On Thu, Nov 08, 2012 at 11:01:33AM -0600, James Chambers wrote:
> Hello,
>
> I was told by a user on linuxquestions.org to try this list for help.
>
> So we've been trying to get SSSD working with AD on RHEL 6 for about a week
> now. We've been trying to follow
> http://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory
>
> As 1.8.0-32 is part of the latest install of RHEL 6, that's the version we
> need to use.
>
> We can get configuration number 6.4 Kerberos/LDAP working just fine and SSH
> with that, but we want option 6.3 SSSD/Kerberos/LDAP for the caching
> features.
>
> When the 6.3 option is enabled, we can do an ldapsearch just fine with
> ldapsearch -Y GSSAPI -N "(sAMAccountName=username)"
>
> It's when we try to SSH to the server that we are unable to get it to
> work. We do ssh -vvvv username@servername and get a permission denied when
> we enter the password.
>
> In /var/log/messages we get:
> GSSAPI Error: Unspecified GSS failure. Minor code may prove more
> information (Matching credential not found)
>
> In /var/log/secure, we get:
> Invalid user username from ipaddress
> input_userauth_request: invalid user username
> pam_unix(sshd:auth): check pass; user unknown
> pam_unix(sshd:auth: authentication failure; logname= uid=0 euid=0 tty=ssh
> ruser= rhost=servername
> pam_succeed_if(sshd:auth): error retriving information about user username
> Failed password for invalid user username from ipaddress port portid SSH2
>
> Here is the /var/sssd/sssd.conf file:
> [sssd]
> services = nss, pam
> config_file_version = 2
> debug_level = 9
> domains = default
>
> [nss]
>
> [pam]
>
> [domain/default]
> debug_level = 9
> enumerate = false
> id_provider = ldap
> chpass_provider = krb5
> case_sensitive = false
> ldap_uri = ldap://ldapservername.domain.domain.domain
> ldap_search_base = dc=domain,dc=domain,dc=domain
> ldap_user_search_base = dc=domain,dc=domain,dc=domain
> ldap_group_search_base = dc=domain,dc=domain,dc=domain
> ldap_id_use_start_tls = true
> ldap_schema = rfc2307bis
> ldap_sasl_mech = GSSAPI
> ldap_force_upper_case_realm = true
> ldap_krb5_keytab = /etc/krb5.keytab
> ldap_sasl_authid = host/[email protected]
>
> auth_provider = krb5
> cache_credentials = true
> krb5_realm = DOMAIN.DOMAIN.DOMAIN
> krb5_server = ldapservername.DOMAIN.DOMAIN.DOMAIN
> krb5_ccachedir = /tmp
> krb5_auth_timeout = 15
>
> ldap_user_object_class = user
> ldap_user_modify_timestamp = whenChanged
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_user_name = sAMAccountName
> ldap_user_shell = loginShell
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_group_object_class = group
> ldap_group_modify_timestamp = whenChanged
> ldap_group_name = sAMAccountName
> ldap_group_gid_number = gidNumber
>
> krb5_kpasswd = ldapservername.domain.domain.domain
>
> access_provider = ldap
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_disable_referrals = true
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> I've tried changing access_provider to simple or permit and it
> didn't work. I tried adding ldap_access_filter to allow my id and tried
> objectClass=user and it didn't work. I modified the sssd.conf file based on
> another one I found at zews.org/rhel6-active-directory
>
> Here is the password-auth file:
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> nsswitch.conf has the following:
> passwd: files sss
> shadow: files sss
> group: files sss
>
> ldap_child.log gives me the following:
> [unpack_buffer] (0x1000): total buffer size 94
> [unpack_buffer] (0x1000): realm_str size: 15
> [unpack_buffer] (0x1000): got realm_str: DOMAIN.DOMAIN.DOMAIN
> [unpack_buffer] (0x1000): princ_str size: 47
> [unpack_buffer] (0x1000): got princ_str: host/[email protected]
> [unpack_buffer] (0x1000): keytab_name size = 16
> [unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
> [unpack_buffer] (0x1000): lifetime: 86400
> [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/[email protected]]
>
> That's it. The AD side sees that we are doing the query and doesn't see
> anything on their end in terms of errors and such.
>
> At a loss right now on what we are doing wrong in the configuration for
> option 6.3. We have a working keytab for Kerberos. We know we can see
> AD with ldapsearch. We just can't get it to work with SSSD and SSH.
Thank you for the detailed problem description. At a glance, I don't see anything in your configuration that would strike me as wrong.

I assume you are not able to get the user data with "getent passwd user" on the server? Are you able to kinit with the keytab as host/[email protected]? Can you paste a bigger portion of the logs?

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
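The reply's two questions (does "getent passwd user" work, does kinit with the keytab work) separate the two stages at which an SSSD-backed SSH login can fail: resolving the account through NSS (id_provider) and checking the password (auth_provider). The quoted /var/log/secure lines ("Invalid user", "user unknown") come from sshd and pam_unix before any password reaches SSSD, so they point at the lookup stage, and no amount of access_provider changes can help there. The triage script below is an added example, not code from this thread or from the SSSD project: it classifies a batch of sshd log lines into that stage, and lints an sssd.conf for two problems that are easy to miss by eye, an option name SSSD does not recognise (and therefore silently does not apply) and a realm in ldap_sasl_authid that does not match krb5_realm (Kerberos compares realm names case-sensitively). The option list is a subset assembled from the options in the thread, not the full SSSD option list; the hostnames, realm, config file and log lines are constructed for the example.

```python
"""Triage helpers for an SSSD login failure over SSH.

Added example, not code from the mailing-list thread or from SSSD. The
option set, hostnames, realm and log lines below are constructed.
"""
import configparser
import re

# Assumption: a subset of valid sssd.conf [domain/...] option names, built
# from the options the thread uses; it is not the complete SSSD option list.
KNOWN_DOMAIN_OPTIONS = {
    "debug_level", "enumerate", "id_provider", "chpass_provider", "case_sensitive",
    "ldap_uri", "ldap_search_base", "ldap_user_search_base", "ldap_group_search_base",
    "ldap_id_use_start_tls", "ldap_schema", "ldap_sasl_mech", "ldap_force_upper_case_realm",
    "ldap_krb5_keytab", "ldap_sasl_authid", "auth_provider", "cache_credentials",
    "krb5_realm", "krb5_server", "krb5_ccachedir", "krb5_auth_timeout",
    "ldap_user_object_class", "ldap_user_modify_timestamp", "ldap_user_home_directory",
    "ldap_user_principal", "ldap_user_name", "ldap_user_shell", "ldap_user_uid_number",
    "ldap_user_gid_number", "ldap_group_object_class", "ldap_group_modify_timestamp",
    "ldap_group_name", "ldap_group_gid_number", "krb5_kpasswd", "access_provider",
    "ldap_access_order", "ldap_account_expire_policy", "ldap_tls_cacertdir",
    "ldap_disable_referrals",
}

# sshd/pam_unix wording that means the account was never resolved via NSS;
# in that case the password was never handed to the auth provider at all.
IDENTITY_FAILURE = re.compile(r"invalid user|user unknown", re.IGNORECASE)
# Wording that appears once the account resolved and the credential was rejected.
AUTH_FAILURE = re.compile(r"authentication failure|failed password", re.IGNORECASE)


def classify_sshd_failure(lines):
    """Return 'identity', 'auth' or 'none' for a batch of /var/log/secure lines.

    'identity' wins over 'auth': pam_unix still logs an authentication failure
    when the user is unknown, so the earlier stage is the one to fix first.
    """
    saw_auth = False
    for line in lines:
        if IDENTITY_FAILURE.search(line):
            return "identity"
        if AUTH_FAILURE.search(line):
            saw_auth = True
    return "auth" if saw_auth else "none"


def lint_sssd_conf(text):
    """Return a list of findings for an sssd.conf given as a string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    for needed in ("nss", "pam"):
        if needed not in services:
            findings.append(f"[sssd] services does not include '{needed}'")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        for key in opts:  # configparser lower-cases option names for us
            if key not in KNOWN_DOMAIN_OPTIONS:
                findings.append(f"[{section}] unknown option '{key}' is not applied; check spelling")
        realm = opts.get("krb5_realm", "")
        authid = opts.get("ldap_sasl_authid", "")
        if realm and "@" in authid:
            authid_realm = authid.rsplit("@", 1)[1]
            if authid_realm != realm:  # Kerberos realm comparison is case-sensitive
                findings.append(f"[{section}] ldap_sasl_authid realm '{authid_realm}' "
                                f"does not match krb5_realm '{realm}'")
    return findings


# Constructed sample: one mistyped option and a lower-case realm in the SASL authid.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@example.com
krb5_realm = EXAMPLE.COM
ldap_user_princical = userPrincipalName
"""

# Constructed /var/log/secure excerpt in the shape the thread quotes.
SAMPLE_SECURE_LOG = [
    "Nov  8 10:55:01 server sshd[1234]: Invalid user alice from 10.0.0.5",
    "Nov  8 10:55:01 server sshd[1234]: input_userauth_request: invalid user alice",
    "Nov  8 10:55:03 server sshd[1234]: pam_unix(sshd:auth): check pass; user unknown",
    "Nov  8 10:55:03 server sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5",
    "Nov  8 10:55:05 server sshd[1234]: Failed password for invalid user alice from 10.0.0.5 port 50000 ssh2",
]

if __name__ == "__main__":
    print("sshd failure stage:", classify_sshd_failure(SAMPLE_SECURE_LOG))
    for finding in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print("sssd.conf:", finding)
```

On the constructed input the classifier reports the identity stage, which is the same conclusion the reply draws from the thread's logs, and the linter flags the misspelled option and the realm mismatch; on a real host the same checks would be run against /etc/sssd/sssd.conf and the tail of /var/log/secure, with "getent passwd user" as the direct test of the NSS stage.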
