Greetings from Argentina! First of all, sorry for my English; I'll try to do my best to explain myself.
I'm a sysadmin at a hosting company.
I have set up an LDAP (SLAPD) server so our support team can log in to our cPanels and do basic things like restarting services, blocking spammers, etc.
It works like a charm. I deployed my setup (SSSD w/LDAP and SUDO) to nearly 30+ CentOS-based servers. Configuration files below.
The problem appeared some days ago, when the LDAP server started responding slowly.
When I went to see the logs, they were 26 GB (over a 6-month period).
I then realized that LOCAL users from those servers were needlessly fetched from the LDAP server.
I'll give you a clearer example:
1) I try to log in using SSH to one of my servers with user "imorandin". NOTE: The user "imorandin" EXISTS locally in /etc/passwd, /etc/shadow and has its group in /etc/group:
# id imorandin
uid=500(imorandin) gid=501(imorandin) grupos=501(imorandin)
# tail /var/log/sssd/sssd_LDAP.log
(Wed Mar 18 10:25:01 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=imorandin]
(Wed Mar 18 10:25:01 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
# tail /var/log/ldap.log
Mar 18 10:25:02 vm004 slapd[3113]: conn=8109 op=6 SRCH base="ou=admin-users,dc=ldap,dc=domain,dc=com" scope=2 deref=0 filter="(&(uid=imorandin)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
# cat /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
sudoers: files sss
----------------------------------------------------------------------------------------------
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP
[nss]
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,uucp,operator,games,gopher,ftp,dbus,vcsa,haldaemon,ntp,saslauth,postfix,abrt,sshd,tcpdump,named,mailnull,mysql,dovecot,cpanel,cpanelhorde,cpanelphpmyadmin,cpanelphppgadmin,cpanel,cpanelroundcube,mailman,cpanellogin,cpaneleximscanner,dovenull,pure-ftpd
reconnection_retries = 5
entry_cache_timeout = 1200
entry_cache_nowait_percentage = 75
entry_negative_timeout = 1200
[pam]
reconnection_retries = 5
offline_credentials_expiration = 10
offline_failed_login_attempts = 10
offline_failed_login_delay = 5
[sudo]
[domain/LDAP]
cache_credentials = true
#enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://domain.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
ldap_search_base = dc=ldap,dc=domain,dc=com
ldap_default_authtok_type = password
ldap_default_bind_dn = cn=sssd,dc=ldap,dc=domain,dc=com
ldap_default_authtok = xxxxxxxxxxxxxxxxxx
ldap_user_search_base = ou=admin-users,dc=ldap,dc=domain,dc=com
ldap_group_search_base = ou=groups,dc=ldap,dc=domain,dc=com
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
debug_level = 5
----------------------------------------------------------------------------------------------
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
NOTE: nsswitch.conf and PAM were auto-configured using the command:
authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
1) Disabling all lines in /etc/pam.d/ that contain pam_sss.so: local users are still fetched from LDAP.
2) If I completely remove "sss" from /etc/nsswitch.conf, it stops querying SSSD, but obviously that is not the solution.
3) I've tried adding this to /etc/nsswitch.conf:
passwd: files [SUCCESS=return] sss
shadow: files [SUCCESS=return] sss
group: files [SUCCESS=return] sss
This is supposed to return and stop if the user is found in files, but it does not work (it is the default behavior anyway).
If you need more data, please let me know.
Hope you can help me!
Thanks in advance to all of you.
Bye!
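Request type 4099 in the sssd_LDAP.log line above is 0x1003, which with the constants from SSSD's data_provider.h (assumed here) decodes to BE_REQ_FAST | BE_REQ_INITGROUPS, a supplementary-group lookup; initgroups(3) consults every source on the group: line rather than stopping at files, which is why a user found in /etc/passwd still reaches the LDAP backend. The following script is an added example, not code from the post: it decodes those request types and counts lookups for names that exist in a local passwd file, using constructed sample input modelled on the quoted log line.

```python
import re
from collections import Counter

# Request-type constants as defined in SSSD's src/providers/data_provider.h
# (assumed here; check them against the SSSD version actually installed).
BE_REQ_USER, BE_REQ_GROUP, BE_REQ_INITGROUPS = 0x0001, 0x0002, 0x0003
BE_REQ_TYPE_MASK, BE_REQ_FAST = 0x00FF, 0x1000
REQ_NAMES = {BE_REQ_USER: "user", BE_REQ_GROUP: "group",
             BE_REQ_INITGROUPS: "initgroups"}

# Matches the "Got request for [type][attr][key=value]" lines of sssd_<domain>.log
LOG_RE = re.compile(r"\[be_get_account_info\] \(0x[0-9a-f]+\): Got request for "
                    r"\[(\d+)\]\[\d+\]\[(\w+)=([^\]]+)\]")

# Constructed sample input, modelled on the log line quoted in the post.
SAMPLE_LOG = """\
(Wed Mar 18 10:25:01 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=imorandin]
(Wed Mar 18 10:25:01 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Mar 18 10:26:40 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=imorandin]
(Wed Mar 18 10:27:03 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=support1]
"""
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "imorandin:x:500:501::/home/imorandin:/bin/bash\n")

def decode_req_type(value):
    """Turn the numeric request type into e.g. 'initgroups(fast)'."""
    base = value & BE_REQ_TYPE_MASK
    kind = REQ_NAMES.get(base, "other:0x%02x" % base)
    return kind + ("(fast)" if value & BE_REQ_FAST else "")

def local_users(passwd_text):
    """Account names present in /etc/passwd-style text."""
    return {line.split(":")[0] for line in passwd_text.splitlines() if ":" in line}

def local_lookups(log_text, passwd_text):
    """Count backend requests whose name already exists locally, keyed by (name, kind)."""
    local = local_users(passwd_text)
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        req_type, key, name = int(m.group(1)), m.group(2), m.group(3)
        if key == "name" and name in local:
            hits[(name, decode_req_type(req_type))] += 1
    return hits

if __name__ == "__main__":
    for (name, kind), n in sorted(local_lookups(SAMPLE_LOG, SAMPLE_PASSWD).items()):
        print(f"{name}: {n} {kind} request(s) for a local account reached the LDAP backend")
```

Run it against the real log and /etc/passwd of one server to see which local accounts, and which request kinds, account for the log volume before changing the NSS or SSSD configuration.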