Hello,
I was told by a user in linuxquestions.org to try this list for help.
So we've been trying to get SSSD working with AD on RHEL 6 for about a week now. We've been trying to follow http://www.redhat.com/resourcelibrary/reference-architectures/integrating-re...
As 1.8.0-32 is part of the latest install of RHEL 6, that's the version we need to use.
We can get configuration number 6.4 Kerberos/LDAP working just fine and SSH with that, but we want option 6.3 SSSD/Kerberos/LDAP for the caching features.
When the 6.3 option is enabled, we can do an ldapsearch just fine with ldapsearch -Y GSSAPI -N "(sAMAccountName=username)"
It's when we try to SSH to the server that we are unable to get it to work. We do ssh -vvvv username@servername and get a permission denied when we enter the password.
In /var/log/messages we get:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Matching credential not found)
In /var/log/secure, we get:
Invalid user username from ipaddress
input_userauth_request: invalid user username
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername
pam_succeed_if(sshd:auth): error retrieving information about user username
Failed password for invalid user username from ipaddress port portid SSH2
Here is the /var/sssd/sssd.conf file:
[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = default

[nss]

[pam]

[domain/default]
debug_level = 9
enumerate = false
id_provider = ldap
chpass_provider = krb5
case_sensitive = false
ldap_uri = ldap://ldapservername.domain.domain.domain
ldap_search_base = dc=domain,dc=domain,dc=domain
ldap_user_search_base = dc=domain,dc=domain,dc=domain
ldap_group_search_base = dc=domain,dc=domain,dc=domain
ldap_id_use_start_tls = true
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = host/servername.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN

auth_provider = krb5
cache_credentials = true
krb5_realm = DOMAIN.DOMAIN.DOMAIN
krb5_server = ldapservername.DOMAIN.DOMAIN.DOMAIN
krb5_ccachedir = /tmp
krb5_auth_timeout = 15

ldap_user_object_class = user
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

krb5_kpasswd = ldapservername.domain.domain.domain

access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_disable_referrals = true

[sudo]

[autofs]

[ssh]
I've tried changing access_provider to simple or permit and it didn't work. I tried adding ldap_access_filter to allow my id and tried objectClass=user and it didn't work. I modified the sssd.conf file based on another one I found at zews.org/rhel6-active-directory.
Here is the password_auth file:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
nsswitch.conf has the following:
passwd: files sss
shadow: files sss
group:  files sss
ldap_child.log gives me the following:
[unpack_buffer] (0x1000): total buffer size 94
[unpack_buffer] (0x1000): realm_str size: 15
[unpack_buffer] (0x1000): got realm_str: DOMAIN.DOMAIN.DOMAIN
[unpack_buffer] (0x1000): princ_str size: 47
[unpack_buffer] (0x1000): got princ_str: host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN
[unpack_buffer] (0x1000): keytab_name size = 16
[unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
[unpack_buffer] (0x1000): lifetime: 86400
[ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN]
That's it. The AD side sees that we are doing the query and doesn't see anything on their end in terms of errors and such.
At a loss right now as to what we are doing wrong in the configuration for option 6.3. We have a working keytab for Kerberos. We know we can see AD with ldapsearch. We just can't get it to work with SSSD and SSH.
On Thu, Nov 08, 2012 at 11:01:33AM -0600, James Chambers wrote:
Thank you for the detailed problem description. At a glance, I don't see anything in your configuration that would strike me as wrong.
I assume you are not able to get the user data with "getent passwd user" on the server?
Are you able to kinit with the keytab as host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN ?
Can you paste a bigger portion of the logs?
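As an added example (not from the thread or from SSSD itself), a small POSIX sh script that walks the checks asked for above (principal in the keytab, kinit with it, getent through sss) and sorts lines like the quoted /var/log/secure excerpt into "the account never resolved" versus "the password was rejected", which is what separates an SSSD identity-lookup problem from a Kerberos authentication problem. The host principal, hostnames and the sample log lines are placeholders modelled on the post.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames, realm and the sample log
# lines are placeholders/constructed values modelled on the post.
KEYTAB=/etc/krb5.keytab
HOST_PRINC='host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN'

# Classify one sshd/PAM line from /var/log/secure: "lookup" means sshd/NSS
# never resolved the account (SSSD identity lookup failed before any password
# reached AD); "auth" means it resolved but the credential was rejected.
classify_secure_line() {
    case "$1" in
        *"nvalid user"*|*"user unknown"*|*"error retrieving information about user"*)
            echo lookup ;;
        *"authentication failure"*|*"Failed password"*) echo auth ;;
        *) echo other ;;
    esac
}

# Read a log excerpt on stdin. A lookup failure explains every later auth
# line of that login attempt, so it outranks "auth".
diagnose_secure_log() {
    verdict=other
    while IFS= read -r line; do
        case "$(classify_secure_line "$line")" in
            lookup) verdict=lookup ;;
            auth) [ "$verdict" = lookup ] || verdict=auth ;;
        esac
    done
    echo "$verdict"
}

# Live checks for the server itself, in the order the reply asks about.
check_keytab() { klist -kt "$KEYTAB" | grep -q "$HOST_PRINC"; }  # principal in keytab?
check_kinit() {                                                  # can ldap_child get a TGT?
    cc=$(mktemp) && KRB5CCNAME="FILE:$cc" kinit -kt "$KEYTAB" "$HOST_PRINC"
    rc=$?; kdestroy -c "FILE:$cc" 2>/dev/null; rm -f "$cc"; return $rc
}
check_nss() { getent passwd "$1" >/dev/null; }                   # does files/sss resolve it?

# Constructed excerpt in the shape of the poster's /var/log/secure.
SAMPLE_SECURE_LOG='sshd[2041]: Invalid user jdoe from 192.0.2.10
sshd[2041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client
sshd[2041]: pam_succeed_if(sshd:auth): error retrieving information about user jdoe
sshd[2041]: Failed password for invalid user jdoe from 192.0.2.10 port 51234 ssh2'

case "${1:-}" in
    live) check_keytab && check_kinit && check_nss "${2:?username}" && echo "keytab, kinit, NSS OK" ;;
    *)    printf '%s\n' "$SAMPLE_SECURE_LOG" | diagnose_secure_log ;;  # prints "lookup"
esac
```

Run it with no arguments to classify the constructed excerpt, or as `sh script.sh live username` on the server to run the keytab, kinit and getent checks in order; a "lookup" verdict means the fix belongs on the id_provider/NSS side, not in the PAM auth stack.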
sssd-users@lists.fedorahosted.org