Hi, sorry for the delay... Attached are sssd_nss.log and the default domain log sssd_a.c.realm.
Login with UPN (mail name) does not work here:

root@adm-lnx438:/tmp# getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000:XXXXX XXXXX:/home/user1:/bin/bash
my sssd.conf:

[nss]
debug_level = 9
filter_groups = root
filter_users = root

[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss,pam,ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/a.c.realm]
debug_level = 9
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
dyndns_update = true
dyndns_update_ptr = false
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d ###
use_fully_qualified_names = true
ldap_id_mapping = false
ldap_use_tokengroup = false
ad_gpo_access_control = disabled
best, Longina
On Wed, Jan 06, 2016 at 01:11:50PM +0000, Longina Przybyszewska wrote:
Thank you for the answers. There are still some issues:
I tried login with the setup for UPN/sAMAccountName login, without success.
Is login with a cross-realm UPN or a short sAMAccountName supported in this sssd version?
In the database for the default domain, cache_a.c.realm.db, the user object has the following names (for the 'use_fully_qualified_names = true' setup):

dn: name=user1@n.c.realm ...
name: user1@n.c.realm
nameAlias: user1@n.c.realm
UserPrincipalName: user1@REALM
canonicalUserPrincipalName: user1@N.C.REALM
The plain sAMAccountName 'user1' will not work because use_fully_qualified_names = true. What should work is 'DOM\user1' where DOM is the NetBIOS domain name of the n.c.realm domain.
Additionally I would expect that user1@REALM should work.
Right. user1@n.c.realm and DOM\user1 login works.
Login as user1@REALM (and user1@realm) does not work.
hm, that's odd, can you send me the logs when trying to login with user1@REALM?
getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000::/home/user1:/bin/bash
'user1@n.c.realm@a.c.realm' looks odd, do you map the user name to an attribute other than sAMAccountName?
I use "id_provider = ad" and do not explicitly map the user name to any attribute.

Attributes in AD:
uid = user1
userPrincipalName = user1@realm
sAMAccountName = user1

SSSD defaults:
ldap_user_name = uid
ldap_user_principal = krbPrincipalName
krb5_use_enterprise_principal = true
There is no krbPrincipalName attribute in the user object in AD.

sssd.conf:

[nss]
debug_level = 9
filter_groups = root
filter_users = root

[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss, pam, ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/a.c.realm]
debug_level = 9
ldap_use_tokengroup = false
dyndns_update = true
dyndns_update_ptr = true
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
use_fully_qualified_names = true
ldap_id_mapping = false
The best would be to be able to log in with the sAMAccountName; the next best with the UPN, then with the FQDN.
I tried the following setup for login with short names, without success:

[nss]
subdomain_inherit = ldap_user_principal

[domain/a.c.realm]
..
ldap_user_principal = sAMAccountName
This won't work because the ldap_user_principal value is used as a Kerberos principal without further processing.
You might want to try the 'default_domain_suffix' option, see man sssd.conf for details.
The manual says that 'default_domain_suffix' is usable if all users are located in a trusted domain while the computers are in the primary domain. With this option, users can log in with short names. Our users are in several trusted domains; what should the value of 'default_domain_suffix' be?
Localauth plugin: the option krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
- does not create that directory (I understand from the doc that sssd should take care of it);
No, SSSD expects the directory to be present; it should be created during the package installation.
This is the content of /var/lib/sss/pubconf:

ls /var/lib/sss/pubconf/
kdcinfo.A.C.REALM  krb5.conf.d  krb5.include.d

'krb5.conf.d' I created manually; after removing everything in /var/lib/sss/{db,mc,pubconf}/* and restarting sssd, 'krb5.include.d' disappeared.
Yes, as said, SSSD does not create the directory for the krb5 config snippets.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory
....

ls -ld /var/lib/sss/pubconf/krb5.conf.d/
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
It looks like SSSD still tries the default location; did you put krb5_confd_path in the right [domain/..] section?
Yes. ...
[domain/a.c.realm]
...
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
I still cannot reproduce this with my Fedora builds. Maybe it is an issue in the Ubuntu build, I'll try to reproduce on Ubuntu.
I changed it to krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d and the localauth snippet is written to it.

Longina
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
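The krb5_confd_path exchange above comes down to three things that have to line up before the localauth plugin and the domain-realm mapping snippet can take effect: the directory named by krb5_confd_path in the right [domain/...] section of sssd.conf (default /var/lib/sss/pubconf/krb5.include.d) must already exist, because SSSD only writes into it; libkrb5 only reads snippets from a directory that krb5.conf names in an includedir line; and inside an includedir libkrb5 skips any file whose name contains characters other than letters, digits, '-' and '_', which is why the mapping file in the log is called domain_realm_a_c_realm. The following pre-flight checker is an added example written for this thread, not code from the sssd project or from either poster. It assumes the attribute names and defaults just listed; the sssd.conf, krb5.conf and snippet contents built in demo() are constructed for the demonstration and the [domain_realm] body written there is only a placeholder.

```python
"""Pre-flight check for the Kerberos snippets SSSD writes into krb5_confd_path.

Added example (not sssd project code). It checks that the directory exists,
that krb5.conf has an includedir for it, that file names in it are ones
libkrb5 will actually include, and that the domain_realm_<domain> mapping
snippet SSSD writes is present.
"""
import configparser
import os
import re
import tempfile

# Default from man sssd.conf; used when a domain section sets nothing.
DEFAULT_CONFD = "/var/lib/sss/pubconf/krb5.include.d"
# libkrb5 only includes files whose names use this character set.
SNIPPET_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def sssd_confd_paths(sssd_conf_text):
    """Map every [domain/...] section to the krb5_confd_path it will use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return {s: cp.get(s, "krb5_confd_path", fallback=DEFAULT_CONFD).strip()
            for s in cp.sections() if s.startswith("domain/")}


def krb5_includedirs(krb5_conf_text):
    """Collect the paths named by top-level `includedir` directives in krb5.conf."""
    dirs = []
    for line in krb5_conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "includedir":
            dirs.append(os.path.normpath(parts[1].strip()))
    return dirs


def check_snippets(sssd_conf_text, krb5_conf_text):
    """Return (domain_section, problem) pairs; an empty list means all good."""
    findings = []
    included = set(krb5_includedirs(krb5_conf_text))
    for section, confd in sssd_confd_paths(sssd_conf_text).items():
        if not os.path.isdir(confd):
            # SSSD writes into the directory but never creates it (see thread).
            findings.append((section, "krb5_confd_path %s does not exist (SSSD does not create it)" % confd))
            continue
        if os.path.normpath(confd) not in included:
            findings.append((section, "krb5.conf has no 'includedir %s', snippets there are never read" % confd))
        names = os.listdir(confd)
        for name in names:
            if not SNIPPET_NAME.match(name):
                findings.append((section, "snippet %r has characters libkrb5 skips inside an includedir" % name))
        # SSSD names the mapping file after the domain with dots turned into underscores.
        domain = section.split("/", 1)[1]
        mapping = "domain_realm_" + domain.replace(".", "_")
        if mapping not in names:
            findings.append((section, "mapping snippet %s missing; was sssd restarted with the directory present?" % mapping))
    return findings


def demo(with_includedir=True, with_mapping=True, stray_file=None):
    """Constructed scenario for the a.c.realm domain of the thread, run in a temp dir."""
    with tempfile.TemporaryDirectory() as confd:
        if with_mapping:
            # Placeholder body; only the file name matters to the checker.
            with open(os.path.join(confd, "domain_realm_a_c_realm"), "w") as f:
                f.write("[domain_realm]\n.a.c.realm = A.C.REALM\na.c.realm = A.C.REALM\n")
        if stray_file:
            open(os.path.join(confd, stray_file), "w").close()
        sssd_conf = ("[sssd]\ndomains = a.c.realm\nservices = nss, pam\n"
                     "[domain/a.c.realm]\nid_provider = ad\nkrb5_confd_path = %s\n" % confd)
        krb5_conf = "[libdefaults]\ndefault_realm = A.C.REALM\n"
        if with_includedir:
            krb5_conf = "includedir %s\n" % confd + krb5_conf
        return check_snippets(sssd_conf, krb5_conf)


if __name__ == "__main__":
    for label, kw in [("ok", {}), ("no includedir", {"with_includedir": False}),
                      ("no mapping", {"with_mapping": False}),
                      ("stray file", {"stray_file": "localauth.conf"})]:
        print(label, demo(**kw))
```

On a real host, feed check_snippets() the contents of /etc/sssd/sssd.conf and /etc/krb5.conf; the includedir check is the one that bites on distributions whose stock krb5.conf does not reference /var/lib/sss/pubconf/krb5.include.d, since SSSD then writes its snippets to a directory libkrb5 never looks at.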