SSSD Kerberos/LDAP authentication issues with AD
Hi, I've come across an issue with authentication using Kerberos/LDAP to an AD server. I want to be able to log in to Computer1 using the AD credentials. The network setup is as follows:

Computer 1 <--> FW1 <--> FW2 <--> AD Server

The setup is based on the following article: http://people.redhat.com/mskinner/rh...hel6_to_ad.pdf

Computer 1 is RHEL 7 and the AD server is Windows Server 2012 R2. DNS is hosted on the DC, and NTP is configured and working properly. I've generated a keytab file in the AD and transferred it to the RHEL computer. The keytab file works as intended when running kinit -k and kinit -k -t host/Computer1.<domain>@<realm>. After receiving the ticket I'm also able to do an LDAP search and can use getent passwd <user> to get the UNIX attributes of <user>. I've also configured sssd to use Kerberos and LDAP, but it does not seem to get a ticket upon logging in. Here's the sssd.conf file:

------------------------------------
[sssd]
config_file_version = 2
domains = default
services = nss, pam
# raise this (e.g. 9) to get krb5_child / ldap_child errors in /var/log/sssd/
debug_level = 0

[nss]

[pam]

[domain/default]
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
# GSSAPI bind for the LDAP provider, using the host principal from the keytab
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
# AD attribute mapping
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = MYDOMAIN.COM
------------------------------------

Looking at the network dump from an authentication attempt I can see that the RHEL computer is trying to send a TGS-REQ message (which fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) but no AS-REQ messages. It seems like sssd does not try to get a TGT and hence cannot authenticate the user. Does anyone know what might be the issue?

Regards,
D
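The script below is an added example written for this thread; it is not SSSD's own code and it does not diagnose the poster's problem. It parses an sssd.conf (the one from the post is embedded as a constructed sample) and flags the settings a practitioner would check first when auth_provider = krb5 is expected to obtain a TGT but no AS-REQ appears on the wire: a debug_level of 0, option names containing a space (SSSD ignores them), krb5_server or ldap_uri left unset (SSSD then relies on DNS SRV discovery, which has to work from the client through the firewalls), a realm mismatch between ldap_sasl_authid and krb5_realm, and which keytab the GSSAPI bind will read (ldap_krb5_keytab, default /etc/krb5.keytab). It runs offline; whether the keytab and KDC actually answer still has to be checked on the host with klist -kt and kinit.

```python
"""Lint an sssd.conf for settings relevant to a krb5 auth provider that never
sends an AS-REQ.  Added example for this thread, not SSSD's own code.  The
checks encode documented SSSD defaults (sssd.conf(5), sssd-ldap(5), sssd-krb5(5)):
unset krb5_server / ldap_uri mean DNS SRV discovery, ldap_krb5_keytab defaults
to /etc/krb5.keytab, and debug_level 0 logs almost nothing."""
import configparser
import sys

# Constructed sample: the configuration posted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam
debug_level = 0

[nss]

[pam]

[domain/default]
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = MYDOMAIN.COM
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. Option names keep their case: SSSD matches them exactly."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def domain_sections(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]


def lint(cp):
    """Return (section, message) findings; an empty list means nothing to flag."""
    findings = []
    # An option name with a space is never valid; SSSD silently ignores it.
    for section in cp.sections():
        for key in cp[section]:
            if " " in key:
                findings.append((section, f"option '{key}' contains a space and will be ignored by SSSD"))
    if cp.has_section("sssd") and "debug_level" in cp["sssd"]:
        try:
            level = int(cp["sssd"]["debug_level"], 0)  # accepts 0-9 and 0x.... bitmasks
        except ValueError:
            level = None
        if level == 0:
            findings.append(("sssd", "debug_level is 0; raise it (e.g. 9) to see krb5_child and ldap_child errors in /var/log/sssd/"))
    for section in domain_sections(cp):
        d = cp[section]
        if d.get("auth_provider") == "krb5":
            if "krb5_realm" not in d:
                findings.append((section, "krb5_realm unset"))
            if "krb5_server" not in d:
                findings.append((section, "krb5_server unset: the KDC is located by DNS SRV discovery; confirm that lookup and TCP/UDP 88 work from this host through the firewalls"))
        if d.get("ldap_sasl_mech") == "GSSAPI":
            authid = d.get("ldap_sasl_authid", "")
            realm = d.get("krb5_realm")
            if "@" in authid and realm and authid.rsplit("@", 1)[1] != realm:
                findings.append((section, f"ldap_sasl_authid realm {authid.rsplit('@', 1)[1]} differs from krb5_realm {realm}"))
            keytab = d.get("ldap_krb5_keytab", "/etc/krb5.keytab")
            findings.append((section, f"GSSAPI bind reads keytab {keytab}; run 'klist -kt {keytab}' and confirm it holds {authid or 'the host principal'}"))
            if "ldap_uri" not in d:
                findings.append((section, "ldap_uri unset: the LDAP server is located by DNS SRV discovery"))
    return findings


def lint_text(text):
    return lint(parse_sssd_conf(text))


if __name__ == "__main__":
    # Usage: python sssd_lint.py [/etc/sssd/sssd.conf]; without an argument the sample is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    for section, msg in lint_text(src):
        print(f"[{section}] {msg}")
```

On the posted configuration the script reports four items: debug_level 0, krb5_server unset, ldap_uri unset, and the keytab the GSSAPI bind will use. None of them is the answer by itself; they are the places where the TGS-REQ-without-AS-REQ pattern is usually explained once debug_level is raised and the keytab contents are compared with ldap_sasl_authid.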