On Thu, 06 Feb 2014, Steve Dainard wrote:
   In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
   automatically by setting ipa_master_mode = True

   On RHEL 6.x one needs to add the parameters manually.

2. /etc/krb5.conf has to contain auth_to_local rules that map AD
   principals to lower-cased versions because some applications (SSH)
   are very picky about user/principal name mapping. This has to be done
   on both IPA masters and IPA clients.


This was done on the IPA server, but the RHEL 6.5 client doesn't have this
file.

On the IPA server:

[realms]
MIOLINUX.CORP = {
 kdc = ipa1.miolinux.corp:88
 master_kdc = ipa1.miolinux.corp:88
 admin_server = ipa1.miolinux.corp:749
 default_domain = miolinux.corp
 pkinit_anchors = FILE:/etc/ipa/ca.crt
 auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
 auth_to_local = DEFAULT

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials
MIT Kerberos is case-sensitive for the realm, so it should always be
 kinit sdain...@miovision.corp

Also make sure that your rule above has the proper realm. If your realm is
MIOVISION.CORP, then the auth_to_local rule is

auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/

In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
automatically generate (and supply) these rules. Prior to that we have
to have explicit configuration on all clients and servers.

A CentOS 6.5 client has this file. The docs didn't mention the manual
client config; I just assumed the IPA server would proxy the request. After
adding it, no change.
A request to IPA server needs to come from a client and a client needs
to know about that. We changed SSSD 1.11+ to discover IPA capabilities
and self-configure but for older clients (1.9..1.10) you need to perform
it through explicit config.

   With these changes SSSD on the IPA client will recognize AD users and
   request the IPA master to perform name/SID/etc. resolution, and will also
   make an attempt to parse a special part of the Kerberos ticket
   generated by the AD DC (MS-PAC) that contains a signed cached copy of group
   membership for AD users.

SSSD needs a restart after each config change.

You can do checks step by step to see whether things are working:

1. Ensure that SSSD on IPA master resolves AD user properly:

   getent passwd user@ad.domain

   Should return non-empty entry.


Returns no values.

[root@ipa1 ~]# getent passwd sdain...@miovision.corp
[root@ipa1 ~]#
Can you add debug_level=9 to [domain/...] section in
/etc/sssd/sssd.conf, restart sssd and try again?

In /var/log/sssd/sssd_<domain>.log there will be a lot of debug
information that I'd like to see (send it privately).

If sssd properly tries to talk to winbindd to resolve id, I'd like to
see winbind logs then:

# smbcontrol all debug 100
# getent passwd sdain...@miovision.corp
# smbcontrol all debug 1

and send me logs from /var/log/samba.

2. Ensure that SSSD on IPA client resolves AD user properly:

   getent passwd user@ad.domain

   Should return non-empty entry.


[root@snapshot-test ~]# getent passwd sdain...@miovision.corp
[root@snapshot-test ~]#

Once we solve it for IPA master, we can continue with this part.

3. Ensure that Kerberos infrastructure works:

   kinit user@ad.domain
   kvno -S host ipa.client.domain


[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials
Expected (realm is case-sensitive).


[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:

[root@ipa1 ~]# kvno cifs/dc1.miovision.c...@miovision.corp
cifs/dc1.miovision.c...@miovision.corp: kvno = 41

[root@ipa1 ~]# kvno -S host ipa1.miolinux.corp
host/ipa1.miolinux.c...@miolinux.corp: kvno = 2

[root@ipa1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sdain...@miovision.corp

Valid starting     Expires            Service principal
02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/miovision.c...@miovision.corp
        renew until 02/07/14 11:54:55
02/06/14 11:55:38  02/06/14 21:54:57  cifs/dc1.miovision.c...@miovision.corp
        renew until 02/07/14 11:54:55
02/06/14 11:56:50  02/06/14 21:54:57  krbtgt/miolinux.c...@miovision.corp
        renew until 02/07/14 11:54:55
02/06/14 11:57:05  02/06/14 21:54:57  host/ipa1.miolinux.c...@miolinux.corp
        renew until 02/07/14 11:54:55
Kerberos infrastructure works fine.


--
/ Alexander Bokovoy
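As an added illustration (not part of the thread and not MIT's implementation), the following simplified Python model of how krb5.conf auth_to_local RULE and DEFAULT entries are evaluated shows why the rule with the truncated realm never matches an AD principal, while the corrected rule lower-cases the realm as intended. The principal "aduser" and the exact regex/substitution semantics are assumptions; the realm names are the ones used in the thread.

```python
import re

# Simplified model of MIT krb5 auth_to_local: RULE:[n:fmt](regex)s/pat/repl/[g]
# and DEFAULT. This is an added illustration, not MIT's implementation
# (MIT uses POSIX regular expressions; Python's re is used here for brevity).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\]\((.*)\)s/(.*)/(.*)/(g?)")


def apply_rule(rule, principal):
    """Return the local name produced by one RULE entry, or None if it does not apply."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, regex, pat, repl, glob = m.groups()
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != int(ncomp):       # [n:...] only selects n-component principals
        return None
    formed = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components
    for i, comp in enumerate(comps, 1):
        formed = formed.replace("$%d" % i, comp)
    if not re.search(regex, formed):   # selector regex must match the formed string
        return None
    return re.sub(pat, repl, formed, count=0 if glob else 1)


def auth_to_local(rules, principal, default_realm):
    """Evaluate rules in order, as krb5.conf does; None means the mapping fails."""
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals in the default realm
            name, realm = principal.rsplit("@", 1)
            if realm == default_realm and "/" not in name:
                return name
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


# Constructed inputs: the rule as first posted (realm truncated) and the corrected one.
TRUNCATED = "RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/"
CORRECTED = "RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/"

if __name__ == "__main__":
    for rule in (TRUNCATED, CORRECTED):
        print(rule, "->", auth_to_local([rule, "DEFAULT"], "aduser@MIOVISION.CORP", "MIOLINUX.CORP"))
```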

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
