LinuxQuestions.org


turbosur 11-18-2014 03:59 AM

SSSD Kerberos/LDAP authentication issues with AD
 
Hi, I've come across an issue with authentication using Kerberos/LDAP to an AD server. I want to be able to log in to Computer1 using the AD credentials. The network setup is as follows:

Computer 1 <--> FW1 <--> FW2 <--> AD Server

The setup is based on the following article: http://people.redhat.com/mskinner/rh...hel6_to_ad.pdf

Computer 1 is a RHEL 7 and the AD server is a Windows Server 2012 r2. DNS is hosted on the DC and NTP is configured and working properly.

I've generated a keytab file in the AD and transferred it to the RHEL computer. The keytab file works as intended when running kinit -k and kinit -k -t host/Computer1.<domain>@<realm>.

After receiving the ticket I'm also able to do an LDAP search and can use getent passwd <user> to get the UNIX attributes of <user>.

I've also configured sssd to use Kerberos and LDAP, but it does not seem to get a ticket upon logging in.

Here's the sssd.conf file:
------------------------------------
[sssd]
config_file_version = 2
domains = default
services = nss, pam
debug_level = 0

[nss]

[pam]

[domain/default]
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = MYDOMAIN.COM
------------------------------------

Looking at the network dump from an authentication attempt I can see that the RHEL computer is trying to send a TGS-REQ message (which fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) but no AS-REQ messages. It seems like sssd does not try to get a TGT and hence cannot authenticate the user.

Does anyone know what might be the issue?

Regards,
D
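Before chasing the Kerberos traffic, it is worth linting the configuration itself. The following is an added Python example (not code from the post) that parses an sssd.conf and flags option names SSSD will not recognise (for instance a key written with a space, `debug level`, where SSSD expects `debug_level`) and a realm in `ldap_sasl_authid` that disagrees with `krb5_realm`; the embedded config is a constructed sample modelled on the post.

```python
import configparser
import re
from typing import List

# Constructed sample modelled on the post's sssd.conf: the "debug level" key is
# deliberately written with a space; SSSD's option name is debug_level.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam
debug level = 0

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
"""

OPTION_NAME = re.compile(r"^[a-z0-9_]+$")  # SSSD options: lowercase, underscores only


def check_sssd_conf(text: str) -> List[str]:
    """Return a list of problems found in an sssd.conf; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written, no lowercasing
    cp.read_string(text)
    problems: List[str] = []
    for section in cp.sections():
        for key in cp[section]:
            if not OPTION_NAME.match(key):
                problems.append(f"[{section}] unknown option name {key!r}")
    # Every domain listed in [sssd] must have its own [domain/NAME] section.
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for name in domains:
        sec = f"domain/{name}"
        if not cp.has_section(sec):
            problems.append(f"domain {name!r} listed in [sssd] but [{sec}] is missing")
            continue
        dom = cp[sec]
        realm = dom.get("krb5_realm")
        authid = dom.get("ldap_sasl_authid")
        # With GSSAPI the SASL principal's realm should be the Kerberos realm SSSD uses.
        if dom.get("ldap_sasl_mech") == "GSSAPI" and authid:
            authid_realm = authid.rsplit("@", 1)[1] if "@" in authid else None
            if realm and authid_realm and authid_realm != realm:
                problems.append(f"[{sec}] ldap_sasl_authid realm {authid_realm} != krb5_realm {realm}")
    return problems
```

A clean result only removes configuration typos from the list of suspects; it says nothing about the KDC-side error the packet capture points at.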

