Hi All,
; Domain/computer discovery output as posted (looks like `adcli info` / `realm`
; output; confirm). The DC is advertised with the kdc flag and as writable, and
; the computer resolves to the same site, so KDC reachability is not the
; obvious problem for the SSH failure below.
[domain]
domain-short = ACME
domain-controller-site = CENTRAL
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
[computer]
computer-site = CENTRAL
The sssd.conf (as pasted; see the notes inside):
# sssd.conf as posted. NOTE(review): only a [sssd] header is visible. Every key
# from krb5_use_enterprise_principal onward is a domain-scope option that SSSD
# only honours inside a [domain/<name>] section whose name is listed in
# `domains =` under [sssd]; neither appears here. Confirm the header and the
# `domains =` line were not lost when pasting - as shown, SSSD would ignore
# these keys, which does not match "password login works".
[sssd]
services = nss, pam, ssh
config_file_version = 2
# Level 7 is very verbose; the logs under /var/log/sssd can contain user names,
# DNs and host details. Return to the default once the problem is understood.
debug_level = 7
krb5_use_enterprise_principal = false
ldap_force_upper_case_realm = true
ldap_account_expire_policy = ad
override_homedir = /home/%d/%u
ldap_id_mapping = true
subdomain_enumerate = true
ldap_schema = ad
# A plain memberOf= filter matches direct members only; a user whose
# membership in linuxgroup is via a nested group is denied. If nested
# membership is intended, use the AD matching-rule form
# memberOf:1.2.840.113556.1.4.1941:=CN=linuxgroup,... instead.
ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
ad_enable_gc = false
# Access is granted only if the filter matches AND the AD account is not expired.
ldap_access_order = filter, expire
enumerate = false
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = ad
chpass_provider = ad
ad_enable_dns_sites = false
# The host will not maintain its own A/PTR records; with rdns = true in
# krb5.conf, a stale or missing PTR then affects service-name canonicalisation.
dyndns_update = false
# Duplicate of the debug_level key above; keep only one (last-wins here, but
# the duplicate obscures the effective setting).
debug_level = 7
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Realm and KDC discovery rely entirely on DNS here and [domain_realm] below is
# empty. DNS answers are unauthenticated; an explicit host/domain -> realm
# mapping in [domain_realm] is more robust than dns_lookup_realm = true.
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
# Makes TGTs forwardable. Whether credentials are actually delegated to the SSH
# server is decided by the client (GSSAPIDelegateCredentials); it is not
# needed for plain SSO login.
forwardable = true
# Canonicalises the service host name through reverse DNS (PTR) before a
# service ticket is requested. If the PTR yields a name other than the one in
# the keytab the result is exactly a "No key table entry found" error; this is
# commonly set to false with AD. NOTE(review): worth checking here, since the
# syslog host is ipatst02 but sshd looks for host/client1.acme.example.com.
rdns = true
# Lets the acceptor (sshd) use any host/ key present in the keytab regardless of
# the name the client targeted. This weakens the binding between a service
# ticket and the host identity and is meant as a multi-homed workaround; it
# needs MIT krb5 >= 1.10 to have any effect, and the keytab must still hold
# some host/ key.
ignore_acceptor_hostname = true
[realms]
# NOTE(review): a bare "}" with no opening "REALM = {" line is a profile syntax
# error for libkrb5; the realm stanza was presumably dropped when pasting.
# Confirm the real file, since password login is reported to work.
}
[domain_realm]
[appdefaults]
debug = true
I can log in with an AD user/password on RHEL/CentOS, change the password, lock the account from AD, etc. All of that works.
The problem is GSSAPI SSH single sign-on. Put simply, it does not work. I see in the sshd logs:
Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information
No key table entry found matching host/client1.acme.example.com@
I read this as sshd not finding a key for host/client1.acme.example.com in its keytab (/etc/krb5.keytab by default; `klist -k /etc/krb5.keytab` lists the host/ principals it holds). The syslog host name is ipatst02, so the name sshd looks up may not be the name the machine was joined under; the host FQDN, its PTR record and the computer object's SPNs would need to agree. Any idea what the reason could be? All I want to achieve is SSH SSO straight from an AD desktop to the Linux systems without a password prompt.
/lm