Hi Folks,
I currently have SSSD-AD working exactly as I want it, less one drawback - I have to
include the AD domain prefix everywhere to get things working.
For example, we are
whoi.edu, and in non-AD DNS, all of our hosts are $hostname.whoi.edu.
We'll call our AD domain 'adwhoi' for this discussion.
To get things working cleanly, Ansible reconfigures each host right before the AD join to
use the hostname $hostname.adwhoi.whoi.edu instead of $hostname.whoi.edu.
Hosts join AD via adcli and set the usual UPN and SPNs. AD-based identity and
authentication works just fine. GSSAPI auth works fine. Users are granted a valid TGT upon
login. Root can kinit the host keytab fine.
Deploying a new major release of Linux is always an opportunity to make a clean break and
fix annoyances like this, so I'd love to know how we can get all of the above working,
but without having to include the domain prefix in our hostnames and in our ssh
references.
I've done a fair bit of digging on this while setting up our AD join scheme and
authoring our Ansible code, but I've never been able to crack this issue, so I'd
love it if someone could clue me in.
Here are some of the relevant files in case they are helpful:
===========================================================================================
/etc/sssd/sssd.conf:
[sssd]
domains = adwhoi.whoi.edu
services = nss, pam
debug_level = 3

[domain/adwhoi.whoi.edu]
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ADWHOI.WHOI.EDU
id_provider = ad
fallback_homedir = /home/%u
override_homedir = /home/%u
default_shell = /bin/bash
ad_domain = adwhoi.whoi.edu
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
ad_gpo_access_control = disabled
ad_server = jimbob.adwhoi.whoi.edu,cleetus.adwhoi.whoi.edu
ad_backup_server = jedidiah.adwhoi.whoi.edu
ad_maximum_machine_account_password_age = 0
ldap_referrals = False
===========================================================================
/etc/krb5.conf:
[libdefaults]
default_realm = ADWHOI.WHOI.EDU
rdns = False
dns_canonicalize_hostname = False
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
ADWHOI.WHOI.EDU = {
    kdc = jimbob.adwhoi.whoi.edu
    kdc = cleetus.adwhoi.whoi.edu
    kdc = jedidiah.adwhoi.whoi.edu
    admin_server = jimbob.adwhoi.whoi.edu
    default_domain = adwhoi.whoi.edu
}

[domain_realm]
.adwhoi.whoi.edu = ADWHOI.WHOI.EDU
adwhoi.whoi.edu = ADWHOI.WHOI.EDU
===========================================================================
Example keytab (klist -k -e /etc/krb5.keytab):
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SOMEHOST$@ADWHOI.WHOI.EDU (arcfour-hmac)
   2 SOMEHOST$@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
   2 SOMEHOST$@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (arcfour-hmac)
   2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
   2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 host/SOMEHOST@ADWHOI.WHOI.EDU (arcfour-hmac)
   2 host/SOMEHOST@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
   2 host/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (arcfour-hmac)
   2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (arcfour-hmac)
   2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
==========================================================================
Thanks!
- Kodiak Firesmith
Sent with [Proton Mail](https://proton.me/) secure email.
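The post's keytab shows the mechanics of the problem: every host/ and RestrictedKrbHost/ SPN adcli registered carries the adwhoi.whoi.edu name, so a GSSAPI client that asks for host/somehost.whoi.edu will find no matching key. The following is an added example, not code from the original post or from the SSSD or adcli projects: a POSIX shell check that parses klist -k style output and reports which of those SPNs are missing for a given FQDN. The realm ADWHOI.WHOI.EDU and the principal names come from the post; the sample listing below is constructed to mirror it and is not a real keytab.

```shell
#!/bin/sh
# Added example: check a keytab listing for the SPNs GSSAPI will look up for a name.
# Not part of the original post; sample data is constructed from the post's listing.

# Constructed sample in klist -k -e format, mirroring the post (one enctype each).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SOMEHOST$@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 host/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 host/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/SOMEHOST@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/somehost.adwhoi.whoi.edu@ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96)'

# keytab_has_spn LISTING SERVICE NAME REALM
# Prints 1 if the principal SERVICE/NAME@REALM appears in LISTING, else 0.
# The match is exact (case included), which is how MIT Kerberos looks up keytab
# entries; the header lines of klist output have a non-numeric first field and
# are skipped.
keytab_has_spn() {
    listing=$1 service=$2 name=$3 realm=$4
    printf '%s\n' "$listing" | awk -v want="$service/$name@$realm" '
        BEGIN { found = 0 }
        NF >= 2 && $1 ~ /^[0-9]+$/ { if ($2 == want) found = 1 }
        END { print found }'
}

# missing_spns LISTING FQDN REALM
# Prints, one per line, the host/ and RestrictedKrbHost/ principals for FQDN that
# LISTING lacks. Empty output means the keytab can serve a client that asks for
# this exact name.
missing_spns() {
    listing=$1 fqdn=$2 realm=$3
    for svc in host RestrictedKrbHost; do
        if [ "$(keytab_has_spn "$listing" "$svc" "$fqdn" "$realm")" = 0 ]; then
            printf '%s/%s@%s\n' "$svc" "$fqdn" "$realm"
        fi
    done
}

# Against a live host (needs root to read the keytab):
#   missing_spns "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" ADWHOI.WHOI.EDU
```

With the sample listing, missing_spns prints nothing for somehost.adwhoi.whoi.edu and lists both host/somehost.whoi.edu@ADWHOI.WHOI.EDU and RestrictedKrbHost/somehost.whoi.edu@ADWHOI.WHOI.EDU for the unprefixed name, which is the gap that renaming the host before the join works around. Which name adcli registers is governed by its --host-fqdn option, and the name SSSD presents afterwards by ad_hostname in sssd.conf; the check above tells you whether the keytab matches whichever name clients actually request, before and after changing either of those.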