The other day I experienced an SSSD outage. I do not know exactly how it got into that state; I was just working remotely over the VPN and then left the computer on. The screen locked, but the VPN probably dropped at some point. When I tried to unlock, my account was not recognized. The SSSD restart did not help, so I checked the log. It reported that there are no cached credentials for me. Maybe the cache database got corrupted or something... Well, things happen. So how do I recover from this situation while remote? I need to log in as root, establish a VPN connection and authenticate as myself for the creds to be cached again. I use RHEL, so I was able to log in as root into the UI and use a preconfigured VPN client. If I were on Fedora, or root did not have a VPN configured, I would have been in trouble. Since we can't rely on the VPN being configured or even possible to establish (maybe I do not have access at all but need to work offline), it would be nice to have a way to seed the cache as root from the command line for the user I need. I envision it as a command:
sssd_seed --restore --domain=default --user=dpal --password=foo
This will restore the cred cache for the user, allowing him to log in offline. This would help a laptop user to easily restore the offline cache without dealing with VPN.
Also, an alternative would be to do the same thing through the PAM conversation. Say I do not have a cred cache for user foo for whatever reason (bug, upgrade went wrong, database corruption, user never logged in, the cache got wiped out by mistake, etc.). The user tries to authenticate, and SSSD detects that there is no valid cred cache for this user but SSSD is configured to cache creds. Then SSSD would prompt the user for the root password. If the user knows the root password and enters it correctly, SSSD would then prompt for the user password and then prompt again to confirm it. If the passwords match, it would save it in the cache and let the user in. This way even an inexperienced user would be able to seed his SSSD cred cache without all this VPN overhead.
Fields changed
type: defect => enhancement
milestone: NEEDS_TRIAGE => SSSD Deferred
proposed_priority: => Undefined
rhbz: => todo
sss_seed is available since 6ea6ec5, therefore we can close this ticket.
changelog: => design: => design_review: => 0 fedora_test_page: => mark: => 0 review: => 1 selected: => sensitive: => 0
resolution: => worksforme
status: new => closed
Metadata Update from @dpal: - Issue set to the milestone: SSSD Patches welcome
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/2517
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.