Hi
I compiled SSSD 1.12.5 and tried it, but several things need to be
disabled for it to compile successfully on Wheezy. I then tried SSSD 1.9.7,
and after installation there is some more work on some .so not linked into
.so.0. I need to find out what has not been done in make install.
In the meantime I built a VM with the exact same setup as the one which
bugs me: a wheezy host (with my appliance) and an LXC container running
Jessie and samba 4 (same domain, passwords, and my test user account).
After a copy-paste of my sssd.conf, it runs on my first try!
This proves there is no bug in SSSD preventing my setup from running. This is
rather an issue somewhere in ldap or krb? Would it be useful if I check some
mandatory packages?
Can I have more details on how SSSD works with krb5?
2015-06-14 19:30 GMT+02:00 thierry DeTheGeek <dethegeek(a)gmail.com>:
Hi Davor
Yes, I noticed that when comparing several versions of my sssd.conf with
my email.
I made this mistake while writing the mail and replacing my real domain by
the dummy ones. In the server cn=users appears only once. This is confirmed
in the logs of sssd: the LDAP queries are successful and getent passwd
returns my users.
By the way I tried to build a fresh LXC container with Debian 7 (without
my appliance because it cannot run in a container) and installed sssd with
my config file. It works, and it was unexpected. Now I think my issue
should be in my operating system (package or some config) rather than sssd.
I'm following the advice of Lukas, and I began to compile sssd 1.12. I'll
feed back the results.
2015-06-14 17:13 GMT+02:00 Davor Vusir <davortvusir(a)gmail.com>:
> Your search base looks wrong
>
> ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
>
> And it is a mismatch with the path the bind DN uses
>
> Regards
> Davor
>
> -- Sent from the mobile! --
> ------------------------------
> From: thierry DeTheGeek <dethegeek(a)gmail.com>
> Sent: 2015-06-13 20:25
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] get_and_save_tgt: Preauthentication failed on debian
> 7 + sssd 1.8.4 against a samba 4 host
>
> Hi
>
> I'm working on a centralized user accounts setup, thanks to samba 4
>
> SSSD is set up on a Debian 7 host, version 1.8.4 as provided by the
> repository. This host will authenticate users against several domains:
> INTRA.DOMAIN-A.COM and INTRA.DOMAIN-B.COM. The latter domain is not set
> up yet because this work will be nearly a copy/paste from the first one.
>
> I need to make my users authenticate with a login in the form
> jdoe(a)domain-a.com . This will prevent a conflict if the user jdoe exists
> on both domains.
>
> Notice I want to drop the "intra." part in the login, so my users are not
> bored with technical details.
>
> I successfully built an sssd.conf on a Debian Jessie host, but when
> reproducing the setup on Debian 7, user authentication fails.
>
> Here is the sssd.conf file, with password and domain not revealed,
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = domain-a.com
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> # entry_cache_nowait_percentage = 300
>
> [pam]
> reconnection_retries = 3
>
> # Example LOCAL domain that stores all users natively in the SSSD internal
> # directory. These local users and groups are not visible in /etc/passwd; it
> # now contains only root and system accounts.
> # [domain/LOCAL]
> # description = LOCAL Users domain
> # id_provider = local
> # enumerate = true
> # min_id = 500
> # max_id = 999
>
> [domain/domain-a.com]
> ; Using enumerate = true leads to high load and slow response
> enumerate = true
> cache_credentials = false
> entry_cache_timeout = 5400
> # account_cache_expiration = 365
>
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
>
> ldap_uri = ldap://intra.domain-a.com
> ldap_tls_reqcert = demand
> ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
> ldap_schema = rfc2307bis
> ldap_default_bind_dn = cn=ldap-deb7,cn=users,dc=intra,dc=domain-a,dc=com
> ldap_default_authok_type = password
> ldap_default_authtok = p@ssw0rd
> ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
> ldap_user_object_class = person
> #ldap_user_principal = userPrincipalName
> ldap_user_principal = sAMAccountname
> ldap_group_object_class = group
> ldap_user_home_directory = unixHomeDirectory
> ldap_force_upper_case_realm = true
>
> krb5_server = intra.domain-a.com
> krb5_realm = INTRA.DOMAIN-A.COM
> krb5_changepw_principle = kadmin/changepw
> krb5_auth_timeout = 15
> use_fully_qualified_names = true
> # re_expression = ((intra\.(?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@$
> # full_name_format = %1$s(a)intra.%2$s
> # not available on Wheezy - sssd < 1.9.0
> # override_shell = /usr/sbin/nologin
> override_homedir = /media/homedrive/%d/users/%u
>
> - getent passwd shows my users
> - kinit jdoe(a)INTRA.DOMAIN-A.COM asks for password and succeeds
> - If logged in as root, su jdoe(a)intra.domain-a.com succeeds
> - ssh localhost -l jdoe(a)domain-a.com fails
>
> running sssd -i -d 0xFFF0 shows a huge amount of log, and it appears that
> kerberos authentication fails.
>
> (Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [become_user] (0x4000): Trying to become user [10000][10001].
> (Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30421]
> (Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [main] (0x0400): krb5_child started.
> (Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x4000): Not using FAST.
> (Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [get_and_save_tgt] (0x0020): 682: [-1765328360][Preauthentication failed]
> (Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [tgt_req_child] (0x0020): 944: [-1765328360][Preauthentication failed]
> (Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [krb5_child_done] (0x4000): child response [17][1][25].
> (Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [check_wait_queue] (0x1000): Wait queue for user [jdoe] is empty.
> (Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success]
> (Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][domain-a.com]
> (Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][domain-a.com]
>
> I think my issue is here, but I don't know how to check the kerberos
> authentication. I'm suspecting sssd sends something with the wrong domain
> part.
>
> I got a LXC container running Debian 8, and this setup seems to work
> exactly as I'm expecting.
>
> Any idea on how to troubleshoot my issue?
>
> Regards,
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
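As an added triage aid (not part of the thread, and not SSSD's own tooling), a small Python parser over the sssd -i -d 0xFFF0 records quoted in the original post: it keeps only the error-level (0x0020) records written by the krb5_child process, pulls out the Kerberos error code and text, and groups them by child pid so one failed login attempt is reported once. The function and constant names are my own; the sample records are copied from the post.

```python
import re

# Sample records copied from the sssd -i -d 0xFFF0 output quoted in the post above.
SAMPLE_LOG = """\
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [main] (0x0400): krb5_child started.
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [get_and_save_tgt] (0x0020): 682: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [tgt_req_child] (0x0020): 944: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [krb5_child_done] (0x4000): child response [17][1][25].
"""

# One sssd debug record: (timestamp) [component] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) (?P<comp>\S+) \[(?P<func>[^\]]+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Kerberos error payload as krb5_child prints it: "[<code>][<text>]"
KRB5_ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
# krb5_child tags its component field with its own pid
CHILD_PID_RE = re.compile(r"krb5_child\[(?P<pid>\d+)\]")
ERROR_LEVEL = 0x0020  # the level carried by the failing records in the post

def parse_record(line):
    """Split one debug line into its fields; None if it is not a debug record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec

def krb5_child_failures(log_text):
    """(pid, function, krb5 code, krb5 text) for each krb5_child error record."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["level"] != ERROR_LEVEL:
            continue
        pid_m = CHILD_PID_RE.search(rec["comp"])
        err_m = KRB5_ERR_RE.search(rec["msg"])
        if pid_m and err_m:
            failures.append((int(pid_m["pid"]), rec["func"],
                             int(err_m["code"]), err_m["text"]))
    return failures

def failures_by_child(log_text):
    """Group by pid: one krb5_child serves one login attempt, so each attempt is reported once."""
    grouped = {}
    for pid, func, code, text in krb5_child_failures(log_text):
        grouped.setdefault(pid, []).append((func, code, text))
    return grouped
```

Feed it the full debug output instead of SAMPLE_LOG to see every failing attempt with the krb5_child functions and error codes it produced.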