On Thu, 06 Feb 2014, Steve Dainard wrote:
So I've completed the setup, and can see the trust on the Windows side.
I've joined a client to the IPA realm, and can login with an IPA user. When
I try to login (console, ssh, su -) as a domain user I get:
--------CLIENT SIDE--------
[root@rhel6-client ~]# su - sdainard@miovision
su: user sdainard@miovision does not exist
[root@rhel6-client ~]# su - [email protected]
su: user [email protected] does not exist
[root@rhel6-client ~]# su - [email protected]
su: user [email protected] does not exist
[root@rhel6-client ~]# ssh sdainard@miovision@localhost
sdainard@miovision@localhost's password:
Permission denied, please try again.
/var/log/secure:
Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
unknown
Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb 6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
retrieving information about user sdainard@miovision
Feb 6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
sdainard@miovision from ::1 port 47391 ssh2
Feb 6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
Feb 6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
Feb 6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
sdainard@miovision
Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
unknown
Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb 6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
retrieving information about user sdainard@miovision
Feb 6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
sdainard@miovision from ::1 port 47417 ssh2
Note that there are no logs from sssd above, which means sssd was never
consulted.
No logs for sssd;
# pwd
/var/log/sssd
[root@snapshot-test sssd]# ll
total 0
-rw-------. 1 root root 0 Feb 5 17:38 krb5_child.log
-rw-------. 1 root root 0 Feb 5 17:38 ldap_child.log
-rw-------. 1 root root 0 Feb 5 17:37 sssd.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_miolinux.corp.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_nss.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_pac.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_pam.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_ssh.log
sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
have a
debug_level = <value>
line. For more details see sssd.conf(5).
/etc/sssd/sssd.conf:
[domain/miolinux.corp]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-client.miolinux.corp
chpass_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
You are missing the SSSD configuration for trusts:
subdomains_provider = ipa
[sssd]
services = nss, pam, ssh
and here the 'pac' service also has to be referenced in the 'services ='
line
config_file_version = 2
domains = miolinux.corp
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
Basically, the situation should look like this:
1. The IPA master server is configured to talk to the AD DC by means of
winbindd running in the background (on RHEL 6.x; in current Fedora it is
done by SSSD talking directly to the AD LDAP services). SSSD on the IPA
master uses it to resolve IDs for AD users and groups. This requires a
special setup of SSSD on the IPA master, with
[domain/...]
subdomains_provider = ipa
and
[sssd]
services = ..., pac
In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
automatically by setting
ipa_master_mode = True
On RHEL 6.x one needs to add the parameters manually.
2. /etc/krb5.conf has to contain auth_to_local rules that map AD
principals to lower-cased versions because some applications (SSH)
are very picky about user/principal name mapping. This has to be done
on both IPA masters and IPA clients.
3. On IPA clients SSSD needs to have the following in
/etc/sssd/sssd.conf
[domain/...]
subdomains_provider = ipa
and
[sssd]
services = ..., pac
With these changes SSSD on the IPA client will recognize AD users and
request the IPA master to perform name/SID/etc. resolution, and will also
attempt to parse the special part of the Kerberos ticket generated by
the AD DC (MS-PAC) that contains a signed cached copy of group
ownership for AD users.
SSSD needs a restart after each config change.
You can do checks step by step to see whether things are working:
1. Ensure that SSSD on IPA master resolves AD user properly:
getent passwd [email protected]
Should return a non-empty entry.
2. Ensure that SSSD on IPA client resolves AD user properly:
getent passwd [email protected]
Should return a non-empty entry.
3. Ensure that Kerberos infrastructure works:
kinit [email protected]
kvno -S host ipa.client.domain
4. Attempt to use Kerberos ticket:
ssh -l [email protected] ipa.client.domain
At this point, if everything works fine, SSHd will authenticate
[email protected] by its Kerberos ticket and authorize its access.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
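An added example (my own, not code from the thread or from the FreeIPA/SSSD projects) that checks a client sssd.conf for the two trust settings the reply calls out, `subdomains_provider = ipa` in every IPA domain section and `pac` in the `[sssd]` services list, and produces a corrected copy. The sample config is constructed from the poster's file, trimmed to the keys that matter here; the check is a plain configparser lint, not SSSD's own validation.

```python
import configparser, io

# Constructed sample: the poster's client sssd.conf, which lacks the trust settings.
SAMPLE_SSSD_CONF = """\
[domain/miolinux.corp]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp
[pac]
"""

def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp

def _ipa_domains(cp):
    return [s for s in cp.sections()
            if s.startswith("domain/") and cp.get(s, "id_provider", fallback="") == "ipa"]

def _services(cp):
    return [s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()]

def check_trust_config(conf_text):
    """Return a list of problems; an empty list means the trust settings are present."""
    cp = _parse(conf_text)
    problems = []
    for section in _ipa_domains(cp):  # each IPA domain must delegate AD lookups to the master
        if cp.get(section, "subdomains_provider", fallback="") != "ipa":
            problems.append(f"[{section}] is missing 'subdomains_provider = ipa'")
    if "pac" not in _services(cp):  # pac responder parses the MS-PAC in AD-issued tickets
        problems.append("[sssd] services is missing 'pac' (currently: %s)" % ", ".join(_services(cp)))
    return problems

def fix_trust_config(conf_text):
    """Return the config with both settings added (restart SSSD after writing it)."""
    cp = _parse(conf_text)
    for section in _ipa_domains(cp):
        cp.set(section, "subdomains_provider", "ipa")
    services = _services(cp)
    if "pac" not in services: services.append("pac")
    cp.set("sssd", "services", ", ".join(services))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```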