System Security Services Daemon (SSSD) - This project provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis for client auditing and policy services for FreeIPA, LDAP and Active Directory.
Questions tagged [sssd]
353 questions
0 votes, 2 answers
SSSD direct bind
I use openldap with the following structure:
dc=example,dc=org
├── ou=groups
│ ├── cn=wheel
│ └── cn=adm
└── ou=users
├── uid=firstname.lastname
└── uid=firstname.lastname
Every setup of SSSD I found uses the setting ldap_search_base.…

ange
0 votes, 0 answers
SSSD Linux passwd not working Windows Domain - Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1]
My Linux box for some reason is not allowing me to use the passwd command to change the user's Windows AD password. We can access the box using AD, run sudo using the AD password, and when running the id command I can see my AD groups, etc., so it looks fine but the…
0 votes, 1 answer
SSSD hangs servers
When I boot the image from the diskless server (it is RHEL 8.6) it gets a Call Trace:
It looks like the sssd:2076 task is blocked for 120 seconds. I am not able to find anything about that on the network. Does anybody know how to resolve it?

sqr
0 votes, 1 answer
Linux AD - Machine Account Name not updating on Domain Controller when Changing Hostname
I have some Alma 8 boxes which are integrated into Windows Active Directory (2012 R2) for user authentication using SSSD, using net ad (as opposed to realmd) for the domain join, for historic reasons. Everything works, with the exception of dynamic…

motorleague
0 votes, 1 answer
Nested AD group is not respected with SSSD
I have a domain joined server, configured with sssd.
In sssd.conf I use
ad_access_filter = (memberof=CN=CustomGroup,OU=Security Group,DC=company,DC=com)
This works well for users in CustomGroup but not for users in the Nested_CustomGroup group that…

Norskyi
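One way to make the access filter follow nested membership, shown as an added example that is not taken from the question above or from the SSSD project's documentation: a plain memberof= comparison in ad_access_filter only matches direct members of the group, but Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule (OID 1.2.840.113556.1.4.1941) makes the domain controller evaluate group membership transitively, so users in groups nested under CustomGroup match as well. The group DN is the one from the question; the domain section name company.com and the rest of the domain block are assumptions for the example.

```ini
# /etc/sssd/sssd.conf (added example; domain name is assumed)
[sssd]
domains = company.com
services = nss, pam

[domain/company.com]
id_provider = ad
access_provider = ad

# Original, direct-membership-only filter (kept for comparison):
# ad_access_filter = (memberof=CN=CustomGroup,OU=Security Group,DC=company,DC=com)

# Transitive filter: the :1.2.840.113556.1.4.1941: matching rule asks the DC
# to walk the group chain, so members of Nested_CustomGroup are admitted too.
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=CustomGroup,OU=Security Group,DC=company,DC=com)
```

After changing the filter, restart sssd and flush cached entries with sss_cache -E, then verify the decision for one direct and one nested member with sssctl user-checks <user> before relying on it. The chain rule is evaluated server-side on every access check, so on large forests expect it to cost more than a flat memberof= comparison.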
0 votes, 0 answers
SSSD alternative for pam_authz_search option in nslcd
I have servers based on RHEL 7 and 8.
RHEL 7 servers use nslcd to work with an LDAP server; RHEL 8 uses SSSD.
For RHEL 7 I can provide access for users to allowed hosts only.
This function is covered by the option in nslcd.conf:
pam_authz_search…

Aleksandr Makhov
0 votes, 1 answer
Kerberos credentials not renewed on ipa ubuntu client
When I use ssh to log in to my FreeIPA client, I get Kerberos credentials (klist). However, after they expire, I no longer get the credentials (klist is empty). This results in no home directory, as the user does not have permissions for the NFS. I can…

YuvGM
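The configuration that turns on SSSD's own ticket renewal, as an added example that is not part of the question above or of the FreeIPA project's defaults: SSSD only renews a TGT when it was asked for a renewable ticket and when the renewal task is enabled, and krb5_renew_interval defaults to 0, which disables renewal entirely. The domain name ipa.example.com and the lifetimes are assumptions.

```ini
# /etc/sssd/sssd.conf (added example; domain name and lifetimes are assumed)
[sssd]
domains = ipa.example.com
services = nss, pam, ssh

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa.example.com

# Request a TGT that lives 10h but can be renewed for up to 7 days.
# Without krb5_renewable_lifetime the KDC issues a non-renewable ticket
# and sssd has nothing to renew once it expires.
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d

# Wake the renewal task every 30 minutes. The default of 0 disables
# renewal, which leaves klist empty after krb5_lifetime passes.
krb5_renew_interval = 30m
```

Two caveats a practitioner should check before blaming the client: the KDC must permit renewable tickets for the requested window (on FreeIPA, ipa krbtpolicy-show and ipa krbtpolicy-mod --maxrenew), and SSSD only renews credentials it obtained itself through pam_sss, so a session opened with an SSH public key or with a delegated GSSAPI credential never gets a TGT that sssd tracks and will still lose access to the Kerberos-protected NFS home when that credential expires.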
0 votes, 1 answer
Problems sudoing using a host connected to Active Directory (sssd, kerberos local sudoers file)
I am configuring Active Directory authentication for an Alma 8 box using SSSD, Kerberos, an initial SSH key for login stored in an Active Directory object, and a local sudoers file that lists groups permitted to sudo.
I have connected the server…

motorleague
0 votes, 1 answer
Enforce TLS1.2 in sssd client
In one of our environments Linux servers are set up with sssd / OpenLDAP for OS login.
To support older servers our OpenLDAP server still has to support TLSv1.0 and TLSv1.1.
RedHat 8 no longer supports TLS levels below TLSv1.2, and thus the…

sastorsl
0 votes, 0 answers
use sssd-simple to restrict access to certain group
I have configured sssd to authenticate against LDAP;
however, I want to restrict the group that can connect to the server.
The sssd.conf below allows users that are not members of the mentioned group to connect. Why?
How to make sure only users who are members of…

danidar
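A minimal group-restricted domain block, added here as an example rather than taken from the question above (whose sssd.conf is not shown) or from the SSSD project: the point is that access_provider defaults to permit, so every user the id provider can resolve is allowed to log in until an access provider is set explicitly. The base DN and group name reuse the layout of the first question on this page (ou=groups, cn=wheel under dc=example,dc=org); the server URI and that wheel is the intended group are assumptions.

```ini
# /etc/sssd/sssd.conf (added example; URI, base DN and group are assumed)
[sssd]
domains = example.org
services = nss, pam

[domain/example.org]
id_provider = ldap
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_reqcert = demand

# Weak: leaving access_provider unset (or = permit) means any user that
# resolves via the id provider passes the PAM account check.
# access_provider = permit

# Corrected: the simple provider denies everyone except members of the
# listed groups. Names must match what getent group returns on the client,
# including the @domain suffix when use_fully_qualified_names = True.
access_provider = simple
simple_allow_groups = wheel
```

Restart sssd and run sss_cache -E after the change so a previously cached permit decision is not reused, then confirm with sssctl user-checks <user> (it reports the access-control result the PAM stack will see) for one member and one non-member. Note that the restriction only takes effect through pam_sss's account phase, so a PAM stack that skips account checks for some service will still let resolved users in.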
0 votes, 1 answer
Is it possible to overlay local LDAP attributes on top of a replicated tree?
A central LDAP server provides user data as posixAccount, whereby the attributes homeDirectory and loginShell are empty. I want to allow users in this central LDAP server to access a Linux system.
If I use syncrepl to replicate the data to a local…

loris
0 votes, 1 answer
idmap range on Ubuntu 20.04 (sssd) does not match CentOS 7 winbind idmaps (kinda)
My Active Directory ID maps on Ubuntu systems are very long compared to my CentOS IDs. The last 4 digits match but Ubuntu seems to be adding a lot more to the beginning.
In CentOS winbind/samba I used a range to get the IDs I needed:
idmap config…

Ashley Hill
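The SSSD side of an ID-mapping setup that reproduces winbind's rid-style arithmetic, added as an example that is not from the question above (whose idmap config line is cut off) or from the SSSD project: by default SSSD hashes each domain SID into a 200000-wide slice of the 200000..2000200000 range and adds the RID to the slice base, which is why only the trailing digits agree with the CentOS IDs. Pinning the domain SID to the first slice and lowering the range base makes SSSD compute uid = ldap_idmap_range_min + RID, the same as a winbind rid backend whose range starts at ldap_idmap_range_min. The domain name, SID and range values are assumptions.

```ini
# /etc/sssd/sssd.conf (added example; domain, SID and ranges are assumed)
[domain/corp.example.com]
id_provider = ad
ldap_id_mapping = True

# Default behaviour (for comparison): slice chosen by hashing the SID,
# so uid = <large slice base> + RID.
# ldap_idmap_range_min = 200000
# ldap_idmap_range_size = 200000

# Pin the domain to the first slice: uid = ldap_idmap_range_min + RID.
# Replace the SID with the real one (shown by "net ads info" / adcli info
# or the objectSid of the domain root).
ldap_idmap_default_domain = corp.example.com
ldap_idmap_default_domain_sid = S-1-5-21-1111111111-2222222222-3333333333
ldap_idmap_range_min = 10000
ldap_idmap_range_size = 990000
# range_max must still be >= range_min + range_size; the default of
# 2000200000 satisfies that, so it is left unset here.
```

Changing the mapping on a host that already has AD-owned files changes every UID and GID, so stop sssd, delete the cache database (the files under /var/lib/sss/db/) and plan a chown of existing data before restarting; also make sure the winbind range and this range do not overlap with local users or with a second AD domain, since SSSD assigns further domains to the next free slices.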
0 votes, 1 answer
Ubuntu SSSD Auth Error with child/sub AD Domain
I need help authenticating a Linux (Ubuntu) server that is joined to a child domain.
I can see the server name on the Domain Controller and am able to run an authentication test successfully; however, I am not able to log in with my domain account. Seems like a…

AAABL
0 votes, 1 answer
I can su as an [open]ldap user on an sssd, but I can't ssh or login directly as the same user, what am I missing?
On sssd client
authselect select sssd --force
systemctl enable --now sssd
[root@ldap-sssd ~]# id adam
uid=16859(adam) gid=100(users) groups=100(users)
[root@ldap-sssd ~]# su adam
bash-4.4$ su adam
Password:
su: Authentication failure
bash-4.4$
If…

thistleknot
0 votes, 0 answers
Using active directory group as netgroup in sssd
I have an Active Directory domain with a handful of Linux servers that interact with AD through sssd. I want to have a different sudoers configuration on different servers, and I know this can be done through netgroups. So far, I've managed to get…

Peter Lubans