Hi,
I'm having issues trying to get my RHEL 6 box to authenticate against an Active Directory 2008 R2 DC using just Kerberos / LDAP / SSSD, not Winbind.
I think I'm close with my config; I just can't seem to authenticate via SSH for some reason. The error I get in /var/log/sssd/krb5_child.log is:
Code:
[get_and_save_tgt] (1): 721: [-1765328360] [Preauthentication failed]
[tgt_req_child] (1): 980: [-1765328360] [Preauthentication failed]
I have tried disabling pre-authentication (bad idea, but had to test) in AD but that doesn't work either.
Obviously this is the first step: once Kerberos has authenticated the account, it will then communicate via LDAP to get group memberships, etc. I just can't figure out why it won't authenticate (obviously the password I'm using is correct).
Here are my config files:
/etc/sssd/sssd.conf
Code:
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
offline_credentials_expiration = 0
[domain/LDAP]
debug_level = 9
enumerate = false
min_id = 1000
access_provider = ldap
# ldap_access_filter = memberOf="cn=Unix_users,ou=Groups,ou=Managed,dc=nl,dc=test,dc=ad"
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc.nl.test.ad/
ldap_search_base = dc=nl,dc=test,dc=ad
ldap_default_bind_dn = cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=nl,dc=test,dc=ad
ldap_default_authtok_type = password
ldap_default_authtok = HardP@ssw0rd1
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_user_gid_number = gidNumber
ldap_user_uid_number = uidNumber
# kerberos config
# note: krb5.conf and ldap_uri above both use dc.nl.test.ad, not dc.test.ad
krb5_server = dc.test.ad
krb5_realm = NL.TEST.AD
# the SSSD option is spelled krb5_changepw_principal; SSSD ignores unknown option names
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
cache_credentials = True
krb5_renewable_lifetime = 36000
krb5_lifetime = 36000
#krb5_use_fast = try
/etc/krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
NL.TEST.AD = {
kdc = dc.nl.test.ad:88
admin_server = dc.nl.test.ad:749
default_domain = nl.test.ad
}
[domain_realm]
.nl.test.ad = NL.TEST.AD
nl.test.ad = NL.TEST.AD
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/nsswitch.conf
Code:
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
/etc/pam.d/password-auth
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
The system time is synced to the DC and correct. The RHEL box has an account in AD and I have a Kerberos ticket for it. The keytab is present and correct and is shown by doing:
This all worked perfectly under RHEL 5 (although using /etc/ldap.conf and not SSSD!) but this is killing me!
If anyone has any pointers I'd be extremely grateful!
Many thanks,
-Mark
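Two things in the posted configuration are worth checking before digging into the KDC: the SSSD domain section points krb5_server at dc.test.ad while krb5.conf and ldap_uri both name dc.nl.test.ad, and the option krb5_changepw_principle is not an SSSD option name (the documented one is krb5_changepw_principal; SSSD ignores names it does not recognise rather than erroring). The script below is an added example, not part of the post or of SSSD. It parses an sssd.conf and a krb5.conf and reports exactly that class of mismatch: a krb5_server that matches neither the ldap_uri host nor a kdc listed for the realm, a realm with no [realms] block, a lowercase realm, and unrecognised krb5_* option names. The two embedded configs are constructed samples mirroring the post (bind password omitted), and KNOWN_KRB5_OPTIONS is a subset of the documented krb5 provider options that you would extend for your SSSD version.

```python
# Added example: consistency checks for an SSSD domain section against
# krb5.conf.  Sample configs are constructed to mirror the forum post
# (LDAP bind password omitted); nothing here is the poster's own tooling.
import configparser
import re
from urllib.parse import urlparse

SSSD_CONF = """\
[sssd]
domains = LDAP
services = nss, pam
[domain/LDAP]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc.nl.test.ad/
krb5_server = dc.test.ad
krb5_realm = NL.TEST.AD
krb5_changepw_principle = kadmin/changepw
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
"""

KRB5_CONF = """\
[libdefaults]
 dns_lookup_kdc = false
[realms]
 NL.TEST.AD = {
  kdc = dc.nl.test.ad:88
  admin_server = dc.nl.test.ad:749
 }
"""

# krb5 provider options SSSD documents (subset; assumption: extend it for
# your SSSD version).  SSSD silently ignores option names it does not know.
KNOWN_KRB5_OPTIONS = {
    "krb5_server", "krb5_backup_server", "krb5_kpasswd", "krb5_realm",
    "krb5_changepw_principal", "krb5_ccachedir", "krb5_ccname_template",
    "krb5_auth_timeout", "krb5_validate", "krb5_keytab", "krb5_lifetime",
    "krb5_renewable_lifetime", "krb5_renew_interval", "krb5_use_fast",
    "krb5_fast_principal", "krb5_canonicalize", "krb5_store_password_if_offline",
}


def parse_sssd_domains(text):
    """Return {section: {option: value}} for every [domain/...] section."""
    # interpolation=None: %d and %U in krb5_ccname_template are SSSD
    # template fields, not configparser substitutions.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("domain/")}


def parse_krb5_realms(text):
    """Return {REALM: [kdc hosts]} from the krb5.conf [realms] section.
    Brace-delimited realm blocks defeat configparser, hence a hand parser."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            realm = m.group(1)
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key == "kdc":
                realms[realm].append(re.sub(r":\d+$", "", val))  # drop :port
    return realms


def check(sssd_text, krb5_text):
    """Return a list of human-readable findings (empty means consistent)."""
    findings = []
    realms = parse_krb5_realms(krb5_text)
    for section, opts in parse_sssd_domains(sssd_text).items():
        for key in opts:
            if key.startswith("krb5_") and key not in KNOWN_KRB5_OPTIONS:
                findings.append(f"{section}: unknown option '{key}' (typo? SSSD ignores it)")
        realm = opts.get("krb5_realm", "")
        if realm and realm != realm.upper():
            findings.append(f"{section}: krb5_realm '{realm}' is not upper-case")
        if realm and realm not in realms:
            findings.append(f"{section}: realm {realm} has no [realms] block in krb5.conf")
        kdc = opts.get("krb5_server")
        ldap_host = urlparse(opts.get("ldap_uri", "")).hostname
        if kdc and ldap_host and kdc != ldap_host:
            findings.append(f"{section}: krb5_server '{kdc}' differs from ldap_uri host '{ldap_host}'")
        if kdc and realm in realms and kdc not in realms[realm]:
            findings.append(f"{section}: krb5_server '{kdc}' is not a kdc for {realm} in krb5.conf {realms[realm]}")
    return findings


if __name__ == "__main__":
    for finding in check(SSSD_CONF, KRB5_CONF):
        print(finding)
```

Run against the sample it reports the unknown option and the two krb5_server mismatches; after correcting the host and the option name it reports nothing. It only checks the files for internal agreement, so a clean result still leaves the usual runtime checks (kinit as the user against the realm with KRB5_TRACE set, clock skew, and DNS for the KDC name) to be done on the box.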