Hi all,
I'm having problems getting sssd to authenticate a user in a parent domain in the same forest. In brief, it's an Ubuntu 18.04 box with sssd 1.16.1: the box was joined to the domain 'development.cseserve.com' with 'realm join'. Users in that domain can authenticate successfully, but users in the parent domain cseserve.com cannot.
After some reading, I found the sssctl command, and that the sssd.conf file needed a tweak to add 'ifp' to the list of services, which gave access to the user-checks. The configuration file and the output of various sssctl checks are at the bottom of this email.
If I attempt to authenticate as a user in cseserv.com, I get:
root@hs-svn-02:/var/log/sssd# sssctl user-checks chris.johnson@cseserv.com -a auth
user: chris.johnson@cseserv.com
action: auth
service: system-auth

SSSD nss user lookup result:
 - user name: chris.johnson@cseserv.com
 - user id: 715601141
 - group id: 715601141
 - gecos: Chris Johnson
 - home directory: /home/chris.johnson@cseserv.com
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: chris.johnson@cseserv.com
 - uidNumber: 715601141
 - gidNumber: 715601141
 - gecos: Chris Johnson
 - homeDirectory:
 - loginShell:

testing pam_authenticate
Password:
pam_authenticate for user [chris.johnson@cseserv.com]: Authentication failure

PAM Environment:
 - no env -
root@hs-svn-02:/var/log/sssd#
Now in /var/log/syslog, when I tail -f during sssctl user-checks, I get the error:
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
I can't see any other pertinent errors in log files, but I'm happy to provide more if I know what to send over :-)
This error does not occur for a user in the development.cseserv.com domain, which completes successfully:
[...deleted the preamble...]
testing pam_authenticate
Password:
pam_authenticate for user [cjohnson@development.cseserve.com]: Success

PAM Environment:
 - KRB5CCNAME=FILE:/tmp/krb5cc_376801009_vS8U1c
I've tried various things based on various searches, including creating a /etc/krb5.conf file to specify encryption protocols, and after a restart this did not change the behaviour:
[libdefaults]
 allow_weak_crypto = true
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 rdns=false
 dns_lookup_kdc = true
Additionally I've tried explicitly declaring the cseserv domain as a trusted domain in sssd.conf (based on https://docs.pagure.org/SSSD.sssd/users/ad_provider.html#etc-sssd-sssd-conf), and this failed as well:
[sssd]
domains = development.cseserv.com, cseserv.com
{...rest unchanged...}

[domain/development.cseserve.com/cseserve.com]
ad_server = hs-dc-01.cseserve.com
What obvious thing am I missing? From what I'm reading, this should work.
Regards,
Chris
====================================================================
Sanity checking the domain configuration:
realm list gives:
root@hs-svn-02:/var/log/sssd# realm list
development.cseserv.com
  type: kerberos
  realm-name: DEVELOPMENT.CSESERV.COM
  domain-name: development.cseserv.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@development.cseserv.com
  login-policy: allow-realm-logins
root@hs-svn-02:/var/log/sssd#
sssctl domain-list shows that the parent domain was auto-discovered:
root@hs-svn-02:/var/log/sssd# sssctl domain-list
development.cseserve.com
test.cseserve.com
hst.cseserve.com
cseserve.com
root@hs-svn-02:/var/log/sssd#
sssctl domain-status development.cseserv.com gives:
Online status: Online
Active servers:
AD Global Catalog: hs-dc-01.development.cseserv.com
AD Domain Controller: hs-dc-01.development.cseserv.com
Discovered AD Global Catalog servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
- gsh-dc-04.cseserv.com
- gsh-dc-05.cseserv.com
- gsh-dc-01.cseserv.com
Discovered AD Domain Controller servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
sssctl domain-status cseserv.com gives:
root@hs-svn-02:/var/log/sssd# sssctl domain-status cseserv.com
Online status: Online
Active servers:
AD Domain Controller: gsh-dc-04.cseserv.com
AD Global Catalog: hs-dc-01.development.cseserv.com
Discovered AD Domain Controller servers:
- gsh-dc-04.cseserv.com
- gsh-dc-01.cseserv.com
- gsh-dc-05.cseserv.com
- gln-dc-01.cseserv.com
Discovered AD Global Catalog servers:
- hs-dc-01.development.cseserv.com
- hs-dc-02.development.cseserv.com
- gsh-dc-04.cseserv.com
- gsh-dc-05.cseserv.com
- gsh-dc-01.cseserv.com
My sssd.conf file:
[sssd]
domains = development.cseserve.com
config_file_version = 2
services = nss, pam, ifp
debug_level = 9

[domain/development.cseserve.com]
ad_domain = development.cseserve.com
krb5_realm = DEVELOPMENT.CSESERVE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
sssd-users@lists.fedorahosted.org
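The two things worth checking mechanically in a post like the one above are the shape of sssd.conf (sssd.conf(5) documents trusted domains as a `[domain/<main>/<trusted>]` subsection under an already configured main domain, and every name in `[sssd] domains` must have its own `[domain/<name>]` section) and the exact Kerberos error the krb5_child helper logs ("Server not found in Kerberos database" is the libkrb5 text for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, i.e. the KDC could not find the requested service principal, not the user). The script below is an added example, not code from the poster or from the SSSD project; the two sssd.conf variants and the syslog lines are constructed to mirror the post, and the error-name table covers only messages whose libkrb5 names are well known.

```python
"""Offline sanity checks for an SSSD trusted-domain setup (added example).

1. check_sssd_conf(): parse an sssd.conf and flag domains listed in
   [sssd] domains without a [domain/<name>] section, and trusted-domain
   subsections [domain/<main>/<trusted>] whose main domain is missing.
2. scan_krb5_child(): pull krb5_child messages out of syslog lines and
   map the Kerberos error text to its libkrb5 error name.
"""
import configparser
import re

# Constructed sssd.conf modelled on the second attempt in the post: the
# parent domain is added to `domains` but only has a trusted-domain
# subsection, not a [domain/cseserve.com] section of its own.
SSSD_CONF_LISTED_PARENT = """\
[sssd]
domains = development.cseserve.com, cseserve.com
config_file_version = 2
services = nss, pam, ifp

[domain/development.cseserve.com]
id_provider = ad
ad_domain = development.cseserve.com
krb5_realm = DEVELOPMENT.CSESERVE.COM
fallback_homedir = /home/%u@%d

[domain/development.cseserve.com/cseserve.com]
ad_server = hs-dc-01.cseserve.com
"""

# Constructed variant: the parent is reached only through the subsection,
# so it is not repeated in `domains`.
SSSD_CONF_SUBSECTION_ONLY = SSSD_CONF_LISTED_PARENT.replace(
    "domains = development.cseserve.com, cseserve.com",
    "domains = development.cseserve.com")

# Constructed syslog excerpt mirroring the post (same message twice, plus
# an unrelated line that the scanner must ignore).
SAMPLE_SYSLOG = """\
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
Dec 11 10:59:21 hs-svn-02 systemd[1]: Started Session 42 of user root.
""".splitlines()

# libkrb5 message text -> error name (MIT Kerberos error table).
KRB5_ERROR_NAMES = {
    "Server not found in Kerberos database": "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    "Client not found in Kerberos database": "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    "Preauthentication failed": "KRB5KDC_ERR_PREAUTH_FAILED",
    "Clock skew too great": "KRB5KRB_AP_ERR_SKEW",
}

KRB5_CHILD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]: (?P<msg>.*)$")


def _csv(value):
    """Split a comma-separated sssd.conf value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_sssd_conf(text):
    """Return a list of findings; an empty list means the layout is consistent."""
    # interpolation=None: sssd values such as /home/%u@%d contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    listed = _csv(cp.get("sssd", "domains", fallback=""))
    main_sections = {s[len("domain/"):] for s in cp.sections()
                     if s.startswith("domain/") and s.count("/") == 1}
    for d in listed:
        if d not in main_sections:
            findings.append(f"'{d}' is listed in [sssd] domains but has no "
                            f"[domain/{d}] section")
    for s in cp.sections():
        if s.startswith("domain/") and s.count("/") == 2:
            _, main, trusted = s.split("/")
            if main not in main_sections:
                findings.append(f"[{s}] names main domain '{main}' which has "
                                f"no [domain/{main}] section")
            elif main not in listed:
                findings.append(f"[{s}] belongs to '{main}', which is not "
                                f"enabled in [sssd] domains")
    if "ifp" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("'ifp' is not in [sssd] services; sssctl user-checks "
                        "cannot perform InfoPipe lookups")
    return findings


def scan_krb5_child(lines):
    """Return one record per krb5_child syslog line: pid, message, error name."""
    hits = []
    for line in lines:
        m = KRB5_CHILD_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        name = next((n for text, n in KRB5_ERROR_NAMES.items()
                     if msg.startswith(text)), None)
        hits.append({"pid": int(m.group("pid")), "message": msg, "error": name})
    return hits


if __name__ == "__main__":
    for label, conf in (("listed parent", SSSD_CONF_LISTED_PARENT),
                        ("subsection only", SSSD_CONF_SUBSECTION_ONLY)):
        print(label, "->", check_sssd_conf(conf) or "OK")
    for hit in scan_krb5_child(SAMPLE_SYSLOG):
        print(hit["pid"], hit["error"], hit["message"])
```

Run against a real box, `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` and `scan_krb5_child(open("/var/log/syslog"))` replace the constructed samples; the config check only reasons about section layout, so an empty result says the file is structurally consistent, not that the trust itself works.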