On Thu, 06 Feb 2014, Steve Dainard wrote:
So I've completed the setup, and can see the trust on the Windows side.

I've joined a client to the IPA realm, and can login with a IPA user. When
I try to login (console, ssh, su -) as a domain user I get:

--------CLIENT SIDE--------

[root@rhel6-client ~]# su - sdainard@miovision
su: user sdainard@miovision does not exist
[root@rhel6-client ~]# su - sdain...@miovision.corp
su: user sdain...@miovision.corp does not exist
[root@rhel6-client ~]# su - sdain...@miovision.corp
su: user sdain...@miovision.corp does not exist


[root@rhel6-client ~]# ssh sdainard@miovision@localhost
sdainard@miovision@localhost's password:
Permission denied, please try again.


/var/log/secure:
Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
unknown
Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb  6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
retrieving information about user sdainard@miovision
Feb  6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
sdainard@miovision from ::1 port 47391 ssh2
Feb  6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
Feb  6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
Feb  6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
sdainard@miovision
Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
unknown
Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb  6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
retrieving information about user sdainard@miovision
Feb  6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
sdainard@miovision from ::1 port 47417 ssh2
Note that there are no logs from sssd above, which means sssd was never
consulted.


No logs for sssd;
# pwd
/var/log/sssd
[root@snapshot-test sssd]# ll
total 0
-rw-------. 1 root root 0 Feb  5 17:38 krb5_child.log
-rw-------. 1 root root 0 Feb  5 17:38 ldap_child.log
-rw-------. 1 root root 0 Feb  5 17:37 sssd.log
-rw-------. 1 root root 0 Feb  5 17:38 sssd_miolinux.corp.log
-rw-------. 1 root root 0 Feb  5 17:38 sssd_nss.log
-rw-------. 1 root root 0 Feb  5 17:38 sssd_pac.log
-rw-------. 1 root root 0 Feb  5 17:38 sssd_pam.log
-rw-------. 1 root root 0 Feb  5 17:38 sssd_ssh.log
sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
have a debug_level = <value> line. For more details see sssd.conf(5).


/etc/sssd/sssd.conf:
[domain/miolinux.corp]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-client.miolinux.corp
chpass_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
You are missing SSSD configuration for trusts:

subdomains_provider = ipa

[sssd]
services = nss, pam, ssh
and here also service 'pac' has to be referenced in the 'services = '
line

config_file_version = 2

domains = miolinux.corp
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]




Basically, the situation should look like this:

1. IPA master server configured to talk to the AD DC, by means of winbindd
   in the background (on RHEL 6.x; in current Fedora it is done by SSSD
   talking directly to AD LDAP services). SSSD on the IPA master uses it
   to resolve IDs for AD users and groups. This requires special setup of
   SSSD on the IPA master, with

   [domain/...]
   subdomains_provider = ipa

   and

   [sssd]
     services = ..., pac

   In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on the IPA
   master automatically by setting ipa_master_mode = True

   On RHEL 6.x one needs to add the parameters manually.

2. /etc/krb5.conf has to contain auth_to_local rules that map AD
   principals to lower-cased versions because some applications (SSH)
   are very picky about user/principal name mapping. This has to be done
   on both IPA masters and IPA clients.

3. On IPA clients SSSD needs to have the following in
   /etc/sssd/sssd.conf

   [domain/...]
   subdomains_provider = ipa

   and

   [sssd]
   services = ..., pac

   With these changes SSSD on the IPA client will recognize AD users,
   request the IPA master to perform name/SID/etc. resolution, and will
   also attempt to parse the special part of the Kerberos ticket
   generated by the AD DC (MS-PAC) that contains a signed cached copy of
   group ownership for AD users.

SSSD needs a restart after each config change.
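The client-side part of steps 1 and 3 can be checked mechanically before restarting SSSD. The following is an added example, not code from this thread, FreeIPA or SSSD: it parses sssd.conf text with Python's configparser, reports the two trust settings named above (subdomains_provider = ipa in the [domain/...] section, pac in the [sssd] services list) when they are missing, and produces a corrected copy. The sample input is the client configuration quoted earlier in the thread, embedded here as a constructed string; the names check_trust_config and apply_trust_fix are this example's own.

```python
"""Check an SSSD client configuration for the settings the thread names as
required for AD trust users, and produce a corrected copy.

Added example; not code from FreeIPA or SSSD. It only parses sssd.conf text
and makes no network or system calls.
"""
import configparser
import io
from typing import List

# Constructed sample: the client sssd.conf quoted in the thread, before the fix.
SSSD_CONF_BEFORE = """\
[domain/miolinux.corp]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-client.miolinux.corp
chpass_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp

[nss]

[pam]

[ssh]
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text. '=' is the only delimiter (values may contain
    ':'), and interpolation is off so a '%' in a value is left alone."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def _csv(value: str) -> List[str]:
    """Split a comma-separated sssd.conf value such as 'nss, pam, ssh'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_trust_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the trust-related
    settings from the thread are all present for every active IPA domain."""
    cp = parse_sssd_conf(text)
    findings: List[str] = []

    services = _csv(cp.get("sssd", "services", fallback=""))
    if "pac" not in services:
        findings.append("[sssd] services does not include 'pac' "
                        "(needed to parse the MS-PAC in AD-issued tickets)")

    active = _csv(cp.get("sssd", "domains", fallback=""))
    domain_sections = [s for s in cp.sections() if s.startswith("domain/")]
    if not domain_sections:
        findings.append("no [domain/...] section found")
    for section in domain_sections:
        name = section[len("domain/"):]
        if name not in active:
            findings.append(f"[{section}] is not listed in [sssd] domains, "
                            "so SSSD ignores it")
        if cp.get(section, "id_provider", fallback="") != "ipa":
            # The thread only covers the IPA provider; other providers are
            # out of scope for this check.
            continue
        if cp.get(section, "subdomains_provider", fallback="") != "ipa":
            findings.append(f"[{section}] is missing 'subdomains_provider = ipa'")
    return findings


def apply_trust_fix(text: str) -> str:
    """Return the configuration with the two trust settings added. Note that
    configparser drops comments when it writes the file back out."""
    cp = parse_sssd_conf(text)
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    services = _csv(cp.get("sssd", "services", fallback=""))
    if "pac" not in services:
        services.append("pac")
    cp.set("sssd", "services", ", ".join(services))
    for section in cp.sections():
        if (section.startswith("domain/")
                and cp.get(section, "id_provider", fallback="") == "ipa"):
            cp.set(section, "subdomains_provider", "ipa")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in check_trust_config(SSSD_CONF_BEFORE) or ["no findings"]:
        print("finding:", finding)
    print("--- corrected configuration ---")
    print(apply_trust_fix(SSSD_CONF_BEFORE))
```

On the sample configuration the checker reports exactly the two items from the reply above (no pac responder, no subdomains_provider); the corrected copy it produces passes with no findings. The check deliberately says nothing about the krb5.conf auth_to_local rules from step 2, which live in a different file.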

You can do checks step by step to see whether things are working:

1. Ensure that SSSD on IPA master resolves AD user properly:

   getent passwd user@ad.domain

   Should return a non-empty entry.

2. Ensure that SSSD on IPA client resolves AD user properly:

   getent passwd user@ad.domain

   Should return a non-empty entry.

3. Ensure that Kerberos infrastructure works:

   kinit user@ad.domain
   kvno -S host ipa.client.domain

4. Attempt to use Kerberos ticket:

   ssh -l user@ad.domain ipa.client.domain

   At this point, if everything works fine, SSHd will authenticate
   user@ad.domain by its Kerberos ticket and authorize its access.


--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users