IFP user_attributes don work on trusted AD #4060

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3019

  • Created at 2016-05-21 20:11:32 by doctor
  • Closed as Invalid
  • Assigned to nobody

Hello!
Found something, can't fix it myself.

Steps to:

  1. Setup IPA Server
  2. Setup trust with AD
  3. Setup IPA auth on spacewalk
  4. Try to login as AD user to spacewalk webUI
  5. Fail.

From httpd error log:

[DATE] [:notice] [pid number] mod_authnz_pam: PAM authentication passed for user aduser@ad.com
[DATE] [:error] [pid number] dbus call GetUserAttr returned value 0 instead of DBUS_TYPE_DICT_ENTRY

Check on spacewalk server:
IPAUSER - works flawlessly

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ipauser array:string:email,firstname,lastname,ou,gecos

method return sender=:1.7 -> dest=:1.31 reply_serial=2
   array [
      dict entry(
         string "email"
         variant             array [
               string "ipauser@ipa.local"
            ]
      )
      dict entry(
         string "firstname"
         variant             array [
               string "John"
            ]
      )
      dict entry(
         string "lastname"
         variant             array [
               string "Doe"
            ]
      )
      dict entry(
         string "ou"
         variant             array [
               string "Corp Inc"
            ]
      )
      dict entry(
         string "gecos"
         variant             array [
               string "John Doe"
            ]
      )
   ]

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:ipauser

method return sender=:1.7 -> dest=:1.33 reply_serial=2
   array [
      string "admins"
      string "spacewalk_admins"
      string "ipausers"
      string "trust admins"
   ]

ADUSER - not working as expected

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:aduser@ad.com array:string:email,firstname,lastname,ou,gecos

method return sender=:1.7 -> dest=:1.34 reply_serial=2
   array [
      dict entry(
         string "gecos"
         variant             array [
               string "Doe John Surname"
            ]
      )
   ]

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:aduser@ad.com

method return sender=:1.7 -> dest=:1.32 reply_serial=2
   array [
      string "spacewalk admins@ad.com"
      string "domain admins@ad.com"
      string "domain users@ad.com"
      string "vpnusers@ad.com"
      string "acl-git@ad.com"
      string "ad_admins"
      string "admins"
      string "spacewalk_admins"
   ]

spacewalk sssd config:

[domain/ipa.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spacewalk.ipa.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, dc3.ipa.local
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
subdomains_provider = ipa
debug_level = 6
[sssd]
services = nss, sudo, pam, ssh, ifp, pac
config_file_version = 2

domains = ipa.local
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = apache, root
user_attributes = +email, +firstname, +lastname, +ou, +mail

I suppose IFP won't work on trusted domains with additional attributes, only with the default ones.

Have I missed something in the config with IPA and trusts?

Thank you!

Comments


Comment from jhrozek at 2016-05-22 23:04:48

Yes you did, the user requests for AD trusted users are routed through the IPA server, so you need to put the same user_attributes and ldap_user_extra_attrs to the server side's sssd.conf as well.
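The explanation above (lookups for trusted-AD users are served by the IPA server, so the attribute configuration has to exist on both machines) lends itself to a small configuration lint. The script below is an added example, not SSSD project code and not anything the reporter or jhrozek posted. It parses sssd.conf with Python's configparser, lists which `+name` entries in `[ifp] user_attributes` have no `ldap_user_extra_attrs` mapping in the domain (the `+mail` entry in the report is such a case), and then diffs the client config against an IPA-server config to show exactly the gap described in the comment. `CLIENT_CONF` is an abridged copy of the Spacewalk config from the report; `SERVER_CONF` is a constructed, hypothetical IPA-server sssd.conf with no extra attributes; the `IFP_DEFAULT_ATTRS` list is the default whitelist from the sssd-ifp man page.

```python
"""Lint the attribute plumbing behind the IFP GetUserAttr call.

Added example (not SSSD project code): checks one sssd.conf for consistency
and compares a client config with the IPA server's config, because lookups
for trusted-AD users are routed through the IPA server.
"""
import configparser
import textwrap
from typing import Dict, List, Set, Tuple

# Default IFP whitelist per sssd-ifp(5); anything else needs "+name" in
# [ifp] user_attributes AND a source for the value in the domain section.
IFP_DEFAULT_ATTRS = {"name", "uidNumber", "gidNumber", "gecos",
                     "homeDirectory", "loginShell"}

# Abridged copy of the Spacewalk client config from the report.
CLIENT_CONF = """
[domain/ipa.local]
id_provider = ipa
ipa_server = _srv_, dc3.ipa.local
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, ifp, pac
domains = ipa.local
[ifp]
allowed_uids = apache, root
user_attributes = +email, +firstname, +lastname, +ou, +mail
"""

# Constructed, hypothetical IPA-server sssd.conf that was never given the
# extra attributes (the situation the comment describes).
SERVER_CONF = """
[domain/ipa.local]
id_provider = ipa
ipa_server = dc3.ipa.local
subdomains_provider = ipa
[sssd]
services = nss, pam, ifp
domains = ipa.local
[ifp]
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # Only "=" is a delimiter: values such as "email:mail" contain ":".
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(textwrap.dedent(text))
    return cp


def _split_list(raw: str) -> List[str]:
    return [item.strip() for item in raw.split(",") if item.strip()]


def extra_attr_names(cp: configparser.ConfigParser, domain: str) -> Set[str]:
    """Cache attribute names defined by ldap_user_extra_attrs ('name:ldapattr' or 'name')."""
    raw = cp.get(f"domain/{domain}", "ldap_user_extra_attrs", fallback="")
    return {item.split(":", 1)[0].strip() for item in _split_list(raw)}


def ifp_user_attributes(cp: configparser.ConfigParser) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) names from [ifp] user_attributes (+name / -name)."""
    added, removed = set(), set()
    for item in _split_list(cp.get("ifp", "user_attributes", fallback="")):
        if item.startswith("+"):
            added.add(item[1:])
        elif item.startswith("-"):
            removed.add(item[1:])
    return added, removed


def ifp_enabled(cp: configparser.ConfigParser) -> bool:
    """True when the ifp responder is listed in [sssd] services."""
    return "ifp" in _split_list(cp.get("sssd", "services", fallback=""))


def unmapped_ifp_attributes(cp: configparser.ConfigParser, domain: str) -> Set[str]:
    """Whitelisted attributes that neither the IFP defaults nor ldap_user_extra_attrs supply."""
    added, _ = ifp_user_attributes(cp)
    return added - IFP_DEFAULT_ATTRS - extra_attr_names(cp, domain)


def server_side_gaps(client: configparser.ConfigParser,
                     server: configparser.ConfigParser,
                     domain: str) -> Dict[str, Set[str]]:
    """Attributes the client configures that the IPA server's sssd.conf lacks.

    A non-empty result is the condition from the comment: GetUserAttr for a
    trusted-AD user then comes back with only default attributes (gecos).
    """
    return {
        "ldap_user_extra_attrs": extra_attr_names(client, domain) - extra_attr_names(server, domain),
        "user_attributes": ifp_user_attributes(client)[0] - ifp_user_attributes(server)[0],
    }


if __name__ == "__main__":
    client, server = parse_sssd_conf(CLIENT_CONF), parse_sssd_conf(SERVER_CONF)
    print("client ifp enabled:", ifp_enabled(client))
    print("unmapped on client:", sorted(unmapped_ifp_attributes(client, "ipa.local")))
    for key, missing in server_side_gaps(client, server, "ipa.local").items():
        print(f"missing on IPA server ({key}):", sorted(missing))
```

Run it against the two embedded configs and it reports `mail` as whitelisted but unmapped on the client, and all four mapped attributes (plus the `+` whitelist entries) as absent from the server side; feed it the real `/etc/sssd/sssd.conf` from both hosts to check an actual deployment. It treats presence of the options as the signal and does not validate the LDAP attribute names themselves.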


Comment from jhrozek at 2016-05-22 23:10:38

btw sorry this is not obvious. I'm juggling several things at the moment, but writing this setup up in docs and a blog post is on my todo list..


Comment from jhrozek at 2016-05-23 18:22:19

The reporter confirmed on IRC that adding the attributes to the server side sssd.conf helped. Closing.

resolution: => worksforme
status: new => closed


Comment from doctor at 2017-02-24 14:49:54

Metadata Update from @doctor:

  • Issue set to the milestone: SSSD 1.13 backlog