The Direct Integration between SSSD and Active Directory, Access Control via GPO, logon to server failed uncertain
by 程 波
Hi Expert,
1. Environment
* Windows Server 2012 R2 Active Directory.
* sudoRule schema extended
* CentOS 7.3 (1611) Client, joined to domain by using realm
* selinux -> permissive
2. Configuration file
* sssd.conf
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, sudo
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_access_control = enforcing
* smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
* nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
3. Problem description
* after joining CentOS 7 to the Active Directory domain, a domain user's logon to the machine via ssh is not stable.
* /var/log/secure shows:
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)
Jul 10 17:37:47 MyIssueMachine sshd[42400]: Failed password for MyUser@mydomain.com from 192.168.150.15 port 51594 ssh2
Jul 10 17:37:47 MyIssueMachine sshd[42400]: fatal: Access denied for user MyUser@mydomain.com by PAM account configuration [preauth]
* /var/log/sssd/sssd_pam.log shows:
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 30
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_close_fn] (0x2000): Terminated client [0x7fe3abac60a0][23]
Thanks in advance!
6 years, 8 months
Users cannot authenticate. sss_send_pac failed group membership issues.
by Abhijit Tikekar
> Hi,
>
> We are having some trouble authenticating users via SSSD. Server has an established JOIN with the DC and we are able to use “id” and “getent passwd” without any issues. But authentication fails with the following messages:
>
> Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhost.x.y.local user=first.last
> Jul 12 08:38:19 hostname sshd[25967]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
> Jul 12 08:38:21 hostname sshd[25963]: error: PAM: Permission denied for first.last from rhost.x.y.local
>
>
> Under krb5_child.log, we see the following even though the user is a member of one of the groups added under “ad_access_filter”
>
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@COMPANY.COM@X.Y.LOCAL] might not be correct.
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_child_krb5_trace_cb] (0x4000): [25625] 1499864410.696457: Destroying ccache MEMORY:rd_req2
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_233006683_XXXXXX]
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
> (Wed Jul 12 08:00:10 2017) [[sssd[krb5_child[25625]]]] [k5c_send_data] (0x0200): Received error code 1432158209
>
>
> [root@hostname sssd]# net ads testjoin
> Join is OK
> [root@hostname sssd]# net ads info
> LDAP server: X.X.90.128
> LDAP server name: AD-Server.x.y.local
> Realm: X.Y.LOCAL
> Bind Path: dc=X,dc=Y,dc=LOCAL
> LDAP port: 389
> Server time: Wed, 12 Jul 2017 09:03:08 CDT
> KDC server: X.X.90.128
> Server time offset: 0
> Last machine account password change: Wed, 12 Jul 2017 07:41:59 CDT
>
>
> SSSD Configuration:
>
> [sssd]
> domains = X.Y.LOCAL
> services = nss, pam, sudo
> config_file_version = 2
> debug_level = 0
> [nss]
> [pam]
> [sudo]
> debug_level=2
> [domain/x.y.local]
> debug_level=2
> ad_server = AD-Server.x.y.local
> auth_provider = ad
> access_provider = ad
> ldap_id_mapping = true
> ldap_use_tokengroups = true
> krb5_realm = X.Y.LOCAL
> ldap_access_order = filter, expire
> ldap_account_expire_policy = ad
>
> ad_access_filter = …….
>
> cache_credentials = true
> override_homedir = /home/%d/%u
> default_shell = /bin/bash
> ldap_schema = ad
>
> Attached are sssd_x.y.local, krb5_child.log & ldap_child.log (level 10)
>
> Also tried with ad_gpo_access_control = permissive & access_provider = permit but that didn’t allow auth either.
>
> Any suggestions are highly appreciated.
>
> Thanks in advance,
>
> ~ Abhi
6 years, 8 months
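Both threads above end in pam_sss reporting "4 (System error)", but at different PAM stages: in the first the auth stage succeeds and the account stage (the ad access provider, with GPO enforcement) fails; in the second the auth stage itself fails, which points at the Kerberos path in krb5_child.log. The following added Python example (not code from either poster or from the SSSD project) groups the pam_sss lines from /var/log/secure per sshd session and names the stage that rejected the login; the host names and sample lines are constructed from the logs quoted in the two posts.

```python
import re
from collections import defaultdict

# pam_sss lines that sshd writes to /var/log/secure; one session per sshd pid.
PAM_SSS = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<stage>auth|account)\): "
    r"(?P<msg>.*?)(?:\s+user=(?P<u1>\S+)|for user (?P<u2>[^:]+))"
    r"(?::\s*(?P<code>\d+) \((?P<text>[^)]*)\))?"
)
# PAM return codes pam_sss reports: 4 = PAM_SYSTEM_ERR (the SSSD backend
# failed to answer), 6 = PAM_PERM_DENIED (the access policy refused the user).
PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_PERM_DENIED = 0, 4, 6


def parse_pam_sss(lines):
    """Group results per sshd session: {pid: {"user", "auth", "account"}}.
    'authentication success' carries no code and is stored as 0; a failure
    stays None until the 'received for user X: N (...)' line gives the code."""
    sessions = defaultdict(lambda: {"user": None, "auth": None, "account": None})
    for line in lines:
        m = PAM_SSS.search(line)
        if m is None:
            continue
        sess = sessions[m["pid"]]
        sess["user"] = m["u1"] or m["u2"].strip()
        if m["code"] is not None:
            sess[m["stage"]] = int(m["code"])
        elif "authentication success" in m["msg"]:
            sess["auth"] = PAM_SUCCESS
    return dict(sessions)


def diagnose(sess):
    """Name the PAM stage that rejected the login and why. The auth stage is
    the Kerberos path (krb5_child.log); the account stage is the access
    provider (access_provider = ad, ad_gpo_access_control, ad_access_filter)."""
    if sess["auth"] != PAM_SUCCESS:
        return "auth", "backend-error" if sess["auth"] == PAM_SYSTEM_ERR else "auth-failed"
    code = sess["account"]
    if code in (None, PAM_SUCCESS):
        return "none", "allowed"
    return "account", {PAM_SYSTEM_ERR: "backend-error", PAM_PERM_DENIED: "policy-denied"}.get(code, "code-%d" % code)


# Constructed sample: the two failures from the posts above, one session each.
SAMPLE = [
    "Jul 10 17:37:47 host1 sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com",
    "Jul 10 17:37:47 host1 sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)",
    "Jul 12 08:38:19 host2 sshd[25967]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhost.x.y.local user=first.last",
    "Jul 12 08:38:19 host2 sshd[25967]: pam_sss(sshd:auth): received for user first.last: 4 (System error)",
]
```

Run `parse_pam_sss` over the lines of /var/log/secure and feed each session to `diagnose`; a "backend-error" verdict means SSSD could not decide rather than that the user was refused, so the next file to read is the one the stage points at, not the password.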
1.15.3/1.16 release timeframe?
by Lachlan Musicman
Hi all,
I noticed a while ago that 1.15.3 was versioned in the repo but I've not
seen anything released? I'm mostly looking on the COPR
(https://pagure.io/SSSD/sssd/c/012ee7c3fe24a5e75d9b0465268c1bb8187b8337?br...)
This is purely selfish - I love all that you do, and I'm aware that there
has been some fairly comprehensive infrastructural change.
I'm just waiting on that one fix and have no roadmap visibility :)
cheers
L.
------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
6 years, 8 months
Expected one user entry and got 2
by TomK
Hey All,
We're receiving the following message on an older installation of SSSD
and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and
got 2" be thrown and if it's fixed in higher SSSD versions.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
6 years, 8 months
Received error from KDC: -1765328378/Client not found in Kerberos database
by TomK
Hey All,
We are connecting a set of servers directly with AD. The AD computer
object is created for the host and is associated to a service account.
This service account works well with other hosts on the same domain.
Since this is a direct SSSD to AD setup, we are using adcli to establish
a connection to AD.
adcli populates a /etc/krb5.keytab file with a number of entries including:
* Added the entries to the keytab:
host/longhostname-host01.xyz.abc.com@COMPANY.COM: FILE:/etc/krb5.keytab
and runs successfully, without errors, to completion. However when
starting up sssd, we see the following in the log files:
.
.
[[sssd[ldap_child[11774]]]] [main] (0x0400): ldap_child started.
[[sssd[ldap_child[11774]]]] [main] (0x2000): context initialized
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): total buffer size: 71
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): realm_str size: 12
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got realm_str: COMPANY.COM
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): princ_str size: 35
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got princ_str: host/longhostname-host01.xyz.abc.co
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): keytab_name size: 0
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): lifetime: 86400
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x0200): Will run as [0][0].
[[sssd[ldap_child[11774]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized
[[sssd[ldap_child[11774]]]] [main] (0x2000): Kerberos context initialized
[[sssd[ldap_child[11774]]]] [become_user] (0x0200): Trying to become user [0][0].
[[sssd[ldap_child[11774]]]] [become_user] (0x0200): Already user [0].
[[sssd[ldap_child[11774]]]] [main] (0x2000): Running as [0][0].
[[sssd[ldap_child[11774]]]] [main] (0x2000): getting TGT sync
got princ_str: host/longhostname-host01.xyz.abc.com@COMPANY.COM
.
.
Principal name is: [host/longhostname-host01.xyz.abc.com@COMPANY.COM]
.
.
followed by:
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.219837: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes128-cts, aes256-cts
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.219898: Sending request (224 bytes) to COMPANY.COM
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.220151: Initiating TCP connection to stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.222555: Sending TCP request to stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.226128: Received answer from stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.226205: Response was from master KDC
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.226238: Received error from KDC: -1765328378/Client not found in Kerberos database
Verified that the krb5.keytab has the principal and it matches exactly.
The OS is RHEL 6.7. Wondering if anyone ran into this and what could be
some of the problems that could be causing this? Do we need something
extra to be done on the AD side besides creating the computer object?
We'd take it from there to dig further since I realize I can't provide
all the details without first editing things out as I did above.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
6 years, 8 months
Centos 7 - RHEL Support
by Rodrigo M
Hi! Does anyone use SSSD 1.15 in RHEL 7?
I was looking for the package for RHEL 7 or CentOS 7 to be tested but I can't find them.
And I notice that the build instructions are not available in the Pagure docs.
From the RHEL repositories I get only the 1.14 version.
Thanks in advance!
Rodrigo
6 years, 8 months