Hi,

On Tue, Oct 24, 2017 at 10:03 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> > On these 2 servers, authentication works for testu...@sub1.example.com. I
> > can authenticate with my_u...@example.com on the ubuntu 14 with sssd
> > 1.11. But I cannot authenticate with my_u...@example.com on the ubuntu 16
> > with sssd 1.13.
>
> This is quite a new version, which already supports discovering trusted
> domains in the same forest, so defining the root domain (example.com)
> shouldn't even be required. The subdomain provider (which defaults to "ad",
> same as the id_provider's value) should discover example.com on its own.

Hum, not quite:

root@<servername>:~# id my_user
uid=10000(my_user) gid=10001(ggs_admin_linux) groups=10001(ggs_admin_linux),10006(ggs_samba_logs),10002(ggs_samba_users)
root@<servername>:~# id test_user
uid=11400(test_user) gid=11400(test_group) groups=11400(test_group)

In between, I comment out the main domain:

root@<servername>:~# grep -v "^$\|^#" /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com
services = nss, pam
[domain/sub1.example.com]
dns_discovery_domain = cy2._sites.sub1.example.com
ad_server = ad1.sub1.example.com,ad2.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
root@<servername>:~# id my_user
id: ‘my_user’: no such user
root@<servername>:~# id test_user
uid=11400(test_user) gid=11400(test_group) groups=11400(test_group)
root@<servername>:~# id my_u...@example.com
uid=10000(my_u...@example.com) gid=10001 groups=10001

my_user (without domain specification) is not found as it does not belong to the subdomain, and the groups are not resolved to their names anymore. It is possible (I am no expert on that matter) that without posix attributes it would be easier, as it would search through the domain for SIDs...
> (Actually, with your setup, I would even think the explicitly defined
> example.com domain is ignored as sssd would query the autodiscovered
> subdomain of sub1.example.com if you ask it for any entry from example.com)

Well it seems it is not ignored :-)

> It's easier to use:
> ad_site = cy2
> with a recent version. But I guess this won't work with 1.11..

I take note for when we will be only with recent OS's ;-)

> > debug_level = 7
> > id_provider = ad
> > access_provider = ad
> > ldap_id_mapping = false
> >
> > I have played with ad_hostname, ldap_sasl_authid, ldap_sasl_realm with
> > little success (I am not even sure ldap_sasl_* variables are useful with
> > id_provider = ad...)
> >
> > There is only one tiny difference I see in the SPNs: my ubuntu 16 is the
> > only one of my servers that has a host/SERVERNAME SPN, all the others have
> > HOST/SERVERNAME (capital HOST). I cannot understand though why that
> > would allow the auth to the subdomain but not to the main, but I know
> > kerberos is very sensitive to the case, so just in case. And anyway, that is
> > coherent with the keytab.
>
> First, sssd should not select the host/hostname principal to connect to
> AD LDAP, but it should use the SHORTNAME$@REALM principal. You can search
> for messages from "select_principal_from_keytab" to see what principal
> SSSD matched; for example, this is what my setup looks like:
>
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [sdap_set_sasl_options] (0x0100): Will look for adclient.win.trust.t...@win.trust.test in default keytab
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [find_principal_in_keytab] (0x4000): Trying to find principal adclient.win.trust.t...@win.trust.test in keytab.
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [find_principal_in_keytab] (0x0400): No principal matching adclient.win.trust.t...@win.trust.test found in keytab.
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [find_principal_in_keytab] (0x4000): Trying to find principal ADCLIENT$@WIN.TRUST.TEST in keytab.
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [match_principal] (0x1000): Principal matched to the sample (ADCLIENT$@WIN.TRUST.TEST).
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [select_principal_from_keytab] (0x0200): Selected primary: ADCLIENT$
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [select_principal_from_keytab] (0x0200): Selected realm: WIN.TRUST.TEST
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to ADCLIENT$
> (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to WIN.TRUST.TEST

sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: SERVERNAME$
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: SERVERNAME$
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@SUB1.EXAMPLE.COM).
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@SUB1.EXAMPLE.COM).
sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@SUB1.EXAMPLE.COM).
sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (host/*@(null)).
sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (host/*@(null)).
sssd_example.com.log.1:(Mon Oct 23 14:41:10 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@SUB1.EXAMPLE.COM).
sssd_example.com.log.1:(Mon Oct 23 14:41:10 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (host/*@(null)).

> I would also discourage enumerate=True, currently the performance is not
> the best with large domains..

I did it, even if we have a small AD, so performance is not the issue here.

> So all in all, I would check which principal sssd chooses.. trimming
> the config file by disabling the root domain and disabling enumeration
> might help as well, at least as far as log file readability goes.
And this is what I get for 3 authentication tries:

Oct 25 15:36:42 servername sshd[9487]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 15:36:42 servername sshd[9487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.35.22
Oct 25 15:36:42 servername sshd[9487]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.35.22 user=my_user
Oct 25 15:36:42 servername sshd[9487]: pam_sss(sshd:auth): received for user my_user: 10 (User not known to the underlying authentication module)
Oct 25 15:37:25 servername sshd[9595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.35.22 user=test_user
Oct 25 15:37:25 servername sshd[9595]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.35.22 user=test_user
Oct 25 15:37:25 servername sshd[9595]: pam_unix(sshd:session): session opened for user test_user by (uid=0)
Oct 25 15:37:25 servername systemd: pam_unix(systemd-user:session): session opened for user test_user by (uid=0)
Oct 25 15:38:25 servername sshd[9768]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.35.22 user=my_u...@example.com
Oct 25 15:38:25 servername sshd[9768]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.20.35.22 user=my_u...@example.com
Oct 25 15:38:25 servername sshd[9768]: pam_sss(sshd:auth): received for user my_u...@example.com: 9 (Authentication service cannot retrieve authentication info)

Jeremy
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
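The check Jakub describes (grep the backend logs for select_principal_from_keytab and see whether each domain ended up with the SHORTNAME$@REALM machine principal or a host/ service principal) can be automated. The script below is an added example for this thread and is not code from the original post or from the SSSD project. It assumes only the backend log line format visible in the thread, accepts the "filename:" prefix that grep -r adds, and tolerates the stray space a mail client inserts when wrapping "[sssd[be[ domain]]]". The sample log embedded at the bottom is constructed after the thread's excerpts, not real output; the NAME$ rule it flags on is Jakub's statement that the AD provider should not bind as host/hostname.

```python
"""Audit the Kerberos principal each SSSD domain backend selected from the keytab.

Added example for this thread; not code from the original post or from SSSD.
It parses sssd_<domain>.log lines of the form shown in the thread (optionally
prefixed with "filename:" as grep prints them) and reports, per backend, the
"Selected primary" / "Selected realm" logged by select_principal_from_keytab.
Following Jakub's remark that the AD provider should bind with SHORTNAME$@REALM,
a backend whose selected primary is not a NAME$ machine account (for example
host/SERVERNAME) is flagged.
"""
import re
from collections import defaultdict

# SSSD backend log line:  (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
# The optional "path:" prefix covers grep -r output; the \s* around the domain
# tolerates the stray space a mail client inserts when wrapping "[sssd[be[ domain]]]".
LOG_RE = re.compile(
    r"^(?:[^\s(]+:)?\((?P<ts>[^)]*)\) "
    r"\[sssd\[be\[\s*(?P<domain>[^\]]+?)\s*\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SAMPLE_RE = re.compile(r"Principal matched to the sample \((.*)\)\.?$")
# A machine-account primary is the upper-case short host name followed by '$'.
MACHINE_PRIMARY_RE = re.compile(r"^[A-Z0-9-]+\$$")


def parse_line(line):
    """Return the fields of one backend log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_principals(lines):
    """Per backend domain: selected primary/realm, the match_principal samples
    seen, and whether the primary is a NAME$ machine account."""
    seen = defaultdict(lambda: {"primary": None, "realm": None, "samples": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # syslog/pam lines and anything else are skipped
        entry, msg = seen[rec["domain"]], rec["msg"]
        if rec["func"] == "select_principal_from_keytab":
            if msg.startswith("Selected primary: "):
                entry["primary"] = msg.split(": ", 1)[1].strip()
            elif msg.startswith("Selected realm: "):
                entry["realm"] = msg.split(": ", 1)[1].strip()
        elif rec["func"] == "match_principal":
            m = SAMPLE_RE.search(msg)
            if m:
                entry["samples"].append(m.group(1).replace(" ", ""))
    report = {}
    for domain, e in seen.items():
        primary = e["primary"]
        report[domain] = {
            "primary": primary,
            "realm": e["realm"],
            "samples": e["samples"],
            "machine_account": bool(primary and MACHINE_PRIMARY_RE.match(primary)),
            # Informational only: in a trust the realm legitimately differs from
            # the backend's domain when the host is joined to another domain.
            "realm_is_domain": bool(e["realm"] and e["realm"].lower() == domain.lower()),
        }
    return report


def format_report(report):
    """One human-readable line per backend, with a WARN marker when needed."""
    out = []
    for domain, r in sorted(report.items()):
        status = "ok" if r["machine_account"] else "WARN: not a NAME$ principal"
        out.append(f"{domain}: primary={r['primary']} realm={r['realm']} "
                   f"samples={r['samples']} -> {status}")
    return out


# Constructed sample modelled on the thread's excerpts; not real log output.
SAMPLE_LOG = """\
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ sub1.example.com]]] [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@SUB1.EXAMPLE.COM).
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: SERVERNAME$
sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (host/*@(null)).
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME
sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
Oct 25 15:38:25 servername sshd[9768]: pam_sss(sshd:auth): received for user my_user@example.com: 9 (Authentication service cannot retrieve authentication info)
"""

if __name__ == "__main__":
    for line in format_report(audit_principals(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against the real files with `grep -h select_principal_from_keytab /var/log/sssd/sssd_*.log | python3 audit.py` after swapping the constructed sample for `sys.stdin`; a backend reported with a host/ primary is the one to look at first, because that bind will not be the SHORTNAME$@REALM identity the AD provider expects. The realm_is_domain field is deliberately not a failure condition: a host joined to sub1.example.com will always carry the SUB1.EXAMPLE.COM realm in the example.com backend too.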