
brooky9999 05-25-2012 12:34 PM

RHEL 6 / Active Directory 2008 R2 issues

I'm having issues trying to get my RHEL 6 box to authenticate against an Active Directory 2008 R2 DC using just kerberos / LDAP / SSSD - not Winbind.

I think I'm close with my config, I just can't seem to authenticate via SSH for some reason. The error I get in /var/log/sssd/krb5_child.log is:


[get_and_save_tgt] (1): 721: [-1765328360] [Preauthentication failed]
[tgt_req_child] (1): 980: [-1765328360] [Preauthentication failed]

I have tried disabling pre-authentication (bad idea, but had to test) in AD but that doesn't work either.

Obviously this is the first step - once kerberos has authenticated the account it will then communicate via LDAP to get group memberships etc. I just can't figure out why it won't authenticate (obviously the password I'm using is correct).

Here are my config files:


[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 0

[domain/LDAP]
debug_level = 9
enumerate = false
min_id = 1000
access_provider = ldap
# ldap_access_filter = memberOf="cn=Unix_users,ou=Groups,ou=Managed,dc=nl,dc=test,dc=ad"
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://
ldap_search_base = dc=nl,dc=test,dc=ad
ldap_default_bind_dn = cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=nl,dc=test,dc=ad
ldap_default_authtok_type = password
ldap_default_authtok = HardP@ssw0rd1
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_user_gid_number = gidNumber
ldap_user_uid_number = uidNumber

# kerberos config
krb5_server =
krb5_realm = NL.TEST.AD
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
cache_credentials = True
krb5_renewable_lifetime = 36000
krb5_lifetime = 36000
#krb5_use_fast = try


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 NL.TEST.AD = {
  kdc =
  admin_server =
  default_domain =
 }

[domain_realm]
 = NL.TEST.AD
 = NL.TEST.AD

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }


passwd:    files sss
shadow:    files sss
group:      files sss

#hosts:    db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:  nisplus [NOTFOUND=return] files
#networks:  nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:    nisplus [NOTFOUND=return] files
#netmasks:  nisplus [NOTFOUND=return] files   

bootparams: nisplus [NOTFOUND=return] files

ethers:    files
netmasks:  files
networks:  files
protocols:  files
rpc:        files
services:  files

netgroup:  files sss

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        sufficient use_first_pass
auth        requisite uid >= 500 quiet
auth        required

account    required broken_shadow
account    sufficient
account    sufficient uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore]
account    required

password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session    optional revoke
session    required
session    optional
session    [success=1 default=ignore] service in crond quiet use_uid
session    required
session    optional

The system time is synced to the DC and correct. The RHEL box has an account in AD and I have a kerberos ticket for it. The keytab is present and correct and is shown by doing:

klist -keK

This all worked perfectly under RHEL 5 (although using /etc/ldap.conf and not SSSD!) but this is killing me!

If anyone has any pointers I'd be extremely grateful!

Many thanks,


kbp 05-28-2012 11:41 PM

It won't work with 'access_provider = ldap' enabled and 'ldap_access_filter' commented out, if I'd known you were coming I'd have baked a script (like this):



#!/bin/bash
# The post does not show where DC1, DC2, BASEDN, KRBREALM, ADMINACCTFILTER,
# BINDACCTDN and BINDACCTOBFUSPW are set; stop early if any is missing.
for var in DC1 DC2 BASEDN KRBREALM ADMINACCTFILTER BINDACCTDN BINDACCTOBFUSPW
do
  if [[ -z "${!var}" ]]
  then
    echo "${var} is not set"
    exit 1
  fi
done

echo "[*] Installing required authentication packages"
for package in sssd pam_krb5 krb5-libs krb5-workstation openldap-clients
do
  rpm -q ${package} >/dev/null 2>&1
  if [[ $? -ne 0 ]]
  then
    echo "... installing ${package}"
    yum -y install ${package} >/dev/null 2>&1
    if [[ $? -ne 0 ]]
    then
      echo "${package} installation failed"
      exit 1
    fi
  fi
done

echo "[*] Configuring Kerberos, LDAP and SSSD"
authconfig \
--enableldap \
--ldapserver=${DC1},${DC2} \
--ldapbasedn=${BASEDN} \
--disableldaptls \
--enablekrb5 \
--krb5realm ${KRBREALM} \
--krb5kdc ${DC1},${DC2} \
--krb5adminserver ${DC1},${DC2} \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablemkhomedir \
--enablesssd \
--enablesssdauth \
--update &> /dev/null

echo "[*] Creating /etc/sssd/sssd.conf"
cat <<EOF > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ${KRBREALM}

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 2
pam_pwd_expiration_warning = 14

[domain/${KRBREALM}]
description = LDAP naming with kerberos auth to AD
enumerate = true
timeout = 30
id_provider = ldap
chpass_provider = krb5
access_provider = ldap

ldap_uri = ldap://${DC1}/, ldap://${DC2}/
ldap_access_filter = &(objectClass=user)(cn=${ADMINACCTFILTER})
ldap_search_base = ${BASEDN}
ldap_default_bind_dn = ${BINDACCTDN}
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = ${BINDACCTOBFUSPW}
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
ldap_force_upper_case_realm = true

auth_provider = krb5
krb5_server = ${DC1}, ${DC2}
krb5_realm = ${KRBREALM}
krb5_auth_timeout = 15

cache_credentials = true
min_id = 10000
max_id = 65535
EOF
# sssd will not start unless its config file is root-owned with mode 0600
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

echo "[*] Modifying SSHD to support PAM authentication"
grep -e '^UsePAM.*' /etc/ssh/sshd_config >/dev/null 2>&1
if [[ $? -ne 0 ]]
then
  # no UsePAM line yet: append one
  cat << EOF >> /etc/ssh/sshd_config
UsePAM yes
EOF
else
  # UsePAM already present: force it to yes
  perl -pi -e 's|^UsePAM.*|UsePAM yes|' /etc/ssh/sshd_config
fi

echo "[*] Modifying pam_mkhomedir arguments"
perl -pi -e 's|(.*pam_mkhomedir\.so).*|$1 skel=/etc/skel umask=077|' /etc/pam.d/system-auth*

echo "[*] Restarting services"
service sssd restart

brooky9999 05-29-2012 06:46 AM

Wow kbp - thanks!

I actually re-did all the configs and the pre-authentication errors went away. I obviously then came up against the access_provider problem, which I resolved pretty quickly.

So for those who are struggling getting RHEL 6 + Active Directory 2008 with kerberos/LDAP/SSSD - I can vouch that this config works.

I will now try out your script. Many thanks!


jmp242 06-11-2012 02:56 PM

Is there a way to have this get the UID and GIDs from AD attributes (so we can manually set them on the server)?

kbp 06-11-2012 10:14 PM

Not sure what you mean .. any AD user wanting to log in will need to have their attributes populated on the 'Unix Attributes' tab before they're considered a valid user, uid is automatically generated to ensure that it's unique (they start at 10000 by default).

jmp242 06-12-2012 07:36 AM

I mean I have historical UIDs / GIDs from the Unix side I need to maintain, so I need to be able to set in AD (manually) the UID / GIDs...

kbp 06-19-2012 06:46 PM

Why is the specific uid/gid required? .. can't you just 'chown -R <ad_user> <some_dir>' ?

jmp242 06-20-2012 07:30 AM

Politics / legacy stuff. It's a requirement I've been given...

kbp 06-20-2012 09:25 AM

Try changing them in AD, it autogenerates but I don't think that will stop you changing them. Don't forget to change the range in sssd.conf to cover them if you need to.
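
Two sssd.conf points from kbp's replies in this thread can be checked mechanically: a domain with 'access_provider = ldap' but no 'ldap_access_filter', and a min_id/max_id range that does not cover manually assigned UIDs. The script below is an added example, not code from any poster; the finding names and the sample config (hostname, DNs, password) are constructed, and it goes slightly beyond the posts by also flagging a bind password that is stored or sent in clear text.

```sh
#!/bin/sh
# Added example, not code from the thread. Usage: lint_sssd [UID ...] < sssd.conf
# Prints one finding per line for each [domain/...] section read from stdin.
lint_sssd() {
  awk -v uids="$*" '
    function report(   n, i, u) {
      if (dom == "") return
      if (tolower(v["access_provider"]) == "ldap" && !("ldap_access_filter" in v))
        print dom ": NO_ACCESS_FILTER access_provider=ldap denies every user"
      if (("ldap_default_authtok" in v) && v["ldap_default_authtok_type"] != "obfuscated_password")
        print dom ": PLAINTEXT_AUTHTOK bind password readable in sssd.conf"
      if (("ldap_default_bind_dn" in v) && v["ldap_uri"] ~ /ldap:\/\// && tolower(v["ldap_id_use_start_tls"]) != "true")
        print dom ": NO_TLS simple bind password crosses the network unencrypted"
      n = split(uids, u, " ")
      for (i = 1; i <= n; i++)   # max_id unset or 0 means no upper limit
        if (u[i] + 0 < v["min_id"] + 0 || (v["max_id"] + 0 > 0 && u[i] + 0 > v["max_id"] + 0))
          print dom ": UID_OUT_OF_RANGE " u[i] " is outside min_id/max_id"
      split("", v)               # clear settings before the next section
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # commented-out options do not count
    /^[ \t]*\[/ {                          # section header: report the previous domain
      report(); dom = ""
      if (match($0, /\[domain\/[^]]+\]/)) dom = substr($0, RSTART + 8, RLENGTH - 9)
      next
    }
    dom != "" && (p = index($0, "=")) {    # key = value inside a domain section
      k = substr($0, 1, p - 1); val = substr($0, p + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
      v[k] = val
    }
    END { report() }
  '
}

# Constructed input mirroring the first post's settings (all values are placeholders)
sample_conf() {
  cat <<'EOF'
[sssd]
[domain/LDAP]
min_id = 1000
access_provider = ldap
# ldap_access_filter = memberOf=cn=Unix_users,dc=example,dc=test
ldap_uri = ldap://dc1.example.test
ldap_default_bind_dn = cn=sa_ldap,dc=example,dc=test
ldap_default_authtok_type = password
ldap_default_authtok = constructed-placeholder
EOF
}
sample_conf | lint_sssd 501 1500
```

Against a live system the same function reads the real file, for example `lint_sssd 501 < /etc/sssd/sssd.conf` with the historical UIDs that must keep resolving.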

R09u3Bull 11-10-2012 01:42 AM

My RHEL box doesn't have an account in AD (Windows 2008 R2). What do I need to do in order for it to show up there?

R09u3Bull 11-26-2012 01:45 AM


Originally Posted by R09u3Bull (Post 4826313)
My RHEL box doesn't have an account in AD (Windows 2008 R2). What do I need to do in order for it to show up there?

I figured this has to be done manually by adding an entry in AD under the Computers section if you are using SSSD/LDAP/kerberos configuration. Is there a way to automate this? Like in Samba/Winbind, I believe this happens automatically. Is there a way to include this functionality in SSSD/LDAP/kerberos configs too?
