Hello!
We are trying to join a RHEL8.4-server to our Active Directory with the realm name ourlab.se.
Our first attempt was to follow the RedHat-guide (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#discovering-and-joining-an-ad-domain-using-sssd_connecting-directly-to-ad)
to join RHEL8.4 to an AD, also covering the installation and configuration of SSSD and the machine seem to have got joined to the AD (the computer account appears and both adcli info ourlab.se as well as the id
USERNAME@ourlab.se commands return valid lookup-results from the Active Directory)… The TGT also seems to be fetched successfully.
However, we cannot log on to the system with any AD-account and /var/log/sssd/krb5_child.log contains the errors below (please view the attached log-files for a complete log-listing), hitting
the critical failure (SSSDBG_CRIT_FAILURE), emitting the internal error “[111][Connection refused]” already at the call to the function krb5_cc_cache_match(), called from the function create_ccache():
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_send_pac] (0x0080): failed to contact PAC responder
(2021-11-18 11:02:16): [krb5_child[3585]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [aron.kelemen\@OURLAB.SE@OURLAB.SE] might not be correct.
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_child_krb5_trace_cb] (0x4000): [3585] 1637229736.192904: Destroying ccache MEMORY:rd_req2
(2021-11-18 11:02:16): [krb5_child[3585]] [get_and_save_tgt] (0x2000): Running as [285279201][285200513].
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KCM:]
(2021-11-18 11:02:16): [krb5_child[3585]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [111][Connection refused]
(2021-11-18 11:02:16): [krb5_child[3585]] [create_ccache] (0x0020): 1000: [111][Connection refused]
(2021-11-18 11:02:16): [krb5_child[3585]] [map_krb5_error] (0x0020): 1853: [111][Connection refused]
(2021-11-18 11:02:16): [krb5_child[3585]] [k5c_send_data] (0x0200): Received error code 1432158209
(2021-11-18 11:02:16): [krb5_child[3585]] [pack_response_packet] (0x2000): response packet size: [20]
(2021-11-18 11:02:16): [krb5_child[3585]] [k5c_send_data] (0x4000): Response sent.
(2021-11-18 11:02:16): [krb5_child[3585]] [main] (0x0400): krb5_child completed successfully
Interestingly, the following lines appeared in /var/log/secure when performing the logon-attempt above (with the AD-user kelaro):
Nov 18 13:12:50 test0003 sshd[4183]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.17.111.92 user=kelaro
Nov 18 13:12:50 test0003 sshd[4183]: pam_sss(sshd:auth): received for user kelaro: 4 (System error)
Nov 18 13:12:52 test0003 sshd[4183]: Failed password for kelaro from 172.17.111.92 port 54138 ssh2
/etc/sssd/sssd.conf contains the following settings:
[sssd]
domains = ourlab.se
config_file_version = 2
services = nss, pam
default_domain_suffix = ourlab.se
[domain/ourlab.se]
ad_domain = ourlab.se
krb5_realm = OURLAB.SE
debug_level = 10
ad_server = STLBYDCVPLV003.ourlab.se
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
ad_hostname = test0003.ourlab.se
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
We have also tried to:
1. Set krb5_validate to false as well as setting the default_ccache_name = FILE:/tmp/krb5cc_:%{uid} but none of these changes helped either.
2. Set the system crypto-policy from DEFAULT to DEFAULT:AD-SUPPORT (update-crypto-policies --set DEFAULT:AD-SUPPORT) did not help either.
3. Remove the host from the realm (realm leave), deleted it’s computer account from the Active Directory and tried to set it’s hostname as FDQN (hostnamectl set-hostname test0003.ourlab.se) and
then re-joined it again (realm join), but still with the same results…
4. Apply the realm permit --realm=ourlab.se --all command, but we could still not log in with our user (kelaro@ourlab.se). User principal for
kelaro@ourlab.se is aron.kelemen\@OURLAB.SE@OURLAB.SE.
5. Set realmd_tags to “manages-system joined-with-adcli”, but the problem still remained
6. Follow several other similar tutorials (for example
https://www.redhat.com/sysadmin/linux-active-directory) to join the host to the AD, however all of them resulted in the same error described here.
The following SSSD and KRB5 package-versions are installed on the host:
sssd-client-2.5.2-2.el8_5.1.x86_64
sssd-krb5-2.5.2-2.el8_5.1.x86_64
sssd-2.5.2-2.el8_5.1.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.2.x86_64
sssd-common-2.5.2-2.el8_5.1.x86_64
sssd-ldap-2.5.2-2.el8_5.1.x86_64
sssd-proxy-2.5.2-2.el8_5.1.x86_64
sssd-ipa-2.5.2-2.el8_5.1.x86_64
sssd-kcm-2.5.2-2.el8_5.1.x86_64
sssd-tools-2.5.2-2.el8_5.1.x86_64
sssd-krb5-common-2.5.2-2.el8_5.1.x86_64
sssd-common-pac-2.5.2-2.el8_5.1.x86_64
sssd-ad-2.5.2-2.el8_5.1.x86_64
sssd-dbus-2.5.2-2.el8_5.1.x86_64
krb5-libs-1.18.2-8.3.el8_4.x86_64
I have also attached the krb5_child.log and ldap_child.log (created with log-level 0x3ff0) after my latest logon-attempt (as the user kelaro).
Any help/tips about:
…would be greatly appreciated!
Med Vänliga Hälsningar / Best Regards
Áron Kelemen Szabó
IT Data Center Administrator / Linux Engineer
aron.kelemen@stralfors.se
PostNord Strålfors AB