SSSD / sssd

Clone

#3019 IFP user_attributes don work on trusted AD
Closed: Invalid None Opened 7 years ago by doctor.

Closed: Invalid
Reopen Issue

Hello!
Found something, can't fix it myself.

Steps to:
1. Setup IPA Server
2. Setup trust with AD
3. Setup IPA auth on spacewalk
4. Try to login as AD user to spacewalk webUI
5. Fail.

From httpd error log:

[DATE] [:notice] [pid number] mod_authnz_pam: PAM authentication passed for user aduser@ad.com
[DATE] [:error] [pid number] dbus call GetUserAttr returned value 0 instead of DBUS_TYPE_DICT_ENTRY

Check on spacewalk server:
IPAUSER - works flawlessly

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ipauser array:string:email,firstname,lastname,ou,gecos




method return sender=:1.7 -> dest=:1.31 reply_serial=2
   array [
      dict entry(
         string "email"
         variant             array [
               string "ipauser@ipa.local"
            ]
      )
      dict entry(
         string "firstname"
         variant             array [
               string "John"
            ]
      )
      dict entry(
         string "lastname"
         variant             array [
               string "Doe"
            ]
      )
      dict entry(
         string "ou"
         variant             array [
               string "Corp Inc"
            ]
      )
      dict entry(
         string "gecos"
         variant             array [
               string "John Doe"
            ]
      )
   ]



# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:ipauser



method return sender=:1.7 -> dest=:1.33 reply_serial=2
   array [
      string "admins"
      string "spacewalk_admins"
      string "ipausers"
      string "trust admins"
   ]

ADUSER - not working as aspected

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:aduser@ad.com array:string:email,firstname,lastname,ou,gecos




method return sender=:1.7 -> dest=:1.34 reply_serial=2
   array [
      dict entry(
         string "gecos"
         variant             array [
               string "Doe John Surname"
            ]
      )
   ]






# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:aduser@ad.com




method return sender=:1.7 -> dest=:1.32 reply_serial=2
   array [
      string "spacewalk admins@ad.com"
      string "domain admins@ad.com"
      string "domain users@ad.com"
      string "vpnusers@ad.com"
      string "acl-git@ad.com"
      string "ad_admins"
      string "admins"
      string "spacewalk_admins"
   ]

spacewalk sssd config:

[domain/ipa.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spacewalk.ipa.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, dc3.ipa.local
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou
subdomains_provider = ipa
debug_level = 6
[sssd]
services = nss, sudo, pam, ssh, ifp, pac
config_file_version = 2

domains = ipa.local
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = apache, root
user_attributes = +email, +firstname, +lastname, +ou, +mail

Suppose IFP won't work on trusted domains, with additional attributes, only default ones.

Am i missed something in config with IPA and trusts?

Thank you!

Yes you did, the user requests for AD trusted users are routed through the IPA server, so you need to put the same user_attributes and ldap_user_extra_attrs to the server side's sssd.conf as well.

btw sorry this is not obvious. I'm juggling several things at the moment, but writing this setup up in docs and a blog post is on my todo list..

The reporter confirmed on IRC that adding the attributes to the server side sssd.conf helped. Closing.

resolution: => worksforme
status: new => closed

Metadata Update from @doctor:
- Issue set to the milestone: SSSD 1.13 backlog
7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4060

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata
None
None
None
None
major
defect
SSSD
1.13.0
None
0
0
None
0
0
None
SSSD IFP IPA TRUST AD
None
0
None
None
0
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.