I progressed a bit on that issue. I am able to ssh to a server on the same domain as my user, as I always could, without a password, with Kerberos:

kinit tbouillon
ssh [email protected]   # works

I am able to connect to my server in child.domain.com with a fully qualified domain user, which is normal, otherwise sssd tries to resolve it as [email protected]. So:

ssh myserver.child.example.com -l [email protected]   # also works

BUT I must enter my AD password. My Kerberos ticket is not recognized. I haven't pushed too far on the krb5 conf, so I guess sssd works pretty well.

To answer Jakub's question: id [email protected] now returns AD groups, so this works as well.

Maybe I'll try to take a quick look at using only short names in my trusted domains. I think I saw something on that, domain resolution order, but this is in the next sssd version.

On 7 August 2017 at 17:25, Jakub Hrozek <[email protected]> wrote:
>
> > On 3 Aug 2017, at 10:22, Tristan Bouillon <[email protected]> wrote:
> >
> > Thanks for your time guys.
> >
> > Looking through sssd stuff I almost forgot my main goal was to ssh to a server.
> > I did a little test with ssh, server and user in the same domain.
> >
> > If I do:
> > $ ssh server -l tbouillon   # It works
> > but:
> > $ ssh server -l '[email protected]'   # Permission denied.
> >
> > From early debug it seems like ssh sees my user like [email protected]@example.com on the second line.
> > So I should find a way to make ssh understand this is a domain extension OR for child.example.com configure the default domain when logging in as example.com
>
> I’ve never seen this issue. I don’t think the quotes are needed, and in my environment, this works fine:
>
> ssh localhost -l [email protected]
> [email protected]@localhost's password:
> Last login: Mon Aug 7 17:24:19 2017 from ::1
> Could not chdir to home directory /home/[email protected]: Permission denied
> -bash: /home/[email protected]/.bash_profile: Permission denied
> -bash-4.3$ id
> uid=1156200500(administrator) gid=1156200513(domain users) groups=1156200513(domain users),1156200512(domain admins),1156200518(schema admins),1156200519(enterprise admins),1156200520(group policy creator owners),1156200572(denied rodc password replication group) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -bash-4.3$
>
> What is the output of “id [email protected]” ?
>
> > On 2 August 2017 at 19:40, Michal Židek <[email protected]> wrote:
> > > On 08/02/2017 06:01 PM, Tristan Bouillon wrote:
> > > > OK, tried to be clear but looks like I'm not :)
> > > > No big deal, let's try again.
> > > >
> > > > Use case
> > > > I'm connected to a Linux jumpbox (let's say jb.example.com) which is in domain example.com.
> > > > I do: "$ kinit tbouillon" and get a working ticket. I can connect with user tbouillon via ssh to all servers in the example.com domain via SSSD.
> > > > Now I have this server which is in child.example.com, and I want to connect from jb.example.com to server1.child.example.com
> > > >
> > > > I do: [email protected] $ ssh server1.child.example.com -l '[email protected]'
> > > > I get this result: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
> > >
> > > I am not completely sure, but this looks like wrong sshd configuration on the server1.child.example.com. Did you do something with the sshd configuration there? SSH tried to authenticate you using your public key but failed to do so.
> > >
> > > Sorry, I can not help you with OpenSSH much, but it does not look like you are facing an SSSD issue.
> > >
> > > > Obviously I expected a shell like: [email protected]
> > > >
> > > > So the ssh command doesn't work well; also, when on server1.child.example.com I get
> > > > kinit [email protected]
> > > > Password for [email protected]:
> > > > kinit: KDC reply did not match expectations while getting initial credentials
> > > >
> > > > Here is the sssd.conf, sshd.log from server1, sssd.log
> > > >
> > > > On 2 August 2017 at 16:41, Michal Židek <[email protected]> wrote:
> > > > > Hi Tristan,
> > > > >
> > > > > I understand your topology from what you wrote, but I still do not know what your problem is. See question inline.
> > > > >
> > > > > On 08/02/2017 03:48 PM, Tristan Bouillon wrote:
> > > > > > Hi Michal
> > > > > > Thanks for answering
> > > > > >
> > > > > > For the missing part:
> > > > > > OS: CentOS 7.3 with latest updates
> > > > > > SSSD: 1.14.0 release 43
> > > > > >
> > > > > > So, I removed all traces of server1 (which is indeed a Linux host) from AD and tried to rejoin with the realm command.
> > > > > >
> > > > > > Good points:
> > > > > > The sssd.conf provided by the realm command was not far from the one I had. I guess my understanding of how sssd and Kerberos work together wasn't that bad.
> > > > > > It added:
> > > > > > realmd_tags = manages-system joined-with-samba
> > > > > > ldap_id_mapping = True
> > > > > >
> > > > > > Now I have basically the same error. Reminder, I want my server in child.example.com but users are in parent domain example.com.
> > > > > > My server1 has successfully joined domain child.example.com and has a keytab.
> > > > > > When trying to connect, sssd successfully finds the multiple AD servers and the SSSD ad backend is seen as online.
> > > > > >
> > > > > > [ad_get_client_site_done] (0x0400): Found forest: example.com
> > > > > > [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
> > > > > > [fo_add_server_to_list] (0x0400): Inserted primary server 'ff1pdc01.child.example.com:3268' to service 'AD_GC'   # Domain controller for child.example.com
> > > > > > [fo_add_server_to_list] (0x0400): Inserted primary server 'ff1gdc01.example.com:3268' to service 'AD_GC'   # Domain controller for example.com
> > > > > >
> > > > > > After that I have some successful ldap connections to different AD servers and then it searches for my user. But it looks like the search never goes to domain child.example.com, and after that it fails because the user doesn't exist in child.example.com
> > > > >
> > > > > For what purpose is something searching for your user? Again... please tell me what is not working for you. Below you say that the 'id' lookup is successful, that means SSSD's NSS responder is working. What command is not working for you (su, ssh, getent, id, etc.)?
> > > > >
> > > > > Sorry, I am a simple person :)
> > > > >
> > > > > Please answer in this format:
> > > > > I am doing this command: (for example) getent passwd [email protected] (or) ssh localhost -l [email protected]
> > > > > I get this result: ...
> > > > > I expected this result: ...
> > > > > Here is my sssd.conf:
> > > > > Logs from /var/log/sssd/ are in attachment.
> > > > >
> > > > > > [sdap_save_user] (0x1000): Mapping user [[email protected]] objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
> > > > > > [sdap_save_user] (0x0400): Original memberOf is not available for [[email protected]].
> > > > > > [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [[email protected]].
> > > > > > [sdap_save_user] (0x0400): Storing info for user [email protected]
> > > > > > [sysdb_search_by_name] (0x0400): No such entry
> > > > > > [sysdb_store_user] (0x1000): User [email protected] does not exist.
> > > > > >
> > > > > > On a classical shell if I do: "$ id user1.example.com" I have a correct answer.
> > > > > >
> > > > > > On 2 August 2017 at 13:19, Michal Židek <[email protected]> wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > You did not mention what SSSD version and what OS you are using. I have a few questions, see inline.
> > > > > > >
> > > > > > > On 08/02/2017 10:59 AM, Tristan Bouillon wrote:
> > > > > > > > Hi
> > > > > > > >
> > > > > > > > I have this case I'm working on and it's driving me crazy. I try to set up something like this:
> > > > > > > >
> > > > > > > > AD setup is like this with bi-directional approbation:
> > > > > > > > - example.com
> > > > > > > >   \-- child.example.com
> > > > > > > >
> > > > > > > > Have users registered in example.com => [email protected]
> > > > > > > > computers are registered in child.example.com => [email protected]
> > > > > > > >
> > > > > > > > I want to connect with user1 to server1 with ssh and sssd.
> > > > > > >
> > > > > > > So, server1 is a Linux host, right? You can add it to the child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It will automatically add server1 to the child.example.com domain (so it did not have to be there before).
> > > > > > >
> > > > > > > > Before any debug process I want to make sure this is possible because I'm running in circles.
> > > > > > > >
> > > > > > > > When setting up sssd and krb5 confs with child.example.com:
> > > > > > >
> > > > > > > If you set up SSSD manually there is a lot of room for errors, I recommend using realm join and then just tweak the sssd.conf in case something does not work the way you want.
> > > > > > >
> > > > > > > > -- sssd nss says: example.com is created as a subdomain of child.example.com
> > > > > > >
> > > > > > > This is OK. The 'subdomain' may be a little bit confusing, because this refers to an internal C code structure that represents a trusted domain, not an actual subdomain in the DNS sense. IIRC we changed the message recently to be less confusing.
> > > > > > >
> > > > > > > > -- but AD backend is online for child.example.com and I can query it
> > > > > > >
> > > > > > > You mean SSSD AD backend is running on the Linux host server1, right?
> > > > > > >
> > > > > > > > -- the query for [email protected] works great but the AD server in child.example.com does not know the user and can't query his master AD server.
> > > > > > >
> > > > > > > I do not understand what you mean here. So, on the Linux host (server1), if you query the [email protected], user info is returned. So what operation on the Linux host is not working? (getent, su, ssh ... copy paste the problematic commands and see our troubleshooting page).
> > > > > > >
> > > > > > > > When setting up sssd and krb5 confs with example.com
> > > > > > >
> > > > > > > Again, realm join should set up everything for you. If you join the EXAMPLE.COM realm then the server1 host will be added to the example.com domain (you said you wanted them in the child.example.com, so I am not sure if this is what you want to do, but you can try it if it works for you).
> > > > > > >
> > > > > > > > -- it attempts kinit with host/server1.child.example.com and fails to get a tgt. AD is set to offline and it cannot query it.
> > > > > > > >
> > > > > > > > When trying to mix up these solutions I find something similar to the cases above.
> > > > > > > > If it is possible can someone point me towards the configuration I'm supposed to make.
> > > > > > >
> > > > > > > Try using the realm join command from the Linux host to avoid hand crafting the configuration. Note that the AD domain controller for the domain you are joining must be DNS resolvable from the Linux host.
> > > > > > >
> > > > > > > > Don't know if it's the place but GG for the debugging options provided with SSSD, it is clear and powerful.

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
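The thread ends with two separate symptoms: ssh to the child-domain host works with a fully qualified login name but falls back to an AD password instead of using the Kerberos ticket, and an earlier kinit on server1 failed with "KDC reply did not match expectations". The helpers below are an added example (not part of the thread and not sssd's or OpenSSH's own code) for pulling those apart. They assume an MIT krb5 client (kinit, klist, kvno) and an OpenSSH client on the jumpbox, and that the sssd login name is user@domain in lower case, as in the thread; the function names and the host/realm arguments are illustrative.

```shell
#!/bin/sh
# Added example: check whether a Kerberos ticket is actually used for ssh
# to a host in a trusted AD domain, without letting password auth mask it.

# Kerberos realm names are case-sensitive and AD realms are upper case.
# Running kinit with a lower-case realm is a classic cause of
# "KDC reply did not match expectations", so always build the principal
# with the realm upper-cased.   usage: krb_principal user realm
krb_principal() {
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$1" "$realm"
}

# Service principal that sshd on the target accepts through GSSAPI; the
# host part must match the name in the target's /etc/krb5.keytab.
# usage: ssh_service_principal host host_realm
ssh_service_principal() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$host" "$realm"
}

# Does a "Permission denied (a,b,c)" line show that the server offered
# GSSAPI at all? If not, the problem is sshd_config, not the ticket.
# usage: gssapi_offered "Permission denied (publickey,gssapi-with-mic)."
gssapi_offered() {
    case "$1" in
        *gssapi-with-mic*|*gssapi-keyex*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hands-on check (needs a real KDC, so the tests do not call it):
#  1. a valid TGT must exist in the credential cache
#  2. the KDC must issue a service ticket for the target host, which
#     exercises the cross-realm path between parent and child domain
#  3. ssh with GSSAPI only; PasswordAuthentication=no and BatchMode=yes
#     make a ticket problem fail loudly instead of prompting for a password
# usage: check_gssapi_ssh user user_realm host host_realm
check_gssapi_ssh() {
    principal=$(krb_principal "$1" "$2")
    spn=$(ssh_service_principal "$3" "$4")
    login="$1@$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    klist -s || { echo "no valid ticket; run: kinit $principal" >&2; return 1; }
    kvno "$spn" || { echo "KDC did not issue a ticket for $spn" >&2; return 1; }
    ssh -o GSSAPIAuthentication=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -o PasswordAuthentication=no \
        -o BatchMode=yes \
        -l "$login" "$3" id
}
```

Source the file and run, for the topology in the thread, `check_gssapi_ssh tbouillon example.com server1.child.example.com child.example.com`. If `kvno` succeeds but the ssh step is refused, look at the target: sshd needs `GSSAPIAuthentication yes` in sshd_config and a `host/<fqdn>` key in /etc/krb5.keytab that matches the name the client resolved; `ssh -vvv` on the client shows which of those the GSSAPI exchange tripped over.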
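The sssd_<domain>.log excerpts quoted in the thread mix failover discovery, LDAP searches and cache writes at several debug levels, and the question of whether the user search went to the right domain gets lost in them. The helpers below are an added example (not from the thread and not sssd's own tooling) for triaging such a log: which servers were discovered per failover service, which LDAP search bases were queried, and which lines are real failures by sssd's debug-level mask (0x0010 fatal, 0x0020 critical, 0x0040 operation failure, 0x0080 minor failure; 0x0400 and 0x1000 are trace levels). The sample log is constructed for the example, modelled on the quoted lines with two search lines and one failure line added.

```shell
#!/bin/sh
# Added example: triage helpers for sssd domain logs at debug_level 6+.

# Constructed sample, modelled on the lines quoted in the thread.
sample_log() {
cat <<'EOF'
[ad_get_client_site_done] (0x0400): Found forest: example.com
[ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1pdc01.child.example.com:3268' to service 'AD_GC'
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1gdc01.example.com:3268' to service 'AD_GC'
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1pdc01.child.example.com:389' to service 'AD'
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user1)(objectclass=user))][DC=child,DC=example,DC=com].
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=user1)(objectclass=user))][DC=example,DC=com].
[sdap_save_user] (0x0400): Storing info for user user1@example.com
[sysdb_store_user] (0x1000): User user1@example.com does not exist.
[krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
EOF
}

# Name of an sssd debug-level mask as found in "(0x....)" on each line.
sssd_level_name() {
    case "$1" in
        0x0010) echo fatal_failure ;;
        0x0020) echo crit_failure ;;
        0x0040) echo op_failure ;;
        0x0080) echo minor_failure ;;
        0x0100) echo conf_settings ;;
        0x0200) echo func_data ;;
        0x0400) echo trace_func ;;
        0x1000) echo trace_libs ;;
        0x2000) echo trace_internal ;;
        0x4000) echo trace_all ;;
        *)      echo unknown ;;
    esac
}

# Only the lines whose level is one of the four failure masks; trace-level
# chatter such as "User ... does not exist." at 0x1000 is dropped.
sssd_failures() {
    while IFS= read -r line; do
        mask=$(printf '%s\n' "$line" | sed -n 's/^\[[^]]*\] (\(0x[0-9a-fA-F]*\)):.*/\1/p')
        case "$mask" in
            0x0010|0x0020|0x0040|0x0080) printf '%s\n' "$line" ;;
        esac
    done
}

# Servers the failover code discovered for one service, e.g. AD (LDAP,
# port 389) or AD_GC (global catalog, port 3268).  usage: fo_servers AD_GC
fo_servers() {
    sed -n "s/.*Inserted primary server '\([^']*\)' to service '$1'.*/\1/p"
}

# Search bases used by ldap_search_ext calls: shows which domain a user
# lookup was actually sent to.
search_bases() {
    sed -n 's/.*calling ldap_search_ext with \[[^]]*\]\[\([^]]*\)\].*/\1/p'
}
```

Typical use against a real log is `sssd_failures < /var/log/sssd/sssd_child.example.com.log` first, then `fo_servers AD_GC` and `search_bases` on the same file to see whether the parent domain's controllers were both discovered and queried. Note that the "[sysdb_store_user] (0x1000): User ... does not exist." line quoted in the thread is a trace-level message emitted before a new cache entry is written, not an error.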
