LinuxQuestions.org
Old 05-25-2012, 01:34 PM   #1
brooky9999
Member
 
Registered: May 2006
Location: Marlow, UK
Distribution: Slackware 12.2
Posts: 232

RHEL 6 / Active Directory 2008 R2 issues


Hi,

I'm having issues trying to get my RHEL 6 box to authenticate against an Active Directory 2008 R2 DC using just kerberos / LDAP / SSSD - not Winbind.

I think I'm close with my config, I just can't seem to authenticate via SSH for some reason. The error I get in /var/log/sssd/krb5_child.log is:

Code:
[get_and_save_tgt] (1): 721: [-1765328360] [Preauthentication failed]
[tgt_req_child] (1): 980: [-1765328360] [Preauthentication failed]

I have tried disabling pre-authentication (bad idea, but had to test) in AD but that doesn't work either.

Obviously this is the first step - once kerberos has authenticated the account it will then communicate via LDAP to get group memberships etc. I just can't figure out why it won't authenticate (obviously the password I'm using is correct).

Here are my config files:

/etc/sssd/sssd.conf
Code:
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 0

[domain/LDAP]
debug_level = 9
enumerate = false
min_id = 1000
access_provider = ldap
# ldap_access_filter = memberOf="cn=Unix_users,ou=Groups,ou=Managed,dc=nl,dc=test,dc=ad"
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc.nl.test.ad/
ldap_search_base = dc=nl,dc=test,dc=ad
ldap_default_bind_dn = cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=nl,dc=test,dc=ad
ldap_default_authtok_type = password
ldap_default_authtok = HardP@ssw0rd1
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_user_gid_number = gidNumber
ldap_user_uid_number = uidNumber

# kerberos config
# NB: krb5.conf below lists dc.nl.test.ad (not dc.test.ad) as the KDC for NL.TEST.AD
krb5_server = dc.test.ad
krb5_realm = NL.TEST.AD
# NB: option name is misspelled (SSSD's key is krb5_changepw_principal); unknown keys are ignored
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
cache_credentials = True
krb5_renewable_lifetime = 36000
krb5_lifetime = 36000
#krb5_use_fast = try

/etc/krb5.conf
Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 NL.TEST.AD = {
  kdc = dc.nl.test.ad:88
  admin_server = dc.nl.test.ad:749
  default_domain = nl.test.ad
 }

[domain_realm]
 .nl.test.ad = NL.TEST.AD
 nl.test.ad = NL.TEST.AD

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/nsswitch.conf
Code:
passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

/etc/pam.d/password-auth
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

The system time is synced to the DC and correct. The RHEL box has an account in AD and I have a kerberos ticket for it. The keytab is present and correct and is shown by doing:

Code:
klist -keK

This all worked perfectly under RHEL 5 (although using /etc/ldap.conf and not SSSD!) but this is killing me!

If anyone has any pointers I'd be extremely grateful!

Many thanks,


-Mark

Last edited by brooky9999; 05-27-2012 at 07:57 PM.
 
Old 05-29-2012, 12:41 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

It won't work with 'access_provider = ldap' enabled and 'ldap_access_filter' commented out. If I'd known you were coming I'd have baked a script (like this):
Code:
#!/bin/bash

DOMAIN=company.tld                              # AD DNS domain (placeholder values throughout)
KRBREALM=COMPANY.TLD                            # Kerberos realm: the DNS domain in upper case
DC1=dc01.company.tld
DC2=dc02.company.tld                            # second DC, listed for failover
BASEDN="dc=company,dc=tld"
BINDACCTDN="cn=xxx,ou=xxx,dc=company,dc=tld"    # read-only bind account used for id lookups
BINDACCTOBFUSPW='xxxx'                          # output of sss_obfuscate, not the clear-text password
ADMINACCTFILTER='*_admin'                       # only accounts whose cn matches this may log in


echo "[*] Installing required authentication packages"
for package in sssd pam_krb5 krb5-libs krb5-workstation openldap-clients
do
  rpm -q ${package} >/dev/null 2>&1
  if [[ $? -ne 0 ]]
  then
    echo "... installing ${package}"
    yum -y install ${package} >/dev/null 2>&1
    if [[ $? -ne 0 ]]
    then
      echo "${package} installation failed"
      exit 1
    fi
  fi
done


echo "[*] Configuring Kerberos, LDAP and SSSD"
authconfig \
--enableldap \
--ldapserver=${DC1},${DC2} \
--ldapbasedn=${BASEDN} \
--disableldaptls \
--enablekrb5 \
--krb5realm ${KRBREALM} \
--krb5kdc ${DC1},${DC2} \
--krb5adminserver ${DC1},${DC2} \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablemkhomedir \
--enablesssd \
--enablesssdauth \
--update &> /dev/null


echo "[*] Creating /etc/sssd/sssd.conf"
cat <<EOF> /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ${KRBREALM}

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 2
pam_pwd_expiration_warning = 14

[domain/${KRBREALM}]
description = LDAP naming with kerberos auth to AD
enumerate = true
timeout = 30
id_provider = ldap
chpass_provider = krb5
access_provider = ldap

ldap_uri = ldap://${DC1}/, ldap://${DC2}/
# SSSD ANDs this with the user lookup, so the result is (&(<user>)(&(objectClass=user)(cn=*_admin)))
ldap_access_filter = &(objectClass=user)(cn=${ADMINACCTFILTER})
ldap_search_base = ${BASEDN}
ldap_default_bind_dn = ${BINDACCTDN}
# obfuscated value generated with sss_obfuscate; the type must match the stored form
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = ${BINDACCTOBFUSPW}
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
ldap_force_upper_case_realm = true

auth_provider = krb5
krb5_server = ${DC1}, ${DC2}
krb5_realm = ${KRBREALM}
krb5_auth_timeout = 15

cache_credentials = true
min_id = 10000
max_id = 65535
EOF


echo "[*] Modifying SSHD to support PAM authentication"
grep -e '^UsePAM.*' /etc/ssh/sshd_config >/dev/null 2>&1
if [[ $? -ne 0 ]]
then
cat << EOF >> /etc/ssh/sshd_config
UsePAM yes
EOF
else
perl -pi -e 's|^UsePAM.*|UsePAM yes|' /etc/ssh/sshd_config
fi

echo "[*] Modifying pam_mkhomedir arguments"
perl -pi -e 's|(.*pam_mkhomedir\.so).*|$1 skel=/etc/skel umask=077|' /etc/pam.d/system-auth*

echo "[*] Restarting services"
service sssd restart
 
Old 05-29-2012, 07:46 AM   #3
brooky9999
Member
 
Registered: May 2006
Location: Marlow, UK
Distribution: Slackware 12.2
Posts: 232

Original Poster
Wow kbp - thanks!

I actually re-did all the configs and the pre-authentication errors went away. I obviously then came up against the access_provider problem, which I resolved pretty quickly.

So for those who are struggling to get RHEL 6 + Active Directory 2008 working with kerberos/LDAP/SSSD - I can vouch that this config works.

I will now try out your script. Many thanks!


-Mark
 
Old 06-11-2012, 03:56 PM   #4
jmp242
LQ Newbie
 
Registered: Jan 2011
Posts: 9

Is there a way to have this get the UID and GIDs from AD attributes (so we can manually set them on the server)?
 
Old 06-11-2012, 11:14 PM   #5
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Not sure what you mean... Any AD user wanting to log in will need to have their attributes populated on the 'Unix Attributes' tab before they're considered a valid user; the uid is automatically generated to ensure that it's unique (they start at 10000 by default).
 
Old 06-12-2012, 08:36 AM   #6
jmp242
LQ Newbie
 
Registered: Jan 2011
Posts: 9

I mean I have historical UIDs / GIDs from the Unix side I need to maintain, so I need to be able to set in AD (manually) the UID / GIDs...
 
Old 06-19-2012, 07:46 PM   #7
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Why is the specific uid/gid required? Can't you just 'chown -R <ad_user> <some_dir>'?
 
Old 06-20-2012, 08:30 AM   #8
jmp242
LQ Newbie
 
Registered: Jan 2011
Posts: 9

Politics / legacy stuff. It's a requirement I've been given...
 
Old 06-20-2012, 10:25 AM   #9
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Try changing them in AD, it autogenerates but I don't think that will stop you changing them. Don't forget to change the range in sssd.conf to cover them if you need to.
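As an added example (not code from this thread), here is a small bash linter for the [domain/...] section of an sssd.conf that catches the pitfalls raised above: access_provider = ldap with no ldap_access_filter (kbp's point in #2), a clear-text ldap_default_authtok, the misspelled krb5_changepw_principle from the first post, a krb5_server that is not under the realm's DNS domain, and legacy UIDs that fall outside min_id/max_id (#9). The function names domain_opt and lint_sssd_conf are mine and the sample config is constructed to mirror the first post.

```bash
#!/bin/bash
# Added example (not from the thread): lint the [domain/...] section of an sssd.conf for the
# pitfalls discussed above. lint_sssd_conf FILE [LEGACY_UID...] prints one line per finding
# and returns the number of findings (0 = clean).
# Print the value of key $2 from the [domain/...] section of $1; commented keys are ignored.
domain_opt() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 ~ /^\[domain\//) }
        insec && !/^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
        }' "$1"
}
lint_sssd_conf() {
    local f="$1" n=0 v access filter realm kdc min max; shift
    access=$(domain_opt "$f" access_provider); filter=$(domain_opt "$f" ldap_access_filter)
    if [ "$access" = ldap ] && [ -z "$filter" ]; then   # sssd-ldap(5): no filter => everyone denied
        echo "DENY-ALL: access_provider=ldap but ldap_access_filter is unset or commented out"; n=$((n+1))
    fi
    if [ -n "$(domain_opt "$f" ldap_default_authtok)" ] &&
       [ "$(domain_opt "$f" ldap_default_authtok_type)" != obfuscated_password ]; then
        echo "PLAINTEXT: bind password stored in clear; generate it with sss_obfuscate instead"; n=$((n+1))
    fi
    if [ -n "$(domain_opt "$f" krb5_changepw_principle)" ]; then   # unknown keys are silently ignored
        echo "TYPO: krb5_changepw_principle is not an option; the key is krb5_changepw_principal"; n=$((n+1))
    fi
    realm=$(domain_opt "$f" krb5_realm | tr 'A-Z' 'a-z')   # heuristic: KDC should sit under the realm's DNS domain
    kdc=$(domain_opt "$f" krb5_server | cut -d, -f1 | tr 'A-Z' 'a-z')
    if [ -n "$kdc" ] && [ "${kdc%.$realm}" = "$kdc" ]; then
        echo "REALM: krb5_server '$kdc' is not under realm '$realm' (compare kdc= in krb5.conf)"; n=$((n+1))
    fi
    min=$(domain_opt "$f" min_id); max=$(domain_opt "$f" max_id)   # legacy UIDs must fit min_id..max_id (max_id 0 = no cap)
    for v in "$@"; do
        if [ "$v" -lt "${min:-1}" ] || { [ "${max:-0}" -gt 0 ] && [ "$v" -gt "$max" ]; }; then
            echo "RANGE: uid $v is outside min_id=${min:-1}..max_id=${max:-0}"; n=$((n+1))
        fi
    done
    return "$n"
}
SAMPLE=$(mktemp); cat > "$SAMPLE" <<'EOF'   # constructed sample mirroring post #1 (secret is a placeholder)
[domain/LDAP]
min_id = 1000
access_provider = ldap
# ldap_access_filter = memberOf="cn=Unix_users,ou=Groups,dc=nl,dc=test,dc=ad"
ldap_default_authtok = PLACEHOLDER
krb5_server = dc.test.ad
krb5_realm = NL.TEST.AD
krb5_changepw_principle = kadmin/changepw
EOF
lint_sssd_conf "$SAMPLE" 500 12000 || echo "findings: $?"   # 5 findings (uid 500 is below min_id)
```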
 
Old 11-10-2012, 02:42 AM   #10
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

My RHEL box doesn't have an account in AD (Windows 2008 R2). What do I need to do in order for it to show up there?
 
Old 11-26-2012, 02:45 AM   #11
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Quote:
Originally Posted by R09u3Bull
My RHEL box doesn't have an account in AD (Windows 2008 R2). What do I need to do in order for it to show up there?

I figured this has to be done manually by adding an entry in AD under the Computers section if you are using an SSSD/LDAP/kerberos configuration. Is there a way to automate this? Like in Samba/Winbind, I believe this happens automatically. Is there a way to include this functionality in SSSD/LDAP/kerberos configs too?
 
  

