On 3 Aug 2017, at 10:22, Tristan Bouillon <tristan.bouillon@cheetahdigital.com> wrote:

Thanks for your time guys.

Looking through sssd stuff I almost forgot my main goal was to ssh to a server.
I did a little test with ssh, server and user in the same domain.

If I do:
$ ssh server -l tbouillon  # It works
but:
$ ssh server -l 'tbouillon@example.com' # Permission denied.

From early debug it seems like ssh sees my user like
tbouillon@example.com@example.com on the second line.
So I should find a way to make ssh understand this is a domain
extension OR for child.example.com configure the default domain when
logging in as example.com

I’ve never seen this issue. I don’t think the quotes are needed, and in my environment, this works fine:
ssh localhost -l administrator@win.trust.test
administrator@win.trust.test@localhost's password:
Last login: Mon Aug  7 17:24:19 2017 from ::1
Could not chdir to home directory /home/administrator@win.trust.test: Permission denied
-bash: /home/administrator@win.trust.test/.bash_profile: Permission denied
-bash-4.3$ id
uid=1156200500(administrator) gid=1156200513(domain users) groups=1156200513(domain users),1156200512(domain admins),1156200518(schema admins),1156200519(enterprise admins),1156200520(group policy creator owners),1156200572(denied rodc password replication group) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.3$

What is the output of “id tbouillon@example.com” ?

On 2 August 2017 at 19:40, Michal Židek <mzidek@redhat.com> wrote:
On 08/02/2017 06:01 PM, Tristan Bouillon wrote:

OK, tried to be clear but looks like I'm not :)
No big deal let's try again

Use case
I'm connected to a linux jumpbox (let's say jb.example.com) which is
in domain example.com.
I do: "$ kinit tbouillon" and get a working ticket. I can connect with
user tbouillon via ssh to all servers in example.com domain via SSSD.
Now I have this server which is in child.example.com, and I want to
connect from jb.example.com to server1.child.example.com

I do tbouillon@jb.example.com $ ssh server1.child.example.com -l
'tbouillon@example.com'
I get this result: Permission denied
(publickey,gssapi-keyex,gssapi-with-mic).

I am not completely sure, but this looks like wrong sshd configuration on
the server1.child.example.com. Did you do something with the sshd
configuration there? SSH tried to authenticate you using your public
key but failed to do so.

Sorry, I can not help you with OpenSSH much, but it does not look like
you are facing an SSSD issue.


Obviously I expected a shell like: tbouillon@server1.child.example.com

So the ssh command doesn't work well; also, on
server1.child.example.com I get
kinit tbouillon@example.com
Password for tbouillon@example.com:
kinit: KDC reply did not match expectations while getting initial
credentials

Here is the sssd.conf, sshd.log from server1, sssd.log

On 2 August 2017 at 16:41, Michal Židek <mzidek@redhat.com> wrote:

Hi Tristan,

I understand your topology from what you wrote, but I still
do not know what is your problem. See question inline.


On 08/02/2017 03:48 PM, Tristan Bouillon wrote:


Hi Michal
Thanks for answering

For the missing part :
OS: CentOS 7.3 with latest updates
SSSD: 1.14.0 release 43

So, I removed all traces of server1 (which is indeed a linux host)
from AD and tried to re join with the realm command.

Good points:
The sssd.conf provided by the realm command was not far from the one I
had. I guess my understanding of how sssd and kerberos work together
wasn't that bad.
it added:
   realmd_tags = manages-system joined-with-samba
   ldap_id_mapping = True

Now I have the same error basically. Reminder, I want my server in
child.example.com but users are in parent domain example.com
My server1 has successfully joined domain child.example.com and has a
keytab
When trying to connect, SSSD successfully finds the multiple AD servers
and the SSSD AD backend is seen as online.

[ad_get_client_site_done] (0x0400): Found forest: example.com
[ad_srv_plugin_site_done] (0x0400): About to discover primary and backup
servers
[fo_add_server_to_list] (0x0400): Inserted primary server
'ff1pdc01.child.example.com:3268' to service 'AD_GC' # Domain
controller for child.example.com
[fo_add_server_to_list] (0x0400): Inserted primary server
'ff1gdc01.example.com:3268' to service 'AD_GC'       # Domain
controller for example.com

After that I have some successful LDAP connections to different AD
servers and then it searches for my user. But it looks like the search
never goes to domain child.example.com
and after that it fails because the user doesn't exist in
child.example.com

For what purpose is something searching for your user? Again... please
tell me what is not working for you. Below you say that 'id' lookup is
successful, that means SSSD's NSS responder is working. What command is
not working for you (su, ssh, getent, id, etc.)?

Sorry, I am simple person :)

Please answer in format:
I am doing this command: (for example) getent passwd user1@example.com
                         (or) ssh localhost -l user1@example.com
I get this result: ...
I expected this result: ...
Here is my sssd.conf:
Logs from /var/log/sssd/ are in attachment.

[sdap_save_user] (0x1000): Mapping user [tbouillon@example.com]
objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
[sdap_save_user] (0x0400): Original memberOf is not available for
[tbouillon@example.com].
[sdap_save_user] (0x0400): Adding user principal [tbouillon@CCMP.INTL]
to attributes of [tbouillon@example.com].
[sdap_save_user] (0x0400): Storing info for user tbouillon@example.com
[sysdb_search_by_name] (0x0400): No such entry
[sysdb_store_user] (0x1000): User tbouillon@example.com does not exist.

On a classical shell if I do: "$ id user1.example.com" I have a correct
answer.

On 2 August 2017 at 13:19, Michal Židek <mzidek@redhat.com> wrote:

Hi,

You did not mention what SSSD version and what OS you are using.
I have few questions, see inline.

On 08/02/2017 10:59 AM, Tristan Bouillon wrote:

Hi

I have this case I'm working on and it's driving me crazy. I try to
set up something like this:

AD setup is like this with a bi-directional trust:
- example.com
\-- child.example.com
Users are registered in example.com => user1@example.com
Computers are registered in child.example.com =>
server1@child.example.com

I want to connect with  user1 to server1 with ssh and sssd.

So, server1 is a Linux host, right? You can add it to the
child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It
will automatically add server1 to the child.example.com
domain (so it did not have to be there before).

Before any debug process I want to make sure this is possible because
I'm running in circles.

When setting up sssd and krb5 confs with child.example.com:

If you set up SSSD manually there is a lot of room for errors,
I recommend using realm join and then just tweak the sssd.conf
in case something does not work the way you want.

-- sssd nss says: example.com is created as a subdomain of
child.example.com

This is OK. The 'subdomain' may be a little bit confusing, because this
refers to an internal C code structure that represents a trusted
domain,
not an actual subdomain in the DNS sense. IIRC we changed the message
recently to be less confusing.

-- but AD backend is online for child.example.com and i can query it

You mean SSSD AD backend is running on the Linux host server1, right?

-- the query for user1@example.com works great but the AD server in
child.example.com does not know the user and can't query his master AD
server.

I do not understand what you mean here. So, on the Linux host
(server1),
if you query the user1@example.com, user info is returned. So what
operation on the Linux host is not working? (getent, su, ssh ... copy
paste the problematic commands and see our troubleshooting page).


When setting up sssd and krb5 confs with example.com

Again, realm join should set up everything for you. If you join the
EXAMPLE.COM realm then the server1 host will be added to the
example.com
domain (you said you wanted them in the child.example.com, so I am
not sure if this what you want to do, but you can try it if it works
for you).

-- it attempts kinit with host/server1.child.example.com and fails
to get a TGT. AD is set to offline and it cannot query it.

When trying to mix up these solutions I find something similar to the
cases above.
If it is possible can someone point me towards the configuration I'm
supposed to make.

Try using the realm join command from the Linux host to avoid hand
crafting the configuration. Note that the AD domain controller for
the domain you are joining to must be DNS resolvable from the Linux
host.


Don't know if it's the place but GG for the debugging options provided
with SSSD, they are clear and powerful.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org

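Added example, not part of the thread and not SSSD's or OpenSSH's own code: two small checks for the symptoms discussed above, so they can be read off before digging into SSSD logs. The first parses sshd's "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)" text, which lists the methods sshd still permits after the attempted ones failed; if "password" is absent, sshd will never prompt for a password and a failed GSSAPI or public-key step is final (an sshd_config matter, not an SSSD one). The second reads an sssd.conf and says what login name PAM/NSS will accept for a short name: with use_fully_qualified_names = True, names must be user@domain unless default_domain_suffix in [sssd] supplies the suffix, which is the "configure the default domain" idea raised in the thread; users from a trusted domain are qualified as user@domain by default either way. The sample sssd.conf is constructed here, modelled on what realm join writes (the realmd_tags and ldap_id_mapping lines are the ones quoted in the thread), with default_domain_suffix added as the assumed tweak. Function names (ssh_offered_methods, ssh_offers, ini_get, expected_login_name, sample_conf) are this example's own.

```sh
#!/bin/sh
# Added example: interpret an sshd denial line and an sssd.conf naming policy.

# Print the methods sshd still offers, one per line, from its denial text.
ssh_offered_methods() {
    printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | tr ',' '\n'
}

# Exit 0 if method $2 appears in the denial text $1.
ssh_offers() {
    ssh_offered_methods "$1" | grep -qx "$2"
}

# Print the value of key $3 in section $2 of ini-style file $1 (sssd.conf layout;
# not a full ini parser: no quoting, first match wins).
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sect = ($0 ~ "^[ \t]*\\[" sect "\\][ \t]*$"); next }
        in_sect && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print the name SSSD will resolve for short name $3 on a host whose sssd.conf
# is $1 and whose joined domain is $2, following SSSD's qualification rules.
expected_login_name() {
    conf=$1; joined=$2; user=$3
    fqn=$(ini_get "$conf" "domain/$joined" use_fully_qualified_names)
    suffix=$(ini_get "$conf" sssd default_domain_suffix)
    case "$(printf '%s' "$fqn" | tr 'A-Z' 'a-z')" in
        true|yes|1)
            if [ -n "$suffix" ]; then
                printf '%s@%s\n' "$user" "$suffix"      # short name maps to this
            else
                printf '%s@%s\n' "$user" "$joined"      # short name alone is rejected
            fi ;;
        *)  printf '%s\n' "$user" ;;
    esac
}

# Constructed sssd.conf for a host joined to child.example.com; prints its path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[sssd]
domains = child.example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com

[domain/child.example.com]
ad_domain = child.example.com
krb5_realm = CHILD.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration on the thread's denial text and the sample config.
DENIAL='Permission denied (publickey,gssapi-keyex,gssapi-with-mic).'
printf 'sshd still offers:\n'; ssh_offered_methods "$DENIAL"
ssh_offers "$DENIAL" password || printf 'password auth is off: bring a ticket or a key, or change sshd_config\n'
CONF=$(sample_conf)
printf 'log in as: %s\n' "$(expected_login_name "$CONF" child.example.com tbouillon)"   # -> tbouillon@example.com
rm -f "$CONF"
```

On the real server1 the corresponding checks are the ones Michal asked for: `id tbouillon@example.com` and `getent passwd tbouillon@example.com` must succeed before ssh can, and `ssh -v server1.child.example.com -l tbouillon@example.com` shows which methods the client tried. The "KDC reply did not match expectations" message from kinit usually means the principal or realm in the KDC's answer differed from the one requested, most often a realm-name case or canonicalization mismatch; that is a krb5 and AD-trust question, separate from the sshd method list above.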