[SSSD-users] Re: How to authenticate machine with Kerberos to Active Directory?
On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor wrote:

> I have a program I am trying to set up which tries to authenticate
> with the principal host\machine-FQDN@REALM using Kerberos.
>
> However, when I run kinit -k, the machine isn't found in the Kerberos
> database.

"kinit -k" (with no arguments) defaults to attempting to obtain a TGT for (e.g.) host/mymachine.example@example.org, which only works if you set userPrincipalName to host/mymachine.example@example.org when you joined the host to Active Directory.

Running "kinit -k MYMACHINE\$" (that is, using the value of the sAMAccountName attribute as the argument to "kinit -k") should always work.

> From what I have read, SSSD is responsible for being the glue
> between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which
> Active Directory uses).

This has nothing to do with sssd; it's all about setting userPrincipalName correctly when you join the host to AD if you want "kinit -k" (with no arguments) to work.

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
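An added example (not from the thread, and not part of sssd or realmd) of the distinction the reply draws: given the output of "klist -k" for a host joined with "realm join", pick out the sAMAccountName principal (the one ending in "$") that must be passed to "kinit -k" explicitly, as opposed to the host/ principal a bare "kinit -k" would try and which only works when userPrincipalName matches it. The keytab listing is constructed and the function names are mine; the "$" in the principal has to be quoted from the shell, which is why the reply writes MYMACHINE\$.

```shell
#!/bin/sh
# Constructed "klist -k" listing for a host named mymachine.example.org that
# was joined to the EXAMPLE.ORG domain (this is sample data, not a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYMACHINE$@EXAMPLE.ORG
   2 host/mymachine.example.org@EXAMPLE.ORG
   2 RestrictedKrbHost/mymachine.example.org@EXAMPLE.ORG'

# The computer-account principal in sAMAccountName form: a name with no "/"
# that ends in "$" before the realm. AD always accepts this for "kinit -k".
machine_account_principal() {
    printf '%s\n' "$1" | awk '$2 ~ "^[^/]+[$]@" { print $2; exit }'
}

# The service principal a bare "kinit -k" would try (host/<fqdn>@REALM).
# It only works if userPrincipalName was set to this value at join time.
host_service_principal() {
    printf '%s\n' "$1" | awk '$2 ~ "^host/" { print $2; exit }'
}

# Build the kinit invocation that works regardless of userPrincipalName.
# The principal is single-quoted so the shell does not expand the "$".
kinit_command() {
    p=$(machine_account_principal "$1")
    [ -n "$p" ] || return 1
    printf "kinit -k '%s'\n" "$p"
}

# When run directly, print the command to use for this keytab.
kinit_command "$SAMPLE_KLIST"
```

Replace SAMPLE_KLIST with the real output of "klist -k" to get the principal for your own host; if no "$" principal is listed, the keytab was not written by a normal AD join.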
[SSSD-users] How to authenticate machine with Kerberos to Active Directory?
Hello,

I have a program I am trying to set up which tries to authenticate with the principal host\machine-FQDN@REALM using Kerberos.

However, when I run kinit -k, the machine isn't found in the Kerberos database.

The reason I think this question belongs here is I used realm join to configure Kerberos, SSSD, and PAM automagically to work with an Active Directory based domain controller. All my domain user accounts are able to get tickets just fine, but the default Kerberos keytab cannot.

From what I have read, SSSD is responsible for being the glue between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active Directory uses). I am just scratching my head here on how I can get access to the principal used by the machine itself to get Kerberos tickets.

Is there a good way to go about this? Is SSSD responsible for this information, or is my domain controller configured incorrectly for this kind of setup?

Thank you,
Wes
[SSSD-users] Re: Does sssd use initgroups?
Thank you for the thorough explanation.

Spike

On Tue, Jul 28, 2020 at 9:08 AM Pavel Březina wrote:

> On 7/27/20 11:07 AM, Lukas Slebodnik wrote:
> > On (26/07/20 12:08), Spike White wrote:
> >> All,
> >>
> >> sssd front-end, AD back-end. Does sssd use initgroups to use initial
> >> group membership?
> >>
> >> I was recently debugging a sssd connection problem in the
> >> /var/log/sssd/sssd* logs (debug level 9), and I thought I saw a reference
> >> to initgroups or getgrouplist().
> >>
> >> my /etc/nsswitch.conf file has:
> >>
> >> passwd: files systemd sss
> >> group: files systemd sss
> >>
> >> Should I also have a line with:
> >>
> >> initgroups: files systemd sss
> >>
> >
> > glibc will try to use all possible modules if initgroups is missing in
> > /etc/nsswitch.conf.
> >
> > I would not recommend adding such a line to nsswitch.conf
>
> If an initgroups line is present it behaves quite differently than what you
> would expect, and you need to add [SUCCESS=continue] after each module
> to get the same result.
>
> If it is not present it defaults to the "group" map with sane behavior.
>
> This is a nice explanation of the problem:
> https://bugs.gentoo.org/682314#c2
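An added example (not from the thread) that turns Pavel's point into an audit check: with no "initgroups:" line glibc falls back to the "group" map and consults every module; with one, lookup stops at the first module that succeeds unless each module is followed by [SUCCESS=continue]. The function below reports whether a given nsswitch.conf is missing the line, has it written safely, or has the stop-early form from Spike's question. The two configs and the function name are mine; the check treats a trailing action after the last module as harmless.

```shell
#!/bin/sh
# Constructed nsswitch.conf contents: the form asked about in the thread
# (stops at the first module that returns a result) and the corrected form.
BAD_NSSWITCH='passwd: files systemd sss
group: files systemd sss
initgroups: files systemd sss'

OK_NSSWITCH='passwd: files systemd sss
group: files systemd sss
initgroups: files [SUCCESS=continue] systemd [SUCCESS=continue] sss'

# Print "absent", "ok" or "stops-early" for the initgroups line in $1.
# "absent" is the recommended state: glibc then uses the "group" map.
check_initgroups() {
    line=$(printf '%s\n' "$1" | awk '/^[[:space:]]*initgroups:/ { print; exit }')
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    # Drop the "initgroups:" key, then walk the module and action tokens.
    spec=${line#*:}
    pending=0   # 1 while the previous module has no [SUCCESS=continue] yet
    bad=0
    for tok in $spec; do
        case $tok in
            \[SUCCESS=continue\]) pending=0 ;;
            \[*\]) ;;   # other actions do not change the stop-early verdict
            *)  # a module: if the previous module was not continued, lookup
                # would have stopped there on success and skipped this one
                if [ "$pending" -eq 1 ]; then bad=1; fi
                pending=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then echo stops-early; else echo ok; fi
}

# When run directly, report on both constructed configs.
echo "thread form:    $(check_initgroups "$BAD_NSSWITCH")"
echo "corrected form: $(check_initgroups "$OK_NSSWITCH")"
```

Feed it your real file with check_initgroups "$(cat /etc/nsswitch.conf)"; "stops-early" means users in sss-provided groups may lose supplementary groups that files or systemd do not return.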
[SSSD-users] offline auth and system upgrades
I've been using sssd + AD to do auth for a few years now. Offline authentication is enabled and works normally. In that time I've upgraded my Ubuntu laptop several times, and each time I noticed that after the update, I cannot log in unless I'm on the corp network with direct access to AD.

That hasn't really been a problem until now. I'm working from home over VPN all the time and don't have the option of going in to get on the corp network. I know the workaround is to use a local account, get on the VPN, authenticate with my AD account and populate the cache, but IT doesn't like me creating local users and it's a pain. I haven't tried the latest update yet (19.10 -> 20.04, sssd currently 2.2.0).

Since something in the upgrade process is presumably destroying the cache, I was wondering if there's a "nice" way around this? Ubuntu upgrades for sssd seem like they're just upgrading sssd via apt, so I'm wondering why these major updates seem to operate differently from minor ones, and if that's intentional.

Thanks!