Hi all,

I'm having problems having sssd authenticate a user in a parent domain in the same forest with SSSD. In brief, it's an Ubuntu 18.04 box with sssd 1.16.1: the box was joined to the domain 'development.cseserve.com' with 'realm join'. Users in that domain can authenticate successfully, but users in the parent domain cseserve.com cannot.

After some reading, I found the sssctl command, and that the sssd.conf file needed a tweak to add 'ifp' to the list of services, which gave access to the user-checks. The configuration file and the output of various sssctl checks are at the bottom of this email.

If I attempt to authenticate as a user in cseserv.com, I get:
root@hs-svn-02:/var/log/sssd# sssctl user-checks chris.johnson(a)cseserv.com -a auth
user: chris.johnson(a)cseserv.com
action: auth
service: system-auth
SSSD nss user lookup result:
- user name: chris.johnson(a)cseserv.com
- user id: 715601141
- group id: 715601141
- gecos: Chris Johnson
- home directory: /home/chris.johnson(a)cseserv.com
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: chris.johnson(a)cseserv.com
- uidNumber: 715601141
- gidNumber: 715601141
- gecos: Chris Johnson
- homeDirectory:
- loginShell:
testing pam_authenticate
Password:
pam_authenticate for user [chris.johnson(a)cseserv.com]: Authentication failure
PAM Environment:
- no env -
root@hs-svn-02:/var/log/sssd#
Now in /var/log/syslog, when I tail -f during sssctl user-checks, I get the error:
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
I can't see any other pertinent errors in log files, but I'm happy to provide more if I know what to send over :-)

This error does not occur for a user in the development.cseserv.com domain, which completes successfully:
[...deleted the preamble...]
testing pam_authenticate
Password:
pam_authenticate for user [cjohnson(a)development.cseserve.com]: Success
PAM Environment:
- KRB5CCNAME=FILE:/tmp/krb5cc_376801009_vS8U1c
I've tried various things based on various searches, including creating a /etc/krb5.conf file to specify encryption protocols, and after a restart this did not change the behaviour:
[libdefaults]
allow_weak_crypto = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
rdns=false
dns_lookup_kdc = true
Additionally I've tried explicitly declaring the cseserv domain as a trusted domain in sssd.conf (based on https://docs.pagure.org/SSSD.sssd/users/ad_provider.html#etc-sssd-sssd-conf), and this failed as well:
[sssd]
domains = development.cseserv.com, cseserv.com
{...rest unchanged...}
[domain/development.cseserve.com/cseserve.com]
ad_server = hs-dc-01.cseserve.com

What obvious thing am I missing? From what I'm reading, this should work.
Regards,
Chris
====================================================================
Sanity checking the domain configuration:

realm list gives:
root@hs-svn-02:/var/log/sssd# realm list
development.cseserv.com
type: kerberos
realm-name: DEVELOPMENT.CSESERV.COM
domain-name: development.cseserv.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U(a)development.cseserv.com
login-policy: allow-realm-logins
root@hs-svn-02:/var/log/sssd#
sssctl domain-list shows that the parent domain was auto-discovered:
root@hs-svn-02:/var/log/sssd# sssctl domain-list
development.cseserve.com
test.cseserve.com
hst.cseserve.com
cseserve.com
root@hs-svn-02:/var/log/sssd#
sssctl domain-status development.cseserv.com gives:
Online status: Online
Active servers:
AD Global Catalog: hs-dc-01.development.cseserv.com
AD Domain Controller: hs-dc-01.development.cseserv.com
Discovered AD Global Catalog servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
- gsh-dc-04.cseserv.com
- gsh-dc-05.cseserv.com
- gsh-dc-01.cseserv.com
Discovered AD Domain Controller servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
sssctl domain-status cseserv.com gives:
root@hs-svn-02:/var/log/sssd# sssctl domain-status cseserv.com
Online status: Online
Active servers:
AD Domain Controller: gsh-dc-04.cseserv.com
AD Global Catalog: hs-dc-01.development.cseserv.com
Discovered AD Domain Controller servers:
- gsh-dc-04.cseserv.com
- gsh-dc-01.cseserv.com
- gsh-dc-05.cseserv.com
- gln-dc-01.cseserv.com
Discovered AD Global Catalog servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
- gsh-dc-04.cseserv.com
- gsh-dc-05.cseserv.com
- gsh-dc-01.cseserv.com
My sssd.conf file:
[sssd]
domains = development.cseserve.com
config_file_version = 2
services = nss, pam, ifp
debug_level = 9
[domain/development.cseserve.com]
ad_domain = development.cseserve.com
krb5_realm = DEVELOPMENT.CSESERVE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
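An added example, not part of Chris's post: the /etc/krb5.conf tried above turns on allow_weak_crypto and lists DES and RC4 enctypes, which weakens Kerberos for every principal on the host rather than fixing the cross-domain lookup. The audit below parses a [libdefaults] section and reports such settings; the weak config is a constructed copy of the posted one, and the hardened alternative is an assumption (it presumes the AD realm supports AES).

```python
import configparser

# Constructed copy of the krb5.conf from the post.
WEAK_KRB5_CONF = """
[libdefaults]
allow_weak_crypto = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
rdns=false
dns_lookup_kdc = true
"""

# Constructed hardened alternative (assumption: the domain controllers offer AES).
HARDENED_KRB5_CONF = """
[libdefaults]
default_realm = DEVELOPMENT.CSESERVE.COM
rdns = false
dns_lookup_kdc = true
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

# Enctype name prefixes that MIT krb5 classifies as weak or deprecated.
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def audit_libdefaults(conf_text):
    """Return a list of findings about weak crypto settings in [libdefaults].

    Only flat key = value lines are handled, which is what [libdefaults]
    contains; brace-delimited subsections ([realms] etc.) are out of scope.
    """
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    findings = []
    if not parser.has_section("libdefaults"):
        return findings
    lib = parser["libdefaults"]
    if lib.get("allow_weak_crypto", "false").strip().lower() == "true":
        findings.append("allow_weak_crypto=true re-enables DES/RC4 enctypes")
    for key in ENCTYPE_KEYS:
        for enctype in lib.get(key, "").split():
            if enctype.lower().startswith(WEAK_ENCTYPE_PREFIXES):
                findings.append(f"{key} lists weak enctype {enctype}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(name, audit_libdefaults(conf) or "no findings")
```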