file provider with multiple kerberos realms
by Techie
Main goal is to authenticate against multiple Kerberos Realms, AD domains
without joining the Linux box to AD.
We have an AD forest with 2 trusted domains and as a result 2 kerberos
realms, 1 per domain. On RHEL5,6,7 I used pam_krb5 for authentication and
passwd/group files for the user store. This allowed me to authenticate
against AD for users in the passwd file that match the KBR5 principal. In
system-auth/password-auth I would stack pam entries for each KRB5 REALM
Parent: EXAMPLE.COM
Domain1: ADA.EXAMPLE.COM
Domain2:ADB.EXAMPLE.COM
passwd user: joe_doe
krb5 principal: joe_doe(a)ADA.EXAMPLE.COM
passwd user: joe_blow
krb5 principal: joe_blow(a)ADB.EXAMPLE.COM
system-auth
auth sufficient pam_krb5.so realm=ADA.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so realm=ADB.EXAMPLE.COM use_first_pass
In this case either joe_doe or joe_blow can log in via AD credentials and
pam would iterate through the stacked pam_krb5 entries to locate the
matching krb5 principal
I am trying to replicate this on redhat enterprise linux 8. I am aware
pam_krb5 is not an option and that sssd is the default for this use case.
What I cannot figure out is how to authenticate against multiple Domains in
SSSD. If I define 1 domain in sssd.conf with id_provider = files. I can
authenticate fine against the single domain/kerberos5 realm.
If I add multiple domains, sssd does not iterate through them, it fails if
it does not find the user in the first domain.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ADA.EXAMPLE.COM,ADB.EXAMPLE.COM
[pam]
#pam_local_domains = all
[domain/ADA.EXAMPLE.COM]
id_provider = files
auth_provider=krb5
krb5_server = adadc.ada.example.com
krb5_kpasswd = adadc.ada.example.com
krb5_realm = ADA.EXAMPLE.COM
dns_discovery_domain =ADA.EXAMPLE.COM
krb5_validate = false
[domain/ADB.EXAMPLE.COM
id_provider = files
auth_provider=krb5
krb5_server = adbdc.adb.example.com
krb5_kpasswd = adbdc.adb.example.com
krb5_realm =ADB.EXAMPLE.COM
dns_discovery_domain = ADB.EXAMPLE.COM
krb5_validate = false
Is what I am attempting possible without joining AD and using the provider
of AD? I would like to avoid this at all costs.
Thanks
1 month, 1 week
sssd-krb5, krb5_ccachedir, DIR-cache-store...
by Jostein Fossheim
We are working with several kerberos-REALMS and are trying to get our clients to store their kerberos tickets in a DIRECTORY. This seems to work nicely for clients not authenticating at login, with the following configuration set in /etc/krb5.conf.
...
[libdefaults]
...
default_ccache_name = DIR:/tmp/krb5cc_%{uid}
...
user@server:~$ klist
Ticket cache: DIR::/tmp/krb5cc_888/tkt
Default principal: user@REALM
Valid starting Expires Service principal
09/22/19 17:35:50 09/23/19 17:35:48 krbtgt/user@REALM
Each ticket is stored in a separate file.
For clients using sssd for login, I want to set up the same behavior. But when I attempt to login the system creates an "/tmp/krb5cc_${UiD}" - but here the directory don't get the excutable bit set (that is the directory get 0600-permission), and the login fails.
In the man-page from Debian-buster (sssd-version: 1.16.3), there are to settings that seems to regulate this behaviour :
krb5_ccachedir (string)
Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700.
Default: /tmp
krb5_ccname_template (string)
Location of the user's credential cache. Three credential cache types are currently supported: "FILE", "DIR" and "KEYRING:persistent". The cache can be specified either as TYPE:RESIDUAL, or as an absolute path, which implies the "FILE" type. In the template, the following sequences are substituted:
[...]
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
When using KEYRING types, the only supported mechanism is "KEYRING:persistent:%U", which uses the Linux kernel keyring to store credentials on a per-UID basis. This is also the recommended choice, as it is the most secure and predictable method.
The default value for the credential cache name is sourced from the profile stored in the system wide krb5.conf configuration file in the [libdefaults] section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional information on the expansion format defined by krb5.conf.
NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf(5) uses different expansion sequences than SSSD.
Default: (from libkrb5)
...
I have tried to both set and unset, the two parameters in question like this:
krb5_ccachedir = /tmp/krb5cc_%U
krb5_ccname_template = DIR: %d
krb5_ccname_template = DIR:%d/krb5cc_%U_XXXXXX
But the configuration-options seems to be ignored, no matter what I do, and I have the same behavior: A non-executable directory is created and the user is unable to login.
If I set the +x bit on the directory manually as the root-user, everything works.
1 month, 1 week
sssd with samba
by Edouard Guigné
Dear sssd users,
I would like to get informations about the use of sssd with samba
(centos 7, samba 4.8.3).
I need it because I configured a samba share, accessible with sssd.
The authentication is against a windows AD.
My /etc/nsswitch.cnf is configured only with sssd :
/passwd: files sss//
//shadow: files sss//
//group: files sss/
For an other purpose, I set an sftpd access also configured with sssd
against the AD.
I followed some discussions on the samba user list about samba + sssd.
I would like to understand if there are some issues with sssd and samba
4.8.3 on centos 7 ?
Or is it with next RHEL 8 ?
/The RHEL 8 documentation states this: //
////
//"Red Hat only supports running Samba as a server with the winbindd //
//service to provide domain users and groups to the local system. Due to //
//certain limitations, such as missing Windows access control list (ACL) //
//support and NT LAN Manager (NTLM) fallback, SSSD is not supported." //
////
//https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers////
////
//What's confusing is that the RHEL 7 documentation says: //
////
//"Prior to Red Hat Enterprise Linux 7.1, only Winbind provided this //
//functionality. In Red Hat Enterprise Linux 7.1 and later, you no longer //
//need to run Winbind and SSSD in parallel to access SMB shares. For //
//example, accessing the Access Control Lists (ACLs) no longer requires //
//Winbind on SSSD clients." //
////
//and //
////
//"4.2.2. Determining Whether to Use SSSD or Winbind for SMB Shares //
//For most SSSD clients, using SSSD is recommended:" //
////
//and most worrisome, in my use case: //
////
//"In environments with direct Active Directory integration where the //
//clients use SSSD for general Active Directory user mappings, using //
//Winbind for the SMB ID mapping instead of SSSD can result in //
//inconsistent mapping."
/
In my case, running samba 4.8.3 with SSSD on centos 7 do I need to :
- enable and start winbind service , in conjunction to sssd ?
- or only sssd is enough with samba ?
- Do I have to fear issues in next release of sssd for the support of
samba ? especially for acls support ?/
/
A nsswitch.conf like :
passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind
or
passwd: files winbind sss
shadow: files winbind sss
group: files winbind sss
Does not seem to work... I test and this is not stable.
Best Regards,
Edouard
2 months, 1 week
Migrating to new LDAP server in sssd.conf
by Vjay
Hi Friends,
As a security requirement, we have to migrate LDAP servers from one active directory domain to other active directory domain. Old active directory LDAP servers are providing unix attributes for linux servers(centos 7) while new active directory LDAP servers don't so we have to migrate unix attribute management to sssd, which will change userid and groupid of all users.
Does SSSD provide feature to keep / store userid and groupid from old domain of users so we don't have change file ownership on linux server side for the files owned by active directory users?
Regards,
Vjay
5 months, 3 weeks
Re: [External] - Re: How to authenticate machine with Kerberos to Active Directory?
by Spike White
Wes,
In addition, make sure all your DNS entries are correct. Forward and
reverse.
Cannot find host in Kerberos database can arise from:
1. missing entry in your /etc/krb5.conf file (James spoke to this
clearly)
2. missing machine account in AD, (unlikely, because your AD
join succeeded)
3. missing DNS entries or
4. not able to determine your AD domain (kerberos realm) from your DNS
domain. (unlikely, because your AD join succeeded).
Spike
On Thu, Jul 30, 2020 at 11:18 AM Wesley Taylor <wesley.taylor(a)numerica.us>
wrote:
> Sorry I asked this question in the wrong place, but thank you for the
> awesome
> answer James!
>
>
> Public Content
>
> -----Original Message-----
> From: James Ralston <ralston(a)pobox.com>
> Sent: Wednesday, July 29, 2020 11:05 PM
> To: End-user discussions about the System Security Services Daemon
> <sssd-users(a)lists.fedorahosted.org>
> Subject: [External] - [SSSD-users] Re: How to authenticate machine with
> Kerberos to Active Directory?
>
> CAUTION: This email originated from outside of the organization. Do not
> click
> links or open attachments unless you recognize the sender and know the
> content
> is safe.
>
>
> On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor <wesley.taylor(a)numerica.us>
> wrote:
>
> > I have a program I am trying to set up which tries to authenticate
> > with the principal host\machine-FQDN@REALM using Kerberos.
> >
> > However, when I run kinit -k, the machine isn't found in the Kerberos
> > database.
>
> "kinit -k" (with no arguments) defaults to attempting to obtain a TGT for
> (e.g.) host/mymachine.example.org(a)EXAMPLE.ORG, which only works if you
> set
> userPrincipalName to host/mymachine.example.org(a)EXAMPLE.ORG
> when you joined the host to Active Directory.
>
> Running "kinit -k MYMACHINE\$" (that is, using the value of the
> sAMAccountName
> attribute as the argument to "kinit -k") should always work.
>
> > From what I have read, SSSD is responsible for being the glue between
> > MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active
> > Directory uses).
>
> This has nothing to do with sssd; it's all about setting userPrincipalName
> correctly when you join the host to AD if you want "kinit -k" (with no
> arguments) to work.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To
> unsubscribe
> send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Fdocs.f...
> List Guidelines:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Ffedora...
> List Archives:
>
> https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Flists....
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
6 months
offline auth and system upgrades
by xcorvis@gmail.com
I've been using sssd + AD to do auth for a few years now. Offline authentication is enabled and works normally. In that time I've upgraded my Ubuntu laptop several times, and each time I noticed that after the update, I cannot log in unless I'm on the corp network with direct access to AD. That hasn't really been a problem until now. I'm working from home over vpn all the time and don't have to option of going in to get on the corp network.
I know the workaround is to use a local account, get on the VPN, authenticate with my AD account and populate the cache, but IT doesn't like me creating local users and it's a pain. I haven't tried the latest update yet (19.10 -> 20.04, sssd currently 2.2.0).
Since something in the upgrade process is presumably destroying the cache, I was wondering if there's a "nice" way around this? Ubuntu upgrades for sssd seem like they're just upgrading sssd via apt, so I'm wondering why these major updates seem to operate differently from minor ones, and if that's intentional.
Thanks!
6 months
Re: How to authenticate machine with Kerberos to Active Directory?
by James Ralston
On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor <wesley.taylor(a)numerica.us> wrote:
> I have a program I am trying to set up which tries to authenticate
> with the principal host\machine-FQDN@REALM using Kerberos.
>
> However, when I run kinit -k, the machine isn't found in the Kerberos
> database.
"kinit -k" (with no arguments) defaults to attempting to obtain a TGT
for (e.g.) host/mymachine.example.org(a)EXAMPLE.ORG, which only works if
you set userPrincipalName to host/mymachine.example.org(a)EXAMPLE.ORG
when you joined the host to Active Directory.
Running "kinit -k MYMACHINE\$" (that is, using the value of the
sAMAccountName attribute as the argument to "kinit -k") should always
work.
> From what I have read, SSSD is responsible for being the glue
> between MIT Kerberos (what Linux uses) and Microsoft Kerberos (which
> Active Directory uses).
This has nothing to do with sssd; it's all about setting
userPrincipalName correctly when you join the host to AD if you want
"kinit -k" (with no arguments) to work.
6 months
How to authenticate machine with Kerberos to Active Directory?
by Wesley Taylor
Hello,
I have a program I am trying to set up which tries to authenticate with the
principal host\machine-FQDN@REALM using Kerberos.
However, when I run kinit -k, the machine isn't found in the Kerberos
database.
The reason I think this question belongs here is I used realm join to
configure Kerberos, SSSD, and PAM automagically to work with an Active
Directory based domain controller. All my domain user accounts are able to
get tickets just fine, but the default Kerberos keytab cannot. From what I
have read, SSSD is responsible for being the glue between MIT Kerberos (what
Linux uses) and Microsoft Kerberos (which Active Directory uses).
I am just scratching my head here on how I can get access to the principal
used by the machine itself to get Kerberos tickets. Is there a good way to
go about this? Is SSSD responsible for this information, or is my domain
controller configured incorrectly for this kind of setup?
Thank you,
Wes
Public Content
6 months
Does sssd use initgroups?
by Spike White
All,
sssd front-end, AD back-end. Does sssd use initgroups to use initial
group membership?
I was recently debugging a sssd connection problem in the
/var/log/sssd/sssd* logs (debug level 9). and I thought I saw a reference
to initgroups. or getgrouplist().
my /etc/nsswitch.conf file has:
passwd: files systemd sss
group: files systemd sss
Should I also have a line with:
initgroups: files systemd sss
Spike White
6 months
id_provider=ldap with auth_provider=proxy
by Jonathon Anderson
I'm working a RHEL7.6 case (02704264, if that's useful to anyone)
where the tech is claiming that our domain setup of id_provider=ldap
with auth_provider=proxy doesn't work. This is counter to our past and
current experience, but I'm afraid of this being a red herring that
will block us from troubleshooting the hanging issue we're
experiencing.
The tech is citing table 7.1 at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...,
which lists "Available Combinations of Identity and Authentication
Providers" and, since this combination isn't listed, they're saying
this combination doesn't work.
We use auth_provider=proxy to dispatch auth through a Duo authentication proxy.
Can someone confirm whether there's any reason this shouldn't work?
Again, it *does* work, but we're experiencing a failure mode where
sssd becomes unresponsive after some time or event, as yet
undetermined.
Thanks for your help.
~jonathon
6 months