SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

"session_recording" has no effect, no error in logs #7082

Open minfrin opened 11 months ago

minfrin commented 11 months ago

Having set up sssd's session recording as follows on a RHEL9 machine, and configuring tlog, everything works correctly and a session is logged:

[root@robinhood sssd]# cat /etc/sssd/conf.d/session-recording.conf 
# [snip]
[session_recording]
scope = all

[root@robinhood sssd]# ls -al /etc/sssd/conf.d/session-recording.conf 
-rw-------. 1 root root 341 Dec  8 01:36 /etc/sssd/conf.d/session-recording.conf

The identical configuration on a Rocky9 machine has no effect: sssd makes no attempt to spawn tlog-rec-session, and doesn't log anything to complain.

Running tlog-rec-session manually works fine.

The version of sssd is sssd-common-2.9.1-4.el9_3.x86_64.

Other people have complained of similar symptoms, but no answers: https://discussion.fedoraproject.org/t/session-recording-with-sssd-not-working/77289

alexey-tikhonov commented 11 months ago

SSSD doesn't "spawn tlog-rec-session" but merely overwrites user's shell.

Compare /etc/nsswitch.conf on RHEL and Rocky - make sure NSS uses SSSD to resolve this user.

And, btw, if you also (as in the post you referenced) use 'files provider' then consider migrating to 'proxy provider' (because the former is deprecated).

minfrin commented 11 months ago

All of this is controlled by the authselect mechanism, and in both cases /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf.

Both files are identical on both machines. Working on RHEL9:

[root@rhel9 ~]# cat /etc/nsswitch.conf | grep -v "#"

passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files

shadow:     files
hosts:      files dns myhostname

aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

Not working on Rocky9:

[root@rocky9 root]# cat /etc/authselect/nsswitch.conf | grep -v "#"

passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files

shadow:     files
hosts:      files dns myhostname

aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

As I'm on a stable distribution using the automated tooling, I'm not in a position to modify this behaviour from files provider to proxy provider.

How would I debug a failure to overwrite the user's shell? What seems to be happening is that the shell is silently not being overwritten, and the end user is allowed to silently continue with auditing turned off.

What does work is manually setting the user's shell to /usr/bin/tlog-rec-session in /etc/passwd, but the point of doing this in sssd is to make this step unnecessary.
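An added example, not written by the thread participants or the SSSD project: a way to see which NSS source actually answers for a user and what shell that source returns. With `passwd: files sss`, glibc stops at the first source that returns the user. The function names are hypothetical, the sample entries are constructed, and the tlog path is the one quoted above.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not SSSD tooling.
TLOG_SHELL=/usr/bin/tlog-rec-session   # path quoted in the thread

# Sources configured for the passwd database, in lookup order.
# Comments and [action] specs are stripped; actions are not evaluated.
passwd_sources() {   # $1 = path to an nsswitch.conf
    sed -n 's/#.*//; s/\[[^]]*]//g; s/^passwd:[[:space:]]*//p' "$1"
}

# Login shell (7th field) of a passwd-format line.
shell_of() { printf '%s\n' "$1" | cut -d: -f7; }

# $1 = sources in order, $2 = entry from "files", $3 = entry from "sss"
# (an empty string means that source does not know the user).
diagnose() {
    for src in $1; do
        case $src in
            files) entry=$2 ;;
            sss)   entry=$3 ;;
            *)     continue ;;
        esac
        [ -n "$entry" ] || continue
        if [ "$(shell_of "$entry")" = "$TLOG_SHELL" ]; then
            echo "recorded via $src"
        else
            echo "not recorded: $src answers first with shell $(shell_of "$entry")"
        fi
        return 0
    done
    echo "not resolved by files or sss"
}

# Live check: ask each NSS source separately with getent -s.
check_user() {   # $1 = user name
    diagnose "$(passwd_sources /etc/nsswitch.conf)" \
        "$(getent -s files passwd "$1")" "$(getent -s sss passwd "$1")"
}

if [ "$#" -gt 0 ]; then
    check_user "$1"
else
    # Constructed sample: a local user that "files" returns before "sss".
    diagnose "files sss systemd" \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'alice:*:1000:1000::/home/alice:/usr/bin/tlog-rec-session'
fi
```

Run it with a user name on the affected host to query the live NSS sources; without arguments it evaluates the constructed sample only.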

alexey-tikhonov commented 11 months ago

I'm not sure how this works for you on RHEL9 if you have files sss - 'files' first.

Btw, what domains are defined in sssd.conf*?

Can you show: