Redhat – Moving from nslcd to sssd on Red Hat to solve NSS MD5 issue

Tags: ldap, redhat, rhel6, sssd

I have a problem with the latest version of Red Hat: nss/nscd does not accept MD5 certificates.
Following recommendations, I am replacing nscd with sssd using this howto: http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html

I have run this command to activate sssd:

authconfig --enablesssd --enablesssdauth --enablelocauthorize --update

I have made sure the references in /etc/nsswitch.conf are all set to "files sss":

passwd:     files sss
shadow:     files sss
group:      files sss

I have increased the debug_level to 5 to provide more information:

[root@tst-02 sssd]# cat sssd_default.log
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sysdb_domain_init_internal] (0x0200): DB File for default: /var/lib/sss/db/cache_default.ldb
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection CF9220
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_default,1)
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sss_names_init] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'ldap1.it.domain.nl', to service 'LDAP'
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'ldap2.it.domain.nl', to service 'LDAP'
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [permit].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0080): No SUDO module provided for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to dc=it,dc=domain,dc=nl
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=it,dc=domain,dc=nl][SUBTREE][]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): No selinux module provided for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): No host info module provided for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [load_backend_module] (0x0200): no module name found in confdb, using [ldap].
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_process_init] (0x0020): Subdomains are not supported for [default] !!
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xd05680.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection D05680
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xd04ad0]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xd05080.
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection D05080
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xd09030]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0xd04ad0]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0xd09030]
(Mon Jul 29 14:53:38 2013) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [NSS]
[root@tst-02 sssd]# cat /etc/sssd/sssd.conf
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=it,dc=domain,dc=nl
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap1.it.domain.nl,ldap://ldap2.it.domain.nl
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 5

[sssd]
services = nss, pam
config_file_version = 2
debug_level = 5

domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
[root@tst-02 sssd]#

LDAP used to work fine with nss/nscd/nslcd on Red Hat 6.2. Upgrading to Red Hat 6.4 broke LDAP because of the nss upgrade: http://www.unixmen.com/rhel-centos-6-4-ldap-md5-certificate-error-caused-by-nss-3-14-update/, https://access.redhat.com/site/solutions/323923.

Because we use nslcd on the client side, it will not use the external environment variables; either a new certificate signed with a stronger hash is required, or nss and nss-tools must be downgraded to version 3.13.6-1.el6_3. For this reason I would like to use sssd instead.

How can I find out the reason why LDAP is not working with sssd?

Best Answer

Even SSSD will have the same issue as NSLCD. This issue was not with nss-pam-ldapd or nscd but with the nss package.

So either upgrade the nss package to the latest, or do the following to add support for MD5.

Add to the end of the kernel lines in /etc/grub.conf:

systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5

or

Create /etc/profile.d/nss.sh containing:

export NSS_HASH_ALG_SUPPORT=+MD5
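
The root cause both posts point at is the signature hash on the LDAP server (or CA) certificate: NSS 3.14 stopped accepting MD5-signed certificates by default. The quickest check on the box is `openssl x509 -in <cert> -noout -text | grep 'Signature Algorithm'` against the file under the `ldap_tls_cacertdir` named in sssd.conf. What follows is an added example, not code from the original post, the linked how-to, or the sssd project: a stdlib-only Python parser that reads the outer signatureAlgorithm of a DER certificate and reports whether it is the MD5 variant NSS 3.14 rejects. The certificate it runs on is a constructed skeleton built inline (a dummy tbsCertificate and signature value), and the helper names `fake_cert`, `pem_to_der`, `nss_314_would_reject` and the rest are this example's own. Two caveats a practitioner will want: the sssd.conf above sets `ldap_id_use_start_tls = False` with plain `ldap://` URIs, so as posted sssd would talk to the directory with no TLS at all and the certificate hash is not what stops it; and `NSS_HASH_ALG_SUPPORT=+MD5` re-enables a broken hash for every NSS consumer that inherits the environment, so reissuing the certificate with a SHA-256 signature is the fix to aim for rather than the workaround.

```python
import base64

# OID -> algorithm name for the signature algorithms commonly seen on
# LDAP server and CA certificates.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
# NSS 3.14 disabled MD5 certificate signatures by default.
REJECTED_BY_NSS_314 = {"md5WithRSAEncryption"}


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Turn OID content octets into dotted notation (first byte packs two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes):
    """Return (dotted_oid, name) of a certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Only the second element is needed, so tbsCertificate is skipped, not parsed.
    """
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)              # tbsCertificate (skipped)
    tag, alg_id, _ = read_tlv(cert, pos)          # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return dotted, SIG_ALG_OIDS.get(dotted, "unknown")


def nss_314_would_reject(cert_der: bytes) -> bool:
    """True when the certificate carries a signature NSS >= 3.14 refuses by default."""
    return signature_algorithm(cert_der)[1] in REJECTED_BY_NSS_314


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour and base64-decode, for checking a real file from cacertdir."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample input (not a real certificate) ---------------------
def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid: dotted string -> base-128 content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid: str) -> bytes:
    """Constructed Certificate skeleton: dummy tbsCertificate, real AlgorithmIdentifier."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"tbs placeholder"))
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" + bytes(32))          # BIT STRING, zero unused bits
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        cert = fake_cert(oid)
        dotted, name = signature_algorithm(cert)
        verdict = "REJECTED by NSS 3.14" if nss_314_would_reject(cert) else "accepted"
        print(f"{name:24} ({dotted}): {verdict}")
```

To test a real certificate, feed the file from the configured cacertdir through `signature_algorithm(pem_to_der(open(path).read()))`; an `md5WithRSAEncryption` result is the condition the Red Hat solution describes, and the answer is a reissued certificate rather than a re-enabled MD5.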