Hello, I was told by a user in linuxquestions.org to try this list for help.
So we've been trying to get SSSD working with AD on RHEL 6 for about a week now. We've been trying to follow http://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory. As 1.8.0-32 is part of the latest install of RHEL 6, that's the version we need to use. We can get configuration 6.4 (Kerberos/LDAP) working just fine and SSH with that, but we want option 6.3 (SSSD/Kerberos/LDAP) for the caching features.

When the 6.3 option is enabled, we can do an ldapsearch just fine with:

ldapsearch -Y GSSAPI -N "(sAMAccountName=username)"

It's when we try to SSH to the server that we are unable to get it to work. We do ssh -vvvv username@servername and get a permission denied when we enter the password.

In /var/log/messages we get:

GSSAPI Error: Unspecified GSS failure. Minor code may prove more information (Matching credential not found)

In /var/log/secure, we get:

Invalid user username from ipaddress
input_userauth_request: invalid user username
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername
pam_succeed_if(sshd:auth): error retriving information about user username
Failed password for invalid user username from ipaddress port portid SSH2

Here is the /var/sssd/sssd.conf file:

[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = default

[nss]

[pam]

[domain/default]
debug_level = 9
enumerate = false
id_provider = ldap
chpass_provider = krb5
case_sensitive = false
ldap_uri = ldap://ldapservername.domain.domain.domain
ldap_search_base = dc=domain,dc=domain,dc=domain
ldap_user_search_base = dc=domain,dc=domain,dc=domain
ldap_group_search_base = dc=domain,dc=domain,dc=domain
ldap_id_use_start_tls = true
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = host/[email protected]
auth_provider = krb5
cache_credentials = true
krb5_realm = DOMAIN.DOMAIN.DOMAIN
krb5_server = ldapservername.DOMAIN.DOMAIN.DOMAIN
krb5_ccachedir = /tmp
krb5_auth_timeout = 15
ldap_user_object_class = user
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_princical = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
krb5_kpasswd = ldapservername.domain.domain.domain
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_disable_referrals = true

[sudo]

[autofs]

[ssh]

I've tried changing access_provider to simple or permit and it didn't work. I tried adding ldap_access_filter to allow my id, and tried objectClass=user, and it didn't work. I modified the sssd.conf file based on another one I found at zews.org/rhel6-active-directory.

Here is the password-auth file:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

nsswitch.conf has the following:

passwd: files sss
shadow: files sss
group: files sss

ldap_child.log gives me the following:

[unpack_buffer] (0x1000): total buffer size 94
[unpack_buffer] (0x1000): realm_str size: 15
[unpack_buffer] (0x1000): got realm_str: DOMAIN.DOMAIN.DOMAIN
[unpack_buffer] (0x1000): princ_str size: 47
[unpack_buffer] (0x1000): got princ_str: host/[email protected]
[unpack_buffer] (0x1000): keytab_name size = 16
[unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
[unpack_buffer] (0x1000): lifetime: 86400
[ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/[email protected]]

That's it. The AD side sees that we are doing the query and doesn't see any errors or the like on their end. At a loss right now as to what we are doing wrong in the configuration for option 6.3. We have a working keytab for Kerberos. We know we can see AD with ldapsearch. We just can't get it to work with SSSD and SSH.
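Added example, not code from the poster or the SSSD project: a small lint that parses an sssd.conf with Python's stock configparser and reports option names outside a set taken from the sssd.conf(5), sssd-ldap(5) and sssd-krb5(5) manual pages, plus any name in the [sssd] domains= list without a matching [domain/NAME] section. The known-option set is limited to what the configuration above uses (an assumption of this example, not a full catalogue). Run over a condensed copy of that configuration it reports ldap_user_princical, which is not a documented option (the manual page spells it ldap_user_principal); SSSD releases of that era do not reject unknown keys, so such a line silently leaves the built-in default in force.

```python
import configparser

# Option names from sssd.conf(5), sssd-ldap(5) and sssd-krb5(5). Deliberately limited to
# what the posted configuration uses plus ldap_user_principal (assumption; not complete).
KNOWN = {
    "sssd": {"services", "config_file_version", "debug_level", "domains"},
    "domain": set("""
        debug_level enumerate id_provider auth_provider chpass_provider access_provider
        case_sensitive cache_credentials ldap_uri ldap_search_base ldap_user_search_base
        ldap_group_search_base ldap_id_use_start_tls ldap_schema ldap_sasl_mech ldap_sasl_authid
        ldap_force_upper_case_realm ldap_krb5_keytab ldap_user_object_class ldap_user_principal
        ldap_user_modify_timestamp ldap_user_home_directory ldap_user_name ldap_user_shell
        ldap_user_uid_number ldap_user_gid_number ldap_group_object_class ldap_group_name
        ldap_group_modify_timestamp ldap_group_gid_number ldap_access_order krb5_realm
        ldap_account_expire_policy ldap_tls_cacertdir ldap_disable_referrals krb5_server
        krb5_ccachedir krb5_auth_timeout krb5_kpasswd""".split()),
}

def lint_sssd_conf(text):
    # Returns (section, message) pairs for an sssd.conf body given as a string.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    problems = []
    # Each name in [sssd] domains= needs a [domain/NAME] section or sssd serves nothing for it.
    if cp.has_section("sssd"):
        for name in cp.get("sssd", "domains", fallback="").split(","):
            name = name.strip()
            if name and not cp.has_section("domain/" + name):
                problems.append(("sssd", "domains lists %s but [domain/%s] is missing" % (name, name)))
    for section in cp.sections():
        kind = "domain" if section.startswith("domain/") else section
        if kind not in KNOWN:
            continue  # [nss], [pam], [sudo], [autofs], [ssh] are not checked here
        for key in cp.options(section):
            if key not in KNOWN[kind]:
                # Older SSSD releases do not reject unknown keys, so a misspelled
                # option silently leaves the built-in default in force.
                problems.append((section, "unknown option %s" % key))
    return problems

# Constructed sample: a condensed copy of the configuration quoted in the post.
SAMPLE_CONF = """[sssd]
services = nss, pam
domains = default
[domain/default]
id_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_user_princical = userPrincipalName
ldap_user_name = sAMAccountName
krb5_realm = DOMAIN.DOMAIN.DOMAIN
"""
```

Calling lint_sssd_conf(SAMPLE_CONF) returns a single finding for [domain/default]: unknown option ldap_user_princical.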
_______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-users
