Facebook Twitter
Linkedin LJ
Git Instagram
IPv6
3 posts tagged

sssd

AD + SSSD

If you have host in the AD with the SSSD then your root user can be any user from the domain. So

%groupname ALL=(ALL) NOPASSWD:ALL

would actually give permissions to all users from the “groupname” to become any AD user they want, and if they’re SSH’ng the localhost then, they would have Kerberos ticket as well. It is not actually that evident, but Active Directory is an identity provider, so if you are superuser on the host – you can be AD user on the host.

2017   IT   linux   sssd

Debugging IDM

One of the most frequent cases I have is that “sometimes” and “somewhere” user is not getting authenticated. Trying to SSH to the host works for some users not always, “id username” returns errors sometimes – it’s all the same problem in the environment with LDAP replication. It does not actually matter what kind of the LDAP server or domain controller is being used, always check:

  1. enable debug log on the client. If the client is SSSD, add “debug_level = 9” to the /etc/sssd/sssd.conf and then restart it. Invalidate it’s cache if possible.
  2. repeat the test so you would see the error.
  3. collect the log file from the client. You would see what server it has queried to get the information.
  4. check server’s log. Most likely there is no requested information on this LDAP instance due to replication issues.

This would help to identify and fix the problem.

2017   idm   IT   ldap   linux   sssd

Parsing sssd debug log

Lol, hope to add more in furure

grep -v "timed event" |grep -v "timer event"|grep -v "Requesting"|grep -v "SBUS"|grep -v "callback"|grep -v "dispatch"|grep -v "a sysbus message"|grep -v "No sub-attributes for" |grep -v "reusing cached connection" |grep -v "nesting:"|grep -v "sbus_remove_watch"|grep -v "be_client_destructor"|grep -v "sdap_process_result"|grep -v "Comparing LDAP with LDAP" |grep -v "Message type:"|grep -v "unenforced gpo skipped"
2017   IT   linux   sssd