sssd subject matter experts,

Why is my sssd deployment not doing cross-subdomain AD authentication?

*Background:*

I have a parent AD domain DELL.COM with trusted subdomains AMER.DELL.COM,
APAC.DELL.COM, EMEA.DELL.COM and JAPN.DELL.COM. Each subdomain has a
transitive trust with DELL.COM.

So all subdomains trust each other.

I set up a first test VM deployment using sssd.  I set up the cross
subdomain auth as in:

https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html

It worked great – allowed cross subdomain authentication. The only thing
it would not do was use tokengroups. That is, the VM was fully functional,
but I had to add ‘ldap_use_tokengroups = false’ to the sssd.conf file.

My AD experts have advised me that ‘tokengroups’ are an important AD
optimization and I should use them, if at all possible.

Using ldapsearch, I was able to verify that the machine account didn’t have the
necessary privileges to query a user’s tokengroups. Thus, the fault was
mine – that this first sssd deployment couldn’t use tokengroups.

So I did another sssd deployment, using another test VM. Apparently, I did
the realm join command correctly this time, as it’s able to use tokengroups.

BUT! This second test VM is not allowing cross subdomain authentication
and login. How do I fix this so that I have use of both tokengroups and
cross subdomain authentication?

(BTW -- Both test VMs are still up and operational, as described above.)

*Details:*

Here is the realm join command used in the second test VM (spikerealmd02):

kinit serviceunixinstall

realm join -v --automatic-id-mapping=no \
  --computer-ou='OU=Servers,OU=UNIX,DC=AMER,DC=DELL,DC=COM' \
  --user-principal="host/`hostname --fqdn`@AMER.DELL.COM" AMER.DELL.COM

Here is the /etc/realmd.conf file from this second test VM:

[root@spikerealmd02 etc]# cat realmd.conf
[AMER.DELL.COM]
computer-ou = OU=SERVERS,OU=UNIX,DC=AMER,DC=DELL,DC=COM
automatic-id-mapping = no
manage-system = no
fully-qualified-names = no

# THIS FAILS AT DELL;  serviceunixinstall apparently not allowed to create
# UPNs associated with machine account.
# Set the user-principal to yes to create userPrincipalName attributes for
# the computer account in the realm, in the form host/computer@REALM
#user-principal = yes

[active-directory]
default_client = sssd

[service]
automatic-install = no

[users]
# shouldn't need this;  should be set in AD for each UNIX-enabled user.
default-home = /home/%U
# shouldn't need this;  should be set in AD for each UNIX-enabled user.
default-shell = /bin/bash

Here’s the /etc/sssd/sssd.conf file for this second test VM:

[root@spikerealmd02 sssd]# cat sssd.conf

[sssd]
debug_level = 6
domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com
config_file_version = 2
services = nss,pam
#ldap_user_member_of = member

[pam]
pam_verbosity = 3
debug_level = 9

[nss]
debug_level = 9
filter_groups = root
filter_users = root
reconnection_retries = 3
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[domain/amer.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = amer.dell.com
krb5_realm = AMER.DELL.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
#access_provider = ad
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com,dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = true
simple_allow_groups = amerlinux...@amer.dell.com, amerlinux...@amer.dell.com, emealinux...@emea.dell.com, AMER.DELL.COM, emealinux...@emea.dell.com, apaclinux...@emea.dell.com, apaclinux...@emea.dell.com

# also look at
# https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html

[domain/apac.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = apac.dell.com
krb5_realm = APAC.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = false
simple_allow_groups = apaclinux...@apac.dell.com, apaclinux...@apac.dell.com

[domain/emea.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = emea.dell.com
krb5_realm = EMEA.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = true
simple_allow_groups = emealinux...@emea.dell.com, emealinux...@emea.dell.com

[domain/japn.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = japn.dell.com
krb5_realm = JAPN.DELL.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
ldap_sasl_authid = host/spikerealmd02.us.dell....@amer.dell.com
#ldap_sasl_authid = SPIKEREALMD02$@AMER.DELL.COM
#ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com, apac.dell.com, japn.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = true
simple_allow_groups = japnlinux...@japn.dell.com, japnlinux...@japn.dell.com

and here’s the /etc/krb5.conf file:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# SW mod 5/12/2018
# dns_lookup_realm = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = AMER.DELL.COM
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

# AMER.DELL.COM = {
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 amer.dell.com = AMER.DELL.COM
 .amer.dell.com = AMER.DELL.COM

*Comparing with first VM that does cross subdomain auth:*

Here’s /etc/realmd.conf of first test VM that does cross subdomain auth
(spikerealmd01):

[root@spikerealmd01 krb5.include.d]# cat /etc/realmd.conf
[AMER.DELL.COM]
computer-ou = OU=SERVERS,OU=UNIX,DC=AMER,DC=DELL,DC=COM
automatic-id-mapping = no
manage-system = no
fully-qualified-names = no

# THIS FAILS AT DELL;  serviceunixinstall apparently not allowed to create
# UPNs associated with machine account.
# Set the user-principal to yes to create userPrincipalName attributes for
# the computer account in the realm, in the form host/computer@REALM
#user-principal = yes

[active-directory]
default_client = sssd

[service]
automatic-install = no

[users]
# shouldn't need this;  should be set in AD for each UNIX-enabled user.
default-home = /home/%U
# shouldn't need this;  should be set in AD for each UNIX-enabled user.
default-shell = /bin/bash

Here’s /etc/sssd/sssd.conf file from same first test VM:

[root@spikerealmd01 sssd]# cat sssd.conf

[sssd]
debug_level = 6
domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com
domain_resolution_order = amer.dell.com, emea.dell.com, apac.dell.com, japn.dell.com
config_file_version = 2
services = nss, pam
#ldap_user_member_of = member

[pam]
pam_verbosity = 3
debug_level = 9

[nss]
debug_level = 9
filter_groups = root
filter_users = root
reconnection_retries = 3
#entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[domain/amer.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = amer.dell.com
krb5_realm = AMER.DELL.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
#ldap_sasl_authid = host/spikerealmd01.us.dell.com
#ldap_sasl_authid = SPIKEREALMD01$@AMER.DELL.COM
ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = false
simple_allow_groups = amerlinux...@amer.dell.com, amerlinux...@amer.dell.com

# also look at
# https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html

[domain/apac.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = apac.dell.com
krb5_realm = APAC.DELL.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
#ldap_sasl_authid = host/spikerealmd01.us.dell.com
#ldap_sasl_authid = SPIKEREALMD01$@AMER.DELL.COM
ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = false
simple_allow_groups = apaclinux...@apac.dell.com, apaclinux...@apac.dell.com

[domain/emea.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = emea.dell.com
krb5_realm = EMEA.DELL.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
#ldap_sasl_authid = host/spikerealmd01.us.dell.com
#ldap_sasl_authid = SPIKEREALMD01$@AMER.DELL.COM
ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = false
simple_allow_groups = emealinux...@emea.dell.com, emealinux...@emea.dell.com

[domain/japn.dell.com]
debug_level = 9
auto_private_groups = True
use_fully_qualified_names = False
ad_domain = japn.dell.com
krb5_realm = JAPN.DELL.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
auth_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
fallback_homedir = /home/%u
access_provider = simple
ldap_schema = rfc2307bis
#ldap_sasl_authid = host/spikerealmd01.us.dell.com
#ldap_sasl_authid = SPIKEREALMD01$@AMER.DELL.COM
ldap_sasl_authid = spikerealm...@amer.dell.com
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
dyndns_update = False
subdomains_provider = none
ldap_use_tokengroups = false
simple_allow_groups = japnlinux...@japn.dell.com, japnlinux...@japn.dell.com, linux-core-engineering, amer.dell.com

Here’s /etc/krb5.conf file:

[root@spikerealmd01 etc]# cat krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# SW mod 5/12/2018
# dns_lookup_realm = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = AMER.DELL.COM
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

# AMER.DELL.COM = {
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 amer.dell.com = AMER.DELL.COM
 .amer.dell.com = AMER.DELL.COM
[root@spikerealmd01 etc]#

*Other details:*

If I query group membership of an engineer in APAC:

id admjesse_chan

on the good VM (spikerealmd01) I see all expected groups and I see this in
the /var/log/sssd/sssd_apac.dell.com.log file:

…
(Sun Jul  1 15:14:30 2018) [sssd[be[apac.dell.com]]] [sdap_initgr_rfc2307bis_next_base] (0x0400): Searching for parent groups for user [CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com] with base [DC=apac,DC=dell,DC=com]
(Sun Jul  1 15:14:30 2018) [sssd[be[apac.dell.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(member=CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com)(objectClass=group)(sAMAccountName=*))][DC=apac,DC=dell,DC=com].
(Sun Jul  1 15:14:31 2018) [sssd[be[apac.dell.com]]] [sdap_initgr_rfc2307bis_process] (0x1000): Found 4 parent groups for user [admjesse_c...@apac.dell.com]
(Sun Jul  1 15:14:31 2018) [sssd[be[apac.dell.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectCategory=group)(member=name=admjesse_c...@apac.dell.com,cn=users,cn=apac.dell.com,cn=sysdb))]
(Sun Jul  1 15:14:31 2018) [sssd[be[apac.dell.com]]] [sysdb_get_direct_parents] (0x1000): admjesse_c...@apac.dell.com is a member of 4 sysdb groups
(Sun Jul  1 15:14:31 2018) [sssd[be[apac.dell.com]]] [save_rfc2307bis_user_memberships] (0x2000): Updating memberships for admjesse_c...@apac.dell.com
(Sun Jul  1 15:14:31 2018) [sssd[be[apac.dell.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=admjesse_c...@apac.dell.com,cn=users,cn=apac.dell.com,cn=sysdb] has set [ts_cache] attrs.
(Sun Jul  1 15:14:31 2018) [sssd[be[apac.dell.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::apac.dell.com:name=admjesse_c...@apac.dell.com] from reply table
(Sun Jul  1 15:14:35 2018) [sssd[be[apac.dell.com]]] [sdap_asq_search_parse_entry] (0x2000): Matched objectclass [user] on DN [CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com], will use associated map
(Sun Jul  1 15:14:35 2018) [sssd[be[apac.dell.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com].
(Sun Jul  1 15:14:35 2018) [sssd[be[apac.dell.com]]] [sdap_asq_search_parse_entry] (0x2000): DN [CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com] did not match the objectClass [group]
(Sun Jul  1 15:14:36 2018) [sssd[be[apac.dell.com]]] [sdap_nested_group_hash_insert] (0x4000): Inserting [CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com] into hash table [users]
(Sun Jul  1 15:14:37 2018) [sssd[be[apac.dell.com]]] [sdap_get_primary_name] (0x0400): Processing object AdmJesse_Chan
(Sun Jul  1 15:14:37 2018) [sssd[be[apac.dell.com]]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectCategory=user)(originalDN=CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com))
(Sun Jul  1 15:14:37 2018) [sssd[be[apac.dell.com]]] [sdap_find_entry_by_origDN] (0x4000): Searching cache for [CN=AdmJesse_Chan,OU=ADMAccounts,DC=apac,DC=dell,DC=com].
(Sun Jul  1 15:14:37 2018) [sssd[be[apac.dell.com]]] [sdap_fill_memberships] (0x1000):     member #2019 (CN=AdmJesse_Cha,OU=ADMAccounts,DC=apac,DC=dell,DC=com): [name=admjesse_c...@apac.dell.com,cn=users,cn=apac.dell.com,cn=sysdb]

If I do the same query on the bad VM (spikerealmd02):

[root@spikerealmd02 sssd]# id admjesse_chan
id: admjesse_chan: no such user

and I see nothing in the sssd_apac.dell.com.log file:

[root@spikerealmd02 sssd]# grep -i admjesse_chan sssd_apac.dell.com.log
[root@spikerealmd02 sssd]#

Please help,

Spike
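One way to compare the two sssd.conf files quoted above mechanically, as an added example that is not part of the original post or of sssd itself: it parses both files with Python's configparser, reports per section the keys whose values differ (ignoring comma-list spacing), and flags ad_enabled_domains lists that repeat an entry or omit a domain listed under [sssd]. The two embedded configs are constructed, abbreviated stand-ins for the spikerealmd01 and spikerealmd02 files, with placeholder ldap_sasl_authid values; point load() at the real files to run it against a live deployment.

```python
# Added example (not from the original post): diff two sssd.conf files section by section
# and check each ad_enabled_domains list. Configs are constructed stand-ins with placeholder authids.
import configparser

GOOD_CONF = """
[sssd]
domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com
[domain/amer.dell.com]
ldap_sasl_authid = UPN-PLACEHOLDER@amer.dell.com
ldap_use_tokengroups = false
[domain/apac.dell.com]
ad_enabled_domains = amer.dell.com, apac.dell.com, emea.dell.com, japn.dell.com, dell.com
"""
BAD_CONF = """
[sssd]
domains = amer.dell.com,apac.dell.com,emea.dell.com,japn.dell.com
[domain/amer.dell.com]
ldap_sasl_authid = host/FQDN-PLACEHOLDER@amer.dell.com
ldap_use_tokengroups = true
[domain/apac.dell.com]
ad_enabled_domains = amer.dell.com, apac.dell.com, apac.dell.com, japn.dell.com, dell.com
"""
def load(text):
    cp = configparser.ConfigParser(interpolation=None)  # values like /home/%u use '%'
    cp.read_string(text)
    return cp

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def norm(value):  # canonical form of a comma list, so spacing differences do not count
    return None if value is None else ",".join(split_list(value))

def diff_sections(a, b):
    """Per section, keys whose values differ; a key missing on one side is None."""
    out = {}
    for sec in sorted(set(a.sections()) | set(b.sections())):
        ka, kb = [dict(c[sec]) if c.has_section(sec) else {} for c in (a, b)]
        changed = {k: (ka.get(k), kb.get(k)) for k in sorted(set(ka) | set(kb))
                   if norm(ka.get(k)) != norm(kb.get(k))}
        if changed:
            out[sec] = changed
    return out

def check_enabled_domains(cp):
    """Flag duplicates, and [sssd] domains missing, in each ad_enabled_domains list."""
    expected = set(split_list(cp["sssd"]["domains"]))
    problems = {}
    for sec in cp.sections():
        if sec.startswith("domain/") and "ad_enabled_domains" in cp[sec]:
            items = split_list(cp[sec]["ad_enabled_domains"])
            dups = ["duplicate: " + d for d in sorted(set(items)) if items.count(d) > 1]
            if notes := dups + ["missing: " + d for d in sorted(expected - set(items))]:
                problems[sec] = notes
    return problems
```

The output only lists differences and list inconsistencies; which of them matters for cross-subdomain lookups is still for the reader to judge.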
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/HHNJ6AMXTSKF4UW3PLS6Y5MY5ADF6VCV/