Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Valid starting Expires Service principal
renew until 11/13/14 09:57:13
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> Hi All,
> I have a properly functioning integration between RHEL 6.6/CentOS 6.6 and
> Active Directory 2008 using adcli tool and sssd-ad (
> http://jhrozek.livejournal.com/3581.html):
>
> # adcli join acme.example.com -U userdomain
>
> # adcli info acme.example.com
> [domain]
> domain-name = acme.example.com
> domain-short = ACME
> domain-forest = example.com
> domain-controller = dom1.acme.example.com
> domain-controller-site = CENTRAL
> domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> domain-controller-usable = yes
> domain-controllers = dom1.acme.example.com dom2.acme.example.com
> [computer]
> computer-site = CENTRAL
>
> The sssd.conf :
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = ACME.EXAMPLE.COM
> debug_level = 7
>
> [domain/ACME.EXAMPLE.COM]
> krb5_use_enterprise_principal = false
> krb5_realm = ACME.EXAMPLE.COM
> ldap_force_upper_case_realm = true
> ldap_account_expire_policy = ad
> override_homedir = /home/%d/%u
> ldap_id_mapping = true
> subdomain_enumerate = true
> ldap_schema = ad
> ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> ad_enable_gc = false
> ldap_access_order = filter, expire
> enumerate = false
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> subdomains_provider = ad
> chpass_provider = ad
> ad_server = dom1.acme.example.com, dom2.acme.example.com
> ad_domain = acme.example.com
> ad_hostname = client1.acme.example.com
> ad_enable_dns_sites = false
> dyndns_update = false
> debug_level = 7
>
>
> /etc/krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = acme.example.com
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = true
> ignore_acceptor_hostname = true
>
> [realms]
> acme.example.com = {
> kdc = acme.example.com
> admin_server = acme.example.com
> }
>
> [domain_realm]
> .acme.example.com = acme.example.com
> acme.example.com = acme.example.com
> .example.com = acme.example.com
> example.com = acme.example.com
>
> [appdefaults]
> debug = true
>
>
>
> I can log in with user/password from AD to RHEL/Centos, I can change the
> password, lock the account from AD, etc. It all works.
>
>
> The problem is with GSSAPI SSH-SSO authentication. Simply put, it doesn't
> work. I see in the logs:
>
> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.
> Minor code may provide more information\nNo key table entry found matching
> host/client1.acme.example.com@\n
Do you see this message when sshd is starting up or during the
connection of a client?
Which principals are shown by 'klist -k'?
bye,
Sumit
>
>
> Any idea what could be the reason? All I want to achieve is to get SSH-SSO
> working, directly from AD desktop machine to Linux systems without password
> prompt.
>
>
> /lm
> _______________________________________________
> sssd-users mailing list
> sssd-users at lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users