Old 12-11-2012, 01:57 PM   #1
Kerberos/OpenLDAP/ActiveDirectory/sssd configuration problems


I'm trying to set up a CentOS 6.3 server to authenticate from my Active Directory domain controller using MIT Kerberos, OpenLDAP, and sssd. Pretend my domain is I created a keytab on the Active Directory controller using
ktpass -princ host/ -pass somepassword -mapuser DOMAIN\CLIENT -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out client.keytab
I copied this to the client using SSH; when I run klist -k I get
12 host/
kinit -k gives no output; after running it, klist gives
Default principal: host/

Valid starting    Expires       Service principal
<some time>       <some time>   krbtgt/DOMAIN.NET@DOMAIN.NET
   renew until <some time>
At this point typing ldapsearch with no arguments gives the contents of the domain server as it should. After running ldapsearch klist now includes a ticket entry for ldap/controller@DOMAIN.NET.

When I start sssd, no errors are shown and nothing bad appears in the log. But when I try to get a user's information:
getent -s sss passwd bob
the log file says (among many, many other things)
(Tue Dec 11 11:51:43 2012) [sssd[be[]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_DOMAIN.NET], expired on [1355291503]
(Tue Dec 11 11:51:43 2012) [sssd[be[]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/
(Tue Dec 11 11:52:46 2012) [sssd[be[]]] [get_server_status] (0x1000): Status of server 'controller.domain' is 'name resolved'
(Tue Dec 11 11:52:46 2012) [sssd[be[]]] [get_port_status] (0x1000): Port status of port 389 for server 'controller.domain' is 'not working'
(Tue Dec 11 11:52:46 2012) [sssd[be[]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
The port is marked unusable, and nothing is returned by getent.

What's going on here? Any ideas? Repeated googlings and tweakings have found nothing.

The relevant config files are below.

Thanks for your help.

Last edited by EmrldDrgn; 12-11-2012 at 02:11 PM.
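Added example, not code from the post: a small Python parser for sssd debug-log lines of the shape quoted above. It pulls out the port-status events and measures the delay between the SASL bind attempt and the moment the LDAP port is marked 'not working'. In the quoted lines that delay is 63 seconds, which is worth noticing: a refused connection or a rejected bind would show up almost immediately, while a bind that sits there for a minute before the port is written off has hung until some timeout expired. The sample lines are the ones from the post (with the domain elided, as it is there); the 10-second threshold and the "hung until timeout" reading are my heuristic, not sssd behaviour.

```python
"""Parse sssd debug-log lines and locate the failover event for an
LDAP server port.

Added example (not from the post or from sssd). The sample lines are
constructed from those quoted in the post; the threshold and the
classification below are assumptions, not sssd semantics.
"""
import re
from datetime import datetime

# Constructed sample: the five log lines quoted in the post, domain elided.
SAMPLE_LOG = """\
(Tue Dec 11 11:51:43 2012) [sssd[be[]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_DOMAIN.NET], expired on [1355291503]
(Tue Dec 11 11:51:43 2012) [sssd[be[]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/
(Tue Dec 11 11:52:46 2012) [sssd[be[]]] [get_server_status] (0x1000): Status of server 'controller.domain' is 'name resolved'
(Tue Dec 11 11:52:46 2012) [sssd[be[]]] [get_port_status] (0x1000): Port status of port 389 for server 'controller.domain' is 'not working'
(Tue Dec 11 11:52:46 2012) [sssd[be[]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
"""

# One sssd debug line: (timestamp) [process] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>.+?)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PORT_RE = re.compile(r"Port status of port (\d+) for server '([^']+)' is '([^']+)'")


def parse_sssd_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        rec["lvl"] = int(rec["lvl"], 16)
        records.append(rec)
    return records


def port_status_events(records):
    """Extract (server, port, status) tuples from get_port_status messages."""
    events = []
    for rec in records:
        m = PORT_RE.search(rec["msg"])
        if m:
            events.append((m.group(2), int(m.group(1)), m.group(3)))
    return events


def bind_to_failure_seconds(records):
    """Seconds between the last SASL bind attempt and the first port that
    is marked 'not working'; None if either event is missing."""
    bind_ts = None
    for rec in records:
        if rec["func"] == "sasl_bind_send":
            bind_ts = rec["ts"]
        elif (bind_ts is not None and rec["func"] == "get_port_status"
              and "'not working'" in rec["msg"]):
            return (rec["ts"] - bind_ts).total_seconds()
    return None


def classify_failure(seconds, slow_threshold=10.0):
    """Assumed heuristic: a refused connection or a rejected bind fails
    within about a second; a gap of tens of seconds means the bind hung
    until a timeout expired rather than being turned away."""
    if seconds is None:
        return "no failover event"
    return "hung until timeout" if seconds >= slow_threshold else "failed fast"


if __name__ == "__main__":
    recs = parse_sssd_log(SAMPLE_LOG)
    for server, port, status in port_status_events(recs):
        print("server %s port %d -> %s" % (server, port, status))
    gap = bind_to_failure_seconds(recs)
    print("bind-to-failover gap: %s s (%s)" % (gap, classify_failure(gap)))
```

Run it against a real log with `parse_sssd_log(open("/var/log/sssd/sssd_<domain>.log").read())` (path assumed from the sssd defaults); the gap and the first 'not working' event are the two things to look at before touching the config.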
Old 12-11-2012, 02:09 PM   #2
Original Poster
Config files

# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=domain,dc=net
URI ldap://controller.domain/

#DEREF		never

TLS_CACERTDIR /etc/openldap/cacerts

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 DOMAIN.NET = {
  kdc = controller.domain:88
  admin_server = controller.domain:749
  default_domain =
 }

[domain_realm]
 = DOMAIN.NET
 = DOMAIN.NET

[sssd]
config_file_version = 2
domains =

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
debug_level = 9
filter_groups = root
filter_users = root
reconnection_retries = 3

# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
# entry_cache_nowait_percentage = 300

[pam]
reconnection_retries = 3

[domain/…]
debug_level = 9
ldap_id_use_start_tls = False
ldap_search_base = dc=domain,dc=net
krb5_server = controller.domain:88
krb5_kpasswd = controller.domain:749
ldap_tls_cacertdir = /etc/openldap/cacerts

cache_credentials = true
enumerate = false
min_id = 1000
max_id = 3000
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://controller.domain/
ldap_schema = rfc2307bis
ldap_user_search_base = cn=Users,dc=domain,dc=net
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=Groups,dc=domain,dc=net
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 5
ldap_account_expire_policy = ad
ldap_sasl_authid = host/
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_pwd_policy = mit_kerberos
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = domain.NET
krb5_validate = true
ldap_force_upper_case_realm = True
The relevant pam and nss config files have sss as an option, like this example:
passwd: files sss

Last edited by EmrldDrgn; 12-11-2012 at 02:13 PM.
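As an added example (not the poster's files and nothing from sssd itself), a Python check that reads a krb5.conf and an sssd.conf side by side and reports the settings the GSSAPI bind depends on when they disagree: whether krb5_realm in the sssd domain section matches default_realm in krb5.conf byte for byte (Kerberos realm names are case-sensitive, so a realm that differs only in case is a different realm), whether the realm is upper-case, and whether the ldap_sasl_authid principal actually exists in the keytab. The two sample files and the keytab listing are constructed; EXAMPLE.NET, the host names and the keytab path are placeholders, and the sample sssd.conf deliberately carries a krb5_realm that differs from default_realm only in case, the same pattern the files above show, so the check has something to report. Qualifying a bare authid with the domain's realm is my assumption about how the principal is looked up, not a statement about sssd.

```python
"""Cross-check the realm and principal settings that sssd's LDAP/GSSAPI
bind relies on, across krb5.conf and sssd.conf.

Added example; not the poster's configuration or sssd code. Realms,
hosts and the keytab contents below are constructed placeholders.
"""
import configparser
import re

# Constructed sample krb5.conf (realm and hosts are placeholders).
KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.NET = {
  kdc = controller.example.net:88
  admin_server = controller.example.net:749
 }
"""

# Constructed sample sssd.conf; krb5_realm deliberately differs from
# default_realm only in case.
SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = example.net
services = nss, pam

[domain/example.net]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://controller.example.net/
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.net
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = example.NET
ldap_force_upper_case_realm = True
"""

# Constructed stand-in for what `klist -k` would list from the keytab
# named in ldap_krb5_keytab.
KEYTAB_PRINCIPALS = ["host/client.example.net@EXAMPLE.NET"]


def krb5_default_realm(text):
    """default_realm from krb5.conf's [libdefaults]. krb5.conf is not
    INI (realm blocks use braces), so a line regex is used instead of
    configparser."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def check_sssd_domains(sssd_text, krb5_text, keytab_principals):
    """Return a list of findings (strings); an empty list means the
    checked settings agree with each other and with the keytab."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    default_realm = krb5_default_realm(krb5_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        realm = d.get("krb5_realm") or default_realm
        if not realm:
            findings.append("%s: no krb5_realm and no default_realm" % section)
            continue
        # Kerberos realm names are case-sensitive: 'example.NET' and
        # 'EXAMPLE.NET' are two different realms as far as the KDC goes.
        if default_realm and realm != default_realm:
            findings.append("%s: krb5_realm %r != krb5.conf default_realm %r"
                            % (section, realm, default_realm))
        if realm != realm.upper():
            findings.append("%s: realm %r is not upper-case" % (section, realm))
        authid = d.get("ldap_sasl_authid")
        if d.get("ldap_sasl_mech", "").upper() == "GSSAPI" and authid:
            # Assumption: a bare authid is qualified with the domain's
            # realm; the result must be a principal the keytab holds.
            full = authid if "@" in authid else "%s@%s" % (authid, realm)
            if full not in keytab_principals:
                findings.append("%s: %r not found in keytab" % (section, full))
    return findings


if __name__ == "__main__":
    for finding in check_sssd_domains(SSSD_CONF, KRB5_CONF, KEYTAB_PRINCIPALS):
        print(finding)
```

On a live host, feed it the real files and the principal list from `klist -k` (parse that output into a list of `principal@REALM` strings); the realm checks are exact string comparisons on purpose, because that is how the KDC compares them.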