Kodiak,
I think when your DNS domain != your kerberos realm, you have to do this:
/etc/krb5.conf:
[domain_realm]
.whoi.edu = ADWHOI.WHOI.EDU
i.e., this DNS domain (whoi.edu) == this kerberos realm (aka AD domain).
/etc/sssd/sssd.conf:
[sssd]
domains = whoi.edu
...
[domain/whoi.edu]
..
krb5_realm = ADWHOI.WHOI.EDU
...
ad_domain = adwhoi.whoi.edu
I think your adcli join would be something like this:
export KRB5CCNAME="FILE:/tmp/krb5cc_${SVCNAME}"
kinit ${ACCOUNTNAME}
JOINDOMAIN=adwhoi.whoi.edu
adcli join --domain="$JOINDOMAIN" --login-user=${ACCOUNTNAME} \
  --login-ccache="/tmp/krb5cc_$SVCNAME" --service-name='host' \
  --service-name='RestrictedKrbHost' --os-name="$OS_NAME" \
  --os-version="$OS_VERSION_FULL" --domain-ou="$OU_CONTAINER" --show-details \
  --host-keytab=/etc/krb5.keytab --host-fqdn="$FQDN" \
  --user-principal="host/$FQDN@$JOINDOMAIN"
If I've missed a step please advise.
Spike White
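Added example (not from the thread, in Python): a small re-implementation of the [domain_realm] lookup libkrb5 performs, run against a constructed copy of the posted mapping and of the mapping suggested above. It shows that a host named under whoi.edu only gets a realm from the config once the `.whoi.edu` entry exists; the `compare` helper and both config strings are constructed for this example.

```python
"""Resolve a host's realm from krb5.conf [domain_realm] the way libkrb5 does."""
import configparser

# Constructed fragments: the first mirrors the posted krb5.conf, the second
# adds the .whoi.edu mapping suggested in the reply.
ORIGINAL_CONF = """
[domain_realm]
.adwhoi.whoi.edu = ADWHOI.WHOI.EDU
adwhoi.whoi.edu = ADWHOI.WHOI.EDU
"""

PROPOSED_CONF = """
[domain_realm]
.whoi.edu = ADWHOI.WHOI.EDU
whoi.edu = ADWHOI.WHOI.EDU
.adwhoi.whoi.edu = ADWHOI.WHOI.EDU
adwhoi.whoi.edu = ADWHOI.WHOI.EDU
"""


def load_domain_realm(text):
    """Parse the [domain_realm] section into a lowercase-key dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {k.lower(): v.strip() for k, v in cp["domain_realm"].items()}


def realm_for_host(hostname, mapping):
    """Exact hostname first, then each parent domain with a leading dot,
    longest suffix first (MIT krb5's profile-based host-to-realm lookup).
    Returns None when nothing matches; libkrb5 then falls back to realm
    referrals / default_realm rather than an explicitly configured realm."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def compare(hostname):
    """Realm the posted config yields vs. the proposed one, for one host."""
    return (realm_for_host(hostname, load_domain_realm(ORIGINAL_CONF)),
            realm_for_host(hostname, load_domain_realm(PROPOSED_CONF)))


if __name__ == "__main__":
    for h in ("host1.whoi.edu", "host1.adwhoi.whoi.edu"):
        print(h, "->", compare(h))
```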
On Tue, Oct 18, 2022 at 2:39 PM Kodiak Firesmith <[email protected]> wrote:
> Hi Folks,
> I currently have SSSD-AD working exactly as I want it, less one drawback -
> I have to include the AD domain prefix everywhere to get things working.
>
> For example, we are whoi.edu, and in non-AD DNS, all of our hosts are $hostname.whoi.edu.
> We'll call our AD domain 'adwhoi' for this discussion.
>
> To get things working cleanly, Ansible reconfigures each host right
> before the AD join to use the hostname $hostname.adwhoi.whoi.edu instead
> of $hostname.whoi.edu.
>
> Hosts join AD via adcli and set the usual UPN and SPNs. AD-based identity
> and authentication works just fine. GSSAPI auth works fine. Users are
> granted a valid TGT upon login. Root can kinit the host keytab fine.
>
> Deploying a new major release of Linux is always an opportunity to make a
> clean break and fix annoyances like this, so I'd love to know how we can
> get all of the above working, but without having to include the domain
> prefix in our hostnames and in our ssh references.
>
> I've done a fair bit of digging on this while setting up our AD join
> scheme and authoring our Ansible code, but I've never been able to crack
> this issue, so I'd love it if someone could clue me in.
>
> Here's some of the relevant files in case they are helpful:
>
> ===========================================================================================
> /etc/sssd/sssd.conf:
> [sssd]
> domains = adwhoi.whoi.edu
> services = nss, pam
> debug_level = 3
> [domain/adwhoi.whoi.edu]
> krb5_store_password_if_offline = True
> cache_credentials = True
> krb5_realm = ADWHOI.WHOI.EDU
> id_provider = ad
> fallback_homedir = /home/%u
> override_homedir = /home/%u
> default_shell = /bin/bash
> ad_domain = adwhoi.whoi.edu
> use_fully_qualified_names = False
> ldap_id_mapping = False
> access_provider = ad
> ad_gpo_access_control = disabled
> ad_server = jimbob.adwhoi.whoi.edu,cleetus.adwhoi.whoi.edu
> ad_backup_server = jedidiah.adwhoi.whoi.edu
> ad_maximum_machine_account_password_age = 0
> ldap_referrals = False
> ===========================================================================
> /etc/krb5.conf
> [libdefaults]
> default_realm = ADWHOI.WHOI.EDU
> rdns = False
> dns_canonicalize_hostname = False
>
> # The following krb5.conf variables are only for MIT Kerberos.
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> fcc-mit-ticketflags = true
>
> [realms]
> ADWHOI.WHOI.EDU = {
> kdc = jimbob.adwhoi.whoi.edu
> kdc = cleetus.adwhoi.whoi.edu
> kdc = jedidiah.adwhoi.whoi.edu
>
> admin_server = jimbob.adwhoi.whoi.edu
> default_domain = adwhoi.whoi.edu
> }
>
> [domain_realm]
> .adwhoi.whoi.edu = ADWHOI.WHOI.EDU
> adwhoi.whoi.edu = ADWHOI.WHOI.EDU
> ===========================================================================
> Example keytab:
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 [email protected] (arcfour-hmac)
> 2 [email protected] (aes128-cts-hmac-sha1-96)
> 2 [email protected] (aes256-cts-hmac-sha1-96)
> 2 host/[email protected] (arcfour-hmac)
> 2 host/[email protected] (aes128-cts-hmac-sha1-96)
> 2 host/[email protected] (aes256-cts-hmac-sha1-96)
> 2 host/[email protected] (arcfour-hmac)
> 2 host/[email protected] (aes128-cts-hmac-sha1-96)
> 2 host/[email protected] (aes256-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/[email protected] (arcfour-hmac)
> 2 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/[email protected] (arcfour-hmac)
> 2 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
> 2 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
> ==========================================================================
>
> Thanks!
> - Kodiak Firesmith
>
> Sent with Proton Mail <https://proton.me/> secure email.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>