search

SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0
608 stars 247 forks source link

sss_ssh_knownhostsproxy in AD environnement #7108

Open staeglis opened 11 months ago

staeglis commented 11 months ago

I want to store the hosts in our AD using the attribute altSecurityIdentities and I've set this in the domain section of the sssd.conf:

ldap_host_ssh_public_key = altSecurityIdentities

Then I've set the attribute the attribute via adcli (unfortunately this doesn't support multi-value attributes, so I've added only one key) in format as described in the documentation.

Unfortunately the output of sss_ssh_knownhostsproxy is empty:

sss_ssh_knownhostsproxy -k testhost.domain.test

I guess that SSSD is not able to match testhost.domain.test with the machine account although testhost.domain.test is the value of dNSHostName.

Log output:

(2023-12-22 11:54:46): [ssh] [cache_req_common_process_dp_reply] (0x0040): [CID#1] CR #0: Could not get account info [1432158215]: DP target is not configured
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  [ssh] [server_setup] (0x0080): Failed setting process group: Operation not permitted[1]. We might leak processes in case of failure
   *  [ssh] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
   *  (2023-12-22 11:54:43): [ssh] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
   *  (2023-12-22 11:54:43): [ssh] [schedule_responder_idle_timer] (0x2000): Re-scheduling the idle timeout [responder_idle_timeout] for the responder [0x557a654192d0]
   *  (2023-12-22 11:54:43): [ssh] [setup_responder_idle_timer] (0x2000): Setting up the idle timeout [responder_idle_timeout] for the responder [0x557a654192d0]
   *  (2023-12-22 11:54:43): [ssh] [confdb_get_domain_internal] (0x0400): No enumeration for [DOMAIN.TEST]!
   *  (2023-12-22 11:54:43): [ssh] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
   *  (2023-12-22 11:54:43): [ssh] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /bin/rbash in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/rbash in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /bin/dash in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/dash in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/screen in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
   *  (2023-12-22 11:54:43): [ssh] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
   *  (2023-12-22 11:54:43): [ssh] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
   *  (2023-12-22 11:54:43): [ssh] [sysdb_domain_init_internal] (0x0200): DB File for DOMAIN.TEST: /var/lib/sss/db/cache_DOMAIN.TEST.ldb
   *  (2023-12-22 11:54:43): [ssh] [sysdb_domain_init_internal] (0x0200): Timestamp file for DOMAIN.TEST: /var/lib/sss/db/timestamps_DOMAIN.TEST.ldb
   *  (2023-12-22 11:54:43): [ssh] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2023-12-22 11:54:43): [ssh] [ldb] (0x0400): asq: Unable to register control with rootdse!
   *  (2023-12-22 11:54:43): [ssh] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2023-12-22 11:54:43): [ssh] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
   *  (2023-12-22 11:54:43): [ssh] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
   *  (2023-12-22 11:54:43): [ssh] [sss_process_init] (0x0400): Responder initialization complete (socket-activated)
   *  (2023-12-22 11:54:43): [ssh] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
   *  (2023-12-22 11:54:43): [ssh] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
   *  (2023-12-22 11:54:43): [ssh] [ssh_process_init] (0x0400): SSH Initialization complete
   *  (2023-12-22 11:54:43): [ssh] [sss_dp_init_done] (0x0400): Client is registered with DP
   *  (2023-12-22 11:54:43): [ssh] [sss_domain_get_state] (0x1000): Domain DOMAIN.TEST is Active
   *  (2023-12-22 11:54:43): [ssh] [cache_req_domain_new_list_from_domain_resolution_order] (0x0400): Domain resolution order list: not set
   *  (2023-12-22 11:54:43): [ssh] [sysdb_get_certmap] (0x0400): No certificate maps found.
   *  (2023-12-22 11:54:43): [ssh] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/DOMAIN.TEST/root@domain.test] to negative cache permanently
   *  (2023-12-22 11:54:43): [ssh] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/DOMAIN.TEST/root@domain.test] to negative cache permanently
   *  (2023-12-22 11:54:43): [ssh] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache permanently
   *  (2023-12-22 11:54:43): [ssh] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/0] to negative cache permanently
   *  (2023-12-22 11:54:43): [ssh] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
   *  (2023-12-22 11:54:46): [ssh] [get_client_cred] (0x4000): Client [0x557a65499d80][18] creds: euid[0] egid[0] pid[3836] cmd_line['sss_ssh_knownhostsproxy'].
   *  (2023-12-22 11:54:46): [ssh] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x557a65499d80][18]
   *  (2023-12-22 11:54:46): [ssh] [accept_fd_handler] (0x0400): [CID#1] Client [cmd sss_ssh_knownhostsproxy][uid 0][0x557a65499d80][18] connected!
   *  (2023-12-22 11:54:46): [ssh] [sss_cmd_get_version] (0x0200): [CID#1] Received client version [0].
   *  (2023-12-22 11:54:46): [ssh] [sss_cmd_get_version] (0x0200): [CID#1] Offered version [0].
   *  (2023-12-22 11:54:46): [ssh] [ssh_protocol_parse_request] (0x0400): [CID#1] Requested domain [<ALL>]
   *  (2023-12-22 11:54:46): [ssh] [ssh_cmd_get_host_pubkeys] (0x0400): [CID#1] Requesting SSH host public keys for [testhost.domain.test] from [<ALL>]
   *  (2023-12-22 11:54:46): [ssh] [cache_req_set_plugin] (0x2000): [CID#1] CR #0: Setting "SSH Host ID by name" plugin
   *  (2023-12-22 11:54:46): [ssh] [cache_req_send] (0x0400): [CID#1] CR #0: REQ_TRACE: New request [CID #1] 'SSH Host ID by name'
   *  (2023-12-22 11:54:46): [ssh] [cache_req_process_input] (0x0400): [CID#1] CR #0: Parsing input name [testhost.domain.test]
   *  (2023-12-22 11:54:46): [ssh] [sss_parse_name] (0x0100): [CID#1] Domain not provided!
   *  (2023-12-22 11:54:46): [ssh] [sss_parse_name_for_domains] (0x0200): [CID#1] name 'testhost.domain.test' matched without domain, user is testhost.domain.test
   *  (2023-12-22 11:54:46): [ssh] [cache_req_set_name] (0x0400): [CID#1] CR #0: Setting name [testhost.domain.test]
   *  (2023-12-22 11:54:46): [ssh] [cache_req_select_domains] (0x0400): [CID#1] CR #0: Performing a multi-domain search
   *  (2023-12-22 11:54:46): [ssh] [cache_req_search_domains] (0x0400): [CID#1] CR #0: Search will bypass the cache and check the data provider
   *  (2023-12-22 11:54:46): [ssh] [cache_req_validate_domain_type] (0x2000): [CID#1] Request type POSIX-only for domain DOMAIN.TEST type POSIX is valid
   *  (2023-12-22 11:54:46): [ssh] [cache_req_set_domain] (0x0400): [CID#1] CR #0: Using domain [DOMAIN.TEST]
   *  (2023-12-22 11:54:46): [ssh] [cache_req_search_send] (0x0400): [CID#1] CR #0: Looking up testhost.domain.test
   *  (2023-12-22 11:54:46): [ssh] [cache_req_search_ncache] (0x2000): [CID#1] CR #0: This request type does not support negative cache
   *  (2023-12-22 11:54:46): [ssh] [cache_req_search_dp] (0x0400): [CID#1] CR #0: Looking up [testhost.domain.test] in data provider
   *  (2023-12-22 11:54:46): [ssh] [cache_req_common_process_dp_reply] (0x0040): [CID#1] CR #0: Could not get account info [1432158215]: DP target is not configured
********************** BACKTRACE DUMP ENDS HERE *********************************

See also:

https://github.com/SSSD/sssd/issues/7091

sumit-bose commented 10 months ago

Hi,

can you share the other SSSD logs as well and your sssd.conf?

bye, Sumit

staeglis commented 10 months ago

Sure.

Domain log:

(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [sbus_dispatch] (0x4000): Dispatching.
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [sbus_dispatch] (0x4000): Dispatching.
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.hostHandler on /sssd
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.ssh]
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [dp_attach_req] (0x0400): [RID#1500] DP Request [HostID #1500]: REQ_TRACE: New request. [sssd.ssh CID #5] Flags [0000].
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [dp_attach_req] (0x0400): [RID#1500] Number of active DP request: 1
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [dp_find_method] (0x0100): [RID#1500] Target [hostid] is not initialized
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [_dp_req_recv] (0x0400): DP Request [HostID #1500]: Receiving request data.
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [dp_req_destructor] (0x0400): DP Request [HostID #1500]: Request removed.
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [sbus_issue_request_done] (0x0200): sssd.dataprovider.hostHandler: Error [1432158215]: DP target is not configured
(2024-01-12 12:55:33): [be[DOMAIN.TEST]] [sbus_dispatch] (0x4000): Dispatching.

sssd.conf:


[autofs]

[sudo]

[sssd]
config_file_version = 2
domains = DOMAIN.TEST

[pam]
offline_credentials_expiration = 0

[domain/DOMAIN.TEST]
debug_level = 9
id_provider = ad
access_provider = ad
cache_credentials = true
ldap_id_mapping = False
ad_gpo_access_control = permissive
autofs_provider = ad
ldap_autofs_search_base = ou=automount,dc=domain,dc=test
ldap_user_ssh_public_key = altSecurityIdentities
ldap_host_ssh_public_key = altSecurityIdentities
aplopez commented 4 days ago

Please try enabling the ssh service in SSSD by adding the following line to the [sssd] section of the configuration:

services = ssh

BTW, sss_ssh_knownhostsproxy is deprecated in SSSD 2.10. sss_ssh_knownhosts replaces it. More information in man sss_ssh_knownhosts(5).