Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cached_auth_timeout not honored for AD users authenticated via trust with FreeIPA #4933

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
Closed

cached_auth_timeout not honored for AD users authenticated via trust with FreeIPA #4933

sssd-bot opened this issue May 2, 2020 · 0 comments
Assignees
@jhrozek
Labels
Bugzilla Closed: Fixed Issue was closed as fixed.

Comments

@sssd-bot
Copy link

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3960

We set up a trust between the FreeIPA server and our AD, and we can correctly authenticate both AD users and FreeIPA users on the clients, but when we enabled cached_auth_timeout on the clients we noticed that the setting is not being honored for AD users, while it's working as expected for users defined in FreeIPA.

$ ssh freeipa-user@test76
Password: 
Last login: Fri Feb 15 16:53:28 2019 from 172.22.9.28
[freeipa-user@test74 ~]$ exit
logout
Connection to test74 closed.
$ ssh freeipa-user@test74
Password: 
Authenticated with cached credentials.
Last login: Mon Feb 18 10:00:42 2019 from 172.22.9.28

$ ssh ad-user@test74
Password: 
Last login: Fri Feb 15 16:54:22 2019 from 172.22.9.28
[ad-user@test74 ~]$ exit
logout
Connection to test74 closed.
$ ssh ad-user@test74
Password: 
Last login: Mon Feb 18 09:59:40 2019 from 172.22.9.28

But if we force the backed offline by blocking traffic directed to the FreeIPA server on the client firewall:

$ ssh ad-user@test74
Password: 
Authenticated with cached credentials.
Last login: Mon Feb 18 11:12:21 2019 from 172.22.9.28
[ad-user@test74 ~]$

This is our sssd.conf:

sssd.conf:

[domain/freeipa.example.com]
cached_auth_timeout = 3600
cache_credentials = True
krb5_store_password_if_offline = True
krb5_auth_timeout = 60
ipa_domain = freeipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test74.freeipa.example.com
chpass_provider = ipa
dyndns_update = True
ipa_server = srv, freeipa-master.freeipa.example.come
dyndns_iface = enp0s3
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = freeipa.example.com
[nss]
homedir_substring = /home

[pam]
pam_verbosity = 2
[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

We're running FreeIPA 4.6.4 on CentOS 7.6.1810 on our FreeIPA server and SSSD 1.16.2 on our clients (both Ubuntu and CentOS):

server:

libipa_hbac-1.16.2-13.el7.x86_64
sssd-krb5-common-1.16.2-13.el7.x86_64
python2-ipaserver-4.6.4-10.el7.centos.noarch
sssd-ldap-1.16.2-13.el7.x86_64
ipa-client-4.6.4-10.el7.centos.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
ipa-server-trust-ad-4.6.4-10.el7.centos.x86_64
sssd-tools-1.16.2-13.el7.x86_64
python2-ipaclient-4.6.4-10.el7.centos.noarch
ipa-server-common-4.6.4-10.el7.centos.noarch
sssd-dbus-1.16.2-13.el7.x86_64
python-ipaddress-1.0.16-2.el7.noarch
ipa-server-4.6.4-10.el7.centos.x86_64
python-libipa_hbac-1.16.2-13.el7.x86_64
python2-ipalib-4.6.4-10.el7.centos.noarch
sssd-ipa-1.16.2-13.el7.x86_64
ipa-client-common-4.6.4-10.el7.centos.noarch
sssd-common-1.16.2-13.el7.x86_64
sssd-ad-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
ipa-common-4.6.4-10.el7.centos.noarch
python-sssdconfig-1.16.2-13.el7.noarch
sssd-client-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64

clients:

sssd-common-pac-1.16.2-13.el7_6.5.x86_64
sssd-ldap-1.16.2-13.el7_6.5.x86_64
sssd-client-1.16.2-13.el7_6.5.x86_64
python2-ipalib-4.6.4-10.el7.centos.2.noarch
sssd-krb5-common-1.16.2-13.el7_6.5.x86_64
sssd-ipa-1.16.2-13.el7_6.5.x86_64
sssd-krb5-1.16.2-13.el7_6.5.x86_64
sssd-proxy-1.16.2-13.el7_6.5.x86_64
ipa-client-4.6.4-10.el7.centos.2.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-common-4.6.4-10.el7.centos.2.noarch
ipa-client-common-4.6.4-10.el7.centos.2.noarch
python-sssdconfig-1.16.2-13.el7_6.5.noarch
python-libipa_hbac-1.16.2-13.el7_6.5.x86_64
sssd-common-1.16.2-13.el7_6.5.x86_64
sssd-ad-1.16.2-13.el7_6.5.x86_64
sssd-1.16.2-13.el7_6.5.x86_64
python-ipaddress-1.0.16-2.el7.noarch
libipa_hbac-1.16.2-13.el7_6.5.x86_64

Comments

Comment from jhrozek at 2019-02-21 12:50:13

Does it help to create a subsection for your trusted AD domain and add the parameter there?

[domain/freeipa.example.com/ad.example.com]
cached_auth_timeout = 3600

?

Comment from plumbeo at 2019-02-21 13:38:36

Does it help to create a subsection for your trusted AD domain and add the parameter there?
[domain/freeipa.example.com/ad.example.com]
cached_auth_timeout = 3600
?

It didn't. I added both cached_auth_timeout and cache_credentials in a subsection but there was no difference.

Another thing that I noticed is that sssctl user-show behaves differently for FreeIPA users and AD users:

# sssctl user-show freeipa-user
Name: freeipa-user
Cache entry creation date: 02/21/19 13:27:26
Cache entry last update time: 02/21/19 13:27:35
Cache entry expiration time: 02/21/19 14:57:35
Initgroups expiration time: 02/21/19 14:57:35
Cached in InfoPipe: No
# sssctl user-show freeipa-user@freeipa.example.com
Name: freeipa-user
Cache entry creation date: 02/21/19 13:27:26
Cache entry last update time: 02/21/19 13:27:35
Cache entry expiration time: 02/21/19 14:57:35
Initgroups expiration time: 02/21/19 14:57:35
Cached in InfoPipe: No

But:

# sssctl user-show ad-user
User ad-user is not present in cache.
# sssctl user-show ad-user@ad.example.com
Name: ad-user
Cache entry creation date: 02/21/19 13:21:17
Cache entry last update time: 02/21/19 13:28:24
Cache entry expiration time: 02/21/19 14:58:24
Initgroups expiration time: 02/21/19 14:58:24
Cached in InfoPipe: No

I don't know if it's important, for what it's worth caching doesn't seem to work even if I login using username+ad domain name, ie: ssh 'ad-user@ad.example.com'@test76.

Comment from jhrozek at 2019-03-01 21:21:21

You are right that this is a bug. Sorry about the delay.

Comment from jhrozek at 2019-03-01 21:21:34

Metadata Update from @jhrozek:

  • Issue tagged with: bug

Comment from jhrozek at 2019-03-07 22:13:10

Metadata Update from @jhrozek:

Comment from jhrozek at 2019-03-07 22:13:10

Issue linked to Bugzilla: Bug 1685581

Comment from jhrozek at 2019-03-07 22:18:44

Metadata Update from @jhrozek:

  • Issue assigned to jhrozek

Comment from jhrozek at 2019-03-07 22:18:54

PR: #772

Comment from jhrozek at 2019-03-07 22:19:15

Metadata Update from @jhrozek:

  • Issue set to the milestone: SSSD 2.2
  • Issue tagged with: PR

Comment from jhrozek at 2019-03-26 22:13:06

Comment from jhrozek at 2019-03-26 22:13:06

Metadata Update from @jhrozek:

  • Issue close_status updated to: Fixed
  • Issue status updated to: Closed (was: Open)

Comment from jhrozek at 2019-03-26 22:13:51

Feel free to open another ticket about the sssctl issue btw

Comment from jhrozek at 2019-05-20 08:59:58

Commit c911562d relates to this ticket

Comment from jhrozek at 2019-05-20 09:03:13

Related commits that also fix PREAUTH caching:

Comment from plumbeo at 2019-05-26 22:34:48

Hi, this is probably out of scope for this bug but I've been doing tests with a patched sssd 1.16.1 that includes both commits and while I can confirm that now I'm not seeing authentication traffic towards the DCs, sssd is always doing LDAP queries towards the FreeIPA servers. Am I missing some option to cache those too?
@sssd-bot sssd-bot added Bugzilla Closed: Fixed Issue was closed as fixed. labels May 2, 2020
@sssd-bot sssd-bot closed this as completed May 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jhrozek jhrozek

Labels
Bugzilla Closed: Fixed Issue was closed as fixed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jhrozek @sssd-bot