Hi All, I have a properly functioning integration between RHEL 6.6/CentOS 6.6 and Active Directory 2008 using the adcli tool and sssd-ad ( http://jhrozek.livejournal.com/3581.html ):
# adcli join acme.example.com -U userdomain

# adcli info acme.example.com
[domain]
domain-name = acme.example.com
domain-short = ACME
domain-forest = example.com
domain-controller = dom1.acme.example.com
domain-controller-site = CENTRAL
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = dom1.acme.example.com dom2.acme.example.com
[computer]
computer-site = CENTRAL

The sssd.conf:

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ACME.EXAMPLE.COM
debug_level = 7

[domain/ACME.EXAMPLE.COM]
krb5_use_enterprise_principal = false
krb5_realm = ACME.EXAMPLE.COM
ldap_force_upper_case_realm = true
ldap_account_expire_policy = ad
override_homedir = /home/%d/%u
ldap_id_mapping = true
subdomain_enumerate = true
ldap_schema = ad
ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
ad_enable_gc = false
ldap_access_order = filter, expire
enumerate = false
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = ad
chpass_provider = ad
ad_server = dom1.acme.example.com, dom2.acme.example.com
ad_domain = acme.example.com
ad_hostname = client1.acme.example.com
ad_enable_dns_sites = false
dyndns_update = false
debug_level = 7

/etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = acme.example.com
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = true
ignore_acceptor_hostname = true

[realms]
acme.example.com = {
  kdc = acme.example.com
  admin_server = acme.example.com
}

[domain_realm]
.acme.example.com = acme.example.com
acme.example.com = acme.example.com
.example.com = acme.example.com
example.com = acme.example.com

[appdefaults]
debug = true
I can log in with user/password from AD to RHEL/CentOS, I can change the password, lock the account from AD, etc. It all works.
The problem is within GSSAPI SSH-SSO authentication. Simply, it doesn't work. I see in the logs:

Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.  Minor code may provide more information
No key table entry found matching host/client1.acme.example.com@
Any idea what could be the reason? All I want to achieve is to get SSH-SSO working, directly from AD desktop machine to Linux systems without password prompt.
/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> Hi All, I have a properly functioning integration between RHEL 6.6/CentOS 6.6 and Active Directory 2008 using the adcli tool and sssd-ad ( http://jhrozek.livejournal.com/3581.html ):
>
> # adcli join acme.example.com -U userdomain
>
> # adcli info acme.example.com
> [domain]
> domain-name = acme.example.com
> domain-short = ACME
> domain-forest = example.com
> domain-controller = dom1.acme.example.com
> domain-controller-site = CENTRAL
> domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> domain-controller-usable = yes
> domain-controllers = dom1.acme.example.com dom2.acme.example.com
> [computer]
> computer-site = CENTRAL
>
> The sssd.conf:
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = ACME.EXAMPLE.COM
> debug_level = 7
>
> [domain/ACME.EXAMPLE.COM]
> krb5_use_enterprise_principal = false
> krb5_realm = ACME.EXAMPLE.COM
> ldap_force_upper_case_realm = true
> ldap_account_expire_policy = ad
> override_homedir = /home/%d/%u
> ldap_id_mapping = true
> subdomain_enumerate = true
> ldap_schema = ad
> ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> ad_enable_gc = false
> ldap_access_order = filter, expire
> enumerate = false
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> subdomains_provider = ad
> chpass_provider = ad
> ad_server = dom1.acme.example.com, dom2.acme.example.com
> ad_domain = acme.example.com
> ad_hostname = client1.acme.example.com
> ad_enable_dns_sites = false
> dyndns_update = false
> debug_level = 7
>
> /etc/krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = acme.example.com
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = true
> ignore_acceptor_hostname = true
>
> [realms]
> acme.example.com = {
>   kdc = acme.example.com
>   admin_server = acme.example.com
> }
>
> [domain_realm]
> .acme.example.com = acme.example.com
> acme.example.com = acme.example.com
> .example.com = acme.example.com
> example.com = acme.example.com
>
> [appdefaults]
> debug = true
>
> I can log in with user/password from AD to RHEL/CentOS, I can change the password, lock the account from AD, etc. It all works.
> The problem is within GSSAPI SSH-SSO authentication. Simply, it doesn't work. I see in the logs:
>
> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.  Minor code may provide more information
> No key table entry found matching host/client1.acme.example.com@
Do you see this message when sshd is starting up or during the connection of a client?

What principals are shown by 'klist -k'?
bye, Sumit
> Any idea what could be the reason? All I want to achieve is to get SSH-SSO working, directly from AD desktop machine to Linux systems without password prompt.
>
> /lm
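The sshd message in the original post names the acceptor principal it looked for, `host/client1.acme.example.com@` (note the empty realm after the `@`), and the reply asks what `klist -k` shows. The script below is an added example, not part of this thread and not sssd or MIT Kerberos code: it parses a `klist -k` style listing and checks whether the `host/<fqdn>@<REALM>` entry sshd needs is present, and, if not, reports which realm(s) a `host/<fqdn>` entry exists for. The hostname, realm and the keytab listing in `SAMPLE_KLIST` are constructed values; on a real host you would pipe the output of `klist -k` into the functions instead. The realm comparison is deliberately exact, because Kerberos principal and realm names are case-sensitive (the posted krb5.conf spells the realm `acme.example.com` while sssd.conf uses `ACME.EXAMPLE.COM`).

```shell
#!/bin/sh
# Added example (not from the thread): check a "klist -k" listing for the
# host/ service principal sshd needs to accept GSSAPI logins on this host.
# The FQDN, realm and the listing below are constructed sample values.

# Constructed stand-in for `klist -k` output. A real check would run
#   klist -k | keytab_has_host_principal "$(hostname -f)" ACME.EXAMPLE.COM
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT1$@ACME.EXAMPLE.COM
   3 host/CLIENT1@ACME.EXAMPLE.COM
   3 host/client1.acme.example.com@ACME.EXAMPLE.COM'

# keytab_principals: read klist -k output on stdin and print one principal
# per line. Entry lines are the ones that start with a numeric KVNO; the
# "Keytab name:" and column-header lines are skipped that way.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# keytab_has_host_principal FQDN REALM
# Exit 0 when host/FQDN@REALM is present in the listing read on stdin.
# The match is a whole-line, fixed-string comparison: realm names are
# case-sensitive, so host/x@acme.example.com is not host/x@ACME.EXAMPLE.COM.
keytab_has_host_principal() {
    keytab_principals | grep -qxF "host/$1@$2"
}

# keytab_host_realms FQDN
# Print the realm of every host/FQDN@... entry in the listing on stdin,
# so a realm mismatch (rather than a missing key) can be spotted.
keytab_host_realms() {
    keytab_principals | awk -v pfx="host/$1@" '
        index($0, pfx) == 1 { print substr($0, length(pfx) + 1) }
    '
}

# diagnose FQDN REALM
# Human-readable summary of the checks above; reads the listing on stdin.
# Returns 0 when the expected principal is present, 1 otherwise.
diagnose() {
    listing=$(cat)
    if printf '%s\n' "$listing" | keytab_has_host_principal "$1" "$2"; then
        echo "OK: host/$1@$2 is in the keytab"
        return 0
    fi
    echo "MISSING: host/$1@$2 is not in the keytab"
    realms=$(printf '%s\n' "$listing" | keytab_host_realms "$1")
    if [ -n "$realms" ]; then
        echo "host/$1 exists only for realm(s): $realms"
    else
        echo "no host/$1 entry for any realm; re-join or re-create the keytab"
    fi
    return 1
}

# Demonstration on the constructed listing: the upper-case AD realm is
# found, the lower-case spelling from the posted krb5.conf is not.
printf '%s\n' "$SAMPLE_KLIST" | diagnose client1.acme.example.com ACME.EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" | diagnose client1.acme.example.com acme.example.com || true
```

The KVNO column is also worth comparing against what the domain controller holds for the computer account: a keytab whose entries are present but carry a stale key version will fail GSSAPI acceptance too, which this listing-only check cannot see.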
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users