Hi all,
I'm having problems having sssd authenticate a user in a parent domain in the same forest with SSSD. In brief, it's an Ubuntu 18.04 box with sssd 1.16.1: the box was joined to the domain 'development.cseserve.com' with 'realm join'. Users in that domain can authenticate successfully, but users in the parent domain cseserve.com cannot.
After some reading, I found the sssctl command, and that the sssd.conf file needed a tweak to add 'ifp' to the list of services, which gave access to the user-checks. Configuration file and output of various sssctl checks is at the bottom of this email.
If I attempt to authenticate as a user in cseserv.com, I get:
root@hs-svn-02:/var/log/sssd# sssctl user-checks [email protected] -a auth
user: [email protected]
action: auth
service: system-auth
SSSD nss user lookup result:
- user name: [email protected]
- user id: 715601141
- group id: 715601141
- gecos: Chris Johnson
- home directory: /home/[email protected]
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: [email protected]
- uidNumber: 715601141
- gidNumber: 715601141
- gecos: Chris Johnson
- homeDirectory:
- loginShell:
testing pam_authenticate
Password:
pam_authenticate for user [[email protected]]: Authentication failure
PAM Environment:
- no env -
root@hs-svn-02:/var/log/sssd#
Now in /var/log/syslog, when I tail -f during sssctl user-checks, I get the error:
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
I can't see any other pertinent errors in log files, but I'm happy to provide more if I know what to send over :-)
This error does not occur for a user in the development.cseserv.com domain, which completes successfully:
[...deleted the preamble...]
testing pam_authenticate
Password:
pam_authenticate for user [[email protected]]: Success
PAM Environment:
- KRB5CCNAME=FILE:/tmp/krb5cc_376801009_vS8U1c
I've tried various things based on various searches, including creating a /etc/krb5.conf file to specify encryption protocols, and after a restart this did not change the behaviour:
[libdefaults]
allow_weak_crypto = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
rdns=false
dns_lookup_kdc = true
Additionally I've tried explicitly declaring the cseserv domain as a trusted domain in sssd.conf (based on https://docs.pagure.org/SSSD.sssd/users/ad_provider.html#etc-sssd-sssd-conf), and this failed as well:
[sssd]
domains = development.cseserv.com, cseserv.com
{...rest unchanged...}
[domain/development.cseserve.com/cseserve.com]
ad_server = hs-dc-01.cseserve.com
What obvious thing am I missing? From what I'm reading, this should work.
Regards,
Chris
====================================================================
Sanity checking the domain configuration:
realm list gives:
root@hs-svn-02:/var/log/sssd# realm list
development.cseserv.com
type: kerberos
realm-name: DEVELOPMENT.CSESERV.COM
domain-name: development.cseserv.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %[email protected]
login-policy: allow-realm-logins
root@hs-svn-02:/var/log/sssd#
sssctl domain-list shows that the parent domain was auto-discovered:
root@hs-svn-02:/var/log/sssd# sssctl domain-list
development.cseserve.com
test.cseserve.com
hst.cseserve.com
cseserve.com
root@hs-svn-02:/var/log/sssd#
sssctl domain-status development.cseserv.com gives:
Online status: Online
Active servers:
AD Global Catalog: hs-dc-01.development.cseserv.com
AD Domain Controller: hs-dc-01.development.cseserv.com
Discovered AD Global Catalog servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
- gsh-dc-04.cseserv.com
- gsh-dc-05.cseserv.com
- gsh-dc-01.cseserv.com
Discovered AD Domain Controller servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
sssctl domain-status cseserv.com gives:
root@hs-svn-02:/var/log/sssd# sssctl domain-status cseserv.com
Online status: Online
Active servers:
AD Domain Controller: gsh-dc-04.cseserv.com
AD Global Catalog: hs-dc-01.development.cseserv.com
Discovered AD Domain Controller servers:
- gsh-dc-04.cseserv.com
- gsh-dc-01.cseserv.com
- gsh-dc-05.cseserv.com
- gln-dc-01.cseserv.com
Discovered AD Global Catalog servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
- gsh-dc-04.cseserv.com
- gsh-dc-05.cseserv.com
- gsh-dc-01.cseserv.com
My sssd.conf file:
[sssd]
domains = development.cseserve.com
config_file_version = 2
services = nss, pam, ifp
debug_level = 9
[domain/development.cseserve.com]
ad_domain = development.cseserve.com
krb5_realm = DEVELOPMENT.CSESERVE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
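One detail in the post worth checking before it is forgotten: the troubleshooting krb5.conf above switches on allow_weak_crypto and asks for DES and RC4 ticket enctypes, which weakens every Kerberos exchange from this host even if it never fixes the trust problem. The following lint is an added example (not code from the SSSD project or the poster); it parses the [libdefaults] section of a krb5.conf, using the post's own file as constructed sample input, and reports weak-crypto settings alongside the AES enctypes a modern AD KDC offers.

```python
"""Lint the [libdefaults] section of a krb5.conf for weak Kerberos settings.
Added example, not code from the SSSD project; SAMPLE_KRB5_CONF is the
/etc/krb5.conf quoted in the mailing-list post."""
import re

# Enctypes that are deprecated or broken; a client should not request them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
                 "arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "des"}
STRONG_ENCTYPES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

SAMPLE_KRB5_CONF = """\
[libdefaults]
  allow_weak_crypto = true
  default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
  rdns=false
  dns_lookup_kdc = true
"""


def parse_libdefaults(text):
    """Return the flat key = value pairs of [libdefaults] as a dict."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def lint_krb5_conf(text):
    """Return a list of findings; an empty list means no weak-crypto settings."""
    cfg = parse_libdefaults(text)
    findings = []
    if cfg.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto=true lets the client accept DES/RC4 keys")
    for key in ENCTYPE_KEYS:
        if key in cfg:
            weak = sorted(set(cfg[key].split()) & WEAK_ENCTYPES)
            if weak:
                findings.append(f"{key} requests weak enctypes: {' '.join(weak)}; "
                                f"prefer {' '.join(STRONG_ENCTYPES)}")
    return findings
```

Run lint_krb5_conf() against the real /etc/krb5.conf after troubleshooting is finished; the expected fix is to drop allow_weak_crypto and the enctype overrides entirely so the client negotiates AES with the domain controllers.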
_______________________________________________
sssd-users mailing list -- [email protected]