By the way, I tried to build a fresh LXC container with Debian 7 (without my appliance, because it cannot run in a container) and installed sssd with my config file. It works, and it was unexpected. Now I think my issue should be in my operating system (package or some config) rather than sssd.

I made this mistake while writing the mail, when replacing my real domain by the dummy ones. In the server cn=users appears only once. This is confirmed in the logs of sssd: the LDAP queries are successful and getent passwd returns my users.

Hi Davor

Yes, I noticed that when comparing several versions of my sssd.conf with my email.
I'm following the advice of Lukas, and I began to compile sssd 1.12. I'll feed back the results.

2015-06-14 17:13 GMT+02:00 Davor Vusir <davortvusir@gmail.com>:

Your search base looks wrong
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
And it is a mismatch with the path the bind DN uses.
Regards
Davor
-- Sent from my little mobile! --
From: thierry DeTheGeek
Sent: 2015-06-13 20:25
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] get_and_save_tgt :Preauthentication failed on debian 7 +sssd 1.8.4 against a samba 4 host

Hi

I'm working on a centralized user accounts setup, thanks to samba 4.

SSSD is set up on a Debian 7 host, version 1.8.4 as provided by the repository. This host will authenticate users against several domains: INTRA.DOMAIN-A.COM and INTRA.DOMAIN-B.COM. The latter domain is not set up yet because this work will be nearly a copy/paste from the first one.

I need to make my users authenticate with a login in the form jdoe@domain-a.com. This will prevent a conflict if the user jdoe exists on both domains. Notice I want to drop the "intra." part in the login, so my users are not bored with technical details.

I built successfully a sssd.conf on a Debian Jessie host, but when reproducing the setup on Debian 7, user authentication fails.

Here is the sssd.conf file, with password and domain not revealed:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain-a.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# entry_cache_nowait_percentage = 300
[pam]
reconnection_retries = 3
# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd; it
# now contains only root and system accounts.
# [domain/LOCAL]
# description = LOCAL Users domain
# id_provider = local
# enumerate = true
# min_id = 500
# max_id = 999
[domain/domain-a.com]
; Using enumerate = true leads to high load and slow response
enumerate = true
cache_credentials = false
entry_cache_timeout = 5400
# account_cache_expiration = 365
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://intra.domain-a.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldap-deb7,cn=users,dc=intra,dc=domain-a,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = p@ssw0rd
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
ldap_user_object_class = person
#ldap_user_principal = userPrincipalName
ldap_user_principal = sAMAccountname
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_force_upper_case_realm = true
krb5_server = intra.domain-a.com
krb5_realm = INTRA.DOMAIN-A.COM
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15
use_fully_qualified_names = true
# re_expression = ((intra\.(?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@$
# full_name_format = %1$s@intra.%2$s
# not available on Wheezy - sssd < 1.9.0
# override_shell = /usr/sbin/nologin
override_homedir = /media/homedrive/%d/users/%u

- getent passwd shows my users
- kinit jdoe@INTRA.DOMAIN-A.COM asks for password and succeeds
- If logged in as root, su jdoe@intra.domain-a.com succeeds

Running sssd -i -d 0xFFF0 shows a huge amount of log, and it appears that kerberos authentication fails.

(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [become_user] (0x4000): Trying to become user [10000][10001].
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30421]
(Sat Jun 13 20:16:10 2015) [sssd[be[domain-a.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [main] (0x0400): krb5_child started.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Sat Jun 13 20:16:10 2015) [[sssd[krb5_child[30421]]]] [krb5_child_setup] (0x4000): Not using FAST.
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [get_and_save_tgt] (0x0020): 682: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [[sssd[krb5_child[30421]]]] [tgt_req_child] (0x0020): 944: [-1765328360][Preauthentication failed]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [krb5_child_done] (0x4000): child response [17][1][25].
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [check_wait_queue] (0x1000): Wait queue for user [jdoe] is empty.
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][domain-a.com]
(Sat Jun 13 20:16:11 2015) [sssd[be[domain-a.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][domain-a.com]

I think my issue is here, but I don't know how to check the kerberos authentication. I'm suspecting sssd sends something with the wrong domain part.

I got an LXC container running Debian 8, and this setup seems to work exactly as I'm expecting.

Any idea on how to troubleshoot my issue?

Regards,
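As an added example (my own code, not from the thread and not sssd's own tooling), here is a small Python checker that performs the reviews Davor's reply and the posted config call for: an RDN repeated inside ldap_search_base, a bind DN whose dc= suffix differs from the search base, a krb5_realm that is not upper case or does not cover the ldap_uri host, option names that look like typos, and the cleartext ldap_default_authtok that needs a root-only sssd.conf. The embedded sample config is constructed from the posted one, and KNOWN_OPTIONS is a hand-picked subset rather than sssd's full option list.

```python
#!/usr/bin/env python3
"""Sanity checks for an sssd.conf of the kind posted in this thread.

Added example: not from the mailing-list post and not sssd's own tooling.
"""
import configparser
import difflib
import sys
from urllib.parse import urlparse

# Accepted option names for the typo check.  Hand-picked subset: the options in
# the thread's config plus a few neighbours.  A real deployment would take the
# full list from sssd.conf(5), sssd-ldap(5) and sssd-krb5(5).
KNOWN_OPTIONS = {
    "config_file_version", "reconnection_retries", "sbus_timeout", "services",
    "domains", "filter_groups", "filter_users", "enumerate", "cache_credentials",
    "entry_cache_timeout", "id_provider", "auth_provider", "chpass_provider",
    "ldap_uri", "ldap_tls_reqcert", "ldap_tls_cacert", "ldap_schema",
    "ldap_default_bind_dn", "ldap_default_authtok_type", "ldap_default_authtok",
    "ldap_search_base", "ldap_user_object_class", "ldap_user_principal",
    "ldap_group_object_class", "ldap_user_home_directory",
    "ldap_force_upper_case_realm", "krb5_server", "krb5_realm",
    "krb5_changepw_principal", "krb5_auth_timeout", "use_fully_qualified_names",
    "override_homedir", "override_shell", "re_expression", "full_name_format",
}


def parse_dn(dn):
    """Split 'CN=a,DC=b' into [('cn', 'a'), ('dc', 'b')], lower-cased.
    Escaped commas inside values are not handled (AD-style DNs do not need it)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def check_config(text):
    """Return a list of finding strings for sssd.conf content given as a string."""
    cp = configparser.ConfigParser(interpolation=None)  # %u and %d must survive
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        # 1. option names that are not known, with the closest known name as a hint
        for key in cp[section]:
            if key not in KNOWN_OPTIONS:
                close = difflib.get_close_matches(key, KNOWN_OPTIONS, n=1, cutoff=0.8)
                hint = f" (did you mean {close[0]}?)" if close else ""
                findings.append(f"[{section}] unknown option {key}{hint}")
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        base = parse_dn(dom["ldap_search_base"]) if "ldap_search_base" in dom else []
        # 2. an RDN repeated back to back, e.g. cn=users,cn=users,dc=...
        for a, b in zip(base, base[1:]):
            if a == b:
                findings.append(f"[{section}] ldap_search_base repeats RDN {a[0]}={a[1]}")
        # 3. bind DN and search base should share the same dc= suffix
        if base and "ldap_default_bind_dn" in dom:
            bind = parse_dn(dom["ldap_default_bind_dn"])
            if [r for r in bind if r[0] == "dc"] != [r for r in base if r[0] == "dc"]:
                findings.append(f"[{section}] ldap_default_bind_dn and ldap_search_base "
                                "have different dc= suffixes")
        # 4. realm must be upper case and the LDAP host should belong to it
        realm = dom.get("krb5_realm", "")
        if realm and realm != realm.upper():
            findings.append(f"[{section}] krb5_realm {realm} is not upper case")
        first_uri = dom.get("ldap_uri", "").split(",")[0].strip()
        host = urlparse(first_uri).hostname or ""
        if realm and host and not host.endswith(realm.lower()):
            findings.append(f"[{section}] ldap_uri host {host} is not in realm {realm}")
        # 5. a cleartext bind password: the file must be root-only and TLS enforced
        if "ldap_default_authtok" in dom:
            findings.append(f"[{section}] ldap_default_authtok is a cleartext secret: "
                            "keep sssd.conf mode 0600 root:root")
            if dom.get("ldap_tls_reqcert", "hard") not in ("demand", "hard"):
                findings.append(f"[{section}] ldap_tls_reqcert should be demand "
                                "when a bind password is used")
    return findings


# Constructed sample: the posted config cut down to the lines that matter, with
# the two defects the thread discusses (cn=users twice, misspelled option) kept.
POSTED = """\
[sssd]
services = nss, pam
domains = domain-a.com

[domain/domain-a.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://intra.domain-a.com
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=ldap-deb7,cn=users,dc=intra,dc=domain-a,dc=com
ldap_default_authok_type = password
ldap_default_authtok = p@ssw0rd
ldap_search_base = cn=users,cn=users,dc=intra,dc=domain-a,dc=com
krb5_realm = INTRA.DOMAIN-A.COM
override_homedir = /media/homedrive/%d/users/%u
"""
# The same config with both mistakes corrected.
FIXED = POSTED.replace("cn=users,cn=users", "cn=users").replace("authok_type", "authtok_type")

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED
    for finding in check_config(conf):
        print(finding)
```

Run it as `python3 check_sssd_conf.py /etc/sssd/sssd.conf`; with no argument it reports on the embedded sample, where it flags the doubled cn=users, suggests ldap_default_authtok_type for the misspelled option, and reminds about the cleartext bind password. Later sssd releases ship `sssctl config-check`, which validates option names against the real schema; the script is only meant to show what to look at on a 1.8-era host that lacks it.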
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users