Your search base looks wrong

ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com

And it is a mismatch with the path the bind DN uses

Regards
Davor

-- Sent from my mobile! --

From: thierry DeTheGeek
Sent: 2015-06-13 20:25
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] get_and_save_tgt: Preauthentication failed on debian 7 + sssd 1.8.4 against a samba 4 host

Hi

I'm working on a centralized user accounts setup, thanks to samba 4.

SSSD is set up on a Debian 7 host, version 1.8.4 as provided by the repository. This host will authenticate users against several domains: INTRA.DOMAIN-A.COM and INTRA.DOMAIN-B.COM. The latter domain is not set up yet because this work will be nearly a copy/paste from the first one.

I need to make my users authenticate with a login in the form jdoe@domain-a.com. This will prevent a conflict if the user jdoe exists on both domains.

Notice I want to drop the "intra." part in the login, so that my users are not bored with technical details.

I successfully built an sssd.conf on a Debian Jessie host, but when reproducing the setup on Debian 7, user authentication fails.

Here is the sssd.conf file, with the password and domain not revealed:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain-a.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# entry_cache_nowait_percentage = 300

[pam]
reconnection_retries = 3

# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd; it
# now contains only root and system accounts.
# [domain/LOCAL]
# description = LOCAL Users domain
# id_provider = local
# enumerate = true
# min_id = 500
# max_id = 999

[domain/domain-a.com]
; Using enumerate = true leads to high load and slow response
enumerate = true
cache_credentials = false
entry_cache_timeout = 5400
# account_cache_expiration = 365

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://intra.domain-a.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldap-deb7,cn=users,dc=intra,dc=domain-a,dc=com
ldap_default_authok_type = password
ldap_default_authtok = p@ssw0rd
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
ldap_user_object_class = person
#ldap_user_principal = userPrincipalName
ldap_user_principal = sAMAccountname
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_force_upper_case_realm = true

krb5_server = intra.domain-a.com
krb5_realm = INTRA.DOMAIN-A.COM
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
use_fully_qualified_names = true
# re_expression = ((intra\.(?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@$
# full_name_format = %1$s@intra.%2$s
# not available on Wheezy - sssd < 1.9.0
# override_shell = /usr/sbin/nologin
override_homedir = /media/homedrive/%d/users/%u

- getent passwd shows my users
- kinit jdoe@INTRA.DOMAIN-A.COM asks for password and succeeds
- If logged as root, su jdoe@intra.domain-a.com succeeds
- ssh localhost -l jdoe@domain-a.com fails

Running sssd -i -d 0xFFF0 shows a huge amount of log output, and it appears that Kerberos authentication fails.

(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [become_user] (0x4000): Trying to become user [10000][10001].
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30421]
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [main] (0x0400): krb5_child started.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x4000): Not using FAST.
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [get_and_save_tgt] (0x0020): 682: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [tgt_req_child] (0x0020): 944: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [krb5_child_done] (0x4000): child response [17][1][25].
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [check_wait_queue] (0x1000): Wait queue for user [jdoe] is empty.
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][domain-a.com]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][domain-a.com]

I think my issue is here, but I don't know how to check the Kerberos authentication. I'm suspecting sssd sends something with the wrong domain part.

I have an LXC container running Debian 8, and this setup seems to work exactly as I'm expecting.

Any idea on how to troubleshoot my issue?

Regards,
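As an added example (not code from the thread or from SSSD), a small Python check that parses an sssd.conf and flags what the reply points at: a repeated RDN in ldap_search_base and a bind DN that does not sit under the search base, plus option names that do not match a known spelling. SAMPLE_CONF and the KNOWN_OPTIONS subset are constructed here; the sample mirrors the posted domain section with the password redacted.

```python
import configparser
import difflib

# Constructed subset of sssd.conf(5) [domain/...] option names (not the full list).
KNOWN_OPTIONS = {
    "id_provider", "auth_provider", "chpass_provider", "enumerate", "cache_credentials",
    "ldap_uri", "ldap_schema", "ldap_default_bind_dn", "ldap_default_authtok_type",
    "ldap_default_authtok", "ldap_search_base", "ldap_user_principal", "krb5_server",
    "krb5_realm", "krb5_changepw_principal", "use_fully_qualified_names",
}

# Constructed sample mirroring the posted domain section (password redacted).
SAMPLE_CONF = """
[domain/domain-a.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://intra.domain-a.com
ldap_default_bind_dn = cn=ldap-deb7,cn=users,dc=intra,dc=domain-a,dc=com
ldap_default_authok_type = password
ldap_default_authtok = REDACTED
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
krb5_realm = INTRA.DOMAIN-A.COM
krb5_changepw_principle = kadmin/changepw
"""

def split_dn(dn):
    """Lower-cased, stripped RDNs; assumes no escaped commas in the DN."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def check_domain(section):
    """Return a list of findings for one parsed [domain/...] section."""
    findings = []
    for key in section:  # configparser lower-cases keys for us
        if key not in KNOWN_OPTIONS:
            hint = difflib.get_close_matches(key, KNOWN_OPTIONS, n=1)
            suffix = f", did you mean '{hint[0]}'?" if hint else ""
            findings.append(f"unknown option '{key}'{suffix}")
    base = split_dn(section.get("ldap_search_base", ""))
    bind = split_dn(section.get("ldap_default_bind_dn", ""))
    # A doubled RDN (cn=users,cn=users) names a container that does not exist.
    findings += [f"ldap_search_base repeats RDN '{a}'" for a, b in zip(base, base[1:]) if a == b]
    # The bind account's DN should end with the search base it is meant to search.
    if base and bind and bind[-len(base):] != base:
        findings.append("ldap_default_bind_dn is not under ldap_search_base")
    return findings

def check_config(text):
    """Parse sssd.conf text and check every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: check_domain(cp[s]) for s in cp.sections() if s.startswith("domain/")}
```

The same check runs over a real /etc/sssd/sssd.conf by passing its text to check_config.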