Thanks for your time, guys.
Looking through sssd stuff I almost forgot my main goal was to ssh to a server.
I did a little test with ssh, server and user in the same domain.
If I do:
$ ssh server -l tbouillon # It works
but:
$ ssh server -l 'tbouillon(a)example.com' # Permission denied.
From early debug it seems like ssh sees my user like
tbouillon@example.com(a)example.com on the second line.
So I should find a way to make ssh understand this is a domain
extension OR, for child.example.com, configure the default domain when
logging in as example.com.
On 2 August 2017 at 19:40, Michal Židek <mzidek(a)redhat.com> wrote:
> On 08/02/2017 06:01 PM, Tristan Bouillon wrote:
>>
>> OK, tried to be clear but looks like I'm not :)
>> No big deal let's try again
>>
>> Use case
>> I'm connected to a Linux jumpbox (let's say jb.example.com) which is
>> in domain example.com.
>> I do: "$ kinit tbouillon" and get a working ticket. I can connect with
>> user tbouillon via ssh to all servers in example.com domain via SSSD.
>> Now I have this server which is in child.example.com, and I want to
>> connect from jb.example.com to server1.child.example.com
>>
>> I do tbouillon(a)jb.example.com $ ssh server1.child.example.com -l
>> 'tbouillon(a)example.com'
>> I get this result: Permission denied
>> (publickey,gssapi-keyex,gssapi-with-mic).
>
>
> I am not completely sure, but this looks like wrong sshd configuration on
> the server1.child.example.com. Did you do something with the sshd
> configuration there? SSH tried to authenticate you using your public
> key but failed to do so.
>
> Sorry, I can not help you with OpenSSH much, but it does not look like
> you are facing an SSSD issue.
>
>
>> Obviously I expected a shell like: tbouillon(a)server1.child.example.com
>>
>> So the ssh command doesn't work well; also, when on
>> server1.child.example.com I get
>> kinit tbouillon(a)example.com
>> Password for tbouillon(a)example.com:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
>> Here is the sssd.conf, sshd.log from server1, sssd.log
>>
>> On 2 August 2017 at 16:41, Michal Židek <mzidek(a)redhat.com> wrote:
>>>
>>> Hi Tristan,
>>>
>>> I understand your topology from what you wrote, but I still
>>> do not know what is your problem. See question inline.
>>>
>>>
>>> On 08/02/2017 03:48 PM, Tristan Bouillon wrote:
>>>>
>>>>
>>>> Hi Michal
>>>> Thanks for answering
>>>>
>>>> For the missing part :
>>>> OS : Centos 7.3 with latest updates
>>>> SSSD: 1.14.0 release 43
>>>>
>>>> So, I removed all traces of server1 (which is indeed a Linux host)
>>>> from AD and tried to re join with the realm command.
>>>>
>>>> Good points:
>>>> The sssd.conf provided by the realm command was not far from the one I
>>>> had. I guess my understanding of how sssd and kerberos work together
>>>> wasn't that bad.
>>>> it added:
>>>> realmd_tags = manages-system joined-with-samba
>>>> ldap_id_mapping = True
>>>>
>>>> Now I have the same error basically. Reminder, I want my server in
>>>> child.example.com but users are in parent domain example.com
>>>> My server1 has successfully joined domain child.example.com and has a
>>>> keytab
>>>> when trying to connect sssd successfully finds the multiple AD servers
>>>> and SSSD ad backend is seen as online.
>>>>
>>>> [ad_get_client_site_done] (0x0400): Found forest: example.com
>>>> [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup
>>>> servers
>>>> [fo_add_server_to_list] (0x0400): Inserted primary server
>>>> 'ff1pdc01.child.example.com:3268' to service 'AD_GC' # Domain
>>>> controller for child.example.com
>>>> [fo_add_server_to_list] (0x0400): Inserted primary server
>>>> 'ff1gdc01.example.com:3268' to service 'AD_GC' # Domain
>>>> controller for example.com
>>>>
>>>> After that I have some successful ldap connections to different AD
>>>> servers and then it searches for my user. But it looks like the search
>>>> never goes to domain child.example.com
>>>> and after that it fails because the user doesn't exist in
>>>> child.example.com
>>>
>>>
>>>
>>> For what purpose is something searching for your user? Again... please
>>> tell me what is not working for you. Below you say that 'id' lookup is
>>> successful, that means SSSD's NSS responder is working. What command is
>>> not working for you (su, ssh, getent, id, etc.)?
>>>
>>> Sorry, I am simple person :)
>>>
>>> Please answer in format:
>>> I am doing this command: (for example) getent passwd user1(a)example.com
>>> (or) ssh localhost -l user1(a)example.com
>>> I get this result: ...
>>> I expected this result: ...
>>> Here is my sssd.conf:
>>> Logs from /var/log/sssd/ are in attachment.
>>>
>>>
>>>>
>>>> [sdap_save_user] (0x1000): Mapping user [tbouillon(a)example.com]
>>>> objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
>>>> [sdap_save_user] (0x0400): Original memberOf is not available for
>>>> [tbouillon(a)example.com].
>>>> [sdap_save_user] (0x0400): Adding user principal [tbouillon(a)CCMP.INTL]
>>>> to attributes of [tbouillon(a)example.com].
>>>> [sdap_save_user] (0x0400): Storing info for user tbouillon(a)example.com
>>>> [sysdb_search_by_name] (0x0400): No such entry
>>>> [sysdb_store_user] (0x1000): User tbouillon(a)example.com does not exist.
>>>>
>>>> On a classical shell if I do: "$ id user1.example.com" I have a correct
>>>> answer.
>>>>
>>>> On 2 August 2017 at 13:19, Michal Židek <mzidek(a)redhat.com> wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> You did not mention what SSSD version and what OS you are using.
>>>>> I have few questions, see inline.
>>>>>
>>>>> On 08/02/2017 10:59 AM, Tristan Bouillon wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I have this case I'm working on and it's driving me crazy. I try to
>>>>>> set up something like this:
>>>>>>
>>>>>> AD setup is like this with bi-directional approbation:
>>>>>> - example.com
>>>>>> \-- child.example.com
>>>>>> Have users registered in example.com => user1(a)example.com
>>>>>> computers are registered in child.example.com =>
>>>>>> server1(a)child.example.com
>>>>>>
>>>>>> I want to connect with user1 to server1 with ssh and sssd.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> So, server1 is a Linux host, right? You can add it to the
>>>>> child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It
>>>>> will automatically add server1 to the child.example.com
>>>>> domain (so it did not have to be there before).
>>>>>
>>>>>> Before any debug process I want to make sure this is possible because
>>>>>> I'm running in circles.
>>>>>>
>>>>>> When setting up sssd and krb5 confs with child.example.com:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> IF you set up SSSD manually there is a lot of room for errors,
>>>>> I recommend using realm join and then just tweak the sssd.conf
>>>>> in case something does not work the way you want.
>>>>>
>>>>>> -- sssd nss says: example.com is created as a subdomain of
>>>>>> child.example.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> This is OK. The 'subdomain' may be a little bit confusing, because this
>>>>> refers to an internal C code structure that represents a trusted
>>>>> domain,
>>>>> not an actual subdomain in the DNS sense. IIRC we changed the message
>>>>> recently to be less confusing.
>>>>>
>>>>>> -- but AD backend is online for child.example.com and I can query it
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> You mean SSSD AD backend is running on the Linux host server1, right?
>>>>>
>>>>>> -- the query for user1(a)example.com works great but the AD server in
>>>>>> child.example.com does not know the user and can't query his master AD
>>>>>> server.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I do not understand what you mean here. So, on the Linux host
>>>>> (server1),
>>>>> if you query the user1(a)example.com, user info is returned. So what
>>>>> operation on the Linux host is not working? (getent, su, ssh ... copy
>>>>> paste the problematic commands and see our troubleshooting page).
>>>>>
>>>>>>
>>>>>> When setting up sssd and krb5 confs with example.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Again, realm join should set up everything for you. If you join the
>>>>> EXAMPLE.COM realm then the server1 host will be added to the
>>>>> example.com
>>>>> domain (you said you wanted them in the child.example.com, so I am
>>>>> not sure if this is what you want to do, but you can try it if it works
>>>>> for you).
>>>>>
>>>>>> -- it attempts kinit with host/server1.child.example.com and fails
>>>>>> to get a tgt. AD is set to offline and it cannot query it.
>>>>>>
>>>>>> When trying to mix up these solutions I find something similar to the
>>>>>> cases above.
>>>>>> If it is possible can someone point me towards the configuration I'm
>>>>>> supposed to make.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Try using the realm join command from the Linux host to avoid hand
>>>>> crafting the configuration. Note that the AD domain controller for
>>>>> the domain you are joining to must be DNS resolvable from the Linux
>>>>> host.
>>>>>
>>>>>>
>>>>>> Don't know if it's the place but GG for the debugging options provided
>>>>>> with SSSD, it is clear and powerful.
>>>>>> _______________________________________________
>>>>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>>>>> To unsubscribe send an email to
>>>>>> sssd-users-leave(a)lists.fedorahosted.org
>>>>>>
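The thread above stops at the question of how to make the unqualified login name resolve to the parent-domain user. As an added example that is not part of the thread and not the SSSD project's own configuration, here is an /etc/sssd/sssd.conf for the layout described (server1 joined to child.example.com, users living in the trusted parent domain example.com). It uses the documented `default_domain_suffix` option in the `[sssd]` section, which SSSD applies to any name that has no domain component, so `ssh server1 -l tbouillon` is looked up as `tbouillon@example.com` while the host itself stays in child.example.com. The option names are real sssd.conf options; the realm, home-directory layout and the realmd tags are assumptions modelled on what `realm join` normally writes.

```ini
# Added example (not from the thread): /etc/sssd/sssd.conf on server1.child.example.com,
# a host joined to child.example.com whose users live in the parent domain example.com.
# Option names are documented sssd.conf options; the concrete values are assumptions.
[sssd]
domains = child.example.com
config_file_version = 2
services = nss, pam
# Names without a domain component ("ssh server1 -l tbouillon") are completed
# to tbouillon@example.com before lookup.
# Caveat: once this is set, users who really are in child.example.com must be
# given fully qualified (user@child.example.com) on the command line.
default_domain_suffix = example.com

[domain/child.example.com]
ad_domain = child.example.com
krb5_realm = CHILD.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# Users and groups are always shown as name@domain, so tbouillon@example.com
# and a same-named account in child.example.com cannot collide; pass that
# form to "ssh -l" when you want to be explicit.
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
```

After editing the file, restart the daemon and drop the stale cache (`systemctl restart sssd` and `sss_cache -E`), then verify the two lookups the thread relies on before touching sshd: `getent passwd tbouillon@example.com` and `id tbouillon`. If the second returns the same entry as the first, the suffix is applied and a remaining "Permission denied" from sshd is an sshd or Kerberos problem rather than an SSSD name-resolution one.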