Kerberos/OpenLDAP/ActiveDirectory/sssd configuration problems

EmrldDrgn · 12-11-2012, 01:57 PM

Hello,

I'm trying to set up a CentOS 6.3 server to authenticate from my Active Directory domain controller using MIT Kerberos, OpenLDAP, and sssd. Pretend my domain is domain.net. I created a keytab on the Active Directory controller using

Code:

ktpass -princ host/client.domain.net@DOMAIN.NET -pass somepassword -mapuser DOMAIN\CLIENT -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out client.keytab

I copied this to the client using SSH, when I run klist -k I get

Code:

12 host/client.domain.net@DOMAIN.NET

kinit -k gives no output, after running it klist gives

Code:

Default principal: host/client.domain.net@DOMAIN.NET

Valid starting    Expires       Service principal
<some time>       <some time>   krbtgt/DOMAIN.NET@DOMAIN.NET
   renew until <some time>

At this point typing ldapsearch with no arguments gives the contents of the domain server as it should. After running ldapsearch klist now includes a ticket entry for ldap/controller@DOMAIN.NET.

When I start sssd, no errors are shown and nothing bad appears in the log. But when I try to get a user's information:

Code:

getent -s sss passwd bob

the log file sssd_domain.net.log says (among many many other things)

Code:

(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_DOMAIN.NET], expired on [1355291503]
(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.domain.net@DOMAIN.NET
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_server_status] (0x1000): Status of server 'controller.domain' is 'name resolved'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_port_status] (0x1000): Port status of port 389 for server 'controller.domain' is 'not working'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'

The port is marked unusable, and nothing is returned by getent.

What's going on here? Any ideas? Repeated googlings and tweakings have found nothing.

The relevant config files are below.

Thanks for your help.

EmrldDrgn · 12-11-2012, 02:09 PM

/etc/openldap/ldap.conf

Code:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=domain,dc=net
URI ldap://controller.domain/

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

TLS_CACERTDIR /etc/openldap/cacerts

/etc/krb5.conf

Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 DOMAIN.NET = {
  kdc = controller.domain:88
  admin_server = controller.domain:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

/etc/sssd/sssd.conf

Code:

[sssd]
config_file_version = 2
domains = domain.net

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
debug_level = 9
filter_groups = root
filter_users = root
reconnection_retries = 3

# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
# entry_cache_nowait_percentage = 300

[pam]
reconnection_retries = 3

[domain/domain.net]
debug_level = 9
ldap_id_use_start_tls = False
ldap_search_base = dc=domain,dc=net
krb5_server = controller.domain:88
krb5_kpasswd = controller.domain:749
ldap_tls_cacertdir = /etc/openldap/cacerts

cache_credentials = true
enumerate = false
min_id = 1000
max_id = 3000
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://controller.domain/
ldap_schema = rfc2307bis
ldap_user_search_base = cn=Users,dc=domain,dc=net
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=Groups,dc=domain,dc=net
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 5
ldap_account_expire_policy = ad
ldap_sasl_authid = host/client.domain.net@DOMAIN.NET
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_pwd_policy = mit_kerberos
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = domain.NET
krb5_validate = true
ldap_force_upper_case_realm = True

The relevant pam and nss config files have sss as an option, like this example:

Code:

passwd: files sss