Old 11-18-2014, 03:59 AM   #1
turbosur
SSSD Kerberos/LDAP authentication issues with AD


Hi, I've come across an issue with authentication using Kerberos/LDAP to an AD server. I want to be able to log in to Computer1 using the AD credentials. The network setup is as follows:

Computer 1 <--> FW1 <--> FW2 <--> AD Server

The setup is based on the following article: http://people.redhat.com/mskinner/rh...hel6_to_ad.pdf

Computer 1 is a RHEL 7 and the AD server is a Windows Server 2012 R2. DNS is hosted on the DC and NTP is configured and working properly.

I've generated a keytab file in the AD and transferred it to the RHEL computer. The keytab file works as intended when running kinit -k and kinit -k -t host/Computer1.<domain>@<realm>.

After receiving the ticket I'm also able to do an LDAP search and can use getent passwd <user> to get the UNIX attributes of <user>.

I've also configured sssd to use Kerberos and LDAP, but it does not seem to get a ticket upon logging in.

Here's the sssd.conf file:
------------------------------------
[sssd]
config_file_version = 2
domains = default
services = nss, pam
debug_level = 0

[nss]

[pam]

[domain/default]
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = MYDOMAIN.COM
------------------------------------

Looking at the network dump from an authentication attempt I can see that the RHEL computer is trying to send a TGS-REQ message (which fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) but no AS-REQ messages. It seems like sssd does not try to get a TGT and hence cannot authenticate the user.

Does anyone know what might be the issue?

Regards,
D
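As an added example (not from the post or from the SSSD project), a small Python linter for the kind of sssd.conf shown above: it flags option names containing spaces (which sssd does not recognise), checks that each listed domain has its section, that a krb5 auth provider has krb5_realm set, and that the GSSAPI bind principal's realm matches it. The embedded config is a constructed, trimmed sample in the same shape as the post's file, with a mis-spelled key left in on purpose.

```python
import configparser
# Constructed sample (not the post's full file): a trimmed sssd.conf in the
# same shape, with a mis-spelled "debug level" key left in for the linter.
SAMPLE_CONF = """\
[sssd]
domains = default
services = nss, pam
debug level = 0
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel.mydomain.com@MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
"""

def lint_sssd_conf(text):
    """Return a list of human-readable findings for an sssd.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written (sssd is case-sensitive)
    cp.read_string(text)
    findings = []
    # sssd option names never contain spaces; a space almost always means a
    # typo such as "debug level" for debug_level, and the option is ignored.
    for section in cp.sections():
        for key in cp[section]:
            if " " in key:
                fix = key.replace(" ", "_")
                findings.append(f"[{section}] '{key}' is not an option name; did you mean '{fix}'?")
    # Every domain listed under [sssd] needs its own [domain/NAME] section.
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    for name in filter(None, listed):
        sec = f"domain/{name}"
        if not cp.has_section(sec):
            findings.append(f"[sssd] domains lists '{name}' but [{sec}] is missing")
            continue
        dom = cp[sec]
        # sssd-krb5 documents krb5_realm as required for the krb5 auth provider.
        if dom.get("auth_provider") == "krb5" and not dom.get("krb5_realm"):
            findings.append(f"[{sec}] auth_provider = krb5 but krb5_realm is not set")
        # The GSSAPI bind principal should live in the realm sssd is configured for.
        authid, realm = dom.get("ldap_sasl_authid", ""), dom.get("krb5_realm", "")
        if "@" in authid and realm and authid.rsplit("@", 1)[1] != realm:
            findings.append(f"[{sec}] ldap_sasl_authid realm does not match krb5_realm '{realm}'")
    return findings

if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_CONF):
        print(finding)
```

Run it against a real /etc/sssd/sssd.conf by reading the file into a string and passing it to lint_sssd_conf; an empty list means none of these checks fired.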