On Thu, Feb 6, 2014 at 11:14 AM, Alexander Bokovoy <[email protected]> wrote:

> On Thu, 06 Feb 2014, Steve Dainard wrote:
>> So I've completed the setup, and can see the trust on the Windows side.
>>
>> I've joined a client to the IPA realm, and can log in with an IPA user. When
>> I try to log in (console, ssh, su -) as a domain user I get:
>>
>> --------CLIENT SIDE--------
>>
>> [root@rhel6-client ~]# su - sdainard@miovision
>> su: user sdainard@miovision does not exist
>> [root@rhel6-client ~]# su - [email protected]
>> su: user [email protected] does not exist
>> [root@rhel6-client ~]# su - [email protected]
>> su: user [email protected] does not exist
>>
>> [root@rhel6-client ~]# ssh sdainard@miovision@localhost
>> sdainard@miovision@localhost's password:
>> Permission denied, please try again.
>>
>> /var/log/secure:
>> Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user unknown
>> Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>> Feb 6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error retrieving information about user sdainard@miovision
>> Feb 6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user sdainard@miovision from ::1 port 47391 ssh2
>> Feb 6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
>> Feb 6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
>> Feb 6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user sdainard@miovision
>> Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user unknown
>> Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>> Feb 6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error retrieving information about user sdainard@miovision
>> Feb 6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user sdainard@miovision from ::1 port 47417 ssh2
>>
> Note that there are no logs from sssd above, which means sssd was never
> consulted.
>
>> No logs for sssd;
>> # pwd
>> /var/log/sssd
>> [root@snapshot-test sssd]# ll
>> total 0
>> -rw-------. 1 root root 0 Feb 5 17:38 krb5_child.log
>> -rw-------. 1 root root 0 Feb 5 17:38 ldap_child.log
>> -rw-------. 1 root root 0 Feb 5 17:37 sssd.log
>> -rw-------. 1 root root 0 Feb 5 17:38 sssd_miolinux.corp.log
>> -rw-------. 1 root root 0 Feb 5 17:38 sssd_nss.log
>> -rw-------. 1 root root 0 Feb 5 17:38 sssd_pac.log
>> -rw-------. 1 root root 0 Feb 5 17:38 sssd_pam.log
>> -rw-------. 1 root root 0 Feb 5 17:38 sssd_ssh.log
>>
> sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
> have a debug_level = <value> line. For more details see sssd.conf(5).
>
>> /etc/sssd/sssd.conf:
>> [domain/miolinux.corp]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = miolinux.corp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = rhel6-client.miolinux.corp
>> chpass_provider = ipa
>> ipa_server = _srv_, ipa1.miolinux.corp
>> ldap_tls_cacert = /etc/ipa/ca.crt
>>
> You are missing the SSSD configuration for trusts:
>
> subdomains_provider = ipa
>
>> [sssd]
>> services = nss, pam, ssh
>>
> and here the 'pac' service also has to be referenced in the 'services = ' line.
>
>> config_file_version = 2
>>
>> domains = miolinux.corp
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
> Basically, the situation should look like this:
>
> 1. IPA master server configured to talk to AD DC, by means of using winbindd in
> background (on RHEL 6.x; in current Fedora it is done by directly
> talking to AD LDAP services by SSSD). SSSD on IPA master uses it to
> resolve IDs for AD users and groups. This requires special setup of SSSD
> on IPA master, with
>
> [domain/...]
> subdomains_provider = ipa
>
> and
>
> [sssd]
> services = ..., pac

Server side looks right:

[domain/miolinux.corp]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.miolinux.corp
chpass_provider = ipa
ipa_server = ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = miolinux.corp

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

> In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
> automatically by setting ipa_master_mode = True
>
> On RHEL 6.x one needs to add the parameters manually.
>
> 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
> principals to lower-cased versions because some applications (SSH)
> are very picky about user/principal name mapping. This has to be done
> on both IPA masters and IPA clients.

This was done on the IPA server, but the RHEL 6.5 client doesn't have this file.

On the IPA server:

[realms]
MIOLINUX.CORP = {
kdc = ipa1.miolinux.corp:88
master_kdc = ipa1.miolinux.corp:88
admin_server = ipa1.miolinux.corp:749
default_domain = miolinux.corp
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
auth_to_local = DEFAULT

[root@ipa1 ~]# kinit [email protected]
Password for [email protected]:
kinit: KDC reply did not match expectations while getting initial credentials

A CentOS 6.5 client has this file. The docs didn't mention the manual client
config; I just assumed the IPA server would proxy the request. After adding,
no change.

> 3. On IPA clients SSSD needs to have the following in
> /etc/sssd/sssd.conf
>
> [domain/...]
> subdomains_provider = ipa
>
> and
>
> [sssd]
> services = ..., pac

Added.

> With these changes SSSD on IPA client will recognize AD users and
> request IPA master to perform name/SID/etc resolution, and also will
> make an attempt to parse the special part of the Kerberos ticket
> generated by AD DC (MS-PAC) that contains a signed cached copy of group
> ownership for AD users.
>
> SSSD needs a restart after each config change.
>
> You can do checks step by step to see whether things are working:
>
> 1. Ensure that SSSD on IPA master resolves AD user properly:
>
> getent passwd [email protected]
>
> Should return a non-empty entry.

Returns no values.

[root@ipa1 ~]# getent passwd [email protected]
[root@ipa1 ~]#

> 2. Ensure that SSSD on IPA client resolves AD user properly:
>
> getent passwd [email protected]
>
> Should return a non-empty entry.

[root@snapshot-test ~]# getent passwd [email protected]
[root@snapshot-test ~]#

> 3. Ensure that Kerberos infrastructure works:
>
> kinit [email protected]
> kvno -S host ipa.client.domain

[root@ipa1 ~]# kinit [email protected]
Password for [email protected]:
kinit: KDC reply did not match expectations while getting initial credentials
[root@ipa1 ~]# kinit [email protected]
Password for [email protected]:
[root@ipa1 ~]# kvno cifs/[email protected]
cifs/[email protected]: kvno = 41
[root@ipa1 ~]# kvno -S host ipa1.miolinux.corp
host/[email protected]: kvno = 2
[root@ipa1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/[email protected]
        renew until 02/07/14 11:54:55
02/06/14 11:55:38  02/06/14 21:54:57  cifs/[email protected]
        renew until 02/07/14 11:54:55
02/06/14 11:56:50  02/06/14 21:54:57  krbtgt/[email protected]
        renew until 02/07/14 11:54:55
02/06/14 11:57:05  02/06/14 21:54:57  host/[email protected]
        renew until 02/07/14 11:54:55

It appears the rewrite rules in krb5.conf are not working; not sure what I missed.

> 4. Attempt to use Kerberos ticket:
>
> ssh -l [email protected] ipa.client.domain
>
> At this point if everything works fine, SSHd will authenticate
> [email protected] by its Kerberos ticket and authorize its access.
>
> --
> / Alexander Bokovoy
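An added example, not code from the thread or from the FreeIPA/SSSD projects: a small POSIX shell check for the two client-side sssd.conf settings Alexander asks for (subdomains_provider = ipa in every [domain/...] section, and 'pac' in the [sssd] services list). The function names are my own and the sample configs are constructed to mirror the ones quoted above.

```shell
# Added example, not from the thread: check a client sssd.conf for the two
# trust settings Alexander lists (subdomains_provider = ipa in every
# [domain/...] section, 'pac' in the [sssd] services list). Sample
# configs below are constructed to mirror the ones quoted in the thread.
# Returns 0 when every [domain/...] section carries subdomains_provider = ipa.
domains_have_subdomains_provider() {
    awk '
        function close_section() { if (indom) { ndom++; if (ok) nok++ } }
        /^[[:space:]]*\[/ { close_section(); indom = ($0 ~ /^[[:space:]]*\[domain\//); ok = 0; next }
        indom { line = $0; gsub(/[[:space:]]/, "", line); if (line == "subdomains_provider=ipa") ok = 1 }
        END { close_section(); exit !(ndom > 0 && nok == ndom) }
    ' "$1"
}
# Returns 0 when the [sssd] section lists pac among its services.
sssd_services_have_pac() {
    awk '
        /^[[:space:]]*\[/ { insssd = ($0 ~ /^[[:space:]]*\[sssd\]/); next }
        insssd { line = $0; gsub(/[[:space:]]/, "", line)
                 if (index(line, "services=") == 1) {
                     n = split(substr(line, 10), svc, ",")
                     for (i = 1; i <= n; i++) if (svc[i] == "pac") found = 1 } }
        END { exit !found }
    ' "$1"
}
# Returns 0 only when both settings are present; names what is missing otherwise.
check_trust_config() {
    rc=0
    domains_have_subdomains_provider "$1" || { echo "$1: no 'subdomains_provider = ipa' in a [domain/...] section"; rc=1; }
    sssd_services_have_pac "$1" || { echo "$1: 'pac' missing from 'services =' in [sssd]"; rc=1; }
    return $rc
}
TMPD=$(mktemp -d)
# Constructed: the client config quoted in the thread, before the fix
cat > "$TMPD/client.conf" <<'EOF'
[domain/miolinux.corp]
id_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
[sssd]
services = nss, pam, ssh
EOF
# Constructed: the same config with both settings added
cat > "$TMPD/fixed.conf" <<'EOF'
[domain/miolinux.corp]
id_provider = ipa
subdomains_provider = ipa
[sssd]
services = nss, pam, ssh, pac
EOF
check_trust_config "$TMPD/client.conf"; check_trust_config "$TMPD/fixed.conf" && echo "fixed.conf: ok"
```

Running check_trust_config against /etc/sssd/sssd.conf on a client reports either gap before sssd is restarted; a clean run still says nothing about the krb5.conf auth_to_local rules, which need a separate look.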
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
