LinuxQuestions.org

Linux - Server: Authentication with AD Using SSSD (https://www.linuxquestions.org/questions/linux-server-73/authentication-with-ad-using-sssd-4175561450/)

pies 12-14-2015 04:33 PM

Authentication with AD Using SSSD
 
Hello,

I am attempting to get my SLES11 SP3 system to authenticate against an AD domain using SSSD; however, after setting everything up following this tutorial, I'm having some issues.

First off let me share my configurations (note that I'm using generic domain, computer and user names for this post).

/etc/krb5.conf:
Code:

[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = yes
    clockskew = 300

[realms]
    AD.DOMAIN.COM = {
        kdc = MYDOMAIN.COM
        default_domain = mydomain.com
        admin_server = mydomain.com
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .MYDOMAIN.COM = mydomain.com
    MYDOMAIN.COM= mydomain.com

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
    }

Then, on the Windows Server 2008 machine, I ran the following:
Code:

setspn -A host/mycomputer.mydomain.com@MYDOMAIN.COM mycomputer
setspn -L mycomputer
ktpass /princ host/mycomputer.mydomain.com@MYDOMAIN.COM /out client-krb5.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser MYDOMAIN\mycomputer$ /pass *

I then copied the keytab to the client as "/etc/krb5.keytab".

Here is the output of klist -ke:
Code:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  4 host/mycomputer.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
  4 host/mycomputer.mydomain.com@MYDOMAIN.COM (DES cbc mode with RSA-MD5)
  4 host/mycomputer.mydomain.com@MYDOMAIN.COM (ArcFour with HMAC/md5)
  4 host/mycomputer.mydomain.com@MYDOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  4 host/mycomputer.mydomain.com@MYDOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)

I then generate my TGT:
Code:

kinit -k -t /etc/krb5.keytab 'host/mycomputer.mydomain.com@MYDOMAIN.COM'

kinit user@MYDOMAIN.COM

I can list my TGT:
Code:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MYDOMAIN.COM

Valid starting    Expires            Service principal
12/14/15 16:50:22  12/15/15 02:50:20  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 12/21/15 16:50:22
12/14/15 16:51:12  12/15/15 02:50:20  krbtgt/mydomain.com@MYDOMAIN.COM
        renew until 12/21/15 16:50:22

However, if I try to run 'id user', it returns "No such user".

/etc/sssd/sssd.conf:
Code:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
debug_level = 10
domains = MYDOMAIN.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/MYDOMAIN.COM]
enumerate = false
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://mydomain.com
ldap_schema = rfc2307bis
ldap_user_search_base = dc=mydomain,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = LoginShell
ldap_group_search_base = dc=mydomain,dc=com
ldap_group_object_class = group
ldap_force_upper_case_realm = false
ldap_access_order = expire
ldap_account_expire_policy = ad
krb5_realm = MYDOMAIN.COM
krb5_server = mydomain.com
ldap_sasl_mech = gssapi
ldap_krb5_init_creds = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400
ldap_sasl_authid = host/mycomputer.mydomain.com@MYDOMAIN.COM

If I attempt to SSH into this client as the domain user, it complains:
Code:

Dec 14 16:41:52 mycomputer sshd[24942]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11.184.166 user=user
Dec 14 16:41:52 mycomputer sshd[24942]: pam_sss(sshd:auth): received for user user: 10 (User not known to the underlying authentication module)

I know this is a lot. Any ideas or thoughts in regards to this will be much appreciated.

pies 12-15-2015 08:41 AM

Just to update.

Here are some logs from SSSD:

Code:

(Tue Dec 15 09:09:48 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Tue Dec 15 09:09:48 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Tue Dec 15 09:09:58 2015) [sssd] [ping_check] (0x0100): Service MYDOMAIN.COM replied to ping

As you can see, the service can communicate with NSS, PAM and the domain.

Now if I try to query LDAP, I get the following error:
Code:

# /usr/bin/ldapsearch -H ldap://mydomain.com -Y GSSAPI -N -b "dc=mydomain,dc=com" "(&(objectclass=user)(sAMAccountName=user))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot find KDC for requested realm)

Perhaps the problem is SSSD is not able to query information from AD?
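Editor's added example (not code from the thread): a small consistency checker for the two artifacts posted above, the krb5.conf from the first post and the `klist -ke` listing, plus a corrected krb5.conf next to the posted one. With `dns_lookup_kdc = false` the `[realms]` stanza is the only place the Kerberos library can learn a KDC address, so a realm whose stanza is named differently from `default_realm`, or a `[domain_realm]` entry that maps to a lowercase realm name with no stanza, ends in exactly the "Cannot find KDC for requested realm" error seen in the ldapsearch output. The checker also flags the DES and RC4 keys that `ktpass /crypto all` put into the keytab. Both sample inputs are constructed to mirror the post (generic names); nothing is read from disk.

```python
"""krb5.conf / keytab consistency checker (added example, not from the thread)."""
import re

# Constructed: the relevant parts of the krb5.conf as posted.
BROKEN_KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_kdc = false
[realms]
    AD.DOMAIN.COM = {
        kdc = MYDOMAIN.COM
    }
[domain_realm]
    .MYDOMAIN.COM = mydomain.com
    MYDOMAIN.COM= mydomain.com
"""

# Constructed: the same file with the realm stanza named after default_realm and
# [domain_realm] mapping DNS domains (lowercase) to the realm (uppercase).
FIXED_KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_kdc = false
[realms]
    MYDOMAIN.COM = {
        kdc = mydomain.com
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
"""

# Constructed: the posted `klist -ke` output.
KLIST_KE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/mycomputer.mydomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32)
   4 host/mycomputer.mydomain.com@MYDOMAIN.COM (DES cbc mode with RSA-MD5)
   4 host/mycomputer.mydomain.com@MYDOMAIN.COM (ArcFour with HMAC/md5)
   4 host/mycomputer.mydomain.com@MYDOMAIN.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 host/mycomputer.mydomain.com@MYDOMAIN.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above: [section] headers, `key = value`
    lines and one level of `name = { ... }` blocks. Returns nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = sections.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue  # key outside any section: ignore
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            (block if block is not None else section)[m.group(1)] = m.group(2).strip()
    return sections


def check_krb5_conf(conf):
    """Return findings that would leave the library unable to locate a KDC."""
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    default_realm = libdefaults.get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append("default_realm %s has no [realms] stanza" % default_realm)
    # MIT krb5 defaults dns_lookup_kdc to true; only an explicit false disables it.
    dns_off = libdefaults.get("dns_lookup_kdc", "true").lower() in ("false", "no", "0")
    for realm, body in realms.items():
        if dns_off and "kdc" not in body:
            findings.append("[realms] %s lists no kdc and dns_lookup_kdc is off" % realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper():  # realm names are case-sensitive; AD realms are uppercase
            findings.append("domain_realm maps %s to %r: realm names are case-sensitive" % (domain, realm))
        if realm not in realms:
            findings.append("domain_realm maps %s to %s, which has no [realms] stanza" % (domain, realm))
    return findings


WEAK_ENCTYPE_PREFIXES = ("DES cbc", "ArcFour")  # single DES and RC4 key types


def weak_keytab_entries(klist_ke_output):
    """Return (principal, enctype) for every DES or RC4 key in `klist -ke` output."""
    weak = []
    for line in klist_ke_output.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$", line)
        if m and m.group(2).startswith(WEAK_ENCTYPE_PREFIXES):
            weak.append((m.group(1), m.group(2)))
    return weak


if __name__ == "__main__":
    for label, text in (("posted", BROKEN_KRB5_CONF), ("corrected", FIXED_KRB5_CONF)):
        print(label, "krb5.conf:", check_krb5_conf(parse_krb5_conf(text)) or "no findings")
    for principal, enctype in weak_keytab_entries(KLIST_KE):
        print("weak keytab key:", principal, enctype)
```

Run as-is to see the five findings against the posted file and none against the corrected one. To point it at a real host, replace the constructed strings with `open("/etc/krb5.conf").read()` and the output of `klist -ke`; the AES entries in the keytab are what SSSD and modern AD will actually negotiate, and the DES/RC4 entries flagged here are worth dropping by regenerating the keytab without them.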
