Hi All,
I have a properly functioning integration between RHEL 6.6/CentOS 6.6 and
Active Directory 2008 using the adcli tool and sssd-ad
(http://jhrozek.livejournal.com/3581.html):
# adcli join acme.example.com -U userdomain
# adcli info acme.example.com
[domain]
domain-name = acme.example.com
domain-short = ACME
domain-forest = example.com
domain-controller = dom1.acme.example.com
domain-controller-site = CENTRAL
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = dom1.acme.example.com dom2.acme.example.com
[computer]
computer-site = CENTRAL
The sssd.conf:
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ACME.EXAMPLE.COM
debug_level = 7
[domain/ACME.EXAMPLE.COM]
krb5_use_enterprise_principal = false
krb5_realm = ACME.EXAMPLE.COM
ldap_force_upper_case_realm = true
ldap_account_expire_policy = ad
override_homedir = /home/%d/%u
ldap_id_mapping = true
subdomain_enumerate = true
ldap_schema = ad
ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
ad_enable_gc = false
ldap_access_order = filter, expire
enumerate = false
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = ad
chpass_provider = ad
ad_server = dom1.acme.example.com, dom2.acme.example.com
ad_domain = acme.example.com
ad_hostname = client1.acme.example.com
ad_enable_dns_sites = false
dyndns_update = false
debug_level = 7
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = acme.example.com
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = true
ignore_acceptor_hostname = true
[realms]
acme.example.com = {
kdc = acme.example.com
admin_server = acme.example.com
}
[domain_realm]
.acme.example.com = acme.example.com
acme.example.com = acme.example.com
.example.com = acme.example.com
example.com = acme.example.com
[appdefaults]
debug = true
I can log in with user/password from AD to RHEL/Centos, I can change the
password, lock the account from AD, etc. It all works.
The problem is within GSSAPI SSH-SSO authentication. Simply put, it doesn't
work. I see in the logs:
Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Do you see this message when sshd is starting up or during the
connection of a client?
What principals are shown by 'klist -k'?
bye,
Sumit
Any idea what could be the reason? All I want to achieve is to get SSH-SSO
working, directly from AD desktop machine to Linux systems without password
prompt.
/lm
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
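Sumit's question above is the right first check: sshd's GSSAPI acceptor needs a host/<fqdn>@<REALM> key in /etc/krb5.keytab, and the log line complains that no matching entry was found. The following is an added example, not code from the thread or from the SSSD project: it parses the text of `klist -k` (constructed sample output embedded below, modelled on the thread's host and realm names) and reports whether the expected host principal is there, whether only a short-name variant exists, or whether the keytab's realm differs from the configured one only in case (Kerberos realm names are case-sensitive). The function names and the status labels are this example's own.

```python
import re
import sys
from typing import Dict, List, Tuple

# Matches the data rows of MIT `klist -k` output: "<kvno> <principal>".
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(output: str) -> List[Tuple[int, str]]:
    """Parse the text of `klist -k` into (kvno, principal) pairs.

    The "Keytab name:", "KVNO Principal" and dashed header lines do not
    match the row pattern and are skipped.
    """
    return [(int(m.group(1)), m.group(2))
            for m in (KLIST_ROW.match(line) for line in output.splitlines())
            if m]


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, realm); realm is '' when absent."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, "")


def check_host_principal(entries: List[Tuple[int, str]], fqdn: str,
                         realm: str) -> Dict[str, object]:
    """Decide whether a GSSAPI acceptor could find host/<fqdn>@<REALM>.

    'status' is one of (labels chosen for this example):
      ok                   exact principal present
      realm_case_mismatch  same name, realm differs only in case
      short_name_only      only host/<shortname>@REALM present
      missing              no host/ principal for this machine at all
    'principals' lists the keytab entries the verdict is based on.
    """
    wanted_name = f"host/{fqdn}"
    short_name = f"host/{fqdn.split('.')[0]}".lower()
    exact, case_only, short_only = [], [], []
    for _kvno, princ in entries:
        name, entry_realm = split_principal(princ)
        if name == wanted_name and entry_realm == realm:
            exact.append(princ)
        elif name == wanted_name and entry_realm.upper() == realm.upper():
            case_only.append(princ)
        elif name.lower() == short_name:
            short_only.append(princ)
    if exact:
        return {"status": "ok", "principals": exact}
    if case_only:
        return {"status": "realm_case_mismatch", "principals": case_only}
    if short_only:
        return {"status": "short_name_only", "principals": short_only}
    return {"status": "missing", "principals": []}


def report(output: str, fqdn: str = "client1.acme.example.com",
           realm: str = "ACME.EXAMPLE.COM") -> str:
    """One-line human-readable verdict for a `klist -k` dump."""
    result = check_host_principal(parse_klist(output), fqdn, realm)
    found = ", ".join(result["principals"]) or "none"
    return f"host/{fqdn}@{realm}: {result['status']} (keytab has: {found})"


# Constructed sample: keytab written with only the short host name.
KLIST_SHORT_ONLY = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 host/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
"""

# Constructed sample: the FQDN host principal is present.
KLIST_OK = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 host/CLIENT1@ACME.EXAMPLE.COM
   2 host/client1.acme.example.com@ACME.EXAMPLE.COM
"""

if __name__ == "__main__":
    # Pipe real output in with `klist -k | python3 keytab_check.py`;
    # without a pipe the two constructed samples are checked instead.
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))
    else:
        print(report(KLIST_SHORT_ONLY))
        print(report(KLIST_OK))
```

The check compares the configured realm string exactly, because the libraries do; passing the realm as it appears in krb5.conf and again as it appears in sssd.conf shows immediately whether the two agree with what the keytab holds.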