Sssd-tools

0 views
Skip to first unread message

Jackie Bullinger

unread,
Aug 5, 2024, 1:39:00 AM8/5/24
to reapcoubaffri
Ihave outlined all the steps necessary to get this up and working. There are a series of bugs regarding the install of the packages. All of the underlying software works great, but there are a few steps you have to take to make things work: -ubuntu-14-04-to-active-directory-domain-using-realmd

I tried the accepted answer on 16.04.1 LTS and the command failed with someting about the password. Running sudo realm join normally would give the error Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli, even though they are all installed. After searching for an hour I found this workaround, which says you should add --install=/ to the join command. So the full syntax is:


apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools cracklib-runtime appstream ldap-utils sssd-dbus apt-config-icons gstreamer1.0-tools libsss-sudo gstreamer1.0-plugins-base libsss-simpleifp0


My AD is not a Windows Server like yours, since I am broke and can't afford a x64 server or mini pc. So I'm stuck on a arm64 single board computer... So I have proxmox for Raspberry Pi (PiMox) with a debian 12.5.0 installation and I followed a guide about setting up samba as a Domain Controller if you also want to try make the same thing I have did the following guide since Samba is a big wordy for my brain to understand. (This is not a advertisement but to show how my servers work, External Contentwww.youtube.comContent embedded from external sources will not be displayed without your consent.Display all external contentThrough the activation of external content, you agree that personal data may be transferred to third party platforms. We have provided more information on this in our privacy policy.). But if you have any other OS you think I can use to emulate AD Server please tell me. Thanks, donh.


Great work! I will be getting rid of 2012 soon because it no longer gets updates. And I have retired and don't have to stay up on windows anymore. I guess I don't really need ad either. But how hard can it be. LOL


I am not an expert in this field. I have got this working successfully. My AD DC Server is NOT a Windows Server and you WILL/MIGHT have to modify properties to get it working as you may wish. I am using a Samba AD DC (4), replicate this if you fail using Windows Server.


System Security Services Daemon (SSSD) is the primary client software component supporting identity management in many Linux distributions, including Red Hat Enterprise Linux (RHEL), Fedora, and Debian. RHEL 8.6 and 9.0 contain new SSSD logging improvements, which we'll discuss in this article.


When troubleshooting issues related to SSSD, you must analyze or review SSSD debug logs. This can be daunting, especially when SSSD is configured to run with a high debug level. Tracking identity or authentication requests across different log files often requires deep knowledge of internal components. These requests are handled asynchronously, making linear log-file analysis unhelpful or time consuming. There may be tens of thousands of lines of log messages on high-traffic systems to review, with thousands of requests happening.


This unique request identifier, which bears no other meaning than being unique, is now printed in SSSD responder logs (such as sssd_nss.log or sssd_pam.log) to "tag" a log message and associate it with a specific request. The identifier [CID#1] is in the first line of this output:


SSSD responders forward this unique request identifier to back-end processes. The data provider's requests generate a unique ID, and the back-end log (for example, sssd_$domain.log) messages include the tag RID#X.


To facilitate investigations, SSSD introduced the "debug backtrace" feature starting with SSSD 2.5.x (available in RHEL 8.5 and newer). When a significant SSSD operational failure occurs, debug backtrace triggers a dump of the entire log (all log levels) from a specified date forward to help uncover the sequence of events that resulted in the failure. A dump is clearly highlighted in the log file by the begin and end markers:


SSSD includes a new log parsing tool in the sssd-tools package for debug-log analysis. This analyzer tool filters log messages pertaining to a specific client request you're investigating. This allows you to follow or track relevant logs for a specific request across the SSSD front-end, back-end, and child processes.


First, use the list argument to find the unique identifier associated with the client command you're tracking. NSS (identity) lookups are shown by default; for authentication requests, you must also pass the --pam argument:


You can add the -v option for more detailed information about each request. This option lists related subrequests that are executed inside SSSD and would normally be generated by a single client command.


The second request is an SSH login attempt for testuser. The number 2 (as in [CID#2]) is the unique ID you provide as an argument to the analyzer show command to track the request across SSSD components and print all relevant logs. In this snippet, RID#43 was generated by a subrequest of CID#2. The --pam argument is also needed here:


The logs printed by the analyzer are specifically associated with this authentication attempt. The tail end of this output shows that the simple access check failed. It also indicates the specific group that was missing and is needed to access the system:


These log messages show that this Active Directory user is not a member of the necessary group on the Active Directory side. They are a member of Linux-Acc...@ad.domain but not Linux-Acc...@child.dom. Once you add this user, they can successfully log in. Using the SSSD log analyzer makes finding the root cause of this failed authentication easier and quicker.


By default, the analyze command parses SSSD logs from the system where you run the command. You can use the --logdir option to analyze SSSD logs from any system. This requires providing a path to a directory containing SSSD debug logs. It could be useful for help-desk or support team members who often receive and analyze different sets of logs.


These logging improvements hopefully make system administrators' jobs easier. Please try out these new SSSD features and provide feedback about what works and doesn't work for you, what further improvements would make sense, or other suggestions. You can find the SSSD team's contacts on the project website.


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. The content published on this site are community contributions and are for informational purpose only AND ARE NOT, AND ARE NOT INTENDED TO BE, RED HAT DOCUMENTATION, SUPPORT, OR ADVICE.

3a8082e126
Reply all
Reply to author
Forward
0 new messages