On Thu, Feb 6, 2014 at 11:14 AM, Alexander Bokovoy <aboko...@redhat.com>wrote:

> On Thu, 06 Feb 2014, Steve Dainard wrote:
>
>> So I've completed the setup, and can see the trust on the Windows side.
>>
>> I've joined a client to the IPA realm, and can login with a IPA user. When
>> I try to login (console, ssh, su -) as a domain user I get:
>>
>> --------CLIENT SIDE--------
>>
>> [root@rhel6-client ~]# su - sdainard@miovision
>> su: user sdainard@miovision does not exist
>> [root@rhel6-client ~]# su - sdain...@miovision.corp
>> su: user sdain...@miovision.corp does not exist
>> [root@rhel6-client ~]# su - sdain...@miovision.corp
>> su: user sdain...@miovision.corp does not exist
>>
>>
>> [root@rhel6-client ~]# ssh sdainard@miovision@localhost
>> sdainard@miovision@localhost's password:
>> Permission denied, please try again.
>>
>>
>> /var/log/secure:
>> Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>> Feb  6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
>> retrieving information about user sdainard@miovision
>> Feb  6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
>> sdainard@miovision from ::1 port 47391 ssh2
>> Feb  6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
>> Feb  6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from
>> ::1
>> Feb  6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
>> sdainard@miovision
>> Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>> Feb  6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
>> retrieving information about user sdainard@miovision
>> Feb  6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
>> sdainard@miovision from ::1 port 47417 ssh2
>>
> Note that there are no logs from sssd above which means sssd never
> consulted.
>
>
>
>> No logs for sssd;
>> # pwd
>> /var/log/sssd
>> [root@snapshot-test sssd]# ll
>> total 0
>> -rw-------. 1 root root 0 Feb  5 17:38 krb5_child.log
>> -rw-------. 1 root root 0 Feb  5 17:38 ldap_child.log
>> -rw-------. 1 root root 0 Feb  5 17:37 sssd.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_miolinux.corp.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_nss.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_pac.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_pam.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_ssh.log
>>
> sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
> have   debug_level = <value>
> line. For more details see sssd.conf(5).
>
>
>
>> /etc/sssd/sssd.conf:
>> [domain/miolinux.corp]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = miolinux.corp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = rhel6-client.miolinux.corp
>> chpass_provider = ipa
>> ipa_server = _srv_, ipa1.miolinux.corp
>> ldap_tls_cacert = /etc/ipa/ca.crt
>>
> you are missing SSSD configuration for trusts:
>
> subdomains_provider = ipa
>
>
>  [sssd]
>> services = nss, pam, ssh
>>
> and here also service 'pac' has to be referenced in the 'services = '
> line
>
>
>  config_file_version = 2
>>
>> domains = miolinux.corp
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>>
>>
> Basically, situation should look like this:
>
> 1. IPA master server configured to talk to AD DC, by means of using
> winbindd in
>    background (on RHEL 6.x, in current Fedora it is done by directly
>    talking to AD LDAP services by SSSD). SSSD on IPA master uses it to
> resolve IDs for AD users
>    and groups. This requires special setup of SSSD on IPA master, with
>
>    [domain/...]
>    subdomains_provider = ipa
>
>    and
>
>    [sssd]
>      services = ..., pac
>

Server side looks right:

[domain/miolinux.corp]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.miolinux.corp
chpass_provider = ipa
ipa_server = ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = miolinux.corp
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]



>
>    In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
>    automatically by setting       ipa_master_mode = True
>
>    On RHEL 6.x one needs to add the parameters manually.
>
> 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
>    principals to lower-cased versions because some applications (SSH)
>    are very picky about user/principal name mapping. This has to be done
>    on both IPA masters and IPA clients.
>

This was done on the IPA server, but the RHEL 6.5 client doesn't have this
file.

On the IPA server:

[realms]
 MIOLINUX.CORP = {
  kdc = ipa1.miolinux.corp:88
  master_kdc = ipa1.miolinux.corp:88
  admin_server = ipa1.miolinux.corp:749
  default_domain = miolinux.corp
  pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
auth_to_local = DEFAULT

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials



A CentOS 6.5 client has this file. The docs didn't mention the manual
client config, I just assumed the IPA server would proxy the request. After
adding, no change.



>
> 3. On IPA clients SSSD needs to have following in the
>    /etc/sssd/sssd.conf
>
>    [domain/...]
>    subdomains_provider = ipa
>
>    and
>
>    [sssd]
>    services = ..., pac
>

Added.


>
>    With these changes SSSD on IPA client will recognize AD users and
>    request IPA master to perform name/SID/etc resolution, and also will
>    make an attempt to parse special part of the Kerberos ticket
>    generated by AD DC (MS-PAC) that contains signed cached copy of group
>    ownership for AD users.
>
> SSSD needs restart after each config change.
>
> You can do checks step by step to see whether things are working:
>
> 1. Ensure that SSSD on IPA master resolves AD user properly:
>
>    getent passwd user@ad.domain
>
>    Should return non-empty entry.
>

Returns no values.

[root@ipa1 ~]# getent passwd sdain...@miovision.corp
[root@ipa1 ~]#




>
> 2. Ensure that SSSD on IPA client resolves AD user properly:
>
>    getent passwd user@ad.domain
>
>    Should return non-empty entry.
>

[root@snapshot-test ~]# getent passwd sdain...@miovision.corp
[root@snapshot-test ~]#




>
> 3. Ensure that Kerberos infrastructure works:
>
>    kinit user@ad.domain
>    kvno -S host ipa.client.domain
>

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:

[root@ipa1 ~]# kvno cifs/dc1.miovision.c...@miovision.corp
cifs/dc1.miovision.c...@miovision.corp: kvno = 41

[root@ipa1 ~]# kvno -S host ipa1.miolinux.corp
host/ipa1.miolinux.c...@miolinux.corp: kvno = 2

[root@ipa1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sdain...@miovision.corp

Valid starting     Expires            Service principal
02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/miovision.c...@miovision.corp
 renew until 02/07/14 11:54:55
02/06/14 11:55:38  02/06/14 21:54:57  cifs/dc1.miovision.c...@miovision.corp
renew until 02/07/14 11:54:55
02/06/14 11:56:50  02/06/14 21:54:57  krbtgt/miolinux.c...@miovision.corp
renew until 02/07/14 11:54:55
02/06/14 11:57:05  02/06/14 21:54:57  host/ipa1.miolinux.c...@miolinux.corp
 renew until 02/07/14 11:54:55

It appears the rewrite rules in krb5.conf are not working, not sure what I
missed.



>
> 4. Attempt to use Kerberos ticket:
>
>    ssh -l user@ad.domain ipa.client.domain
>
>    At this point if everything works fine, SSHd will authenticate
>    user@ad.domain by its Kerberos ticket and authorize its access.
>
>
> --
> / Alexander Bokovoy
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to