LinuxQuestions.org

LinuxQuestions.org (http://www.linuxquestions.org/questions/index.php)
-   Red Hat (http://www.linuxquestions.org/questions/forumdisplay.php?f=31)
-   -   RHEL 6 / Active Directory 2008 R2 issues (http://www.linuxquestions.org/questions/showthread.php?t=946861)

brooky9999 05-25-2012 01:34 PM

RHEL 6 / Active Directory 2008 R2 issues
 
Hi,

I'm having issues trying to get my RHEL 6 box to authenticate against an Active Directory 2008 R2 DC using just kerberos / LDAP / SSSD - not Winbind.

I think I'm close with my config, I just can't seem to authenticate via SSH for some reason. The error I get in /var/log/sssd/krb5_child.log is:

Code:

[get_and_save_tgt] (1): 721: [-1765328360] [Preauthentication failed]
[tgt_req_child] (1): 980: [-1765328360] [Preauthentication failed]

I have tried disabling pre-authentication (bad idea, but had to test) in AD but that doesn't work either.

Obviously this is the first step - once kerberos has authenticated the account it will then communicate via LDAP to get group memberships etc. I just can't figure out why it won't authenticate (obviously the password I'm using is correct).

Here are my config files:

/etc/sssd/sssd.conf
Code:

[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 0

[domain/LDAP]
debug_level = 9
enumerate = false
min_id = 1000
access_provider = ldap
# ldap_access_filter = memberOf="cn=Unix_users,ou=Groups,ou=Managed,dc=nl,dc=test,dc=ad"
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc.nl.test.ad/
ldap_search_base = dc=nl,dc=test,dc=ad
ldap_default_bind_dn = cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=nl,dc=test,dc=ad
ldap_default_authtok_type = password
ldap_default_authtok = HardP@ssw0rd1
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_user_gid_number = gidNumber
ldap_user_uid_number = uidNumber

# kerberos config
krb5_server = dc.test.ad
krb5_realm = NL.TEST.AD
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
cache_credentials = True
krb5_renewable_lifetime = 36000
krb5_lifetime = 36000
#krb5_use_fast = try

/etc/krb5.conf
Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 NL.TEST.AD = {
  kdc = dc.nl.test.ad:88
  admin_server = dc.nl.test.ad:749
  default_domain = nl.test.ad
 }

[domain_realm]
 .nl.test.ad = NL.TEST.AD
 nl.test.ad = NL.TEST.AD

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

/etc/nsswitch.conf
Code:

passwd:    files sss
shadow:    files sss
group:      files sss

#hosts:    db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:  nisplus [NOTFOUND=return] files
#networks:  nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:    nisplus [NOTFOUND=return] files
#netmasks:  nisplus [NOTFOUND=return] files   

bootparams: nisplus [NOTFOUND=return] files

ethers:    files
netmasks:  files
networks:  files
protocols:  files
rpc:        files
services:  files

netgroup:  files sss

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

/etc/pam.d/password-auth
Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        requisite    pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account    required      pam_unix.so broken_shadow
account    sufficient    pam_localuser.so
account    sufficient    pam_succeed_if.so uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required      pam_permit.so

password    requisite    pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session    optional      pam_keyinit.so revoke
session    required      pam_limits.so
session    optional      pam_oddjob_mkhomedir.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required      pam_unix.so
session    optional      pam_sss.so

The system time is synced to the DC and correct. The RHEL box has an account in AD and I have kerberos ticket for it. The keytab is present and correct and is shown by doing:

Code:

klist -keK

This all worked perfectly under RHEL 5 (although using /etc/ldap.conf and not SSSD!) but this is killing me!

If anyone has any pointers I'd be extremely grateful!

Many thanks,


-Mark
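The config posted above has several settings worth checking before blaming the KDC, so here is an added example (not code from the original post) that parses an sssd.conf domain section and flags them: an access provider with no filter, a cleartext bind password, simple binds over ldap:// without STARTTLS, misspelled krb5_* option names, and a krb5_server outside the realm's DNS domain. Both sample configs are constructed, abridged versions of the [domain/LDAP] section above; the CA file path, the obfuscated-token placeholder and the bind secret are assumptions.

```python
"""Lint an sssd.conf domain section for the pitfalls raised in this thread.

Added example, not from the original post. BROKEN_SSSD_CONF is a constructed,
abridged copy of the posted [domain/LDAP] section; FIXED_SSSD_CONF shows the
same section with each weak setting corrected.
"""
import configparser
from dataclasses import dataclass

# Subset of the krb5_* options documented in sssd-krb5(5). An unrecognised
# krb5_* key is almost always a typo, and SSSD ignores it instead of failing.
KNOWN_KRB5_OPTIONS = {
    "krb5_server", "krb5_backup_server", "krb5_realm", "krb5_kpasswd",
    "krb5_changepw_principal", "krb5_ccachedir", "krb5_ccname_template",
    "krb5_auth_timeout", "krb5_renewable_lifetime", "krb5_lifetime",
    "krb5_use_fast", "krb5_validate", "krb5_keytab", "krb5_renew_interval",
    "krb5_store_password_if_offline", "krb5_canonicalize",
}

BROKEN_SSSD_CONF = """\
[domain/LDAP]
access_provider = ldap
# ldap_access_filter = memberOf=cn=Unix_users,ou=Groups,dc=nl,dc=test,dc=ad
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc.nl.test.ad/
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=sa_ldap,ou=Service Accounts,dc=nl,dc=test,dc=ad
ldap_default_authtok_type = password
ldap_default_authtok = placeholder-secret
krb5_server = dc.test.ad
krb5_realm = NL.TEST.AD
krb5_changepw_principle = kadmin/changepw
"""

FIXED_SSSD_CONF = """\
[domain/LDAP]
access_provider = ldap
ldap_access_filter = (memberOf=cn=Unix_users,ou=Groups,dc=nl,dc=test,dc=ad)
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc.nl.test.ad/
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ad-root-ca.pem
ldap_default_bind_dn = cn=sa_ldap,ou=Service Accounts,dc=nl,dc=test,dc=ad
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = paste-output-of-sss_obfuscate-here
krb5_server = dc.nl.test.ad
krb5_realm = NL.TEST.AD
krb5_changepw_principal = kadmin/changepw
"""


@dataclass
class Finding:
    section: str
    check: str
    message: str


def _truthy(value):
    return value.strip().lower() in {"true", "yes", "1"}


def _hosts(value):
    # "host1:88, host2" -> ["host1", "host2"]
    return [h.strip().split(":")[0] for h in value.split(",") if h.strip()]


def lint_sssd_conf(text):
    """Return a list of Finding objects for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]

        def add(check, msg):
            findings.append(Finding(section, check, msg))

        # access_provider = ldap with no filter denies every login.
        if d.get("access_provider") == "ldap" and not d.get("ldap_access_filter"):
            add("no_access_filter", "access_provider = ldap without ldap_access_filter denies everyone")
        # SSSD's default authtok type is 'password', i.e. the bind secret in the clear.
        if d.get("ldap_default_authtok") and d.get("ldap_default_authtok_type", "password") == "password":
            add("cleartext_bind_password", "bind password stored in the clear; use sss_obfuscate and keep the file root-owned, mode 0600")
        # A simple bind over plain ldap:// sends that password unencrypted.
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        if any(u.startswith("ldap://") for u in uris) and not _truthy(d.get("ldap_id_use_start_tls", "false")):
            add("ldap_without_tls", "ldap:// with STARTTLS off; set ldap_id_use_start_tls = true or use ldaps://, with ldap_tls_reqcert = demand")
        for key in d:
            if key.startswith("krb5_") and key not in KNOWN_KRB5_OPTIONS:
                add("unknown_option:" + key, f"{key} is not in this linter's sssd-krb5(5) option list; check the spelling")
        realm = d.get("krb5_realm", "").lower()
        for kdc in _hosts(d.get("krb5_server", "")):
            if realm and not kdc.lower().endswith("." + realm):
                add("kdc_outside_realm_domain", f"krb5_server {kdc} is not under {realm}; confirm it is a KDC for that realm")
    return findings


if __name__ == "__main__":
    for f in lint_sssd_conf(BROKEN_SSSD_CONF):
        print(f"[{f.section}] {f.check}: {f.message}")
    print("fixed config:", lint_sssd_conf(FIXED_SSSD_CONF))
```

Point it at a real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`. The obfuscation done by sss_obfuscate is reversible, so the 0600 root-only mode on sssd.conf is still what actually protects the bind secret; the TLS check matters because with `ldap_id_use_start_tls = False` that secret crosses the wire on every identity lookup.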

kbp 05-29-2012 12:41 AM

It won't work with 'access_provider = ldap' enabled and 'ldap_access_filter' commented out. If I'd known you were coming I'd have baked a script (like this):
Code:

#!/bin/bash

DOMAIN=company.tld
KRBREALM=COMPANY.TLD
DC1=dc01.company.tld
DC2=dc02.company.tld
BASEDN="dc=company,dc=tld"
BINDACCTDN="cn=xxx,ou=xxx,dc=company,dc=tld"
BINDACCTOBFUSPW='xxxx'
ADMINACCTFILTER='*_admin'


echo "[*] Installing required authentication packages"
for package in sssd pam_krb5 krb5-libs krb5-workstation openldap-clients
do
  rpm -q ${package} >/dev/null 2>&1
  if [[ $? -ne 0 ]]
  then
    echo "... installing ${package}"
    yum -y install ${package} >/dev/null 2>&1
    if [[ $? -ne 0 ]]
    then
      echo "${package} installation failed"
      exit 1
    fi
  fi
done


echo "[*] Configuring Kerberos, LDAP and SSSD"
authconfig \
--enableldap \
--ldapserver=${DC1},${DC2} \
--ldapbasedn=${BASEDN} \
--disableldaptls \
--enablekrb5 \
--krb5realm ${KRBREALM} \
--krb5kdc ${DC1},${DC2} \
--krb5adminserver ${DC1},${DC2} \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablemkhomedir \
--enablesssd \
--enablesssdauth \
--update &> /dev/null


echo "[*] Creating /etc/sssd/sssd.conf"
cat <<EOF> /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ${KRBREALM}

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
enum_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 2
pam_pwd_expiration_warning = 14

[domain/${KRBREALM}]
description = LDAP naming with kerberos auth to AD
enumerate = true
timeout = 30
id_provider = ldap
chpass_provider = krb5
access_provider = ldap

ldap_uri = ldap://${DC1}/, ldap://${DC2}/
ldap_access_filter = (&(objectClass=user)(cn=${ADMINACCTFILTER}))
ldap_search_base = ${BASEDN}
ldap_default_bind_dn = ${BINDACCTDN}
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = ${BINDACCTOBFUSPW}
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
ldap_force_upper_case_realm = true

auth_provider = krb5
krb5_server = ${DC1}, ${DC2}
krb5_realm = ${KRBREALM}
krb5_auth_timeout = 15

cache_credentials = true
min_id = 10000
max_id = 65535
EOF
# sssd refuses to start unless sssd.conf is root-owned and mode 0600 (it holds the bind token)
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf


echo "[*] Modifying SSHD to support PAM authentication"
grep -e '^UsePAM.*' /etc/ssh/sshd_config >/dev/null 2>&1
if [[ $? -ne 0 ]]
then
cat << EOF >> /etc/ssh/sshd_config
UsePAM yes
EOF
else
perl -pi -e 's|^UsePAM.*|UsePAM yes|' /etc/ssh/sshd_config
fi

echo "[*] Modifying pam_mkhomedir arguments"
perl -pi -e 's|(.*pam_mkhomedir\.so).*|$1 skel=/etc/skel umask=077|' /etc/pam.d/system-auth*

echo "[*] Restarting services"
service sssd restart


brooky9999 05-29-2012 07:46 AM

Wow kbp - thanks!

I actually re-did all the configs and the pre-authentication errors went away. I obviously then came up against the access_provider problem, which I resolved pretty quickly.

So for those who are struggling getting RHEL 6 + Active Directory 2008 with kerberos/LDAP/SSSD - I can vouch that this config works.

I will now try out your script. Many thanks!


-Mark

jmp242 06-11-2012 03:56 PM

Is there a way to have this get the UID and GIDs from AD attributes (so we can manually set them on the server)?

kbp 06-11-2012 11:14 PM

Not sure what you mean .. any AD user wanting to log in will need to have their attributes populated on the 'Unix Attributes' tab before they're considered a valid user, uid is automatically generated to ensure that it's unique (they start at 10000 by default).

jmp242 06-12-2012 08:36 AM

I mean I have historical UIDs / GIDs from the Unix side I need to maintain, so I need to be able to set in AD (manually) the UID / GIDs...

kbp 06-19-2012 07:46 PM

Why is the specific uid/gid required? .. can't you just 'chown -R <ad_user> <some_dir>' ?

jmp242 06-20-2012 08:30 AM

Politics / legacy stuff. It's a requirement I've been given...

kbp 06-20-2012 10:25 AM

Try changing them in AD, it autogenerates but I don't think that will stop you changing them. Don't forget to change the range in sssd.conf to cover them if you need to.
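Hand-set legacy uidNumber/gidNumber values fail in three quiet ways: SSSD drops entries outside min_id/max_id, a uid that also exists in /etc/passwd resolves to the local account under `passwd: files sss`, and two AD users sharing a uid own each other's files. The check below is an added example, not code from the thread; the AD entries and /etc/passwd lines are constructed, and MIN_ID/MAX_ID are copied from the script posted earlier.

```python
"""Validate hand-set Unix attributes in AD against the SSSD id range and
the local account file.

Added example, not from the original thread. AD_USERS and LOCAL_PASSWD are
constructed test data; MIN_ID/MAX_ID are the values from kbp's script.
"""
MIN_ID, MAX_ID = 10000, 65535

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacyapp:x:1200:1200:Legacy app account:/srv/app:/sbin/nologin
"""

# Constructed AD entries: only the attributes SSSD maps are shown.
AD_USERS = [
    {"sAMAccountName": "alice", "uidNumber": 1200, "gidNumber": 1200},
    {"sAMAccountName": "bob", "uidNumber": 505, "gidNumber": 505},
    {"sAMAccountName": "carol", "uidNumber": 20001, "gidNumber": 20001},
    {"sAMAccountName": "dave", "uidNumber": 20001, "gidNumber": 20002},
    {"sAMAccountName": "erin", "uidNumber": None, "gidNumber": None},
]


def local_ids(passwd_text):
    """Map uid -> name for every account in the files-backed /etc/passwd."""
    out = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        out[int(uid)] = name
    return out


def check_ad_ids(users, passwd_text, min_id=MIN_ID, max_id=MAX_ID):
    """Return {sAMAccountName: problem} for entries that will not resolve
    the way the administrator expects."""
    problems = {}
    local = local_ids(passwd_text)
    seen = {}  # uid -> first AD user that claimed it
    for u in users:
        name, uid = u["sAMAccountName"], u["uidNumber"]
        if uid is None:
            # No Unix attributes: SSSD never returns this user at all.
            problems[name] = "missing_unix_attributes"
        elif uid in local:
            # 'passwd: files sss' means getpwuid() answers with the local name,
            # so files end up showing the local owner, not the AD user.
            problems[name] = "collides_with_local:" + local[uid]
        elif uid in seen:
            problems[name] = "duplicate_uid_with:" + seen[uid]
        elif not min_id <= uid <= max_id:
            # Outside the domain's range SSSD silently filters the entry out.
            problems[name] = "outside_id_range"
        else:
            seen[uid] = name
    return problems


def id_range_to_cover(users):
    """Smallest (min_id, max_id) that keeps every populated uid/gid visible."""
    ids = [v for u in users for v in (u["uidNumber"], u["gidNumber"]) if v is not None]
    return (min(ids), max(ids))


if __name__ == "__main__":
    for name, problem in check_ad_ids(AD_USERS, LOCAL_PASSWD).items():
        print(f"{name}: {problem}")
    print("min_id/max_id needed:", id_range_to_cover(AD_USERS))
```

Run it against real data by exporting the attributes with `ldapsearch` and reading the host's /etc/passwd; the range it reports is what goes into `min_id`/`max_id`, and every collision has to be resolved on the AD side (or by renumbering the local account) before SSSD is switched on.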

R09u3Bull 11-10-2012 02:42 AM

My RHEL box doesn't have an account in AD (Windows 2008 R2). What do I need to do in order for it to show up there?

R09u3Bull 11-26-2012 02:45 AM

Quote:

Originally Posted by R09u3Bull (Post 4826313)
My RHEL box doesn't have an account in AD (Windows 2008 R2). What do I need to do in order for it to show up there?

I figured this has to be done manually by adding an entry in AD under the Computers section if you are using an SSSD/LDAP/Kerberos configuration. Is there a way to automate this? In Samba/Winbind, I believe this happens automatically. Is there a way to include this functionality in SSSD/LDAP/Kerberos configs too?

