Questions tagged [sssd]

System Security Services Daemon (SSSD) - This project provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis for providing client auditing and policy services for FreeIPA, LDAP, and Active Directory.

327 questions
0 votes, 0 answers

Linux server joined to child AD domain unable to authenticate users from parent domain

I have an Ubuntu 20.04 server that I have successfully joined to my domain using realm, US.EXAMPLE.COM. The way our AD is structured is that all machines are joined to the child domain for their region and all users are set up in the parent domain,…
dan9k1
0 votes, 0 answers

Issues getting sssd, PAM, and faillock to play along on RHEL7

I am having an issue that I'm almost certain is tied to how I have faillock configured in my PAM system-auth and password-auth on some RHEL7 servers. We are required to use STIGs, so I have to use faillock with specific options associated with…
scjohnson
0 votes, 0 answers

Using active directory group as netgroup in sssd

I have an active directory domain with a handful of linux servers that interact with AD through sssd. I want to have a different sudoers configuration on different servers, and I know this can be done through netgroups. So far, I've managed to get…
0 votes, 0 answers

OEL 8.3 SSSD AD Login issue

I am running Oracle Enterprise LINUX 8.3. I am able to join my AD domain with an admin account but when I try to login to the server using the same credentials that I used to join the server to the AD I am getting incorrect password. Jun 24…
0 votes, 1 answer

pam_sss(crond:session): Request to sssd failed. Public socket has wrong ownership or permissions

We have Active Directory authentication with SSSD on a CENTOS 7.5. Starting from today users are unable to log in. When they try, they get: /usr/bin/id: cannot find name for group ID xxxxxxxxxx I looked into /var/log/secure: pam_sss(crond:session):…
S4rg0n
0 votes, 1 answer

SSSD integration with Ldap Error 'Could not start TLS encryption. TLS: hostname does not match CN in peer certificate'

We are currently using Wildcard certificate with SAN. I can successfully run ldapsearch from my client machine when I added TLS_REQSAN allow in openldap configuration. Now I'm trying to integrate SSSD with secure LDAP but getting the below…
Jos
0 votes, 1 answer

how to export permissions/ACLs from Samba share to clients?

I have a Synology NAS running Samba that serves up shares in my network. I've set up autofs, LDAP and sssd and can mount Samba home directories on the fly when I log into Linux and MacOS machines. My shares on the NAS are on an Ext4 volume, i.e.…
Stephen Winnall
0 votes, 1 answer

RedHat 7: Is there a way to remove AD support from sssd?

We are a RedHat only shop. No Windows machines. All of our hosts authenticate with ldaps (636). Recently, there was a CVE about a Samba issue with Active Directory: CVE 2020-1472. We have absolutely no need at all for Active Directory connectivity.…
Scottie H
0 votes, 1 answer

CentOS 8.2 LDAP client configuration

I'm trying to configure an LDAP client on a CentOS 8.2 machine, using SSSD. The server doesn't use TLS or SSL. I have modified the following configuration files : /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = nss, pam domains =…
antoineh
0 votes, 1 answer

How can I disable users in "domain admins" group from running sudo?

Hi we have a large company and have some Domain Admins who belong to the id myadminuser groups=101010(domain admins), "domain admins" group. I was surprised by default that the sudoers %admin group (If I understand correctly), extends to users in…
bluesquare
0 votes, 0 answers

CentOS sssd: How to allow specific AD security group with space in the name to login while deny everything else?

People, In CentOS v8 sssd: How to allow specific AD security group with space in the name to log in while denying everything else? The AD security group is Domain Admins I have tested the id but nothing is working: [root@PRDLINUX01-VM ~]# id -g…
Senior Systems Engineer
0 votes, 1 answer

how do I change realm login format in sssd?

I'm trying to figure out how to change my realm login format to allow for lowercase but currently it just seems to work with uppercase? realm list domain type: kerberos realm-name: domain domain-name: domain configured: kerberos-member …
Andrew
0 votes, 3 answers

Why does sssd return SID numbers instead of group names on Ubuntu?

I'm trying out sssd to use krb5 for authentication on an Ubuntu 18.04 host and can't figure out how to show the actual user groups (groups shows some sort of Windows SID instead of human readable names). The primary group looks ok (Domain Users...)…
Server Fault
0 votes, 1 answer

Using Samba as an AD domain member with consistent automatically generated POSIX attributes across Linux members

I am trying to join multiple Linux devices to a Windows Active Directory Domain with both Domain logon and Samba file sharing functionality. I am trying to avoid manually adding POSIX attributes to AD users and groups here. Although seeming simple…
James Hopwood
0 votes, 1 answer

FreeIpa. How to setup specific shell only on 1 host for group of users

I'd like to set a specific shell for a group of users on only 1 host. FreeIpa is already installed in my environment. In FreeIpa I can change the shell for all my hosts, but that is not my requirement.