Hi Team,
I am a new member of this group and of course this is my first post. :)
I have configured SSSD manually by updating sssd.conf, smb.conf and krb5.conf. I used authconfig to update the PAM files and also did it manually. The system joins the domain but AD user login fails. While running, sometimes I get the error "Kerberos pre-authentication failed"; sometimes it joins without error. But both times AD login fails.
KRB5.CONF

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

 WIPRO.COM = {
  kdc = sss.test.com
  admin_server = sss.test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
SSSD.CONF

config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = TEST.COM
#domains = LOCAL

[domain/TETS.COM]
id_provider = ad
access_provider = ad
ldap_schema = ad
override_homedir = /home/%d/%u
ldap_id_mapping = false

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
; entry_cache_nowait_percentage = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
SMB.CONF

[global]
#--authconfig--start-line--

# Generated by authconfig on 2017/02/07 12:37:55
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = TETS
   password server = *
   realm = TEST.COM
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = false
As part of troubleshooting, I have tried sssd debug mode etc. The major error message I get is related to Kerberos. Hope this forum gives me success.
Regards Pavan
On Wed, Feb 08, 2017 at 06:27:33AM -0000, pavan.kumar21@wipro.com wrote:
> Hi Team,
> I am a new member of this group and of course this is my first post. :)
> I have configured SSSD manually by updating sssd.conf, smb.conf and krb5.conf. I used authconfig to update the PAM files and also did it manually. The system joins the domain but AD user login fails. While running, sometimes I get the error "Kerberos pre-authentication failed"; sometimes it joins without error. But both times AD login fails.
Please see https://fedorahosted.org/sssd/wiki/Troubleshooting, logs are needed here.
I have used the adcli tool to add the rhel6 host to AD but it failed with the error "! Couldn't set service principals on computer account". Below are the logs.

[root@ADTESTRH6 ~]# adcli join -v -S server.test.com -U user
 * Sending netlogon pings to domain controller: cldap://10.10.10.10
 * Received NetLogon info from: server.test.com
 * Discovered domain name: wipro.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Calculated domain realm from name: TEST.COM
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-EkYR7x/krb5.d/adcli-krb5-conf-ihgEaF
Password for user@TEST.COM:
 * Authenticated as user: user@TEST.COM
 * Looked up short domain name: TEST
 * Using fully qualified name: ADTESTRH6
 * Using domain name: test.com
 * Using computer account name: ADTESTRH6
 * Using domain realm: test.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for ADTESTRH6$ does not exist
 * Found well known computer container at: OU=Test Computers,DC=test,DC=com
 * Calculated computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
 * Created computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com: 00002083: AtrErr: DSID-03151785, #1: 0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: ADTESTRH6$@TEST.COM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
So I mentioned the SPN in the command itself:

# adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com --user-principal=host/adtestrh6.test.com@TEST.COM -U user
and the server joined the domain as per the log below.

[root@ADTESTRH6 ~]# adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com -U user
 * Using fully qualified name: adtestrh6.test.com
 * Sending netlogon pings to domain controller: cldap://10.10.10.10
 * Received NetLogon info from: server.test.com
 * Discovered domain name: TEST.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Calculated domain realm from name: TEST.COM
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-Zu1kcU/krb5.d/adcli-krb5-conf-fJ0qtq
Password for user@TEST.COM:
 * Authenticated as user: user@TEST.COM
 * Looked up short domain name: TEST
 * Using fully qualified name: adtestrh6.TEST.com
 * Using domain name: test.com
 * Using computer account name: ADTESTRH6
 * Using domain realm: test.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for ADTESTRH6$ at: CN=ADTESTRH6,OU=TEST Computers,DC=test,DC=com
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=ADTESTRH6,OU=TEST Computers,DC=test,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: ADTESTRH6$@TEST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/adtestrh6.TEST.com@TEST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/adtestrh6.wipro.com@TEST.COM: FILE:/etc/krb5.keytab
But I am still not able to log in as the user. I restarted sssd etc. PAM files:
[root@ADTESTRH6 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[root@ADTESTRH6 pam.d]# cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
[root@ADTESTRH6 pam.d]#
Strangely, there are no sss logs which are useful.

Regards
Pavan
On Fri, 2017-02-10 at 13:12 +0000, pavan.kumar21@wipro.com wrote:
> I have used the adcli tool to add the rhel6 host to AD but it failed with the error "! Couldn't set service principals on computer account". Below are the logs.
Try setting your hostname to the FQDN, adtestrh6.test.com. If the short-form hostname is used, sssd will not work 100% (DYN DNS will not work).
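As an added example (not code from the thread or from the SSSD project), a small Python check for the mismatch the reply above points at: a short hostname versus the host/<fqdn> principal adcli wrote to the keytab, plus whether krb5.conf's [domain_realm] maps the host's DNS domain to the expected realm. The `klist -kt` output and krb5.conf fragment are constructed from values in the posts, and the checks assume the host principal sssd needs is host/<hostname>@REALM.

```python
import re
# Constructed sample (not from the thread): adcli's principals from the second join, as `klist -kt` prints them.
SAMPLE_KLIST = """\
KVNO Timestamp         Principal
   3 02/10/17 13:05:00 ADTESTRH6$@TEST.COM
   3 02/10/17 13:05:00 host/ADTESTRH6@TEST.COM
   3 02/10/17 13:05:00 host/adtestrh6.TEST.com@TEST.COM
   3 02/10/17 13:05:00 RestrictedKrbHost/ADTESTRH6@TEST.COM
"""

# Constructed krb5.conf fragment modelled on the poster's [domain_realm] section.
SAMPLE_KRB5 = """\
[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
"""

KLIST_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s*$")  # kvno date time principal

def parse_keytab_principals(klist_output):
    """Return the principal names from `klist -kt` style output, skipping header lines."""
    return [m.group(1) for m in map(KLIST_LINE.match, klist_output.splitlines()) if m]

def parse_domain_realm(krb5_conf):
    """Return the [domain_realm] mapping (keys lower-cased) from krb5.conf text."""
    mapping, section = {}, None
    for line in krb5_conf.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def check_host_identity(hostname, realm, principals, domain_realm):
    """List mismatches between the host name, its keytab and krb5.conf ([] means consistent)."""
    findings = []
    if "." not in hostname:
        findings.append(f"hostname {hostname!r} is not fully qualified")
    wanted = f"host/{hostname}@{realm}"  # assumed host principal for this hostname
    if wanted.lower() not in {p.lower() for p in principals}:
        findings.append(f"keytab has no {wanted} entry")
    if "." in hostname:
        domain = hostname.split(".", 1)[1].lower()
        mapped = domain_realm.get("." + domain, domain_realm.get(domain))
        if mapped != realm:
            findings.append(f"[domain_realm] maps {domain!r} to {mapped!r}, expected {realm!r}")
    return findings
```

On a real host, feed it `hostname -f`, the realm from krb5.conf and the output of `klist -kt` to see which of the three conditions fails.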
sssd-users@lists.fedorahosted.org