Main goal is to authenticate against multiple Kerberos Realms, AD domains without joining the Linux box to AD.
We have an AD forest with 2 trusted domains and, as a result, 2 Kerberos realms, 1 per domain. On RHEL 5, 6 and 7 I used pam_krb5 for authentication and passwd/group files for the user store. This allowed me to authenticate against AD for users in the passwd file that match the KRB5 principal. In system-auth/password-auth I would stack PAM entries for each KRB5 realm:
Parent: EXAMPLE.COM
Domain1: ADA.EXAMPLE.COM
Domain2: ADB.EXAMPLE.COM

passwd user: joe_doe, krb5 principal: joe_doe@ADA.EXAMPLE.COM
passwd user: joe_blow, krb5 principal: joe_blow@ADB.EXAMPLE.COM

system-auth:
    auth sufficient pam_krb5.so realm=ADA.EXAMPLE.COM use_first_pass
    auth sufficient pam_krb5.so realm=ADB.EXAMPLE.COM use_first_pass
In this case either joe_doe or joe_blow can log in via AD credentials, and PAM would iterate through the stacked pam_krb5 entries to locate the matching krb5 principal.
I am trying to replicate this on Red Hat Enterprise Linux 8. I am aware pam_krb5 is not an option and that SSSD is the default for this use case. What I cannot figure out is how to authenticate against multiple domains in SSSD. If I define 1 domain in sssd.conf with id_provider = files, I can authenticate fine against the single domain/Kerberos 5 realm.
If I add multiple domains, sssd does not iterate through them; it fails if it does not find the user in the first domain.
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = ADA.EXAMPLE.COM,ADB.EXAMPLE.COM

    [pam]
    #pam_local_domains = all

    [domain/ADA.EXAMPLE.COM]
    id_provider = files
    auth_provider = krb5
    krb5_server = adadc.ada.example.com
    krb5_kpasswd = adadc.ada.example.com
    krb5_realm = ADA.EXAMPLE.COM
    dns_discovery_domain = ADA.EXAMPLE.COM
    krb5_validate = false

    [domain/ADB.EXAMPLE.COM]
    id_provider = files
    auth_provider = krb5
    krb5_server = adbdc.adb.example.com
    krb5_kpasswd = adbdc.adb.example.com
    krb5_realm = ADB.EXAMPLE.COM
    dns_discovery_domain = ADB.EXAMPLE.COM
    krb5_validate = false
Is what I am attempting possible without joining AD and using the provider of AD? I would like to avoid this at all costs.
Thanks
On Fri, Jul 03, 2020 at 12:38:54PM -0700, Techie wrote:
Hi,
It is the other way round: SSSD finds the user already in the first domain, because both domains have the same source for users and groups ('id_provider = files'), and it tries to authenticate the user in the first domain as well, and this fails. Since SSSD does not do trial and error by default, this error is treated as final and no other domains are looked at.
pam_sss.so has an option 'domains' which in theory can be used to create a PAM configuration similar to the one you are using with pam_krb5, but currently this would fail as well, because the allowed domains are evaluated too late, and with the same source for users and groups it still won't be possible to authenticate users from the second domain.
As a workaround you can try to use fully-qualified names and split the source into two, using the passwd_files option of the files provider; see man sssd-files for details.
Since this is not the first time we were asked how to migrate this kind of pam_krb5 setup, I created https://github.com/SSSD/sssd/pull/5234, which should allow multiple pam_sss.so lines with the domains option in the PAM configuration to work without additional changes.
HTH
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
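The workaround Sumit describes (split the files source per domain and use fully-qualified names), written out as an added sssd.conf example that is not from the thread. The per-domain file paths are assumed; the realm, KDC names and users are the ones from the original post.

```ini
# Added example, not the thread's own config. In the original setup both
# domains read the same /etc/passwd, so SSSD "finds" joe_blow in
# ADA.EXAMPLE.COM first, tries Kerberos there, and stops at the failure.
# Splitting the user store per domain and requiring fully-qualified login
# names (joe_blow@ADB.EXAMPLE.COM) lets the name itself select the domain.
[sssd]
config_file_version = 2
services = nss, pam
domains = ADA.EXAMPLE.COM, ADB.EXAMPLE.COM

[domain/ADA.EXAMPLE.COM]
id_provider = files
# assumed paths: only ADA users/groups go in these files
passwd_files = /etc/sssd/passwd.ada
group_files = /etc/sssd/group.ada
use_fully_qualified_names = True
auth_provider = krb5
krb5_realm = ADA.EXAMPLE.COM
krb5_server = adadc.ada.example.com
krb5_kpasswd = adadc.ada.example.com
# false skips checking the TGT against a host keytab (there is none
# without a join); enabling it needs a keytab for this realm.
krb5_validate = false

[domain/ADB.EXAMPLE.COM]
id_provider = files
# assumed paths: only ADB users/groups go in these files
passwd_files = /etc/sssd/passwd.adb
group_files = /etc/sssd/group.adb
use_fully_qualified_names = True
auth_provider = krb5
krb5_realm = ADB.EXAMPLE.COM
krb5_server = adbdc.adb.example.com
krb5_kpasswd = adbdc.adb.example.com
krb5_validate = false
```

Once the fix from PR 5234 (sssd 2.4.0, per the thread) is installed, the stacked form `auth sufficient pam_sss.so domains=ADA.EXAMPLE.COM use_first_pass` followed by the same line with `domains=ADB.EXAMPLE.COM` is what the PR targets, without splitting the store.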
Hello,
Thanks for the information. I looked at the link you provided. I see this, which I think is what might help in my case: "intg: krb5 auth and pam_sss domains option test".
I was wondering if you had any idea if and when the behavior of pam_krb5 with multiple domains using pam_sss would be available? I recently installed the latest version of RHEL and it still fails. I can use 2 different user stores and it works fine, however, this means maintaining different user stores and breaks shadow adherence.
Perhaps this functionality is available and I am setting up incorrectly.
Thank you
On Tue, Jul 7, 2020 at 8:23 AM Sumit Bose sbose@redhat.com wrote:
On Wed, Dec 16, 2020 at 04:02:08PM -0700, Techie wrote:
Hi,
The fixes from https://github.com/SSSD/sssd/pull/5234 were released with sssd-2.4.0, which is already available for Fedora 32 and newer versions. Unfortunately it came too late for the current RHEL 8.3 release, but it is planned for the next.
bye, Sumit