Hi Folks, I currently have SSSD-AD working exactly as I want it, less one drawback - I have to include the AD domain prefix everywhere to get things working.
For example, we are whoi.edu, and in non-AD DNS, all of our hosts are $hostname.whoi.edu. We'll call our AD domain 'adwhoi' for this discussion.
To get things working cleanly, Ansible reconfigures each host right before the AD join to use the hostname $hostname.adwhoi.whoi.edu instead of $hostname.whoi.edu.
Hosts join AD via adcli and set the usual UPN and SPNs. AD-based identity and authentication works just fine. GSSAPI auth works fine. Users are granted a valid TGT upon login. Root can kinit the host keytab fine.
Deploying a new major release of Linux is always an opportunity to make a clean break and fix annoyances like this, so I'd love to know how we can get all of the above working, but without having to include the domain prefix in our hostnames and in our ssh references.
I've done a fair bit of digging on this while setting up our AD join scheme and authoring our Ansible code, but I've never been able to crack this issue, so I'd love it if someone could clue me in.
Here's some of the relevant files in case they are helpful: =========================================================================================== /etc/sssd/sssd.conf: [sssd] domains = adwhoi.whoi.edu services = nss, pam debug_level = 3 [domain/adwhoi.whoi.edu] krb5_store_password_if_offline = True cache_credentials = True krb5_realm = ADWHOI.WHOI.EDU id_provider = ad fallback_homedir = /home/%u override_homedir = /home/%u default_shell = /bin/bash ad_domain = adwhoi.whoi.edu use_fully_qualified_names = False ldap_id_mapping = False access_provider = ad ad_gpo_access_control = disabled ad_server = jimbob.adwhoi.whoi.edu,cleetus.adwhoi.whoi.edu ad_backup_server = jedidiah.adwhoi.whoi.edu ad_maximum_machine_account_password_age = 0 ldap_referrals = False =========================================================================== /etc/krb5.conf [libdefaults] default_realm = ADWHOI.WHOI.EDU rdns = False dns_canonicalize_hostname = False
# The following krb5.conf variables are only for MIT Kerberos. kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos. fcc-mit-ticketflags = true
[realms] ADWHOI.WHOI.EDU = { kdc = jimbob.adwhoi.whoi.edu kdc = cleetus.adwhoi.whoi.edu kdc = jedidiah.adwhoi.whoi.edu
admin_server = jimbob.adwhoi.whoi.edu default_domain = adwhoi.whoi.edu }
[domain_realm] .adwhoi.whoi.edu = ADWHOI.WHOI.EDU adwhoi.whoi.edu = ADWHOI.WHOI.EDU =========================================================================== Example keytab: Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 SOMEHOST$@ADWHOI.WHOI.EDU (arcfour-hmac) 2 SOMEHOST$@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 SOMEHOST$@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (arcfour-hmac) 2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 host/SOMEHOST@ADWHOI.WHOI.EDU (arcfour-hmac) 2 host/SOMEHOST@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 host/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (arcfour-hmac) 2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (arcfour-hmac) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) ==========================================================================
Thanks! - Kodiak Firesmith
Sent with [Proton Mail](https://proton.me/) secure email.
Kodiak,
I think when your DNS domain != your kerberos realm, you have to do this:
/etc/krb5.conf:
[domain_realm] .whoi.edu http://adwhoi.whoi.edu/ = ADWHOI.WHOI.EDU http://adwhoi.whoi.edu/
i.e., this DNS domain (whoi.edu) == this kerberos realm (aka AD domain) .
/etc/sssd/sssd.conf: [sssd] domains = whoi.edu http://adwhoi.whoi.edu/ ... [domain/whoi.edu http://adwhoi.whoi.edu/] .. krb5_realm = ADWHOI.WHOI.EDU http://adwhoi.whoi.edu/ ... ad_domain = adwhoi.whoi.edu
I think your adcli join would be something like this:
export KRB5CCNAME="FILE:/tmp/krb5cc_${SVCNAME}" kinit ${ACCOUNTNAME} JOINDOMAIN=adwhoi.whoi.edu adcli join --domain="$JOINDOMAIN" --login-user=${ACCOUNTNAME} --login-ccache="/tmp/krb5cc_$SVCNAME" --service-name='host' --service-name='RestrictedKrbHost' --os-name="$OS_NAME" --os-version="$OS_VERSION_FULL " --domain-ou="$OU_CONTAINER" --show-details --host-keytab=/etc/krb5.keytab --host-fqdn=$FQDN --user-principal="host/$FQDN@$JOINDOMAIN"
If I've missed a step please advise.
Spike White
On Tue, Oct 18, 2022 at 2:39 PM Kodiak Firesmith firesmith@protonmail.com wrote:
Hi Folks, I currently have SSSD-AD working exactly as I want it, less one drawback - I have to include the AD domain prefix everywhere to get things working.
For example, we are whoi.edu, and in non-AD DNS, all of our hosts are $ hostname.whoi.edu. We'll call our AD domain 'adwhoi' for this discussion.
To get things working cleanly, Ansible reconfigures each host right before the AD join to use the hostname $hostname.adwhoi.whoi.edu instead of $hostname.whoi.edu.
Hosts join AD via adcli and set the usual UPN and SPNs. AD-based identity and authentication works just fine. GSSAPI auth works fine. Users are granted a valid TGT upon login. Root can kinit the host keytab fine.
Deploying a new major release of Linux is always an opportunity to make a clean break and fix annoyances like this, so I'd love to know how we can get all of the above working, but without having to include the domain prefix in our hostnames and in our ssh references.
I've done a fair bit of digging on this while setting up our AD join scheme and authoring our Ansible code, but I've never been able to crack this issue, so I'd love it if someone could clue me in.
Here's some of the relevant files in case they are helpful:
=========================================================================================== /etc/sssd/sssd.conf: [sssd] domains = adwhoi.whoi.edu services = nss, pam debug_level = 3 [domain/adwhoi.whoi.edu] krb5_store_password_if_offline = True cache_credentials = True krb5_realm = ADWHOI.WHOI.EDU id_provider = ad fallback_homedir = /home/%u override_homedir = /home/%u default_shell = /bin/bash ad_domain = adwhoi.whoi.edu use_fully_qualified_names = False ldap_id_mapping = False access_provider = ad ad_gpo_access_control = disabled ad_server = jimbob.adwhoi.whoi.edu,cleetus.adwhoi.whoi.edu ad_backup_server = jedidiah.adwhoi.whoi.edu ad_maximum_machine_account_password_age = 0 ldap_referrals = False =========================================================================== /etc/krb5.conf [libdefaults] default_realm = ADWHOI.WHOI.EDU rdns = False dns_canonicalize_hostname = False
# The following krb5.conf variables are only for MIT Kerberos. kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos. fcc-mit-ticketflags = true
[realms] ADWHOI.WHOI.EDU = { kdc = jimbob.adwhoi.whoi.edu kdc = cleetus.adwhoi.whoi.edu kdc = jedidiah.adwhoi.whoi.edu
admin_server = jimbob.adwhoi.whoi.edu default_domain = adwhoi.whoi.edu }[domain_realm] .adwhoi.whoi.edu = ADWHOI.WHOI.EDU adwhoi.whoi.edu = ADWHOI.WHOI.EDU =========================================================================== Example keytab: Keytab name: FILE:/etc/krb5.keytab KVNO Principal
2 SOMEHOST$@ADWHOI.WHOI.EDU (arcfour-hmac) 2 SOMEHOST$@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 SOMEHOST$@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (arcfour-hmac) 2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 host/SOMEHOST@ADWHOI.WHOI.EDU (arcfour-hmac) 2 host/SOMEHOST@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 host/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (arcfour-hmac) 2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (arcfour-hmac) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) ==========================================================================
Thanks!
- Kodiak Firesmith
Sent with Proton Mail https://proton.me/ secure email. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
sssd-users@lists.fedorahosted.org
-
Kodiak Firesmith -
Spike White