Hi
I'm trying to set up Active Directory authentication using sssd.
The unusual thing is that I'm trying to use a regular user account (not a computer account) as the KRB5 principal (the company I'm doing this for doesn't want to register its Linux machines in AD; they only want AD to manage the users). Is this possible? I've been getting some unusual behaviour.
I've created a keytab on the AD server using the following command:
C:\Users\Administrator>ktpass /out krb5.keytab /princ myaduser@MYDOMAIN.COM /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser myaduser@mydomain.com /pass mypassword
where MYDOMAIN is the domain and myaduser is a regular user account
I copied the keytab to the Linux host and set up sssd.conf as you would normally, with the addition of:
ldap_sasl_authid = myaduser@MYDOMAIN.COM # since we're not using the default host/hostname.mydomain.com@MYDOMAIN.COM
I then run:
# kinit -k -t /etc/krb5.keytab 'myaduser@MYDOMAIN.COM'
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: myaduser@MYDOMAIN.COM
Valid starting Expires Service principal
06/24/2014 11:21:40 06/24/2014 21:21:40 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/01/2014 11:21:40
Is this a valid ticket? It appears to be, since I can then use ldapsearch successfully using KRB5:
/usr/bin/ldapsearch -H ldap://adserver.mydomain.com/ -Y GSSAPI -N -b "ou=corp,dc=mydomain,dc=com" "(&(objectClass=user)(sAMAccountName=myaduser) )"
..
..
output removed...
The problem is that getent returns immediately without results and obviously authentication fails as well.
This is my sssd.conf:
[sssd]
config_file_version = 2
domains = default
services = nss, pam, autofs
[domain/default]
ldap_referrals = false
cache_credentials = True
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
#access_provider = ldap
# Uncomment if service discovery is not working
ldap_uri = ldap://adserver.mydomain.com
ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
ldap_sasl_authid = myaduser@MYDOMAIN.COM
ldap_user_search_base = ou=Users,ou=corp,dc=mydomain,dc=com
ldap_group_search_base = ou=Group,ou=corp,dc=mydomain,dc=com
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_realm = MYDOMAIN.COM
ldap_search_base = ou=corp,dc=,mydomain,dc=com
# Uncomment if DNS discovery of you AD servers isn't working.
# krb5_server = adserver.mydomain.com
krb5_store_password_if_offline = True
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
krb5_kpasswd = adserver.mydomain.com
ldap_tls_cacertdir = /etc/openldap/cacerts
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news, nscd
[pam]
[sudo]
[autofs]
[ssh]
[pac]
This is my /etc/pam.d/system-auth:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Any ideas anyone?
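As an added check (not part of the original post and not an sssd tool), the script below parses a constructed sssd.conf fragment modelled on the settings above and flags two things that make the LDAP id_provider return nothing while kinit and ldapsearch still work: a search-base DN with a malformed RDN, and an ldap_sasl_authid whose realm differs from krb5_realm. The DN grammar is a simplified RFC 4514 check and the config text is constructed for the example.

```python
"""Sanity-check LDAP search bases and the GSSAPI bind identity in sssd.conf."""
import configparser
import re

# Constructed sssd.conf fragment (not the poster's file); the first
# ldap_search_base deliberately contains an empty RDN value.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = myaduser@MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
ldap_search_base = ou=corp,dc=,mydomain,dc=com
ldap_user_search_base = ou=Users,ou=corp,dc=mydomain,dc=com
ldap_group_search_base = ou=Group,ou=corp,dc=mydomain,dc=com
"""

# One RDN: attribute type, '=', non-empty value; a literal comma inside a
# value must be escaped as '\,' because unescaped commas separate RDNs.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")


def dn_problems(dn):
    """Return the RDNs of `dn` that are not well-formed (empty list if all are)."""
    rdns = re.split(r"(?<!\\),", dn)
    return [r.strip() for r in rdns if not RDN_RE.match(r.strip())]


def check_domain(conf_text, domain="default"):
    """Return human-readable findings for one [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    for key in sec:
        if key.endswith("search_base") and dn_problems(sec[key]):
            findings.append(f"{key}: malformed RDN(s) {dn_problems(sec[key])}")
    # With ldap_sasl_mech = GSSAPI the bind identity is ldap_sasl_authid;
    # its realm should be the one sssd uses for Kerberos (krb5_realm).
    authid, realm = sec.get("ldap_sasl_authid", ""), sec.get("krb5_realm", "")
    if "@" in authid and realm and authid.rsplit("@", 1)[1] != realm:
        findings.append(f"ldap_sasl_authid realm {authid.rsplit('@', 1)[1]!r} != krb5_realm {realm!r}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_domain(SAMPLE_SSSD_CONF)) or "no findings")
```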