On Tue, Dec 11, 2018 at 11:30:05AM +0000, Chris J wrote:
> Hi all,
> 
> I'm having problems having sssd authenticate a user in a parent domain in
> the same forest with SSSD. In brief, it's an Ubuntu 18.04 box with sssd
> 1.16.1: the box was joined to the domain 'development.cseserve.com' with
> 'realm join'. Users in that domain can authenticate successfully, but users
> in the parent domain cseserve.com cannot.
> 
> After some reading, I found the sssctl command, and that the sssd.conf file
> needed a tweak to add 'ifp' to the list of services, which gave access to
> the user-checks. Configuration file and output of various sssctl checks is
> at the bottom of this email.
> 
> If I attempt to authenticate as a user in cseserv.com, I get:
> 
>       root@hs-svn-02:/var/log/sssd# sssctl user-checks [email protected] -a auth
>       user: [email protected]
>       action: auth
>       service: system-auth
> 
>       SSSD nss user lookup result:
>        - user name: [email protected]
>        - user id: 715601141
>        - group id: 715601141
>        - gecos: Chris Johnson
>        - home directory: /home/[email protected]
>        - shell: /bin/bash
> 
>       SSSD InfoPipe user lookup result:
>        - name: [email protected]
>        - uidNumber: 715601141
>        - gidNumber: 715601141
>        - gecos: Chris Johnson
>        - homeDirectory:
>        - loginShell:
> 
>       testing pam_authenticate
> 
>       Password:
>       pam_authenticate for user [[email protected]]: Authentication failure
> 
>       PAM Environment:
>        - no env -
>       root@hs-svn-02:/var/log/sssd#
> 
> Now in /var/log/syslog, when I tail -f during sssctl user-checks, I get the
> error:
> 
>       Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
>       Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database

This might be related to Kerberos ticket validation. Please try to add

    krb5_validate = False

to the [domain/...] section of sssd.conf, restart SSSD and try again.

Even if this works it would be good to see the output of

    klist -k

as well to see what can be done to make ticket validation work.

HTH

bye,
Sumit

> 
> I can't see any other pertinent errors in log files, but I'm happy to
> provide more if I know what to send over :-)
> 
> This error does not occur for a user in the development.cseserv.com domain,
> which completes successfully:
> 
>       [...deleted the preamble...]
> 
>       testing pam_authenticate
> 
>       Password:
>       pam_authenticate for user [[email protected]]: Success
> 
>       PAM Environment:
>        - KRB5CCNAME=FILE:/tmp/krb5cc_376801009_vS8U1c
> 
> 
> I've tried various things based on various searches, including creating a
> /etc/krb5.conf file to specify encryption protocols, and after a restart
> this did not change the behaviour:
> 
>       [libdefaults]
>       allow_weak_crypto = true
>       default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>       default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>       rdns=false
>       dns_lookup_kdc = true
> 
> Additionally I've tried explicitly declaring the cseserv domain as a trusted
> domain in sssd.conf (based on
> https://docs.pagure.org/SSSD.sssd/users/ad_provider.html#etc-sssd-sssd-conf),
> and this failed as well:
> 
>       [sssd]
>       domains = development.cseserv.com, cseserv.com
> 
>       {...rest unchanged...}
> 
>       [domain/development.cseserve.com/cseserve.com]
>       ad_server = hs-dc-01.cseserve.com
> 
> 
> What obvious thing am I missing? From what I'm reading, this should work.
> 
> Regards,
> 
> Chris
> 
> ====================================================================
> 
> Sanity checking the domain configuration:
> 
> realm list gives:
> 
>       root@hs-svn-02:/var/log/sssd# realm list
>       development.cseserv.com
>         type: kerberos
>         realm-name: DEVELOPMENT.CSESERV.COM
>         domain-name: development.cseserv.com
>         configured: kerberos-member
>         server-software: active-directory
>         client-software: sssd
>         required-package: sssd-tools
>         required-package: sssd
>         required-package: libnss-sss
>         required-package: libpam-sss
>         required-package: adcli
>         required-package: samba-common-bin
>         login-formats: %[email protected]
>         login-policy: allow-realm-logins
>       root@hs-svn-02:/var/log/sssd#
> 
> sssctl domain-list shows that the parent domain was auto-discovered:
> 
>       root@hs-svn-02:/var/log/sssd# sssctl domain-list
>       development.cseserve.com
>       test.cseserve.com
>       hst.cseserve.com
>       cseserve.com
>       root@hs-svn-02:/var/log/sssd#
> 
> sssctl domain-status development.cseserv.com gives:
> 
>       Online status: Online
> 
>       Active servers:
>       AD Global Catalog: hs-dc-01.development.cseserv.com
>       AD Domain Controller: hs-dc-01.development.cseserv.com
> 
>       Discovered AD Global Catalog servers:
>       - hs-dc-01.development.cseserv.com
>       - hs-dc-02.development.cseserv.com
>       - gsh-dc-04.cseserv.com
>       - gsh-dc-05.cseserv.com
>       - gsh-dc-01.cseserv.com
> 
>       Discovered AD Domain Controller servers:
>       - hs-dc-01.development.cseserv.com
>       - hs-dc-02.development.cseserv.com
> 
> sssctl domain-status cseserv.com gives:
> 
>       root@hs-svn-02:/var/log/sssd# sssctl domain-status cseserv.com
>       Online status: Online
> 
>       Active servers:
>       AD Domain Controller: gsh-dc-04.cseserv.com
>       AD Global Catalog: hs-dc-01.development.cseserv.com
> 
>       Discovered AD Domain Controller servers:
>       - gsh-dc-04.cseserv.com
>       - gsh-dc-01.cseserv.com
>       - gsh-dc-05.cseserv.com
>       - gln-dc-01.cseserv.com
> 
>       Discovered AD Global Catalog servers:
>       - hs-dc-01.development.cseserv.com
>       - hs-dc-02.development.cseserv.com
>       - gsh-dc-04.cseserv.com
>       - gsh-dc-05.cseserv.com
>       - gsh-dc-01.cseserv.com
> 
> My sssd.conf file:
> 
>       [sssd]
>       domains = development.cseserve.com
>       config_file_version = 2
>       services = nss, pam, ifp
>       debug_level = 9
> 
>       [domain/development.cseserve.com]
>       ad_domain = development.cseserve.com
>       krb5_realm = DEVELOPMENT.CSESERVE.COM
>       realmd_tags = manages-system joined-with-adcli
>       cache_credentials = True
>       id_provider = ad
>       krb5_store_password_if_offline = True
>       default_shell = /bin/bash
>       ldap_id_mapping = True
>       use_fully_qualified_names = True
>       fallback_homedir = /home/%u@%d
>       access_provider = ad
> 
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
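Sumit asks for the `klist -k` output because krb5_validate can only work if the host keytab holds an entry that the TGT can be checked against. The following Python script is an added example, not code from the thread or from the SSSD project: it parses `klist -k` output and applies the entry-selection rule that sssd-krb5(5) documents for krb5_validate (the first keytab entry whose realm matches the realm of the user's TGT; if none matches, the last entry in the keytab). The keytab listing, hostname and principal names below are constructed for illustration; the real keytab on hs-svn-02 was not posted.

```python
#!/usr/bin/env python3
"""Inspect `klist -k` output and show which keytab entry SSSD's krb5_validate
would pick for a user from a given Kerberos realm (rule from sssd-krb5(5)).
Added example; keytab contents below are constructed, not from the thread."""
import re
import sys
from collections import defaultdict

# Constructed sample in the MIT `klist -k` format. Hostname and principals are
# assumptions chosen to resemble a host joined to a child AD domain.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HS-SVN-02$@DEVELOPMENT.CSESERVE.COM
   3 host/hs-svn-02.development.cseserve.com@DEVELOPMENT.CSESERVE.COM
   3 host/HS-SVN-02@DEVELOPMENT.CSESERVE.COM
   3 RestrictedKrbHost/hs-svn-02.development.cseserve.com@DEVELOPMENT.CSESERVE.COM
"""

# One keytab entry per line: a numeric KVNO followed by the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist_k(text):
    """Return [(kvno, principal), ...] in keytab order; header, separator and
    blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def principals_by_realm(entries):
    """Group principal names by the realm after the last '@'."""
    by_realm = defaultdict(list)
    for _, princ in entries:
        name, _, realm = princ.rpartition("@")
        by_realm[realm].append(name)
    return dict(by_realm)


def select_validation_principal(entries, user_realm):
    """krb5_validate rule from sssd-krb5(5): first entry whose realm matches
    the user's TGT realm, else the last entry in the keytab (None if empty)."""
    if not entries:
        return None
    for _, princ in entries:
        if princ.rpartition("@")[2] == user_realm:
            return princ
    return entries[-1][1]


def check_validation(text, user_realm):
    """Summarise what validation would use for a user from user_realm."""
    entries = parse_klist_k(text)
    chosen = select_validation_principal(entries, user_realm)
    return {
        "entries": len(entries),
        "realms": sorted(principals_by_realm(entries)),
        "principal": chosen,
        # False means SSSD fell back to the last entry because no keytab
        # realm matched the user's realm (the cross-realm case).
        "realm_matched": chosen is not None
        and chosen.rpartition("@")[2] == user_realm,
    }


if __name__ == "__main__":
    # Usage: klist -k | python3 check_keytab.py CSESERVE.COM
    # With no argument the constructed sample is used for both realms.
    if len(sys.argv) > 1:
        print(check_validation(sys.stdin.read(), sys.argv[1]))
    else:
        for realm in ("DEVELOPMENT.CSESERVE.COM", "CSESERVE.COM"):
            print(realm, check_validation(SAMPLE_KLIST_K, realm))
```

For a user from the joined child realm the first matching entry is used, so validation has a principal of its own realm to check against. For a user from the parent realm no entry matches, so the last keytab entry is used, which is why sssd-krb5(5) suggests placing the entry intended for cross-realm validation last; this is the kind of detail the requested `klist -k` output would settle before krb5_validate is turned back on.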
