12:27 a.m.
Hi Team,
I am new member of this group and ofcourse this is my first post. :)
I have configured SSSD manually by updating sssd.conf , smb.conf and krb5.conf. Used
authconfig to update pam files and also manually done.
System joins to domain but AD user login fails.
while running sometimes i get error Kerberos pre-authentication failed ..sometimes its
joined without error. But both times AD login fails.
KRB5.CONF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
WIPRO.COM = {
kdc = sss.test.com
admin_server = sss.test.com
}
[domain_realm]
.test.com = TEST.COMtest.com = TEST.COM
SSSD.CONF
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = TEST.COM
#domains = LOCAL
[domain/TETS.COM]
id_provider = ad
access_provider = ad
ldap_schema = ad
override_homedir = /home/%d/%u
ldap_id_mapping = false
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
; entry_cache_nowait_percentage = 300
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
SMB.CONF
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/02/07 12:37:55
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = TETS
password server = *
realm = TEST.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
As part of troubleshooting ,i have tried with sssd debug mode etc. Major error message i
get is related to Kerberos.Hope this forum gives me success.
Regards
Pavan
2:38 a.m.
On Wed, Feb 08, 2017 at 06:27:33AM -0000, pavan.kumar21(a)wipro.com wrote:
Hi Team,
I am new member of this group and ofcourse this is my first post. :)
I have configured SSSD manually by updating sssd.conf , smb.conf and krb5.conf. Used
authconfig to update pam files and also manually done.
System joins to domain but AD user login fails.
while running sometimes i get error Kerberos pre-authentication failed ..sometimes its
joined without error. But both times AD login fails.
Please see https://fedorahosted.org/sssd/wiki/Troubleshooting, logs are
needed here.
7:12 a.m.
I have used adcli tool to add the rhel6 to AD but failed with ! Couldn't set service
principals on computer account error. Below are the logs.
[root@ADTESTRH6 ~]# adcli join -v -S server.test.com -U user
* Sending netlogon pings to domain controller: cldap://10.10.10.10
* Received NetLogon info from: server.test.com
* Discovered domain name: wipro.com
* Calculated computer account name from fqdn: ADTESTRH6
* Calculated domain realm from name: TEST.COM
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-EkYR7x/krb5.d/adcli-krb5-conf-ihgEaF
Password for user(a)TEST.COM:
* Authenticated as user: user(a)TEST.COM
* Looked up short domain name: TEST
* Using fully qualified name: ADTESTRH6
* Using domain name: test.com
* Using computer account name: ADTESTRH6
* Using domain realm: test.com
* Calculated computer account name from fqdn: ADTESTRH6
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Computer account for ADTESTRH6$ does not exist
* Found well known computer container at: OU=Test Computers,DC=test,DC=com
* Calculated computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
* Created computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
* Set computer password
* Retrieved kvno '2' for computer account in directory: CN=ADTESTRH6,OU=Test
Computers,DC=test,DC=com
* Modifying computer account: dNSHostName
* Modifying computer account: userAccountControl
* Modifying computer account: operatingSystem, operatingSystemVersion,
operatingSystemServicePack
* Modifying computer account: userPrincipalName
! Couldn't set service principals on computer account CN=ADTESTRH6,OU=Test
Computers,DC=test,DC=com: 00002083: AtrErr: DSID-03151785, #1:
0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303
(servicePrincipalName)
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Discovered which keytab salt to use
* Added the entries to the keytab: ADTESTRH6$(a)TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/ADTESTRH6(a)TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/ADTESTRH6(a)TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6(a)TEST.COM:
FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6(a)TEST.COM:
FILE:/etc/krb5.keytab
So mentioned the SPN in command itself.
#adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com
--user-principal=host/adtestrh6.test.com(a)TEST.COM -U user
and server joined to domain as per below log.
[root@ADTESTRH6 ~]# adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com -U
user
* Using fully qualified name: adtestrh6.test.com
* Sending netlogon pings to domain controller: cldap://10.10.10.10
* Received NetLogon info from: server.test.com
* Discovered domain name: TEST.com
* Calculated computer account name from fqdn: ADTESTRH6
* Calculated domain realm from name: TEST.COM
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-Zu1kcU/krb5.d/adcli-krb5-conf-fJ0qtq
Password for user(a)TEST.COM:
* Authenticated as user: user(a)TEST.COM
* Looked up short domain name: TEST
* Using fully qualified name: adtestrh6.TEST.com
* Using domain name: test.com
* Using computer account name: ADTESTRH6
* Using domain realm: test.com
* Calculated computer account name from fqdn: ADTESTRH6
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for ADTESTRH6$ at: CN=ADTESTRH6,OU=TEST
Computers,DC=test,DC=com
* Set computer password
* Retrieved kvno '3' for computer account in directory: CN=ADTESTRH6,OU=TEST
Computers,DC=test,DC=com
* Modifying computer account: dNSHostName
* Modifying computer account: userAccountControl
* Modifying computer account: operatingSystemVersion, operatingSystemServicePack
* Modifying computer account: userPrincipalName
* Discovered which keytab salt to use
* Added the entries to the keytab: ADTESTRH6$(a)TEST.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/ADTESTRH6(a)TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/adtestrh6.TEST.com(a)TEST.COM:
FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6(a)TEST.COM:
FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/adtestrh6.wipro.com(a)TEST.COM:
FILE:/etc/krb5.keytab
But still not able to login as user. Restarted sssd etc.
PAM files
[root@ADTESTRH6 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@ADTESTRH6 pam.d]# cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@ADTESTRH6 pam.d]#
Strangely there is no sss logs which is useful.
Regards
Pavan
7:43 a.m.
On Fri, 2017-02-10 at 13:12 +0000, pavan.kumar21(a)wipro.com wrote:
I have used adcli tool to add the rhel6 to AD but failed with !
Couldn't set service principals on computer account error. Below are the logs.
Try setting your hostname to FQDN, adtestrh6.test.com
if short form hostname is used, sssd will not work 100%(DYN DNS will not work)
2625
days inactive
2627
days old
sssd-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Jakub Hrozek -
Joakim Tjernlund -
pavan.kumar21@wipro.com