Hello,
I was told by a user on linuxquestions.org to try this list for help.
So we've been trying to get SSSD working with AD on RHEL 6 for about a week
now. We've been trying to follow
http://www.redhat.com/resourcelibrary/reference-architectures/integrating...
As 1.8.0-32 is part of the latest install of RHEL 6, that's the version we
need to use.
We can get configuration number 6.4 (Kerberos/LDAP) working just fine and SSH
with that, but we want option 6.3 (SSSD/Kerberos/LDAP) for the caching
features.
When the 6.3 option is enabled, we can do an ldapsearch just fine with
ldapsearch -Y GSSAPI -N "(sAMAccountName=username)"
It's when we try to SSH to the server that we are unable to get it to
work. We do ssh -vvvv username@servername and get a permission denied when
we enter the password.
In /var/log/messages we get:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Matching credential not found)
In /var/log/secure, we get:
Invalid user username from ipaddress
input_userauth_request: invalid user username
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername
pam_succeed_if(sshd:auth): error retrieving information about user username
Failed password for invalid user username from ipaddress port portid SSH2
Here is the /var/sssd/sssd.conf file:
[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = default
[nss]
[pam]
[domain/default]
debug_level = 9
enumerate = false
id_provider = ldap
chpass_provider = krb5
case_sensitive = false
ldap_uri = ldap://ldapservername.domain.domain.domain
ldap_search_base = dc=domain,dc=domain,dc=domain
ldap_user_search_base = dc=domain,dc=domain,dc=domain
ldap_group_search_base = dc=domain,dc=domain,dc=domain
ldap_id_use_start_tls = true
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = host/servername.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN
auth_provider = krb5
cache_credentials = true
krb5_realm = DOMAIN.DOMAIN.DOMAIN
krb5_server = ldapservername.DOMAIN.DOMAIN.DOMAIN
krb5_ccachedir = /tmp
krb5_auth_timeout = 15
ldap_user_object_class = user
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
krb5_kpasswd = ldapservername.domain.domain.domain
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_disable_referrals = true
[sudo]
[autofs]
[ssh]
I've tried changing access_provider to simple or permit and it
didn't work. I tried adding ldap_access_filter to allow my id and tried
objectClass=user and it didn't work. I modified the sssd.conf file based on
another one I found at
zews.org/rhel6-active-directory
Here is the password_auth file:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
nsswitch.conf has the following:
passwd: files sss
shadow: files sss
group: files sss
ldap_child.log gives me the following:
[unpack_buffer] (0x1000): total buffer size 94
[unpack_buffer] (0x1000): realm_str size: 15
[unpack_buffer] (0x1000): got realm_str: DOMAIN.DOMAIN.DOMAIN
[unpack_buffer] (0x1000): princ_str size: 47
[unpack_buffer] (0x1000): got princ_str: host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN
[unpack_buffer] (0x1000): keytab_name size = 16
[unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
[unpack_buffer] (0x1000): lifetime: 86400
[ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN]
That's it. The AD side sees that we are doing the query and doesn't see
anything on their end in terms of errors and such.
We're at a loss right now on what we are doing wrong in the configuration
for option 6.3. We have a working keytab for Kerberos. We know we can see
AD with ldapsearch. We just can't get it to work with SSSD and SSH.

Thank you for the detailed problem description. At a glance, I don't see
anything in your configuration that would strike me as wrong.
I assume you are not able to get the user data with "getent passwd user"
on the server?
Are you able to kinit with the keytab as
host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN ?
Can you paste a bigger portion of the logs?
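A small triage helper, added here as an example and not code from either message in the thread, that encodes the two questions in the reply: it classifies the /var/log/secure lines (constructed copies of the ones posted above) as an identity-lookup failure rather than a password failure, which is what a failing "getent passwd user" would confirm, and cross-checks the GSSAPI bind identity in the posted domain section, which is what the kinit-with-keytab question probes. The function names and the stage labels are my own.

```python
import configparser
import re

# Constructed sample: the /var/log/secure lines quoted in the original post.
SECURE_LOG = """\
Invalid user username from ipaddress
input_userauth_request: invalid user username
pam_unix(sshd:auth): check pass; user unknown
pam_succeed_if(sshd:auth): error retrieving information about user username
Failed password for invalid user username from ipaddress port portid SSH2
"""

# Constructed sample: the bind-identity keys from the posted [domain/default].
SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/servername.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = DOMAIN.DOMAIN.DOMAIN
"""


def classify_sshd_failure(log_text):
    """Return the stage at which sshd rejected the login, from the log wording."""
    if re.search(r"\binvalid user\b", log_text, re.IGNORECASE):
        # sshd logs "Invalid user" when getpwnam() fails, i.e. NSS (files, sss)
        # could not resolve the name; pam_sss is never asked about the password.
        return "identity_lookup"
    if "Failed password for" in log_text:
        # The user resolved; the failure is in the auth stack (pam_sss/krb5).
        return "authentication"
    return "unknown"


def check_gssapi_bind_identity(conf_text):
    """Cross-check the principal SSSD uses for its GSSAPI bind to the directory."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dom = cp["domain/default"]
    findings = []
    authid = dom.get("ldap_sasl_authid", "")
    realm = dom.get("krb5_realm", "")
    if dom.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        if not dom.get("ldap_krb5_keytab"):
            findings.append("GSSAPI bind configured without ldap_krb5_keytab")
        if "@" in authid and authid.rsplit("@", 1)[1] != realm:
            # Kerberos realm names are case-sensitive: the keytab entry must
            # match the authid exactly for ldap_child to obtain a usable TGT.
            findings.append("realm in ldap_sasl_authid differs from krb5_realm")
    return findings
```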