Thanks for your time guys. Looking through sssd stuff I almost forgot my main goal was to ssh to a server. I did a little test with ssh, server and user in the same domain.
If I do:
$ ssh server -l tbouillon # It works
but:
$ ssh server -l '[email protected]' # Permission denied.
From early debug it seems like ssh sees my user like [email protected]@example.com on the second line. So I should find a way to make ssh understand this is a domain extension OR for child.example.com configure the default domain when logging in as example.com

On 2 August 2017 at 19:40, Michal Židek <[email protected]> wrote:
> On 08/02/2017 06:01 PM, Tristan Bouillon wrote:
>>
>> OK, tried to be clear but looks like I'm not :)
>> No big deal, let's try again
>>
>> Use case
>> I'm connected to a linux jumpbox (let's say jb.example.com) which is
>> in domain example.com.
>> I do: "$ kinit tbouillon" and get a working ticket. I can connect with
>> user tbouillon via ssh to all servers in example.com domain via SSSD.
>> Now I have this server which is in child.example.com, and I want to
>> connect from jb.example.com to server1.child.example.com
>>
>> I do [email protected] $ ssh server1.child.example.com -l
>> '[email protected]'
>> I get this result: Permission denied
>> (publickey,gssapi-keyex,gssapi-with-mic).
>
> I am not completely sure, but this looks like a wrong sshd configuration on
> the server1.child.example.com. Did you do something with the sshd
> configuration there? SSH tried to authenticate you using your public
> key but failed to do so.
>
> Sorry, I can not help you with OpenSSH much, but it does not look like
> you are facing an SSSD issue.
>
>> Obviously I expected a shell like: [email protected]
>>
>> So the ssh command doesn't work well; also when on
>> server1.child.example.com I get
>> kinit [email protected]
>> Password for [email protected]:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
>> Here is the sssd.conf, sshd.log from server1, sssd.log
>>
>> On 2 August 2017 at 16:41, Michal Židek <[email protected]> wrote:
>>>
>>> Hi Tristan,
>>>
>>> I understand your topology from what you wrote, but I still
>>> do not know what your problem is. See question inline.
>>>
>>> On 08/02/2017 03:48 PM, Tristan Bouillon wrote:
>>>>
>>>> Hi Michal
>>>> Thanks for answering
>>>>
>>>> For the missing part:
>>>> OS: CentOS 7.3 with latest updates
>>>> SSSD: 1.14.0 release 43
>>>>
>>>> So, I removed all traces of server1 (which is indeed a linux host)
>>>> from AD and tried to re-join with the realm command.
>>>>
>>>> Good points:
>>>> The sssd.conf provided by the realm command was not far from the one I
>>>> had. I guess my understanding of how sssd and kerberos work together
>>>> wasn't that bad.
>>>> It added:
>>>> realmd_tags = manages-system joined-with-samba
>>>> ldap_id_mapping = True
>>>>
>>>> Now I have the same error basically. Reminder, I want my server in
>>>> child.example.com but users are in parent domain example.com
>>>> My server1 has successfully joined domain child.example.com and has a
>>>> keytab
>>>> When trying to connect sssd successfully finds the multiple AD servers
>>>> and the SSSD ad backend is seen as online.
>>>>
>>>> [ad_get_client_site_done] (0x0400): Found forest: example.com
>>>> [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup
>>>> servers
>>>> [fo_add_server_to_list] (0x0400): Inserted primary server
>>>> 'ff1pdc01.child.example.com:3268' to service 'AD_GC' # Domain
>>>> controller for child.example.com
>>>> [fo_add_server_to_list] (0x0400): Inserted primary server
>>>> 'ff1gdc01.example.com:3268' to service 'AD_GC' # Domain
>>>> controller for example.com
>>>>
>>>> After that I have some successful ldap connections to different AD
>>>> servers and then it searches for my user. But it looks like the search
>>>> never goes to domain child.example.com
>>>> and after that it fails because the user doesn't exist in
>>>> child.example.com
>>>
>>> For what purpose is something searching for your user? Again... please
>>> tell me what is not working for you. Below you say that 'id' lookup is
>>> successful, that means SSSD's NSS responder is working. What command is
>>> not working for you (su, ssh, getent, id, etc.)?
>>>
>>> Sorry, I am a simple person :)
>>>
>>> Please answer in format:
>>> I am doing this command: (for example) getent passwd [email protected]
>>> (or) ssh localhost -l [email protected]
>>> I get this result: ...
>>> I expected this result: ...
>>> Here is my sssd.conf:
>>> Logs from /var/log/sssd/ are in attachment.
>>>
>>>>
>>>> [sdap_save_user] (0x1000): Mapping user [[email protected]]
>>>> objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
>>>> [sdap_save_user] (0x0400): Original memberOf is not available for
>>>> [[email protected]].
>>>> [sdap_save_user] (0x0400): Adding user principal [[email protected]]
>>>> to attributes of [[email protected]].
>>>> [sdap_save_user] (0x0400): Storing info for user [email protected]
>>>> [sysdb_search_by_name] (0x0400): No such entry
>>>> [sysdb_store_user] (0x1000): User [email protected] does not exist.
>>>>
>>>> On a classical shell if I do: "$ id user1.example.com" I have a correct
>>>> answer.
>>>>
>>>> On 2 August 2017 at 13:19, Michal Židek <[email protected]> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> You did not mention what SSSD version and what OS you are using.
>>>>> I have a few questions, see inline.
>>>>>
>>>>> On 08/02/2017 10:59 AM, Tristan Bouillon wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I have this case I'm working on and it's driving me crazy. I try to
>>>>>> set up something like this:
>>>>>>
>>>>>> AD setup is like this with bi-directional trust:
>>>>>> - example.com
>>>>>>   \-- child.example.com
>>>>>> Have users registered in example.com => [email protected]
>>>>>> computers are registered in child.example.com =>
>>>>>> [email protected]
>>>>>>
>>>>>> I want to connect with user1 to server1 with ssh and sssd.
>>>>>
>>>>> So, server1 is a Linux host, right? You can add it to the
>>>>> child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It
>>>>> will automatically add server1 to the child.example.com
>>>>> domain (so it did not have to be there before).
>>>>>
>>>>>> Before any debug process I want to make sure this is possible because
>>>>>> I'm running in circles.
>>>>>>
>>>>>> When setting up sssd and krb5 confs with child.example.com:
>>>>>
>>>>> If you set up SSSD manually there is a lot of room for errors,
>>>>> I recommend using realm join and then just tweak the sssd.conf
>>>>> in case something does not work the way you want.
>>>>>
>>>>>> -- sssd nss says: example.com is created as a subdomain of
>>>>>> child.example.com
>>>>>
>>>>> This is OK. The 'subdomain' may be a little bit confusing, because this
>>>>> refers to an internal C code structure that represents a trusted
>>>>> domain,
>>>>> not an actual subdomain in the DNS sense. IIRC we changed the message
>>>>> recently to be less confusing.
>>>>>
>>>>>> -- but AD backend is online for child.example.com and I can query it
>>>>>
>>>>> You mean SSSD AD backend is running on the Linux host server1, right?
>>>>>
>>>>>> -- the query for [email protected] works great but the AD server in
>>>>>> child.example.com does not know the user and can't query his master AD
>>>>>> server.
>>>>>
>>>>> I do not understand what you mean here. So, on the Linux host
>>>>> (server1),
>>>>> if you query the [email protected], user info is returned. So what
>>>>> operation on the Linux host is not working? (getent, su, ssh ... copy
>>>>> paste the problematic commands and see our troubleshooting page).
>>>>>
>>>>>> When setting up sssd and krb5 confs with example.com
>>>>>
>>>>> Again, realm join should set up everything for you. If you join the
>>>>> EXAMPLE.COM realm then the server1 host will be added to the
>>>>> example.com
>>>>> domain (you said you wanted them in the child.example.com, so I am
>>>>> not sure if this is what you want to do, but you can try it if it works
>>>>> for you).
>>>>>
>>>>>> -- it attempts kinit with host/server1.child.example.com and fails
>>>>>> to get a tgt. AD is set to offline and it cannot query it.
>>>>>>
>>>>>> When trying to mix up these solutions I find something similar to the
>>>>>> cases above.
>>>>>> If it is possible can someone point me towards the configuration I'm
>>>>>> supposed to make.
>>>>>
>>>>> Try using the realm join command from the Linux host to avoid hand
>>>>> crafting the configuration. Note that the AD domain controller for
>>>>> the domain you are joining must be DNS resolvable from the Linux
>>>>> host.
>>>>>
>>>>>> Don't know if it's the place but GG for the debugging options provided
>>>>>> with SSSD, it is clear and powerful.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
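An added example, not from the thread or the SSSD project, of the sssd.conf shape that matches the open question at the top of the message: a Linux host joined to child.example.com whose users live in the trusted parent example.com, where the `default_domain_suffix` option makes an unqualified login such as `ssh -l tbouillon` resolve against example.com instead of the joined domain. The `realmd_tags` and `ldap_id_mapping` lines are the ones the thread reports realm join added; every other value (section name, realm, keytab path, remaining options) is an assumption for illustration.

```ini
# Constructed example sssd.conf for a host joined to child.example.com whose
# user accounts are defined in the trusted parent domain example.com.
# Section name, realm, keytab path and the non-realmd options are assumptions.
[sssd]
config_file_version = 2
services = nss, pam
domains = child.example.com
# Unqualified names ("tbouillon") are looked up as tbouillon@example.com
# rather than tbouillon@child.example.com, where no such user exists.
# Logins for other trusted domains must then be given fully qualified.
default_domain_suffix = example.com

[domain/child.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = child.example.com
krb5_realm = CHILD.EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
# Added by 'realm join' as reported in the thread:
realmd_tags = manages-system joined-with-samba
ldap_id_mapping = True
use_fully_qualified_names = True
cache_credentials = True
```

After restarting sssd, `getent passwd tbouillon` should return the example.com entry (the same one `getent passwd tbouillon@example.com` returns); if it does not, the NSS lookup is the place to look before touching sshd.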
