OK, tried to be clear but looks like I'm not :)
No big deal, let's try again.

Use case

I'm connected to a linux jumpbox (let's say jb.example.com) which is in domain example.com.
I do: "$ kinit tbouillon" and get a working ticket. I can connect with user tbouillon via ssh to all servers in the example.com domain via SSSD.
Now I have this server which is in child.example.com, and I want to connect from jb.example.com to server1.child.example.com

I do: tbouillon(a)jb.example.com $ ssh server1.child.example.com -l 'tbouillon(a)example.com'
I get this result: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Did you do something with the sshd configuration there? SSH tried to authenticate you using your public key but failed to do so.
Sorry, I can not help you with OpenSSH much, but it does not look like you are facing an SSSD issue.
Obviously I expected a shell like: tbouillon(a)server1.child.example.com
So the ssh command doesn't work well; also, when on server1.child.example.com I get:
kinit tbouillon(a)example.com
Password for tbouillon(a)example.com:
kinit: KDC reply did not match expectations while getting initial credentials
Here is the sssd.conf, sshd.log from server1, sssd.log
On 2 August 2017 at 16:41, Michal Židek <mzidek(a)redhat.com> wrote:
> Hi Tristan,
>
> I understand your topology from what you wrote, but I still
> do not know what is your problem. See question inline.
>
>
> On 08/02/2017 03:48 PM, Tristan Bouillon wrote:
>>
>> Hi Michal
>> Thanks for answering
>>
>> For the missing part :
>> OS : Centos 7.3 with latest updates
>> SSSD: 1.14.0 release 43
>>
>> So, I removed all traces of server1 (which is indeed a linux host)
>> from AD and tried to rejoin with the realm command.
>>
>> Good points:
>> The sssd.conf provided by the realm command was not far from the one I
>> had. I guess my understanding of how sssd and kerberos work together
>> wasn't that bad.
>> it added:
>> realmd_tags = manages-system joined-with-samba
>> ldap_id_mapping = True
>>
>> Now I have the same error basically. Reminder, I want my server in
>> child.example.com but users are in parent domain example.com
>> My server1 has successfully joined domain child.example.com and has a
>> keytab
>> when trying to connect sssd successfully finds the multiple AD servers
>> and SSSD ad backend is seen as online.
>>
>> [ad_get_client_site_done] (0x0400): Found forest: example.com
>> [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup
>> servers
>> [fo_add_server_to_list] (0x0400): Inserted primary server
>> 'ff1pdc01.child.example.com:3268' to service 'AD_GC' # Domain
>> controller for child.example.com
>> [fo_add_server_to_list] (0x0400): Inserted primary server
>> 'ff1gdc01.example.com:3268' to service 'AD_GC' # Domain
>> controller for example.com
>>
>> After that I have some successful ldap connection to different AD
>> servers and then it searches for my user. But it looks like the search
>> never goes to domain child.example.com
>> and after that it fails because the user doesn't exist in
>> child.example.com
>
>
> For what purpose is something searching for your user? Again... please
> tell me what is not working for you. Below you say that 'id' lookup is
> successful, that means SSSD's NSS responder is working. What command is
> not working for you (su, ssh, getent, id, etc.)?
>
> Sorry, I am simple person :)
>
> Please answer in format:
> I am doing this command: (for example) getent passwd user1(a)example.com
> (or) ssh localhost -l user1(a)example.com
> I get this result: ...
> I expected this result: ...
> Here is my sssd.conf:
> Logs from /var/log/sssd/ are in attachment.
>
>
>>
>> [sdap_save_user] (0x1000): Mapping user [tbouillon(a)example.com]
>> objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
>> [sdap_save_user] (0x0400): Original memberOf is not available for
>> [tbouillon(a)example.com].
>> [sdap_save_user] (0x0400): Adding user principal [tbouillon(a)CCMP.INTL]
>> to attributes of [tbouillon(a)example.com].
>> [sdap_save_user] (0x0400): Storing info for user tbouillon(a)example.com
>> [sysdb_search_by_name] (0x0400): No such entry
>> [sysdb_store_user] (0x1000): User tbouillon(a)example.com does not exist.
>>
>> On a classical shell if I do: "$ id user1.example.com" I have a correct
>> answer.
>>
>> On 2 August 2017 at 13:19, Michal Židek <mzidek(a)redhat.com> wrote:
>>>
>>> Hi,
>>>
>>> You did not mention what SSSD version and what OS you are using.
>>> I have few questions, see inline.
>>>
>>> On 08/02/2017 10:59 AM, Tristan Bouillon wrote:
>>>>
>>>>
>>>> Hi
>>>>
>>>> I have this case I'm working on and it's driving me crazy. I try to
>>>> setup something like this:
>>>>
>>>> AD setup is like this with bi-directional approbation:
>>>> - example.com
>>>> \-- child.example.com
>>>> Have users registered in example.com => user1(a)example.com
>>>> computers are registered in child.example.com =>
>>>> server1(a)child.example.com
>>>>
>>>> I want to connect with user1 to server1 with ssh and sssd.
>>>
>>>
>>>
>>> So, server1 is a Linux host, right? You can add it to the
>>> child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It
>>> will automatically add server1 to the child.example.com
>>> domain (so it did not have to be there before).
>>>
>>>> Before any debug process I want to make sure this is possible because
>>>> I'm running in circles.
>>>>
>>>> When setting up sssd and krb5 confs with child.example.com:
>>>
>>>
>>>
>>> If you set up SSSD manually there is a lot of room for errors,
>>> I recommend using realm join and then just tweak the sssd.conf
>>> in case something does not work the way you want.
>>>
>>>> -- sssd nss says: example.com is created as a subdomain of
>>>> child.example.com
>>>
>>>
>>>
>>> This is OK. The 'subdomain' may be a little bit confusing, because this
>>> refers to an internal C code structure that represents a trusted domain,
>>> not an actual subdomain in the DNS sense. IIRC we changed the message
>>> recently to be less confusing.
>>>
>>>> -- but AD backend is online for child.example.com and I can query it
>>>
>>>
>>>
>>> You mean SSSD AD backend is running on the Linux host server1, right?
>>>
>>>> -- the query for user1(a)example.com works great but the AD server in
>>>> child.example.com does not know the user and can't query his master AD
>>>> server.
>>>
>>>
>>>
>>> I do not understand what you mean here. So, on the Linux host (server1),
>>> if you query the user1(a)example.com, user info is returned. So what
>>> operation on the Linux host is not working? (getent, su, ssh ... copy
>>> paste the problematic commands and see our troubleshooting page).
>>>
>>>>
>>>> When setting up sssd and krb5 confs with example.com
>>>
>>>
>>>
>>> Again, realm join should set up everything for you. If you join the
>>> EXAMPLE.COM realm then the server1 host will be added to the example.com
>>> domain (you said you wanted them in the child.example.com, so I am
>>> not sure if this what you want to do, but you can try it if it works
>>> for you).
>>>
>>>> -- it attempts kinit with host/server1.child.example.com and fails
>>>> to get a tgt. AD is set to offline and it cannot query it.
>>>>
>>>> When trying to mix up these solutions I find something similar to the
>>>> cases above.
>>>> If it is possible can someone point me towards the configuration I'm
>>>> supposed to make.
>>>
>>>
>>>
>>> Try using the realm join command from the Linux host to avoid hand
>>> crafting the configuration. Note that the AD domain controller for
>>> the domain you are joining to must be DNS resolvable from the Linux
>>> host.
>>>
>>>>
>>>> Don't know if it's the place but GG for the debugging options provided
>>>> with SSSD, it is clear and powerful.
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>>>
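As an added example (not code from the thread or from SSSD itself), a small Python parser over SSSD domain-log lines of the kind quoted above, run on constructed sample lines: it lists the failover servers discovered per service and reports when a user's AD user principal realm (here CCMP.INTL) differs from the realm in the name SSSD looked the user up under, which is worth checking whenever kinit reports "KDC reply did not match expectations". The hostnames, SID and the "(a)" to "@" de-obfuscation are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the excerpts quoted in the thread
# (hostnames, SID and "(a)" -> "@" are assumptions, not captured data).
SAMPLE_LOG = """\
[ad_get_client_site_done] (0x0400): Found forest: example.com
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1pdc01.child.example.com:3268' to service 'AD_GC'
[fo_add_server_to_list] (0x0400): Inserted primary server 'ff1gdc01.example.com:3268' to service 'AD_GC'
[sdap_save_user] (0x1000): Mapping user [tbouillon@example.com] objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
[sdap_save_user] (0x0400): Adding user principal [tbouillon@CCMP.INTL] to attributes of [tbouillon@example.com].
[sysdb_store_user] (0x1000): User tbouillon@example.com does not exist.
"""

# "[function] (0xLEVEL): message" is the SSSD debug line layout
LINE_RE = re.compile(r"^\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]{4})\): (?P<msg>.*)$")
SERVER_RE = re.compile(r"Inserted (?P<kind>primary|backup) server '(?P<host>[^:']+):(?P<port>\d+)' to service '(?P<svc>[^']+)'")
UPN_RE = re.compile(r"Adding user principal \[(?P<upn>[^\]]+)\] to attributes of \[(?P<name>[^\]]+)\]")
FOREST_RE = re.compile(r"Found forest: (?P<forest>\S+)")


def parse_sssd_log(text):
    """Return failover servers per service, the forest name and the name -> UPN map."""
    servers = defaultdict(list)   # service name -> [(host, port, primary|backup)]
    upns = {}                     # name SSSD stored the user under -> UPN returned by AD
    forest = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a debug line (e.g. a blank or a comment)
        msg = m.group("msg")
        if (s := SERVER_RE.search(msg)):
            servers[s["svc"]].append((s["host"], int(s["port"]), s["kind"]))
        elif (u := UPN_RE.search(msg)):
            upns[u["name"]] = u["upn"]
        elif (f := FOREST_RE.search(msg)):
            forest = f["forest"]
    return {"servers": dict(servers), "forest": forest, "upns": upns}


def realm_mismatches(parsed):
    """Users whose AD UPN realm differs (case-insensitively) from the realm in the looked-up name."""
    out = {}
    for name, upn in parsed["upns"].items():
        used = name.rsplit("@", 1)[-1].upper()    # realm the client used
        actual = upn.rsplit("@", 1)[-1].upper()   # realm AD reports in the UPN
        if used != actual:
            out[name] = (used, actual)
    return out
```

A Kerberos client that asks for one principal and receives a reply for a different one (a different realm, for instance) fails with exactly the kinit error quoted in the thread, so a non-empty result from realm_mismatches() points at the principal name to retry with.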