On Mon, Apr 16, 2018 at 04:28:59PM -0400, James Ralston wrote:
> Has anyone figured out how to make sssd utilize a Microsoft read-only
> Domain Controller (RODC)?
> 
> The host we want to join to AD is already behind the RODC. So, we are
> trying to "join" the host to the RODC by pre-creating a computer
> account object in AD (via a RWDC), then exporting a Kerberos keytab
> file to install on the client host.
> 
> On the client host, in the /etc/krb5.conf file, we have overridden the
> "kdc" setting for our domain, pointing it to the RODC. In
> /etc/sssd/sssd.conf, we have set "ad_server" for our domain, pointing
> it to the RODC. Using the exported keytab file, we can run "kinit -k"
> successfully.
> 
> But no matter how we create the computer account object, or how we
> export the Kerberos keytab, sssd cannot use the resulting keytab file
> to authenticate to the RODC: when sssd sends the AS-REQ, the RODC
> always replies with KRB5KDC_ERR_PREAUTH_FAILED.
> 
> I'm beginning to suspect that sssd just doesn't work with RODCs: if
> "kinit -k" can successfully authenticate and acquire a service
> principal using the keytab file we exported to the client from the
> RWDC, then why can't sssd successfully use it?

If 'kinit -k' works, SSSD should work as well. Can you send the SSSD
logs with debug_level=9? The most important would be the domain log and
the ldap_child.log files.

For comparison it would be good to see the output of

    KRB5_TRACE=/dev/stdout kinit -k ....

as well.

bye,
Sumit

> 
> Can anyone confirm that you have sssd successfully speaking to a
> Microsoft RODC?
> 
> If so, did you join the client host to a RWDC and then move it behind
> the RODC? Or did you pre-create the machine account on the RWDC and
> export the Kerberos keytab to the client? If the latter, do you have
> the exact net/admod/ktpass commands you used to pre-create the
> computer account and export the keytab in a way that is compatible
> with sssd?
> 
> Thanks in advance for any pointers or advice!
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
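As an added illustration of the comparison Sumit asks for (not code from the thread or from SSSD), this Python helper reduces a KRB5_TRACE capture from `kinit -k` to the facts worth lining up against the domain and ldap_child logs: the keytab entry used (principal, kvno, enctype), the KDC contacted, and the KDC error codes. The sample trace is constructed, with placeholder names, path and address, and deliberately shows the PREAUTH_FAILED outcome so the check has something to flag.

```python
import re

# Constructed sample in the shape of MIT Kerberos KRB5_TRACE output from
# "KRB5_TRACE=/dev/stdout kinit -k"; the host names, keytab path and KDC
# address are placeholders, not values from the thread.
SAMPLE_TRACE = """\
[4242] 1523912345.000001: Getting initial credentials for host/client.example.com@EXAMPLE.COM
[4242] 1523912345.000002: Looked up etypes in keytab: aes256-cts, aes128-cts
[4242] 1523912345.000003: Sending initial UDP request to dgram 192.0.2.10:88
[4242] 1523912345.000004: Received error from KDC: -1765328359/Additional pre-authentication required
[4242] 1523912345.000005: Retrieving host/client.example.com@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 3, enctype aes256-cts) with result: 0/Success
[4242] 1523912345.000006: Received error from KDC: -1765328360/Preauthentication failed
"""

TRACE_LINE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
KEYTAB_USE = re.compile(
    r"Retrieving (?P<princ>\S+) from (?P<keytab>\S+) "
    r"\(vno (?P<vno>\d+), enctype (?P<etype>[^)]+)\) with result: (?P<rc>-?\d+)/")
KDC_ERROR = re.compile(r"Received error from KDC: (?P<code>-?\d+)/(?P<text>.+)$")
KDC_ADDR = re.compile(r"Sending initial \w+ request to \w+ (?P<addr>\S+)$")

# com_err codes libkrb5 prints for the two pre-auth outcomes in the sample
KRB5KDC_ERR_PREAUTH_REQUIRED = -1765328359  # KDC asks for pre-auth: normal first reply
KRB5KDC_ERR_PREAUTH_FAILED = -1765328360    # KDC rejected the encrypted timestamp


def summarize_trace(text):
    """Collect the keytab entry actually used, the KDCs contacted and every
    KDC error, in order, from a KRB5_TRACE capture."""
    summary = {"keytab": None, "kdcs": [], "errors": []}
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        if not m:
            continue  # not a trace line (e.g. kinit's own stderr output)
        msg = m.group("msg")
        if (k := KEYTAB_USE.search(msg)) and k.group("rc") == "0":
            summary["keytab"] = {"principal": k.group("princ"), "file": k.group("keytab"),
                                 "kvno": int(k.group("vno")), "enctype": k.group("etype")}
        elif a := KDC_ADDR.search(msg):
            summary["kdcs"].append(a.group("addr"))
        elif e := KDC_ERROR.search(msg):
            summary["errors"].append((int(e.group("code")), e.group("text")))
    return summary


def preauth_failed(summary):
    """True when the last KDC reply was PREAUTH_FAILED: the KDC did not accept
    a timestamp encrypted with the key taken from the keytab."""
    return bool(summary["errors"]) and summary["errors"][-1][0] == KRB5KDC_ERR_PREAUTH_FAILED


if __name__ == "__main__":
    s = summarize_trace(SAMPLE_TRACE)
    print(s["keytab"], s["kdcs"], s["errors"], preauth_failed(s))
```

Run the working `kinit -k` trace and the failing SSSD attempt through the same summary and compare principal, kvno, enctype and the KDC address; any field that differs is the first place to look.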