On Mon, Sep 19, 2016 at 05:38:05AM -0000, klin938(a)gmail.com wrote:
> Hi all,
> I am configuring AD authentication using SSSD+Kerberos on our CentOS 6.7 cluster. The
> solution works fine so far except that we could not use ldap_access_filter.
> Whenever I enable ldap_access_filter (adding filter to ldap_access_order), all SSH logins
> are denied. And the error messages are:
> ==> /var/log/sssd/ldap_child.log <==
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [ldap_child_get_tgt_sync]
> (0x0010): Failed to init credentials: Client
> 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [ldap_child_get_tgt_sync]
> (0x0010): Failed to init credentials: Client
> 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [ldap_child_get_tgt_sync]
> (0x0010): Failed to init credentials: Client
> 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [ldap_child_get_tgt_sync]
> (0x0010): Failed to init credentials: Client
> 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [ldap_child_get_tgt_sync]
> (0x0010): Failed to init credentials: Client
> 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> But I believe the entry is in the keytab file already:
The message is coming from the KDC and since you are using AD
'NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' would be the right principal to use
because AD distinguishes between user-principal-names, which can be
used for kinit, and service-principal-names, which can only be used for
services.
Do you have 'ldap_sasl_authid = NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' set in
the domain section of your sssd.conf? If not, please check whether it works
after adding it.
> [root@nerv-geofront ~]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-crc)
>    5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-md5)
>    5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
>    5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
>    5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (arcfour-hmac)
>    5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-crc)
>    5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-md5)
>    5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
>    5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
>    5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (arcfour-hmac)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
>    5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
> The error messages above appear only when I enable ldap_access_filter, so I think this
> is related to the Kerberos keytab.
The ldap_access_filter based check is evaluated by the access_provider
in SSSD which can be configured independently of e.g. the id_provider.
If e.g. you use the ad id_provider, it will figure out the right
principal automatically. The ldap access_provider must be configured
explicitly to use it because it will pick the first entry from the
keytab which matches the realm.
HTH
bye,
Sumit
>
> I am testing on sssd 1.12.4, samba 3.6.23.
>
> Any idea will be appreciated.
>
> Cheers,
> Derrick
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
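Added example for this thread, not code from SSSD or from either poster. It takes `klist -ke` output (a constructed sample modelled on the listing above, with the DES and RC4 rows dropped), shows which principal the ldap access provider would take by default (the first entry for the realm, here a host/ service principal that the AD KDC refuses as an AS-REQ client), picks the computer-account principal instead, and prints the `[domain/...]` lines that set it as `ldap_sasl_authid`. The section name `domain/AD.EXAMPLE.EDU.AU` and the `ldap_access_filter` group DN are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example for this thread; not code from SSSD or the original poster.
# Reads `klist -ke` output and shows why the ldap access provider's default
# principal choice fails against AD, and what to put in ldap_sasl_authid.

# Constructed sample keytab listing, modelled on the one in the thread
# (DES and RC4 rows omitted).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)'

# Mimics the default: the first keytab entry whose realm matches.
# In an AD-joined keytab that is usually a host/ service principal, which
# the AD KDC rejects as a client ("not found in Kerberos database").
first_principal_for_realm() {
    printf '%s\n' "$2" | awk -v realm="$1" '
        $1 ~ /^[0-9]+$/ {
            split($2, p, "@")
            if (p[2] == realm) { print $2; exit }
        }'
}

# The computer-account principal (NAME$@REALM): no "/" (so not an SPN) and
# a trailing "$". AD treats it as a user principal, so it can obtain the TGT
# that the GSSAPI bind for the access filter needs.
machine_principal_for_realm() {
    printf '%s\n' "$2" | awk -v realm="$1" '
        $1 ~ /^[0-9]+$/ {
            split($2, p, "@")
            if (p[2] == realm && index(p[1], "/") == 0 && p[1] ~ /\$$/) { print $2; exit }
        }'
}

# Emit the domain-section lines that enable the LDAP access filter with the
# right SASL identity. Section name and filter DN are assumptions.
sssd_domain_snippet() {
    realm="$1"
    principal=$(machine_principal_for_realm "$realm" "$2")
    if [ -z "$principal" ]; then
        echo "no NAME\$@$realm entry in keytab; re-join the host or re-export the keytab" >&2
        return 1
    fi
    cat <<EOF
[domain/${realm}]
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=CN=cluster-users,OU=Groups,DC=ad,DC=example,DC=edu,DC=au)
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = ${principal}
EOF
}

# Stand-alone demo. Live check once the config is in place (needs the KDC):
#   kinit -kt /etc/krb5.keytab 'NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' && klist
if [ "${1:-}" = "demo" ]; then
    echo "default pick: $(first_principal_for_realm AD.EXAMPLE.EDU.AU "$SAMPLE_KLIST")"
    echo "use instead:  $(machine_principal_for_realm AD.EXAMPLE.EDU.AU "$SAMPLE_KLIST")"
    sssd_domain_snippet AD.EXAMPLE.EDU.AU "$SAMPLE_KLIST"
fi
```

Run it as `sh pick_authid.sh demo` against the embedded sample, or replace `SAMPLE_KLIST` with `"$(klist -ke)"` on the host. The emitted lines go into the existing `[domain/...]` section of sssd.conf, as Sumit says; `ldap_sasl_authid` is read by the ldap access provider independently of whatever the id_provider resolves for itself. Two things a practitioner should also take from the keytab listing in the thread: the `des-cbc-crc` and `des-cbc-md5` entries are single-DES keys, deprecated by RFC 6649 and disabled by default in current MIT Kerberos (`allow_weak_crypto = false`), and `arcfour-hmac` is RC4-based; if the AD side permits it, re-export the keytab with only the AES enctypes so a keytab theft does not hand out keys that are trivially brute-forced.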