On Mon, Apr 16, 2018 at 04:28:59PM -0400, James Ralston wrote:
> Has anyone figured out how to make sssd utilize a Microsoft read-only
> Domain Controller (RODC)?
>
> The host we want to join to AD is already behind the RODC. So, we are
> trying to "join" the host to the RODC by pre-creating a computer
> account object in AD (via a RWDC), then exporting a Kerberos keytab
> file to install on the client host.
>
> On the client host, in the /etc/krb5.conf file, we have overridden the
> "kdc" setting for our domain, pointing it to the RODC. In
> /etc/sssd/sssd.conf, we have set "ad_server" for our domain, pointing
> it to the RODC. Using the exported keytab file, we can run "kinit -k"
> successfully.
>
> But no matter how we create the computer account object, or how we
> export the Kerberos keytab, sssd cannot use the resulting keytab file
> to authenticate to the RODC: when sssd sends the AS-REQ, the RODC
> always replies with KRB5KDC_ERR_PREAUTH_FAILED.
>
> I'm beginning to suspect that sssd just doesn't work with RODCs: if
> "kinit -k" can successfully authenticate and acquire a service
> principal using the keytab file we exported to the client from the
> RWDC, then why can't sssd successfully use it?
If 'kinit -k' works, SSSD should work as well. Can you send the SSSD
logs with debug_level=9? The most important would be the domain log and the
ldap_child.log files.
For comparison it would be good to see the output of
KRB5_TRACE=/dev/stdout kinit -k ....
as well.
bye,
Sumit
>
> Can anyone confirm that you have sssd successfully speaking to a
> Microsoft RODC?
>
> If so, did you join the client host to a RWDC and then move it behind
> the RODC? Or did you pre-create the machine account on the RWDC and
> export the Kerberos keytab to the client? If the latter, do you have
> the exact net/admod/ktpass commands you used to pre-create the
> computer account and export the keytab in a way that is compatible
> with sssd?
>
> Thanks in advance for any pointers or advice!
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
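As an added example (not part of the thread or of SSSD), a small Python helper for the comparison Sumit asks for: it parses the output of `KRB5_TRACE=/dev/stdout kinit -k` and reports which KDC answered, which keytab enctypes were offered, and the KDC error codes, so the working kinit run can be set beside the failing sssd one. The trace lines, realm and RODC address are constructed.

```python
import re

# Constructed sample of what `KRB5_TRACE=/dev/stdout kinit -k` prints for an
# AS-REQ that ends in PREAUTH_FAILED (addresses, realm and PID are made up).
SAMPLE_TRACE = """\
[2893] 1523912345.100001: Getting initial credentials for host/client.example.com@EXAMPLE.COM
[2893] 1523912345.100002: Looked up etypes in keytab: aes256-cts, aes128-cts
[2893] 1523912345.100003: Sending unauthenticated request
[2893] 1523912345.100004: Sending request (210 bytes) to EXAMPLE.COM
[2893] 1523912345.100005: Resolving hostname rodc.example.com
[2893] 1523912345.100006: Sending initial UDP request to dgram 10.0.0.5:88
[2893] 1523912345.100007: Received answer (297 bytes) from dgram 10.0.0.5:88
[2893] 1523912345.100008: Received error from KDC: -1765328359/Additional pre-authentication required
[2893] 1523912345.100009: Sending request (320 bytes) to EXAMPLE.COM
[2893] 1523912345.100010: Sending initial UDP request to dgram 10.0.0.5:88
[2893] 1523912345.100011: Received answer (150 bytes) from dgram 10.0.0.5:88
[2893] 1523912345.100012: Received error from KDC: -1765328360/Preauthentication failed
"""

KDC_RE = re.compile(r"Received answer .* from (?:dgram|stream) ([\d.]+):(\d+)")
ETYPE_RE = re.compile(r"Looked up etypes in keytab: (.+)")
ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.+)")

def summarize_trace(trace: str) -> dict:
    """Collect the KDCs that answered, the keytab enctypes and every KDC error."""
    kdcs, etypes, errors = [], [], []
    for line in trace.splitlines():
        if m := KDC_RE.search(line):
            host = f"{m.group(1)}:{m.group(2)}"
            if host not in kdcs:
                kdcs.append(host)
        elif m := ETYPE_RE.search(line):
            etypes = [e.strip() for e in m.group(1).split(",")]
        elif m := ERR_RE.search(line):
            errors.append((int(m.group(1)), m.group(2).strip()))
    return {"kdcs": kdcs, "keytab_etypes": etypes, "errors": errors}

def answered_by_expected_kdc(summary: dict, expected_host: str) -> bool:
    """True if every answer came from the host krb5.conf 'kdc' / sssd.conf 'ad_server' point at."""
    return bool(summary["kdcs"]) and all(k.startswith(expected_host + ":") for k in summary["kdcs"])

def final_kdc_error(summary: dict):
    """Last KDC error; -1765328359 (PREAUTH_REQUIRED) is the normal first reply,
    -1765328360 (PREAUTH_FAILED) is the failure described in the thread."""
    return summary["errors"][-1] if summary["errors"] else None
```

Run the same helper over the trace from the host where kinit succeeds and over the sssd domain log's KDC lines; a different answering KDC or a different enctype list between the two runs is the first thing to chase.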