Old 12-14-2015, 04:33 PM   #1
Authentication with AD Using SSSD


I am attempting to get my SLES11 SP3 system to authenticate against an AD domain using SSSD; however, after setting everything up following this tutorial, I'm having some issues.

First off let me share my configurations (note that I'm using generic domain, computer and user names for this post).

[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = yes
    clockskew = 300

[realms]
    MYDOMAIN.COM = {
        kdc = MYDOMAIN.COM
        default_domain =
        admin_server =
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
    }
Then from the Windows Server 2008, I ran the following:
setspn -A host/ mycomputer
setspn -L mycomputer
ktpass /princ host/ /out client-krb5.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser MYDOMAIN\mycomputer$ /pass *
I then copied the keytab to the client as "/etc/krb5.keytab".

Here is the output of klist -ke:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/ (DES cbc mode with CRC-32) 
   4 host/ (DES cbc mode with RSA-MD5) 
   4 host/ (ArcFour with HMAC/md5) 
   4 host/ (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   4 host/ (AES-128 CTS mode with 96-bit SHA-1 HMAC)
I then generate my TGT:
kinit -k -t /etc/krb5.keytab 'host/'

kinit user@MYDOMAIN.COM
I can list my TGT:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MYDOMAIN.COM

Valid starting     Expires            Service principal
12/14/15 16:50:22  12/15/15 02:50:20  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
	renew until 12/21/15 16:50:22
12/14/15 16:51:12  12/15/15 02:50:20  krbtgt/
	renew until 12/21/15 16:50:22
However, if I try to run 'id user', it returns "No such user".

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
debug_level = 10
domains = MYDOMAIN.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/MYDOMAIN.COM]
enumerate = false
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://
ldap_schema = rfc2307bis
ldap_user_search_base = dc=mydomain,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = LoginShell
ldap_group_search_base = dc=mydomain,dc=com
ldap_group_object_class = group
ldap_force_upper_case_realm = false
ldap_access_order = expire
ldap_account_expire_policy = ad
krb5_realm = MYDOMAIN.COM
krb5_server =
ldap_sasl_mech = gssapi
ldap_krb5_init_creds = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400
ldap_sasl_authid = host/
If I attempt to SSH into this client as the domain user, it complains:
Dec 14 16:41:52 mycomputer sshd[24942]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=user
Dec 14 16:41:52 mycomputer sshd[24942]: pam_sss(sshd:auth): received for user user: 10 (User not known to the underlying authentication module)
I know this is a lot. Any ideas or thoughts in regard to this will be much appreciated.

Last edited by pies; 12-14-2015 at 10:24 PM.
Old 12-15-2015, 08:41 AM   #2
Original Poster
Just to update.

Here are some logs from SSSD:

(Tue Dec 15 09:09:48 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Tue Dec 15 09:09:48 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Tue Dec 15 09:09:58 2015) [sssd] [ping_check] (0x0100): Service MYDOMAIN.COM replied to ping
As you can see, the service can communicate with NSS, PAM and the domain.

Now if I try to query LDAP, I get the following error:

# /usr/bin/ldapsearch -H ldap:// -Y GSSAPI -N -b "dc=mydomain,dc=com" "(&(objectclass=user)(sAMAccountName=user))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot find KDC for requested realm)
Perhaps the problem is that SSSD is not able to query information from AD?
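The ldapsearch error in this post ("Cannot find KDC for requested realm") and the krb5.conf in the first post share one dependency: with dns_lookup_kdc = false, libkrb5 can only locate a KDC for a realm that has a [realms] entry with a kdc line, and it decides which realm a host belongs to through [domain_realm] (falling back to default_realm). The script below is an added example, not code from the thread or from SSSD/MIT Kerberos: it parses krb5.conf's brace-nested syntax and lists the static reasons a GSSAPI bind to a given LDAP host could fail that way. The host name dc1.mydomain.com and the lowercase [domain_realm] block are constructed for the example.

```python
"""Static checks for a krb5.conf: can libkrb5 find a KDC for an LDAP host?

Added example, not the poster's code. Host names and the [domain_realm]
block are constructed; only the layout follows the posted configuration.
"""
import re

# Constructed sample following the layout of the posted krb5.conf.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

[realms]
    MYDOMAIN.COM = {
        kdc = MYDOMAIN.COM
        default_domain =
        admin_server =
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
"""

# Same file plus a hypothetical [domain_realm] block whose realm name is lowercase.
SAMPLE_LOWERCASE_REALM = SAMPLE_KRB5_CONF + """
[domain_realm]
    .mydomain.com = mydomain.com
    mydomain.com = mydomain.com
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a `name = { ... }` group becomes a nested dict.
    Repeated keys keep the last value, which is enough for these checks."""
    sections, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            group = None
            continue
        if section is None:
            raise ValueError("entry outside any section: %r" % line)
        if line == "}":
            group = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            group = section.setdefault(key, {})
            continue
        (group if group is not None else section)[key] = value
    return sections


def resolve_realm(conf, host):
    """Mimic libkrb5's static host-to-realm lookup: longest [domain_realm] match
    (a leading dot matches subdomains, no dot matches the host exactly), else
    default_realm. Returns (realm, how_it_was_chosen)."""
    host = host.lower().rstrip(".")
    best = None
    for pattern, realm in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        hit = host.endswith(p) if p.startswith(".") else host == p
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, realm)
    if best:
        return best[1], "[domain_realm] %s" % best[0]
    return conf.get("libdefaults", {}).get("default_realm"), "default_realm"


def kdc_findings(conf, host):
    """List static reasons a GSSAPI bind to `host` could end in
    'Cannot find KDC for requested realm' with this configuration."""
    findings = []
    lib = conf.get("libdefaults", {})
    dns_kdc = lib.get("dns_lookup_kdc", "true").lower() not in ("false", "no", "0")
    realm, source = resolve_realm(conf, host)
    if realm is None:
        return ["no realm for %s: no [domain_realm] match and no default_realm" % host]
    if source == "default_realm":
        findings.append("no [domain_realm] entry for %s; realm %s comes from default_realm" % (host, realm))
    if dns_kdc:
        return findings  # SRV records may still locate a KDC; a static check cannot tell
    block = conf.get("realms", {}).get(realm)
    if block is None:
        # Realm names are case-sensitive: mydomain.com and MYDOMAIN.COM are different realms.
        findings.append("dns_lookup_kdc = false and realm %s has no [realms] entry: "
                        "libkrb5 reports 'Cannot find KDC for requested realm'" % realm)
        return findings
    if not block.get("kdc"):
        findings.append("dns_lookup_kdc = false and [realms] %s has no kdc line" % realm)
    for key in ("admin_server", "default_domain"):
        if key in block and block[key] == "":
            findings.append("[realms] %s: %s is present but empty" % (realm, key))
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_KRB5_CONF, SAMPLE_LOWERCASE_REALM):
        for line in kdc_findings(parse_krb5_conf(text), "dc1.mydomain.com"):
            print("-", line)
```

Run against the first sample it only reports the missing [domain_realm] mapping and the two empty realm keys; against the second it reports that the mapped realm mydomain.com has no [realms] entry, which is the configuration that produces the exact GSSAPI error shown. Point it at a real file with `parse_krb5_conf(open("/etc/krb5.conf").read())` and the LDAP server's host name to repeat the check locally.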

