Bug 5475 - [Package Request] sssd
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Contributed Packages
Version: Fresh
Hardware: All Linux
Importance: Normal normal
Assigned To: Alexey Ivanov
QA Contact: ROSA Linux Bugs
Reported: 2015-05-05 00:27 MSD by Zombie Ryushu
Modified: 2015-10-18 01:34 MSD (History)
RPM Package: sssd
Description Zombie Ryushu 2015-05-05 00:27:37 MSD
I request sssd be ported over from OpenMandriva to address the issue of offline authentication of OpenLDAP and Heimdal Kerberos. Currently, nss_updatedb must be used with nslcd to address this by hand, and pam_ccreds must cache Kerberos credentials. sssd would automate these single sign-in aspects for laptop units that are not always within reach of a Domain Controller.
Comment 1 Alexey Ivanov 2015-05-18 10:26:13 MSD
This involves an upgrade to cifs-utils. I'm on it.
Comment 2 Alexey Ivanov 2015-06-03 11:33:03 MSD
Zombie Ryushu, I have to ask for your help.

I have packaged sssd successfully. It involved minor updates to two other packages and uncovered a bug in cyrus-sasl.

But I don't have the possibility to give it thorough testing at the moment.
I can confirm successful initialization of LOCAL and AD back-ends, but I gave NSS and PAM almost no checks.

If you have a free client machine to test under your environment, please feel free to do so.

You will have to add several containers. These are x86_64 ones:

urpmi.addmedia 2503643 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2503643/x86_64/main/release/
urpmi.addmedia 2502850 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2502850/x86_64/main/release/
urpmi.addmedia 2505346 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2505346/x86_64/main/release/
urpmi.addmedia 2504246 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2505346/x86_64/main/release/

and these are i586 ones:

urpmi.addmedia 2502849 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2502849/x86_64/main/release/
urpmi.addmedia 2503642 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2503642/x86_64/main/release/
urpmi.addmedia 2505345 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2505345/x86_64/main/release/
urpmi.addmedia 2504245 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2504245/x86_64/main/release/

There is no default configuration at all. The package does not alter any config files, it just installs sssd services. You'll have to configure it manually.

I'd like to hear from you if you find problems or come up with ideas.
Comment 3 Zombie Ryushu 2015-06-04 08:58:04 MSD
     2/3: cifs-utils            ##########################################################################################################################################################################################################
update-alternatives: using /usr/lib64/cifs-utils/idmapwb.so to provide /etc/cifs-utils/idmap-plugin (cifs-idmap-plugin) in auto mode
update-alternatives: error: error creating symbolic link `/etc/cifs-utils/idmap-plugin.rpm-tmp': No such file or directory
ERROR: 'script' failed for cifs-utils-6.4-1-rosa2014.1.x86_64: 
error: %post(cifs-utils-6.4-1.x86_64) scriptlet failed, exit status 2

got some scriptlet errors
Comment 4 Alexey Ivanov 2015-06-04 09:13:06 MSD
Ah, I'm sorry, I've made a mistake while generating URI strings. The correct commands should look like this:

x86_64 ones:

urpmi.addmedia 2503643 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2503643/x86_64/main/release/
urpmi.addmedia 2502850 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2502850/x86_64/main/release/
urpmi.addmedia 2505346 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2505346/x86_64/main/release/
urpmi.addmedia 2504246 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2504246/x86_64/main/release/

i586 ones:

urpmi.addmedia 2502849 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2502849/i586/main/release/
urpmi.addmedia 2503642 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2503642/i586/main/release/
urpmi.addmedia 2505345 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2505345/i586/main/release/
urpmi.addmedia 2504245 http://abf-downloads.rosalinux.ru/aivanov_personal/container/2504245/i586/main/release/

Packages you are interested in are:

'sssd' - daemon itself
'sssd-client' - nss, pam, krb5 and other plugins
'sssd-tools' - a set of tools for manipulating the LOCAL backend database (sss_useradd, sss_usermod, etc.)

When the 'sssd' package is installed it should pull in 'sssd-client' as a required package. The latter package 'sssd-tools' is optional and should be installed manually if required (not everyone really needs the LOCAL backend).
Comment 5 Alexey Ivanov 2015-06-04 09:15:53 MSD
(In reply to comment #3)
>      2/3: cifs-utils           
> #############################################################################
> #############################################################################
> ################################################
> update-alternatives: using /usr/lib64/cifs-utils/idmapwb.so to provide
> /etc/cifs-utils/idmap-plugin (cifs-idmap-plugin) in auto mode
> update-alternatives: error: error creating symbolic link
> `/etc/cifs-utils/idmap-plugin.rpm-tmp': No such file or directory
> ERROR: 'script' failed for cifs-utils-6.4-1-rosa2014.1.x86_64: 
> error: %post(cifs-utils-6.4-1.x86_64) scriptlet failed, exit status 2
> 
> got some scriptlet errors

This is interesting. I did not alter this part of the package. It should have been OK.

Is /etc/ partition writable?
Does /etc/cifs-utils/ directory exist?

I'll give it some testing as soon as I have the possibility anyway.
Comment 6 Zombie Ryushu 2015-06-04 09:46:34 MSD
/etc/cifs-utils/ does not exist. Should it be created?
Comment 7 Alexey Ivanov 2015-06-04 09:52:43 MSD
Ignore this error for now. It shouldn't have broken anything. I'll investigate it later.
Comment 8 Zombie Ryushu 2015-06-04 11:43:02 MSD
Okay, I got it working with OpenLDAP in a rather unsafe manner but it is working. I need to work on certain enumerations.
Comment 9 Zombie Ryushu 2015-06-04 13:11:58 MSD
An update before I take a nap: It functions. But it REQUIRES working TLSv1.2 on LDAP's end. This may be slightly easier to handle on AD's end. Another issue is the fact that it seems to be marking accounts with the * property rather than the x property, which makes them ineligible for normal POSIX authentication. This is not good, even though Kerberos overrides this stuff.
Comment 10 Zombie Ryushu 2015-06-04 18:59:19 MSD
I've managed to get it authenticating off Heimdal Kerberos. I managed to get PAM working by having Drakauth set it up for regular LDAP and Kerberos, then replacing all instances of pam_krb5.so with pam_sss.so. The system authenticated, and got a TGT. It's still not enumerating Posix Shadow.

DrakAuth is still producing broken krb5.conf configs that cause kinit to error out.
Comment 11 Zombie Ryushu 2015-06-05 04:08:45 MSD
Okay. I got a working PAM Config that is NOT Totally FUBAR.

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
Comment 12 Zombie Ryushu 2015-06-05 04:24:41 MSD
# I needed to add pam_mkhomedir.so for new Home Directory Creation.

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so  
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so 
session     required      pam_unix.so
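The PAM stack posted in comments 11 and 12 can be checked mechanically. The following Python is an added example, not code from the bug report or from the sssd package: it parses pam.d syntax (including the '-' optional prefix and bracketed controls) and flags the points a reviewer of an sssd-backed stack looks for: pam_sss.so present in every phase, a trailing pam_deny.so catch-all in auth and password, and nullok on pam_unix.so. The embedded stack is an abridged copy of the one posted above, used here as constructed sample input.

```python
import re
# Abridged copy of the stack posted in comment 12 (constructed sample input).
PAM_STACK = """\
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
-session    optional      pam_systemd.so
session     sufficient    pam_sss.so
session     required      pam_unix.so
"""

# One pam.d line: optional '-' prefix, type, control (word or [...] form), module, args.
LINE_RE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args, optional) tuples; comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + raw)
        opt, typ, ctrl, mod, args = m.groups()
        entries.append((typ, ctrl, mod, args.split(), opt == "-"))
    return entries

def audit_pam(text):
    """Return a list of findings for an sssd-based stack; empty means clean."""
    entries = parse_pam(text)
    findings = []
    for typ in ("auth", "account", "password", "session"):
        stack = [e for e in entries if e[0] == typ]
        if not any(e[2] == "pam_sss.so" for e in stack):
            findings.append(f"{typ}: pam_sss.so missing, sssd is never consulted")
        if typ in ("auth", "password"):
            if not stack or stack[-1][2] != "pam_deny.so":
                findings.append(f"{typ}: no trailing pam_deny.so catch-all")
            for _, _, mod, args, _ in stack:
                if "nullok" in args:
                    findings.append(f"{typ}: {mod} allows empty passwords (nullok)")
    return findings
```

Run against the posted stack it reports only the two nullok options on pam_unix.so; removing them gives a clean result.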
Comment 13 Zombie Ryushu 2015-06-05 04:33:12 MSD
I have gotten the system authenticating, online and offline, and it appears to survive a reboot. Root can still log in, users have home directories auto-created. Users also get a Kerberos TGT on login.

I still cannot enumerate sudo, or use Shadow Authentication with Domain users via LDAP. All Domain level users have a * rather than an x indicating they are invalid for sudo.
Comment 14 Denis Silakov 2015-10-18 01:34:43 MSD
I would call this one done since sssd is now available in the repos. Particular issues can be discussed in separate bugs (e.g., we have bug 6280 for the sudo issue).