Sssd pam interface problems


#1

We decided to implement LDAP authorization in our environment and faced some
problems during the process.

Brief info:

We have a Chef server and cookbooks which serve the LDAP client and server.
OS: CentOS 6.3 x86_64

On our LDAP server we have the slapd daemon, which is configured through chef-client. With
this we don't have any problems.
On our client side we have the sssd daemon, which provides the NSS and PAM interfaces
to the system.

Situation:
We have, for example, a new server.
To bootstrap it we execute chef-client on it.
Everything is fine. But then it starts to process the ldap_client cookbook,
which installs the daemon and its config file, then restarts it.
After this it processes the ssh cookbook, which processes a data_bag and creates
the required home directory, creates SSH keys, and changes ownership.

During the 1st run, when the sssd daemon wasn't started and the PAM interface wasn't
provided, instead of this:
ls -all /home:
drwxr-xr-x 3 user1 user1 4096 Feb 15 10:30 user1
drwxr-xr-x 3 user2 user2 4096 Feb 15 10:30 user2

we have this:
drwxr-xr-x 3 root root 4096 Feb 15 10:30 user1
drwxr-xr-x 3 root root 4096 Feb 15 10:30 user2

It is happening because the sssd daemon was stopped and the new PAM interface
wasn't provided, so the current chef run couldn't contact our LDAP server.

BUT when we execute chef-client a second time and sssd is running,
we receive the desired result:
drwxr-xr-x 3 user1 user1 4096 Feb 15 10:30 user1
drwxr-xr-x 3 user2 user2 4096 Feb 15 10:30 user2

The ownership of the home directories is correct.
Output:

create new directory /home/user1/.ssh
[2013-02-15T11:13:14+02:00] INFO: directory[/home/user1/.ssh] owner changed to 5001
[2013-02-15T11:13:14+02:00] INFO: directory[/home/user1/.ssh] group changed to 5001
[2013-02-15T11:13:14+02:00] INFO: directory[/home/user1/.ssh] mode changed to 700

change mode from '' to '0700'
change owner from '' to 'user1'
change group from '' to 'user1'

So the question is:
is it possible, during the chef-client run, to somehow reinitialize its resources so it
knows about the new PAM interface?

P.S.: Sorry for my bad English


#2

Right now, unfortunately, you will have to do it over multiple runs.

This is a good use case for “phases”, as talked about a few weeks ago
on the mailing list.

-s

On Fri, Feb 15, 2013 at 6:45 AM, anikeev1988@yandex.ru wrote:


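A note on where the root-owned directories come from, because it decides what a workaround can and cannot do: Chef's directory and file resources turn `owner 'user1'` into a uid with getpwnam(3), i.e. through NSS (the nss_sss module that sssd answers), not through PAM. If the ldap_client cookbook also edits /etc/nsswitch.conf during the run, a glibc of the CentOS 6 era reads that file once per process and caches it, so the already-running chef-client keeps the old lookup order until it is restarted, which matches the "multiple runs" answer above. What a cookbook can still do within one run is refuse to create a home directory whose owner does not resolve yet, and detect the leftovers of a first run. The Ruby below is an added example, not code from this thread or from any Chef cookbook: `resolve_account`, `provision_home` and `misowned_homes` are hypothetical helper names, and the `lookup` parameter exists only so the logic can be exercised without a live sssd (by default it calls Etc.getpwnam, the same NSS path Chef uses).

```ruby
require 'etc'
require 'fileutils'

# Default NSS lookup: Etc.getpwnam goes through glibc's getpwnam(3), which is
# what Chef's directory/file resources use to turn `owner 'user1'` into a uid.
NSS_LOOKUP = ->(name) { Etc.getpwnam(name) }

# Resolve a login name to numeric ids, retrying a few times while the NSS
# backend (sssd, for nss_sss) is still coming up. Raises if it never resolves.
# (Hypothetical helper for this example; `lookup` is injectable for testing.)
def resolve_account(name, attempts: 5, delay: 1.0, lookup: NSS_LOOKUP)
  last_error = nil
  attempts.times do |i|
    begin
      pw = lookup.call(name)
      return { uid: pw.uid, gid: pw.gid } if pw
    rescue ArgumentError => e
      last_error = e # Etc.getpwnam raises ArgumentError for an unknown name
    end
    sleep(delay) if i < attempts - 1
  end
  detail = last_error ? " (#{last_error.message})" : ''
  raise "#{name} does not resolve through NSS after #{attempts} attempt(s)#{detail}; " \
        'is sssd running and is "sss" listed for passwd/group in /etc/nsswitch.conf?'
end

# Create <home_root>/<name> (0755) and <home_root>/<name>/.ssh (0700) owned by
# the resolved account. Nothing is created unless the name resolves first, so a
# run that starts before sssd answers fails loudly instead of leaving
# root-owned home directories behind. Returns the resolved ids.
def provision_home(home_root, name, lookup: NSS_LOOKUP)
  ids = resolve_account(name, attempts: 1, lookup: lookup)
  home = File.join(home_root, name)
  ssh_dir = File.join(home, '.ssh')
  FileUtils.mkdir_p(ssh_dir)
  FileUtils.chmod(0o755, home)
  FileUtils.chmod(0o700, ssh_dir)
  FileUtils.chown(ids[:uid], ids[:gid], [home, ssh_dir])
  ids
end

# Audit existing home directories against what NSS resolves now: the leftover
# of a first run looks like `drwxr-xr-x root root ... user1`. Returns one entry
# per mismatch; `expected` is nil when the name still does not resolve.
def misowned_homes(home_root, names, lookup: NSS_LOOKUP)
  names.each_with_object([]) do |name, bad|
    path = File.join(home_root, name)
    next unless File.directory?(path)
    st = File.stat(path)
    begin
      ids = resolve_account(name, attempts: 1, lookup: lookup)
    rescue RuntimeError
      bad << { name: name, path: path, owner: st.uid, expected: nil }
      next
    end
    next if st.uid == ids[:uid] && st.gid == ids[:gid]
    bad << { name: name, path: path, owner: st.uid, expected: ids[:uid] }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Usage on a real host (chown needs root): ruby nss_home.rb /home user1 user2
  root, *names = ARGV
  names.each { |n| p provision_home(root, n) }
  p misowned_homes(root, names)
end
```

The same guard can be expressed in a recipe as an `only_if` on `getent passwd user1` (getent uses the same NSS path), which turns the silent root-owned directory into a skipped resource that the next run, with sssd answering, will converge; the audit is the check to run after the second chef-client run to confirm no root-owned home directories survived the first one.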

#3

I thought PagerDuty was gonna hire me, have under 4k in the bank, let me know if opscode has an opening.

415-852-1889.

Sent by Awesome.

On Feb 15, 2013, at 6:21 AM, Sean OMeara someara@gmail.com wrote:



#4

lol?

http://www.opscode.com/careers/

–AJ

On 16 February 2013 22:23, Justin Alan Ryan serial.rockstar@gmail.com wrote:
