Hi, I've come across an issue with authentication using Kerberos/LDAP to an AD server. I want to be able to log in to Computer1 using the AD credentials. The network setup is as follows:
Computer 1 <--> FW1 <--> FW2 <--> AD Server
The setup is based on the following article:
http://people.redhat.com/mskinner/rh...hel6_to_ad.pdf
Computer 1 is a RHEL 7 and the AD server is a Windows Server 2012 r2. DNS is hosted on the DC and NTP is configured and working properly.
I've generated a keytab file in the AD and transferred it to the RHEL computer. The keytab file works as intended when running kinit -k and kinit -k -t host/Computer1.<domain>@<realm>.
After receiving the ticket I'm also able to do an LDAP search and can use getent passwd <user> to get the UNIX attributes of <user>.
I've also configured sssd to use Kerberos and LDAP, but it does not seem to get a ticket upon logging in.
Here's the sssd.conf file:
------------------------------------
[sssd]
config_file_version = 2
domains = default
services = nss, pam
debug_level = 0
[nss]
[pam]
[domain/default]
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = MYDOMAIN.COM
------------------------------------
Looking at the network dump from an authentication attempt I can see that the RHEL computer is trying to send a TGS-REQ message (which fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) but no AS-REQ messages. It seems like sssd does not try to get a TGT and hence cannot authenticate the user.
Does anyone know what might be the issue?
Regards,
D
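An added example, not part of the post above and not the poster's own code: a small Python checker for the kind of sssd.conf used here (id_provider = ldap with GSSAPI binds, auth_provider = krb5). It parses a constructed sssd.conf modelled on the one in the thread plus a constructed `klist -k` listing, and reports three things that commonly stop sssd from ever asking the KDC for a ticket: option names that are misspelled (sssd's real option is `debug_level`, with an underscore, so a mistyped key simply never takes effect), an `ldap_sasl_authid` that does not match any principal actually stored in the keytab, and a realm in the authid that differs from `krb5_realm`. The sample keytab listing deliberately holds only the short-name host principal so that the authid check fires. `KNOWN_OPTIONS` is a hand-maintained partial list, not sssd's full option schema; on a real box `sssctl config-check` is the authoritative validator and `klist -k` gives the real principal list.

```python
"""Sanity checks for an sssd.conf that binds to AD via GSSAPI and
authenticates users through krb5.

Added example (not from the original post).  Everything below works on
embedded, constructed input so it runs offline; swap in the real
/etc/sssd/sssd.conf and the real `klist -k` output to use it for real.
"""
import configparser
import io

# Constructed sample sssd.conf.  "debug level" is deliberately misspelled
# (the real option is debug_level) to show what the option check catches.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam
debug level = 0

[nss]
[pam]

[domain/default]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
ldap_schema = rfc2307bis
krb5_realm = MYDOMAIN.COM
"""

# Constructed output of `klist -k /etc/krb5.keytab`.  The keytab holds
# only the short-name host principal, so the FQDN authid above won't match.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/RHEL@MYDOMAIN.COM
   3 RHEL$@MYDOMAIN.COM
"""

# Partial allowlist of option names (assumption: hand-maintained subset,
# not sssd's complete schema; extend it for your own config).
KNOWN_OPTIONS = {
    "sssd": {"config_file_version", "domains", "services", "debug_level"},
    "nss": {"debug_level", "filter_users", "filter_groups"},
    "pam": {"debug_level", "offline_credentials_expiration"},
    "domain": {
        "debug_level", "cache_credentials", "enumerate", "id_provider",
        "auth_provider", "chpass_provider", "access_provider",
        "ldap_uri", "ldap_search_base", "ldap_sasl_mech", "ldap_sasl_authid",
        "ldap_krb5_keytab", "ldap_schema", "ldap_user_object_class",
        "ldap_user_home_directory", "ldap_user_principal", "ldap_user_name",
        "ldap_group_object_class", "ldap_access_order",
        "ldap_account_expire_policy", "ldap_force_upper_case_realm",
        "ldap_disable_referrals", "krb5_realm", "krb5_server",
        "krb5_kpasswd", "krb5_keytab",
    },
}


def parse_sssd_conf(text):
    """Parse the ini-style sssd.conf, keeping option names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # don't lowercase keys; spelling is what we check
    cp.read_file(io.StringIO(text))
    return cp


def keytab_principals(klist_output):
    """Pull principal names out of `klist -k` output (KVNO then principal)."""
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals


def check_config(conf_text, klist_output):
    """Return a list of findings as strings; an empty list means nothing found."""
    cp = parse_sssd_conf(conf_text)
    findings = []
    # 1. Option names sssd would not recognise (typos never take effect).
    for section in cp.sections():
        kind = "domain" if section.startswith("domain/") else section
        allowed = KNOWN_OPTIONS.get(kind, set())
        for key in cp[section]:
            if key not in allowed:
                findings.append(f"[{section}] unknown option '{key}' (check spelling)")
    principals = keytab_principals(klist_output)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        realm = dom.get("krb5_realm")
        # 2. krb5 auth needs a realm to build the user principal for AS-REQ.
        if dom.get("auth_provider") == "krb5" and not realm:
            findings.append(f"[{section}] auth_provider=krb5 but krb5_realm is unset")
        # 3. The GSSAPI bind identity must exist in the keytab, in the same realm.
        authid = dom.get("ldap_sasl_authid")
        if dom.get("ldap_sasl_mech", "").upper() == "GSSAPI" and authid:
            if authid not in principals:
                findings.append(
                    f"[{section}] ldap_sasl_authid '{authid}' is not in the keytab; "
                    f"keytab has: {', '.join(sorted(principals))}")
            if realm and "@" in authid and authid.rsplit("@", 1)[1] != realm.upper():
                findings.append(f"[{section}] realm in ldap_sasl_authid differs from krb5_realm")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF, SAMPLE_KLIST):
        print(finding)
```

Run against the constructed sample it reports two findings: the misspelled `debug level` key and the authid that is absent from the keytab. The authid check is the one most worth running on a real host, because a GSSAPI bind whose identity is not in the keytab fails before sssd ever reaches the user's AS-REQ, which matches the "TGS-REQ but no AS-REQ" pattern seen in a capture.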