[CentOS] SSSD and usermod

Wed Jan 15 09:39:22 UTC 2014
Mitja Mihelič <mitja.mihelic at arnes.si>

Hi Dimitar!

FreeIPA might be worth a look. We already have a user management system 
that currently manages passwd/shadow. The idea was to migrate 
passwd/shadow info to 389DS so we could distribute the users across 
multiple servers. Perhaps our management system could use FreeIPA's 
tools for user management.

I could not find find the attachment in your last email, could you 
please send it again?
Do you perhaps have experience in managing a SSSD-389DS system with 70k 
users and about 500 queries per second to SSSD?

Regards, Mitja

--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8877, fax: +386 1 479 88 78

On 07. 01. 2014 21:27, Dimitar Georgievski wrote:
> Hi Mitja,
>
> >From the description of the problem it seems that the usermod - SSSD
> integration is not working. 389DS just stores the user information but SSSD
> is not enforcing the policy, and usermod fails because the user info is not
> stored locally.
>
> I think you should consider using FreeIPA instead of just 389DS, because
> with it you would be able to manage centrally user policies (sudo, host
> access rules, account expiration etc). With this you would be able to
> enforce a lock of a user account on a particular host or group of hosts.
> FreeIPA would just give you the user friendly tools (Web UI and command
> line) to manage the user accounts and their policies. 389DS would still be
> storing and providing the information about these resources.
>
> You should also try posting this question on the freeipa mailing list. It
> also covers the usage of the SSSD client. You could get answers to your
> questions directly from the developers and RH engineers.
>
> If it's of any help I've attached a sample of SSSD configuration used in
> our environment.
>
> Thanks
>
> Dimitar
>
>
> On Tue, Jan 7, 2014 at 7:57 AM, Mitja Mihelič <mitja.mihelic at arnes.si>wrote:
>
>> Hi Dimitar!
>>
>> We only want to SSSD with 389DS instead of the local passwd/shadow files.
>> We do not want to go full IPA for this server.
>>
>> Setting up SSSD with authconfig automatically set up PAM and
>> /etc/nsswitch.conf.
>> SSSD will only be used for these (nsswitch.conf):
>>
>> passwd:    files sss
>> shadow:    files sss
>> services:   files sss
>> I have also attached our sssd.conf.
>> Currently getent and id cmdline tools work as expected by getting user
>> info from SSSD which in turn gets it from 389DS/LDAP. SSH also works.
>>
>> We are starting to lean toward the possibility, that usermod and its
>> sibling utils from shadow-utils do not support SSSD as fully as we were
>> expecting them to.
>> Is this the case and can any other cmdline user administration tools be
>> used to lock users?
>>
>> I know there is the possibility of making our own tools for this, but
>> still...
>>
>> Regards, Mitja
>>
>>
>> --
>> Mitja Mihelič
>> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
>> tel: +386 1 479 8877, fax: +386 1 479 88 78
>>
>> On 06. 01. 2014 16:02, Dimitar Georgievski wrote:
>>
>>> Hi MItja,
>>>
>>> it looks like you are trying to integrate SSSD with FreeIPA. I think the
>>> following presentation will help you review the SSSD configuration even if
>>> you are trying to use 389DS independently:
>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>
>>> Check the page titled " Example configuration - SSSD with FreeIPA server".
>>> SSSD has to be configured to talk to LDAP server. Check also the settings
>>> in /etc/nsswitch.conf. You might need to modify it to enable SSSD
>>> integration with other services.
>>>
>>> This example comes from a host that is using SSSD for SSH authentication
>>> and sudo integration with a FreeIPA server:
>>> passwd:     files sss
>>> shadow:     files sss
>>> group:      files sss
>>> sudoers:    files sss
>>>
>>> Dimitar
>>>
>>>
>>> On Fri, Jan 3, 2014 at 10:17 AM, Mitja Mihelič <mitja.mihelic at arnes.si
>>>> wrote:
>>>   Hi!
>>>> How to get usermod working with SSSD/389DS ?
>>>>
>>>> We have SSSD set up on our server and it uses 389DS.
>>>> SSSD was enabled with the following command:
>>>> authconfig --enablesssd --enablesssdauth --ldapbasedn=dc=example,dc=com
>>>> --enableshadow --enablemkhomedir --enablelocauthorize --update
>>>>
>>>> Running for example "usermod -L username" returns:
>>>> usermod: user 'username' does not exist in /etc/passwd
>>>>
>>>> Each time usermod is executed there is a query logged in 389DS, so SSSD
>>>> does pass the request to 389DS.
>>>> Strace (attached) of usermod shows that it gets at least gecos back from
>>>> SSSD and that it checked the /var/lib/sss/mc/passwd file which contains:
>>>> username
>>>> Name Lastname
>>>> /home/username
>>>> /bin/bash
>>>>
>>>> Soon after that it starts to open /etc/shadow and /etc/passwd.
>>>>
>>>> What are we missing?
>>>> Any insight would be appreciated.
>>>>
>>>> Regards, Mitja
>>>>
>>>> --
>>>> --
>>>> Mitja Mihelič
>>>> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
>>>> tel: +386 1 479 8877, fax: +386 1 479 88 78
>>>>
>>>>
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>
>>>>
>>>>   _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>>
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos