to an AD domain (using realmd and sssd), they're unable to use their host's /etc/hosts file, which they could do before they were a part of AD.
Has anyone ever faced anything like this before?
I…

Milad Zahmatkesh
1 vote, 1 answer
Selective EXEC with LDAP-based sudo
I'm trying to translate this sudoers file into LDAP:
Defaults env_reset, env_keep="LESSSECURE SSH_CLIENT", !authenticate, noexec, requiretty, secure_path=/usr/local/bin:/usr/bin:/usr/sbin
Cmnd_Alias DNS = /usr/local/bin/dnsmanager
Cmnd_Alias LOGS =…

miken32
1 vote, 0 answers
Kerberos ticket timeouts with sssd and cifs shares
We are integrating Linux machines into our Active Directory infrastructure. It works quite fine, users are logging in with their AD-credentials, and get access to cifs-network-shares via PAM-mount. However, if we are running some lengthy script…

Niels Jespersen
1 vote, 1 answer
ldapsearch finds my account/user, sssd does not
I am trying to set up a new server (Ubuntu 22.04 LTS) and authenticate users using organization accounts.
This is the public documentation provided:
https://www.hs-regensburg.de/supportwiki/doku.php?id=en:public:netz:auth
When executing ldapsearch…

Sammy
1 vote, 0 answers
How to configure multi-realm Kerberos
Intention
I want to set up 2 Kerberos realms where one can authenticate the users in the other.
Current Setup
I have 2 Kerberos Servers (ad.somedomain.com and kerb.foo.bar)
I have my users on kerb.foo.bar
User
user1
alice
bob
I can…

WesAtWork
1 vote, 1 answer
LDAP SSSD SHA-512 authentication failure
I have a server with helm-openldap and a debian client.
I can't log in to a user who has a SHA-512 encrypted password. If I store it in clear or MD5, it works perfectly.
$ id tuser
uid=5000(tuser) gid=5000(tuser)…

ange
1 vote, 0 answers
adcli update does not save Kerberos ticket with new kvno
The new Kerberos ticket of the computer account is found by adcli update but not saved in the keytab file.
adcli update --domain=example.org -v
The output "Retrieved kvno '4' for computer account" appears, but in the keytab file KVNO 3 is still the largest…

phanaz
1 vote, 1 answer
Can SSSD authenticate via LDAP with anonymous binding forbidden in ACLs and with 'olcRequires: authc' enforced?
I manage a LAN with a list of users accessing their NFS-shared homes while being authenticated via NIS/YP (CentOS/Fedora-based clients and servers).
I'm in the painful process of migrating out of NIS/YP (which is slowly but irreversibly being…

Francesco
1 vote, 0 answers
Using ssh with sssd for password or publickey and extending with MFA support through PAM
So after some extensive testing and discussing I can no longer wrap my head around this problem on my own.
Goal: Authenticating over ssh with either publickey or password, and use PAM for MFA.
System used is Ubuntu Server 20.04
Splitting this into…

emollusion
1 vote, 1 answer
LDAP finds user, but "permission denied" when logging in
I am setting up an LDAP client in Red Hat 8.
After setting up the config files I did an LDAP user test and it came back successfully:
# id myusername
uid=666(myusername) gid=510(active_users) groups=510(active_users)
If I run an ldapsearch it…

Fred
1 vote, 3 answers
every LDAP user gives "permission denied" with LDAP and sssd (Centos7)
I am trying to limit LDAP logins to the "admin" group.
This is my /etc/sssd/sssd.conf file:
[domain/default]
autofs_provider = ldap
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials…

Iggy
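The question above wants logins limited to one LDAP group, and the posted fragment has no `access_provider` at all. The following is an added example (not from the post and not an SSSD-supplied file) of the two ways SSSD can enforce that, with the TLS settings tightened at the same time; the server, search base and group DN are assumptions. Note that the posted `ldap_tls_reqcert = allow` together with `ldap_id_use_start_tls = False` means the server certificate is never checked, and SSSD will not send a password over an unencrypted LDAP connection at all, so `auth_provider = ldap` needs either `ldaps://` or STARTTLS to work.

```ini
# /etc/sssd/sssd.conf (mode 0600, owned by root)
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com                  # assumed server; ldaps or STARTTLS is required for auth
ldap_search_base = dc=example,dc=com                 # assumed base
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt   # CA that signed the server cert (CentOS 7 bundle path)
ldap_tls_reqcert = demand                            # "allow" accepts any certificate; keep "demand"
cache_credentials = true

# Option A: let the LDAP server evaluate a filter against the user entry at login.
# memberOf must exist on the user entry (OpenLDAP needs the memberof overlay for that).
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=admin,ou=groups,dc=example,dc=com)   # group DN is an assumption

# Option B (use instead of A when groups are plain posixGroup entries without memberOf):
# SSSD checks the user's resolved group list itself.
#access_provider = simple
#simple_allow_groups = admin
```

After `systemctl restart sssd`, a denied user shows up in `/var/log/secure` as `pam_sss(sshd:account): Access denied for user ...`; if every user is denied instead, check that `pam_sss.so` is in the `account` phase of `/etc/pam.d/system-auth` and `password-auth` (on CentOS 7 `authconfig --enablesssd --enablesssdauth --update` writes that line) and that sshd's own `AllowGroups`, if set, includes the group.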
1 vote, 1 answer
pam_unix(sshd:auth): authentication failure because of encrypted password from PAM stack
To configure sssd to connect to the AD server,
I set id_provider to ldap.
As the AD server cannot accept TLS, I disabled it by:
ldap_id_use_start_tls = false
and setting ssl off in ldap.conf.
When I log in via ftp with a domain account, it works. But it fails for ssh.
I…

user929572
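For the situation in the question above (an AD domain controller that will not offer TLS on LDAP), the following is an added example, not from the post and not a file SSSD ships, of the configuration a practitioner would use instead of `id_provider = ldap` with TLS switched off. SSSD refuses to send a user's password over an unencrypted LDAP simple bind, so the plain-text LDAP setup cannot authenticate anyone; the `ad` provider authenticates with Kerberos and binds to LDAP with the host keytab over SASL/GSSAPI, which is encrypted without TLS. The realm and domain names are assumptions, and the keytab is assumed to have been created by `adcli join` or `realm join`.

```ini
# /etc/sssd/sssd.conf (mode 0600, owned by root)
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com            # assumed AD domain, lower case

[domain/ad.example.com]
id_provider = ad                    # auth_provider and chpass_provider default to "ad" (Kerberos)
access_provider = ad                # honours the AD account's "logon to" and disabled/expired flags
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM         # realm is the domain in upper case
krb5_keytab = /etc/krb5.keytab      # host keytab from the domain join
ldap_id_mapping = true              # map SIDs to UID/GID; set false if POSIX attributes are kept in AD
use_fully_qualified_names = false
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
cache_credentials = true
```

On the logging side, `pam_unix(sshd:auth): authentication failure` is expected noise whenever `pam_unix` runs before `pam_sss` and the user has no local shadow entry; the line that decides the login is the `pam_sss(sshd:auth)` entry that follows it. That ftp works while ssh fails usually means the two services use different PAM stacks: confirm `pam_sss.so` is present in the `auth` and `account` phases of the stack sshd includes, and that `UsePAM yes` is set in `sshd_config`.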
1 vote, 1 answer
What am I missing to setup sudo access with openldap?
I'm using lxd/lxc containers (Oracle Linux 8) to rapidly deploy the environment (so if you have lxd setup, you can modify the ip scheme to match lxd's bridge subnet / DNS and then paste the code into separate lxc containers).
I can authenticate as…

thistleknot
1 vote, 1 answer
Linux: Converting from NIS to AD auth, how to associate old UID/GID to "new" users?
Background: Our org has used NIS for 20+ years for UNIX/Linux authentication, continuing through the present time. Windows and Active Directory came on the scene in our org sometime around 16 years ago, but AD was never used for Linux auth (only using…

Will Dennis