I'm having trouble authenticating to an AD domain with a disjointed namespace using SSSD. Here's what I'm up against:
netbios domain name: BLAH
domain (& kerberos realm): DS.BLAH.COM
UPNs: username@BLAH.COM
To join the domain I have to have workgroup: BLAH in smb.conf, which is not generally how smb and winbind are configured (usually it would be DS instead of BLAH). I can create a Kerberos ticket for user@DS.BLAH.COM. I can do an "id user@ds.blah.com" and get a valid response, but when I try to "su user@ds.blah.com" I get an invalid password, and a log entry indicating "[sssd[krb5_child[29198]]]: Cannot resolve servers for KDC in realm "BLAH.COM"". I'm assuming that it's looking for the KDC there because of the setting in smb.conf.
I'm running SSSD 1.9.2 on CentOS 6.5.
I've tried various settings googling around, and so my current sssd.conf file looks like:

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = ds.blah.com
debug_level = 10

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]

[domain/ds.blah.com]
cache_credentials = False
krb5_store_password_if_offline = False
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc1.ds.blah.com
ad_hostname = host.ds.blah.com
krb5_realm = DS.BLAH.COM
ad_domain = ds.blah.com
ad_enable_dns_sites = True
krb5_canonicalize = false
debug_level = 5
Any suggestions would be greatly appreciated.
===================================
Daniel Shown, Linux Systems Administrator
Advanced Technology Group, Information Technology Services http://www.slu.edu/its
Saint Louis University http://www.slu.edu/
314-977-2583
===================================
"The aim of education is the knowledge, not of facts, but of values." — William S. Burroughs
"I’m supposed to be a scientific person but I use intuition more than logic in making basic decisions." — Seymour R. Cray
On Wed, Aug 13, 2014 at 12:03:55PM -0500, Daniel Shown wrote:
I'm having trouble authenticating to an AD domain with a disjointed namespace using SSSD. Here's what I'm up against:
netbios domain name: BLAH
domain (& kerberos realm): DS.BLAH.COM
UPNs: username@BLAH.COM
To join the domain I have to have workgroup: BLAH in smb.conf, which is not generally how smb and winbind are configured (usually it would be DS instead of BLAH). I can create a Kerberos ticket for user@DS.BLAH.COM. I can do an "id user@ds.blah.com" and get a valid response, but when I try to "su user@ds.blah.com" I get an invalid password, and a log entry indicating "[sssd[krb5_child[29198]]]: Cannot resolve servers for KDC in realm "BLAH.COM"". I'm assuming that it's looking for the KDC there because of the setting in smb.conf.
I'm running SSSD 1.9.2 on CentOS 6.5.
With sssd-1.11 which is coming to 6.6, this would work out of the box. In 1.9, you can use a workaround.
Can you try setting:

ldap_user_principal = nosuchattribute    # yes, literally
Normally, sssd uses the UPN attribute of the user. But if you override the LDAP UPN attribute to something that doesn't exist, SSSD would try to 'guess' the UPN with username@REALM.
I hope this helps.
I've tried various settings googling around, and so my current sssd.conf file looks like:
[sssd]
services = nss, pam, ssh, pac
^^^ Do you really use the SSH integration, that is, do you have the knownhosts set in sshd_conf? If not, you can remove the ssh responder.
config_file_version = 2
domains = ds.blah.com
debug_level = 10

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[domain/ds.blah.com]
cache_credentials = False
krb5_store_password_if_offline = False
The two above are defaults, you can safely remove them.
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc1.ds.blah.com
ad_hostname = host.ds.blah.com
krb5_realm = DS.BLAH.COM
ad_domain = ds.blah.com
ad_enable_dns_sites = True
krb5_canonicalize = false
debug_level = 5
Any suggestions would be greatly appreciated.
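A small check for the failure mode discussed above, written as an added example for this thread (it is not code from the thread or from SSSD): it parses the posted sssd.conf (re-entered here as constructed sample text, one key per line), reports any realm named in a krb5_child "Cannot resolve servers for KDC" message that is not the configured krb5_realm, and then applies the SSSD 1.9 workaround Jakub suggests by adding ldap_user_principal = nosuchattribute to the domain section. The function names and the filler log line are assumptions of this example; the realm values and the error text come from the thread.

```python
import configparser
import io
import re

# Constructed copy of the sssd.conf posted in the thread, one key per line.
# This is sample input for the check, not the poster's actual file.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = ds.blah.com
debug_level = 10

[nss]
[pam]
[ssh]
[pac]

[domain/ds.blah.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc1.ds.blah.com
ad_hostname = host.ds.blah.com
krb5_realm = DS.BLAH.COM
ad_domain = ds.blah.com
ad_enable_dns_sites = True
krb5_canonicalize = false
debug_level = 5
"""

# Constructed log excerpt: the first line is the krb5_child message quoted in
# the thread, the second is an unrelated filler line added for the example.
LOG_LINES = [
    '[sssd[krb5_child[29198]]]: Cannot resolve servers for KDC in realm "BLAH.COM"',
    '[sssd[krb5_child[29198]]]: (constructed filler line, no KDC error here)',
]

KDC_ERROR = re.compile(r'Cannot resolve servers for KDC in realm "([^"]+)"')


def load_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def configured_realms(parser):
    """Map each [domain/...] section to its krb5_realm (empty string when unset)."""
    realms = {}
    for section in parser.sections():
        if section.startswith("domain/"):
            realms[section[len("domain/"):]] = parser.get(section, "krb5_realm", fallback="")
    return realms


def unexpected_kdc_realms(log_lines, parser):
    """Return realms krb5_child failed to resolve that match no configured krb5_realm.

    A hit means SSSD built a principal in a realm other than the configured one,
    which is the symptom the thread attributes to UPNs of the form user@BLAH.COM.
    """
    configured = set(configured_realms(parser).values())
    hits = []
    for line in log_lines:
        match = KDC_ERROR.search(line)
        if match and match.group(1) not in configured:
            hits.append(match.group(1))
    return hits


def apply_upn_workaround(parser, domain):
    """Apply the SSSD 1.9 workaround from the thread: point the UPN attribute at a
    nonexistent LDAP attribute so SSSD falls back to username@krb5_realm."""
    parser.set("domain/" + domain, "ldap_user_principal", "nosuchattribute")
    return parser


def render(parser):
    """Serialize the parsed config back to sssd.conf text."""
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    conf = load_conf(SSSD_CONF)
    for realm in unexpected_kdc_realms(LOG_LINES, conf):
        print("krb5_child tried realm %s; configured realms: %s"
              % (realm, sorted(configured_realms(conf).values())))
    print(render(apply_upn_workaround(conf, "ds.blah.com")))
```

Run against a real /var/log/sssd/krb5_child.log, the realm reported by unexpected_kdc_realms is the one to compare with krb5_realm before changing anything else; if they differ, the workaround section is what the thread recommends on 1.9, and on 1.11 and later it should not be needed.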
Jakub, you are my hero. :DS
On Thu, Aug 14, 2014 at 1:55 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Wed, Aug 13, 2014 at 12:03:55PM -0500, Daniel Shown wrote:
I'm having trouble authenticating to an AD domain with a disjointed namespace using SSSD. Here's what I'm up against:
netbios domain name: BLAH
domain (& kerberos realm): DS.BLAH.COM
UPNs: username@BLAH.COM
To join the domain I have to have workgroup: BLAH in smb.conf, which is not generally how smb and winbind are configured (usually it would be DS instead of BLAH). I can create a Kerberos ticket for user@DS.BLAH.COM. I can do an "id user@ds.blah.com" and get a valid response, but when I try to "su user@ds.blah.com" I get an invalid password, and a log entry indicating "[sssd[krb5_child[29198]]]: Cannot resolve servers for KDC in realm "BLAH.COM"". I'm assuming that it's looking for the KDC there because of the setting in smb.conf.
I'm running SSSD 1.9.2 on CentOS 6.5.
With sssd-1.11 which is coming to 6.6, this would work out of the box. In 1.9, you can use a workaround.
Can you try setting:

ldap_user_principal = nosuchattribute    # yes, literally
Normally, sssd uses the UPN attribute of the user. But if you override the LDAP UPN attribute to something that doesn't exist, SSSD would try to 'guess' the UPN with username@REALM.
I hope this helps.
I've tried various settings googling around, and so my current sssd.conf file looks like:
[sssd]
services = nss, pam, ssh, pac
^^^ Do you really use the SSH integration, that is, do you have the knownhosts set in sshd_conf? If not, you can remove the ssh responder.
config_file_version = 2
domains = ds.blah.com
debug_level = 10

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[domain/ds.blah.com]
cache_credentials = False
krb5_store_password_if_offline = False
The two above are defaults, you can safely remove them.
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc1.ds.blah.com
ad_hostname = host.ds.blah.com
krb5_realm = DS.BLAH.COM
ad_domain = ds.blah.com
ad_enable_dns_sites = True
krb5_canonicalize = false
debug_level = 5
Any suggestions would be greatly appreciated.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users