On Mon, Sep 19, 2016 at 05:38:05AM -0000, klin...@gmail.com wrote:
> Hi all,
> 
> I am configuring AD authentication by using SSSD+kerberos on our CentOS 6.7 
> cluster. The solution works fine so far except that we could not use 
> ldap_access_filter.
> 
> Whenever I enabled ldap_access_filter (add filter to ldap_access_order), all 
> SSH logins are denied. And the error messages are:
> 
> ==> /var/log/sssd/ldap_child.log <==
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> 
> But I believe the entry is in the keytab file already:

The message is coming from the KDC and since you are using AD
'NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' would be the right principal to use
because AD makes a difference between user-principal-names which can be
used for kinit and service-principal-names which can be only used for
services.

Do you have 'ldap_sasl_authid = NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' set in
the domain section of your sssd.conf? If not please try if it works
after adding it.

> 
> [root@nerv-geofront ~]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- 
> --------------------------------------------------------------------------
>    5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-crc)
>    5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-md5)
>    5 host/nerv-geofront.lo...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>    5 host/nerv-geofront.lo...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>    5 host/nerv-geofront.lo...@ad.example.edu.au (arcfour-hmac)
>    5 host/nerv-geofr...@ad.example.edu.au (des-cbc-crc)
>    5 host/nerv-geofr...@ad.example.edu.au (des-cbc-md5)
>    5 host/nerv-geofr...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>    5 host/nerv-geofr...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>    5 host/nerv-geofr...@ad.example.edu.au (arcfour-hmac)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
> 
> The error messages above appear only when I enabled ldap_access_filter, so I 
> think this is related to the kerberos keytab.

The ldap_access_filter based check is evaluated by the access_provider
in SSSD which can be configured independently of e.g. the id_provider.
If e.g. you use the ad id_provider, it will figure out the right
principal automatically. The ldap access_provider must be configured
explicitly to use it because it will pick the first entry from the
keytab which matches the realm.

HTH

bye,
Sumit

> 
> I am testing on sssd 1.12.4, samba 3.6.23.
> 
> Any idea will be appreciated.
> 
> Cheers,
> Derrick
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
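The keytab-selection behaviour Sumit describes, as an added example that is not part of the thread or of the sssd project: a Python check that parses `klist -ke` output, reports the first principal in the realm (what SSSD's ldap access_provider picks when ldap_sasl_authid is unset) next to the AD machine-account principal he recommends setting explicitly. The keytab listing is a constructed sample with placeholder hostnames and the thread's realm.

```python
"""Which keytab principal will SSSD's ldap access_provider use?"""
import re

# One `klist -ke` data line: "   5 host/name@REALM (aes256-cts-hmac-sha1-96)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample in the shape of the thread's listing (placeholder hosts).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/client.example.test@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 host/client.example.test@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/client@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 CLIENT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples in keytab order."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def first_in_realm(entries, realm):
    """First principal in the realm: SSSD's implicit choice (a service principal here)."""
    suffix = "@" + realm.upper()
    return next((p for _, p, _ in entries if p.upper().endswith(suffix)), None)


def machine_account(entries, realm):
    """The AD computer account (SAM name + '$'), the one a TGT can be obtained for."""
    suffix = "$@" + realm.upper()
    return next((p for _, p, _ in entries if p.endswith(suffix)), None)


def check_keytab(text, realm):
    """Compare implicit pick with the machine account and say whether to set ldap_sasl_authid."""
    entries = parse_klist(text)
    picked = first_in_realm(entries, realm)
    wanted = machine_account(entries, realm)
    return {"implicit": picked, "machine_account": wanted,
            "needs_ldap_sasl_authid": wanted is not None and picked != wanted}


if __name__ == "__main__":
    result = check_keytab(SAMPLE_KLIST, "AD.EXAMPLE.EDU.AU")
    if result["needs_ldap_sasl_authid"]:
        print("ldap_sasl_authid = " + result["machine_account"])
```

Run it against `klist -ke` output from the affected host; the printed line is the sssd.conf domain-section setting to add.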