Your search base looks wrong:
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
And it is a mismatch with the path the bind DN uses.
Regards
Davor
-- Sent from the mobile phone! --
----- Original message -----
From: "thierry DeTheGeek" <dethegeek(a)gmail.com>
Sent: 2015-06-13 20:25
To: "sssd-users(a)lists.fedorahosted.org" <sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users] get_and_save_tgt: Preauthentication failed on debian 7 + sssd 1.8.4 against a samba 4 host
Hi
I'm working on a centralized user accounts setup, thanks to samba 4.
SSSD is set up on a Debian 7 host, version 1.8.4 as provided by the repository. This host will authenticate users against several domains: INTRA.DOMAIN-A.COM and INTRA.DOMAIN-B.COM. The latter domain is not set up yet because this work will be nearly a copy/paste from the first one.
I need to make my users authenticate with a login in the form jdoe(a)domain-a.com. This will prevent a conflict if the user jdoe exists on both domains.
Notice I want to drop the "intra." part in the login, so that my users are not bored with technical details.
I successfully built a sssd.conf on a Debian Jessie host, but when reproducing the setup on Debian 7, user authentication fails.
Here is the sssd.conf file, with password and domain not revealed:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain-a.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# entry_cache_nowait_percentage = 300
[pam]
reconnection_retries = 3
# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd; it
# now contains only root and system accounts.
# [domain/LOCAL]
# description = LOCAL Users domain
# id_provider = local
# enumerate = true
# min_id = 500
# max_id = 999
[domain/domain-a.com]
; Using enumerate = true leads to high load and slow response
enumerate = true
cache_credentials = false
entry_cache_timeout = 5400
# account_cache_expiration = 365
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://intra.domain-a.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldap-deb7,cn=users,dc=intra,dc=domain-a,dc=com
ldap_default_authok_type = password
ldap_default_authtok = p@ssw0rd
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
ldap_user_object_class = person
#ldap_user_principal = userPrincipalName
ldap_user_principal = sAMAccountname
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_force_upper_case_realm = true
krb5_server = intra.domain-a.com
krb5_realm = INTRA.DOMAIN-A.COM
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
use_fully_qualified_names = true
# re_expression = ((intra\.(?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@$
# full_name_format = %1$s(a)intra.%2$s
# not available on Wheezy - sssd < 1.9.0
# override_shell = /usr/sbin/nologin
override_homedir = /media/homedrive/%d/users/%u
- getent passwd shows my users
- kinit jdoe(a)INTRA.DOMAIN-A.COM asks for a password and succeeds
- If logged in as root, su jdoe(a)intra.domain-a.com succeeds
- ssh localhost -l jdoe(a)domain-a.com fails
Running sssd -i -d 0xFFF0 shows a huge amount of log output, and it appears that Kerberos authentication fails.
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [become_user] (0x4000): Trying to become user [10000][10001].
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30421]
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [main] (0x0400): krb5_child started.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x4000): Not using FAST.
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [get_and_save_tgt] (0x0020): 682: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [tgt_req_child] (0x0020): 944: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [krb5_child_done] (0x4000): child response [17][1][25].
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [check_wait_queue] (0x1000): Wait queue for user [jdoe] is empty.
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][domain-a.com]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][domain-a.com]
I think my issue is here, but I don't know how to check the Kerberos authentication.
I suspect sssd sends something with the wrong domain part.
I have an LXC container running Debian 8, and this setup seems to work exactly as I'm expecting.
Any idea on how to troubleshoot my issue?
Regards,
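As an added illustration of the check made in the reply above (this is not code from the thread or from the sssd project): a small Python linter that parses an sssd.conf, flags a repeated RDN in ldap_search_base, reports a bind DN that does not sit under the search base, and catches near-miss spellings of option names that sssd would otherwise silently ignore. The sample config is constructed from the keys in the quoted [domain/domain-a.com] section; KNOWN_OPTIONS is only the subset of names from sssd-ldap(5) and sssd-krb5(5) that the sample needs.

```python
import configparser
import difflib
import re
# Constructed sample (not the poster's full file): the keys from the quoted
# [domain/domain-a.com] section that the checks below look at.
SSSD_CONF_AS_POSTED = """[domain/domain-a.com]
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=ldap-deb7,cn=users,dc=intra,dc=domain-a,dc=com
ldap_default_authok_type = password
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
krb5_changepw_principle = kadmin/changepw
"""
# Subset of option names as spelled in sssd-ldap(5) and sssd-krb5(5); sssd
# ignores a key it does not know, so a near-miss spelling is worth reporting.
KNOWN_OPTIONS = {
    "id_provider", "auth_provider", "ldap_default_bind_dn", "ldap_default_authtok_type",
    "ldap_default_authtok", "ldap_search_base", "krb5_realm", "krb5_changepw_principal",
}

def split_dn(dn):
    """Split a DN into lower-cased RDNs on commas that are not backslash-escaped."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn)] if dn else []

def suggested_search_base(bind_dn):
    """The container the bind account lives in: the bind DN minus its first RDN."""
    return ",".join(split_dn(bind_dn)[1:])

def check_sssd_conf(conf_text):
    """Return one finding string per problem found in each [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = dict(cp.items(section))
        for key in opts:
            near = [] if key in KNOWN_OPTIONS else difflib.get_close_matches(key, KNOWN_OPTIONS, 1, 0.85)
            if near:
                findings.append(f"{section}: '{key}' is not an option, did you mean '{near[0]}'")
        base = split_dn(opts.get("ldap_search_base", ""))
        bind = split_dn(opts.get("ldap_default_bind_dn", ""))
        for a, b in zip(base, base[1:]):  # cn=users,cn=users names a container that does not exist
            if a == b:
                findings.append(f"{section}: ldap_search_base repeats RDN '{a}'")
        if base and bind and bind[-len(base):] != base:  # bind account should sit under the base
            findings.append(f"{section}: bind DN is not under ldap_search_base, try "
                            f"ldap_search_base = {suggested_search_base(opts['ldap_default_bind_dn'])}")
    return findings
```

Running check_sssd_conf on the real file (after fixing the reported points) should come back empty before restarting sssd.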