LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
12-11-2012, 02:57 PM   #1
EmrldDrgn
Kerberos/OpenLDAP/ActiveDirectory/sssd configuration problems


Hello,

I'm trying to set up a CentOS 6.3 server to authenticate from my Active Directory domain controller using MIT Kerberos, OpenLDAP, and sssd. Pretend my domain is domain.net. I created a keytab on the Active Directory controller using
Code:
ktpass -princ host/client.domain.net@DOMAIN.NET -pass somepassword -mapuser DOMAIN\CLIENT -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out client.keytab
I copied this to the client using SSH; when I run klist -k I get
Code:
12 host/client.domain.net@DOMAIN.NET
kinit -k gives no output; after running it, klist gives
Code:
Default principal: host/client.domain.net@DOMAIN.NET

Valid starting    Expires       Service principal
<some time>       <some time>   krbtgt/DOMAIN.NET@DOMAIN.NET
   renew until <some time>
At this point typing ldapsearch with no arguments gives the contents of the domain server as it should. After running ldapsearch klist now includes a ticket entry for ldap/controller@DOMAIN.NET.

When I start sssd, no errors are shown and nothing bad appears in the log. But when I try to get a user's information:
Code:
getent -s sss passwd bob
the log file sssd_domain.net.log says (among many many other things)
Code:
(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_DOMAIN.NET], expired on [1355291503]
(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.domain.net@DOMAIN.NET
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_server_status] (0x1000): Status of server 'controller.domain' is 'name resolved'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_port_status] (0x1000): Port status of port 389 for server 'controller.domain' is 'not working'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
The port is marked unusable, and nothing is returned by getent.

What's going on here? Any ideas? Repeated googlings and tweakings have found nothing.

The relevant config files are below.

Thanks for your help.

Last edited by EmrldDrgn; 12-11-2012 at 03:11 PM.
12-11-2012, 03:09 PM   #2
EmrldDrgn (Original Poster)
Config files

/etc/openldap/ldap.conf
Code:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=domain,dc=net
URI ldap://controller.domain/

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

TLS_CACERTDIR /etc/openldap/cacerts
/etc/krb5.conf
Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 DOMAIN.NET = {
  kdc = controller.domain:88
  admin_server = controller.domain:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET
/etc/sssd/sssd.conf
Code:
[sssd]
config_file_version = 2
domains = domain.net

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
debug_level = 9
filter_groups = root
filter_users = root
reconnection_retries = 3

# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
# entry_cache_nowait_percentage = 300

[pam]
reconnection_retries = 3

[domain/domain.net]
debug_level = 9
ldap_id_use_start_tls = False
ldap_search_base = dc=domain,dc=net
krb5_server = controller.domain:88
krb5_kpasswd = controller.domain:749
ldap_tls_cacertdir = /etc/openldap/cacerts

cache_credentials = true
enumerate = false
min_id = 1000
max_id = 3000
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://controller.domain/
ldap_schema = rfc2307bis
ldap_user_search_base = cn=Users,dc=domain,dc=net
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=Groups,dc=domain,dc=net
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 5
ldap_account_expire_policy = ad
ldap_sasl_authid = host/client.domain.net@DOMAIN.NET
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_pwd_policy = mit_kerberos
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = domain.NET
krb5_validate = true
ldap_force_upper_case_realm = True
The relevant pam and nss config files have sss as an option, like this example:
Code:
passwd: files sss

Last edited by EmrldDrgn; 12-11-2012 at 03:13 PM.
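As an added example (not code from the thread or from the poster), the POSIX shell script below runs a few offline checks that a practitioner would want before restarting sssd in a setup like the two posts above. It copies the relevant values from the posted sssd.conf and krb5.conf into constructed fragments and reproduces the quoted sssd_domain.net.log format in constructed log lines, then checks (a) that krb5_realm and the realm in ldap_sasl_authid agree byte for byte, since Kerberos realm names are case-sensitive, (b) whether any enctype list in krb5.conf puts rc4-hmac ahead of AES (MIT reads those lists in preference order), (c) whether a plain ldap:// URI is combined with ldap_id_use_start_tls = False, and (d) which server:port the sssd failover code marked 'not working'. The host and realm names (client.domain.net, controller.domain, DOMAIN.NET) are the poster's placeholders reused as assumptions; the script is a set of checks, not a diagnosis of the thread's problem.

```shell
#!/bin/sh
# Added example, not the poster's code. Offline checks over constructed
# config fragments and constructed sssd log lines in the format quoted in
# the post. Host/realm names are the poster's placeholders (assumptions).

# Constructed sssd.conf fragment (values copied from the posted file).
SAMPLE_CONF=$(cat <<'EOF'
[domain/domain.net]
id_provider = ldap
ldap_uri = ldap://controller.domain/
ldap_id_use_start_tls = False
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.domain.net@DOMAIN.NET
krb5_realm = domain.NET
EOF
)

# Constructed krb5.conf [libdefaults] fragment (values copied from the post).
SAMPLE_KRB5=$(cat <<'EOF'
[libdefaults]
 default_realm = DOMAIN.NET
 default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
)

# Constructed log lines modelled on sssd_domain.net.log as quoted in the post.
SAMPLE_LOG=$(cat <<'EOF'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_server_status] (0x1000): Status of server 'controller.domain' is 'name resolved'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_port_status] (0x1000): Port status of port 389 for server 'controller.domain' is 'not working'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
EOF
)

# conf_value CONF KEY: value of the first "KEY = value" line in CONF.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# authid_realm CONF: realm part (after '@') of ldap_sasl_authid.
authid_realm() {
    conf_value "$1" ldap_sasl_authid | sed 's/.*@//'
}

# check_realm_case CONF: 0 when krb5_realm equals the authid realm byte for
# byte (Kerberos realm names are case-sensitive), else 1 plus a report line.
check_realm_case() {
    realm=$(conf_value "$1" krb5_realm)
    want=$(authid_realm "$1")
    if [ "$realm" = "$want" ]; then
        echo "ok: krb5_realm=$realm"; return 0
    fi
    echo "MISMATCH: krb5_realm='$realm' but ldap_sasl_authid realm is '$want'"
    return 1
}

# check_enctypes KRB5CONF: 1 when any enctype list puts RC4 or DES ahead of
# AES (MIT reads these lists in preference order), else 0.
check_enctypes() {
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        first=$(conf_value "$1" "$key" | awk '{print $1}')
        [ -z "$first" ] && continue
        case "$first" in
            rc4-hmac*|arcfour*|des*) echo "WARN: $key prefers $first over AES"; return 1 ;;
        esac
    done
    echo "ok: enctype lists prefer AES"; return 0
}

# check_transport CONF: 1 when a plain ldap:// URI is used with
# ldap_id_use_start_tls = False (only a negotiated SASL/GSSAPI security
# layer would then protect the directory traffic), else 0.
check_transport() {
    uri=$(conf_value "$1" ldap_uri)
    tls=$(conf_value "$1" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$uri:$tls" in
        ldap://*:false) echo "WARN: plain $uri with StartTLS off"; return 1 ;;
    esac
    echo "ok: transport $uri start_tls=${tls:-unset}"; return 0
}

# failed_ports LOG: "server:port" for every port the failover code marked
# 'not working'.
failed_ports() {
    printf '%s\n' "$1" | sed -n \
        "s/.*Port status of port \([0-9]*\) for server '\([^']*\)' is 'not working'.*/\2:\1/p"
}

# Stand-alone run over the constructed samples.
check_realm_case "$SAMPLE_CONF" || :
check_enctypes "$SAMPLE_KRB5" || :
check_transport "$SAMPLE_CONF" || :
for sp in $(failed_ports "$SAMPLE_LOG"); do
    echo "failover marked unusable: $sp"
done
```

Run it as-is to see the report for the constructed samples, or point conf_value at the real files with `conf_value "$(cat /etc/sssd/sssd.conf)" krb5_realm` and pipe a real sssd_domain.net.log through failed_ports to see which port the failover code gave up on.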