Hi guys,
I'm in a pickle: I'm trying to configure a domain in SSSD to both perform all the usual AD authentication wizardry, and at the same time perform LDAP Sudo lookup in the directory too. The AD schema has been extended.
It seems it doesn't like both LDAP and AD directives in the same domain, but doesn't Sudo require LDAP and not AD? I know that's how it works for IPA.
Has anyone gotten this working? I'm scratching my head. It works without the sudo bit.
SSSD.conf:
[sssd]
domains = ad.example.com
services = nss,pam,sudo
config_file_version = 2
debug_level = 3

[nss]
filter_groups = root
filter_users = root

[sudo]

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/ad.example.com]
# This is for testing
enumerate = true

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# These values should auto-detect, but to be sure...
ad_server = server.ad.example.com
ad_hostname = client.ad.example.com
ad_domain = ad.example.com

# Provide default values for the Unix specifics
fallback_homedir = /home/%u
default_shell = /bin/bash

# LDAP SUDO must be done the old fashioned way
sudo_provider = ldap

# Provide LDAP params
ldap_uri = ldap://server.ad.example.com/
ldap_sudo_search_base = OU=SUDOers,DC=ad,DC=example,DC=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 300

# Configure Machine Authentication
krb5_server = server.ad.example.com
ldap_sasl_realm = AD.EXAMPLE.COM
ldap_sasl_mech = GSSAPI
# Yes, I tried host/client
ldap_sasl_authid = client$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
Cheers,
Jacob Neil Taylor
On Wed, Apr 23, 2014 at 03:33:44PM +1000, Jacob Taylor wrote:
> Hi guys,
>
> I'm in a pickle: I'm trying to configure a domain in SSSD to both perform all the usual AD authentication wizardry, and at the same time perform LDAP Sudo lookup in the directory too. The AD schema has been extended.
>
> It seems it doesn't like both LDAP and AD directives in the same domain, but doesn't Sudo require LDAP and not AD? I know that's how it works for IPA.
>
> Has anyone gotten this working? I'm scratching my head. It works without the sudo bit.
Does it work if you drop the enumerate=true line? We've had a bug recently where, if you configured two provider types (like ldap and ad in your case), the enumeration tasks would clash: https://fedorahosted.org/sssd/ticket/2153
If it still doesn't work, can you enable debug_level in the sudo and domain sections to see if the logs shed any light?
The client$ principal is usually the right one, btw. host/client.fqdn is often not allowed to acquire a TGT (it's a service account only).
And finally, recent versions of sssd include sudo_provider=ad to cover exactly this use-case: https://fedorahosted.org/sssd/ticket/2256
I hope this helps.
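For reference, this is how the configuration from this thread looks once it is switched to the AD sudo provider the reply above points at (ticket 2256, shipped with sssd 1.12 and later). It is an added example, not the poster's file and not anything from the sssd project; the domain, hostnames and sudo search base are the ones from the original mail, and the debug_level values are my own choice for troubleshooting. With id_provider = ad the sudo backend reuses the AD connection and the machine keytab, so the separate ldap_uri / ldap_sasl_* / ldap_krb5_* lines go away, and leaving enumerate at its default sidesteps the ldap/ad enumeration clash from ticket 2153:

```ini
[sssd]
domains = ad.example.com
services = nss, pam, sudo
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[sudo]
# Assumed value for troubleshooting only; rule retrieval is logged in
# /var/log/sssd/sssd_sudo.log. Drop back to the default once it works.
debug_level = 6

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/ad.example.com]
# Assumed value for troubleshooting; backend logs go to
# /var/log/sssd/sssd_ad.example.com.log
debug_level = 6

# enumerate is deliberately left at its default (false): it is expensive on
# large domains and was the suspected trigger for the enumeration clash.
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# Optional pins; the ad provider discovers these via DNS SRV records.
ad_server = server.ad.example.com
ad_hostname = client.ad.example.com
ad_domain = ad.example.com

# The ad sudo provider binds with the machine account over GSSAPI using
# the same connection as identity lookups, so no ldap_* connection or
# ldap_sasl_* / ldap_krb5_* settings are required here.
sudo_provider = ad

# Search base from the original mail (the schema extension lives under
# this OU). Without it sssd searches the whole domain naming context.
ldap_sudo_search_base = OU=SUDOers,DC=ad,DC=example,DC=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 300

fallback_homedir = /home/%u
default_shell = /bin/bash
```

To check it: make sure /etc/nsswitch.conf has `sudoers: files sss`, restart sssd, then run `sudo -l` as a domain user and watch sssd_sudo.log for the rules being returned from the cache. Two things worth knowing from a security point of view: the original ldap://server.ad.example.com/ URI was not a plaintext channel, because sssd's GSSAPI bind negotiates SASL signing and sealing (ldap_sasl_minssf defaults to 56) and the ad provider keeps that behaviour; and the sudo rules are cached locally in the sssd database, so a rule removed in AD stays valid on the client until the next smart or full refresh (300 s / 86400 s above), which is the trade-off these two intervals control.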
On (23/04/14 15:33), Jacob Taylor wrote:
> Hi guys,
>
> I'm in a pickle: I'm trying to configure a domain in SSSD to both perform all the usual AD authentication wizardry, and at the same time perform LDAP Sudo lookup in the directory too. The AD schema has been extended.
>
> It seems it doesn't like both LDAP and AD directives in the same domain, but doesn't Sudo require LDAP and not AD? I know that's how it works for IPA.
>
> Has anyone gotten this working? I'm scratching my head. It works without the sudo bit.
>
> SSSD.conf:
>
> [sssd]
> domains = ad.example.com
> services = nss,pam,sudo
> config_file_version = 2
> debug_level = 3
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [sudo]
>
> [pam]
> reconnection_retries = 3
> offline_credentials_expiration = 2
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 5
>
> [domain/ad.example.com]
> # This is for testing
> enumerate = true
>
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> # These values should auto-detect, but to be sure...
> ad_server = server.ad.example.com
> ad_hostname = client.ad.example.com
> ad_domain = ad.example.com
>
> # Provide default values for the Unix specifics
> fallback_homedir = /home/%u
> default_shell = /bin/bash
>
> # LDAP SUDO must be done the old fashioned way
> sudo_provider = ldap
>
> # Provide LDAP params
> ldap_uri = ldap://server.ad.example.com/
> ldap_sudo_search_base = OU=SUDOers,DC=ad,DC=example,DC=com
> ldap_sudo_full_refresh_interval = 86400
> ldap_sudo_smart_refresh_interval = 300
>
> # Configure Machine Authentication
> krb5_server = server.ad.example.com
> ldap_sasl_realm = AD.EXAMPLE.COM
> ldap_sasl_mech = GSSAPI
> # Yes, I tried host/client
> ldap_sasl_authid = client$
> ldap_krb5_keytab = /etc/krb5.keytab
> ldap_krb5_init_creds = true
> ldap_krb5_ticket_lifetime = 86400
>
> Cheers,
> Jacob Neil Taylor
Which version of sssd do you use? (which distribution)
LS
sssd-users@lists.fedorahosted.org