2:38 p.m.
Hi Folks,
I currently have SSSD-AD working exactly as I want it, less one drawback - I have to
include the AD domain prefix everywhere to get things working.
For example, we are whoi.edu, and in non-AD DNS, all of our hosts are $hostname.whoi.edu.
We'll call our AD domain 'adwhoi' for this discussion.
To get things working cleanly, Ansible reconfigures each host right before the AD join to
use the hostname $hostname.adwhoi.whoi.edu instead of $hostname.whoi.edu.
Hosts join AD via adcli and set the usual UPN and SPNs. AD-based identity and
authentication works just fine. GSSAPI auth works fine. Users are granted a valid TGT upon
login. Root can kinit the host keytab fine.
Deploying a new major release of Linux is always an opportunity to make a clean break and
fix annoyances like this, so I'd love to know how we can get all of the above working,
but without having to include the domain prefix in our hostnames and in our ssh
references.
I've done a fair bit of digging on this while setting up our AD join scheme and
authoring our Ansible code, but I've never been able to crack this issue, so I'd
love it if someone could clue me in.
Here's some of the relevant files in case they are helpful:
===========================================================================================
/etc/sssd/sssd.conf:
[sssd]
domains = adwhoi.whoi.edu
services = nss, pam
debug_level = 3
[domain/adwhoi.whoi.edu]
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ADWHOI.WHOI.EDU
id_provider = ad
fallback_homedir = /home/%u
override_homedir = /home/%u
default_shell = /bin/bash
ad_domain = adwhoi.whoi.edu
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
ad_gpo_access_control = disabled
ad_server = jimbob.adwhoi.whoi.edu,cleetus.adwhoi.whoi.edu
ad_backup_server = jedidiah.adwhoi.whoi.edu
ad_maximum_machine_account_password_age = 0
ldap_referrals = False
===========================================================================
/etc/krb5.conf
[libdefaults]
default_realm = ADWHOI.WHOI.EDU
rdns = False
dns_canonicalize_hostname = False
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ADWHOI.WHOI.EDU = {
kdc = jimbob.adwhoi.whoi.edu
kdc = cleetus.adwhoi.whoi.edu
kdc = jedidiah.adwhoi.whoi.edu
admin_server = jimbob.adwhoi.whoi.edu
default_domain = adwhoi.whoi.edu
}
[domain_realm]
.adwhoi.whoi.edu = ADWHOI.WHOI.EDU
adwhoi.whoi.edu = ADWHOI.WHOI.EDU
===========================================================================
Example keytab:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 SOMEHOST$(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 SOMEHOST$(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
2 SOMEHOST$(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2
RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
==========================================================================
Thanks!
- Kodiak Firesmith
Sent with [Proton Mail](https://proton.me/) secure email.
4:30 p.m.
New subject: How to correctly omit the AD domain prefix from hostnames etc
Kodiak,
I think when your DNS domain != your kerberos realm, you have to do this:
/etc/krb5.conf:
[domain_realm]
.whoi.edu <http://adwhoi.whoi.edu/> = ADWHOI.WHOI.EDU
<http://adwhoi.whoi.edu/>
i.e., this DNS domain (whoi.edu) == this kerberos realm (aka AD domain) .
/etc/sssd/sssd.conf:
[sssd]
domains = whoi.edu <http://adwhoi.whoi.edu/>
...
[domain/whoi.edu <http://adwhoi.whoi.edu/>]
..
krb5_realm = ADWHOI.WHOI.EDU <http://adwhoi.whoi.edu/>
...
ad_domain = adwhoi.whoi.edu
I think your adcli join would be something like this:
export KRB5CCNAME="FILE:/tmp/krb5cc_${SVCNAME}"
kinit ${ACCOUNTNAME}
JOINDOMAIN=adwhoi.whoi.edu
adcli join --domain="$JOINDOMAIN" --login-user=${ACCOUNTNAME}
--login-ccache="/tmp/krb5cc_$SVCNAME" --service-name='host'
--service-name='RestrictedKrbHost' --os-name="$OS_NAME"
--os-version="$OS_VERSION_FULL " --domain-ou="$OU_CONTAINER"
--show-details
--host-keytab=/etc/krb5.keytab --host-fqdn=$FQDN
--user-principal="host/$FQDN@$JOINDOMAIN"
If I've missed a step please advise.
Spike White
On Tue, Oct 18, 2022 at 2:39 PM Kodiak Firesmith <firesmith(a)protonmail.com>
wrote:
Hi Folks,
I currently have SSSD-AD working exactly as I want it, less one drawback -
I have to include the AD domain prefix everywhere to get things working.
For example, we are whoi.edu, and in non-AD DNS, all of our hosts are $
hostname.whoi.edu.
We'll call our AD domain 'adwhoi' for this discussion.
To get things working cleanly, Ansible reconfigures each host right
before the AD join to use the hostname $hostname.adwhoi.whoi.edu instead
of $hostname.whoi.edu.
Hosts join AD via adcli and set the usual UPN and SPNs. AD-based identity
and authentication works just fine. GSSAPI auth works fine. Users are
granted a valid TGT upon login. Root can kinit the host keytab fine.
Deploying a new major release of Linux is always an opportunity to make a
clean break and fix annoyances like this, so I'd love to know how we can
get all of the above working, but without having to include the domain
prefix in our hostnames and in our ssh references.
I've done a fair bit of digging on this while setting up our AD join
scheme and authoring our Ansible code, but I've never been able to crack
this issue, so I'd love it if someone could clue me in.
Here's some of the relevant files in case they are helpful:
===========================================================================================
/etc/sssd/sssd.conf:
[sssd]
domains = adwhoi.whoi.edu
services = nss, pam
debug_level = 3
[domain/adwhoi.whoi.edu]
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ADWHOI.WHOI.EDU
id_provider = ad
fallback_homedir = /home/%u
override_homedir = /home/%u
default_shell = /bin/bash
ad_domain = adwhoi.whoi.edu
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
ad_gpo_access_control = disabled
ad_server = jimbob.adwhoi.whoi.edu,cleetus.adwhoi.whoi.edu
ad_backup_server = jedidiah.adwhoi.whoi.edu
ad_maximum_machine_account_password_age = 0
ldap_referrals = False
===========================================================================
/etc/krb5.conf
[libdefaults]
default_realm = ADWHOI.WHOI.EDU
rdns = False
dns_canonicalize_hostname = False
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ADWHOI.WHOI.EDU = {
kdc = jimbob.adwhoi.whoi.edu
kdc = cleetus.adwhoi.whoi.edu
kdc = jedidiah.adwhoi.whoi.edu
admin_server = jimbob.adwhoi.whoi.edu
default_domain = adwhoi.whoi.edu
}
[domain_realm]
.adwhoi.whoi.edu = ADWHOI.WHOI.EDU
adwhoi.whoi.edu = ADWHOI.WHOI.EDU
===========================================================================
Example keytab:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 SOMEHOST$(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 SOMEHOST$(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
2 SOMEHOST$(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU
(aes128-cts-hmac-sha1-96)
2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU
(aes256-cts-hmac-sha1-96)
2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (arcfour-hmac)
2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU
(arcfour-hmac)
2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU
(aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU
(aes256-cts-hmac-sha1-96)
==========================================================================
Thanks!
- Kodiak Firesmith
Sent with Proton Mail <https://proton.me/> secure email.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
104
days inactive
104
days old
sssd-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Kodiak Firesmith -
Spike White