Hi Jakub,

ldap_id_mapping was set to "false" on this server. Once I set it to "true", both id and getent started working. But the user authentication via SSH still does not go through.

We see the following in SSSD logs (debug level set to 5):

(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17466] finished successfully.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): domain: x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): user: first.last
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): service: sshd
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): tty: ssh
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): ruser:
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): rhost: remote_host.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): priv: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): cli_pid: 17465
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): logon name: not set
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100): Home directory for user [first.last] not known.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17467] finished successfully.



And the following under /var/log/secure

Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local  user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure for first.last from remote_host.x.y.local


Under krb5_child.log

(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user] (0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@COMPANY.COM@x.y.local] might not be correct.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [k5c_send_data] (0x0200): Received error code 1432158209



Config for password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so
auth        required      pam_deny.so



Many Thanks,

~ Abhi




On Tue, Feb 14, 2017 at 11:36 AM, Abhijit Tikekar <abhijittikekar@gmail.com> wrote:
Hi,

Has anyone had any success while setting up SSSD with an RODC AD server? We are setting this up on CentOS 6.8 machines, but it doesn't seem to work.

Computer object is created and replicated to RODC. Verified that all configuration file parameters are identical to the ones mentioned in the link below.
https://access.redhat.com/discussions/2838371

I assume we still have to join the server to the RODC? Is the joining process still the same as we do for a writable DC?

When using "net ads join" I get the following error:

Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)


In the logs, we also get the following (debug level set to 7):

(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for testdmzlin@X.Y.LOCAL in default keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching testdmzlin@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching TESTDMZLIN$@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/testdmzlin@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching *$@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@(null) found in keytab.


But if I try to query this RODC using "ldapsearch", it works.

ldapsearch -H ldap://RODC_ServerName.x.y.local/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=firstname.lastname))"

What else can I check to troubleshoot this issue?


Thanks,

~ Abhi
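As an added example (not code from the thread or from SSSD), a small Python triage helper that parses the SSSD debug line format shown in the logs above, pulls out the entries at minor severity or worse, and reads the PAM status the backend returned. The severity names follow the debug level bits in sssd.conf(5); the sample lines are excerpts from the post, with its placeholders kept.

```python
import re

# Line shape: "(timestamp) [sssd[component[instance]]] [function] (0xLEVEL): message";
# krb5_child lines wrap the process tag in one extra pair of brackets.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<component>\w+)\[(?P<instance>[^\]]+)\]\]\]+ "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)

# Debug level bits as documented in sssd.conf(5); a lower value means more severe.
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
          0x0100: "config", 0x0200: "function data", 0x0400: "trace"}

def parse_line(line):
    """Split one SSSD debug line into fields; None if it is not an SSSD line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["severity"] = LEVELS.get(rec["level"], "unknown")
    return rec

def failures(lines, worst_level=0x0080):
    """Return the parsed entries at 'minor' severity or worse, in log order."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["level"] <= worst_level]

def pam_result(lines):
    """Return the PAM status from 'Backend returned: (0, N, ...)', or None.
    4 is PAM_SYSTEM_ERR, which /var/log/secure prints as 'System error'."""
    for rec in filter(None, (parse_line(line) for line in lines)):
        m = re.match(r"Backend returned: \(\d+, (\d+),", rec["msg"])
        if m and rec["func"] == "be_pam_handler_callback":
            return int(m.group(1))
    return None

# Sample input: a few lines excerpted from the post above (placeholders kept).
SAMPLE = """\
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
""".splitlines()

if __name__ == "__main__":
    for r in failures(SAMPLE):
        print(f'{r["severity"]:>8} {r["component"]}/{r["func"]}: {r["msg"]}')
    print("PAM status from backend:", pam_result(SAMPLE))
```

Running it over the full sssd_x.y.local.log and krb5_child.log lists only the failure-level entries, which in this thread are the PAC responder socket error, the failed sss_send_pac call and the create_ccache permission error, alongside the PAM status 4 that sshd reports.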