[Freeipa-users] Cross domain trust

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 6 16:14:27 UTC 2014


On Thu, 06 Feb 2014, Steve Dainard wrote:
>So I've completed the setup, and can see the trust on the Windows side.
>
>I've joined a client to the IPA realm, and can login with a IPA user. When
>I try to login (console, ssh, su -) as a domain user I get:
>
>--------CLIENT SIDE--------
>
>[root@rhel6-client ~]# su - sdainard@miovision
>su: user sdainard@miovision does not exist
>[root@rhel6-client ~]# su - sdainard@MIOVISION.CORP
>su: user sdainard@MIOVISION.CORP does not exist
>[root@rhel6-client ~]# su - sdainard@miovision.corp
>su: user sdainard@miovision.corp does not exist
>
>
>[root@rhel6-client ~]# ssh sdainard@miovision@localhost
>sdainard@miovision@localhost's password:
>Permission denied, please try again.
>
>
>/var/log/secure:
>Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
>unknown
>Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>Feb  6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
>retrieving information about user sdainard@miovision
>Feb  6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
>sdainard@miovision from ::1 port 47391 ssh2
>Feb  6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
>Feb  6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
>Feb  6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
>sdainard@miovision
>Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
>unknown
>Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>Feb  6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
>retrieving information about user sdainard@miovision
>Feb  6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
>sdainard@miovision from ::1 port 47417 ssh2
Note that there are no logs from sssd above, which means sssd was never
consulted.

>
>No logs for sssd;
># pwd
>/var/log/sssd
>[root@snapshot-test sssd]# ll
>total 0
>-rw-------. 1 root root 0 Feb  5 17:38 krb5_child.log
>-rw-------. 1 root root 0 Feb  5 17:38 ldap_child.log
>-rw-------. 1 root root 0 Feb  5 17:37 sssd.log
>-rw-------. 1 root root 0 Feb  5 17:38 sssd_miolinux.corp.log
>-rw-------. 1 root root 0 Feb  5 17:38 sssd_nss.log
>-rw-------. 1 root root 0 Feb  5 17:38 sssd_pac.log
>-rw-------. 1 root root 0 Feb  5 17:38 sssd_pam.log
>-rw-------. 1 root root 0 Feb  5 17:38 sssd_ssh.log
sssd doesn't log unless asked to. Each section of /etc/sssd/sssd.conf can
have a
   debug_level = <value>
line. For more details see sssd.conf(5).

>
>/etc/sssd/sssd.conf:
>[domain/miolinux.corp]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = miolinux.corp
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = rhel6-client.miolinux.corp
>chpass_provider = ipa
>ipa_server = _srv_, ipa1.miolinux.corp
>ldap_tls_cacert = /etc/ipa/ca.crt
You are missing the SSSD configuration for trusts:

subdomains_provider = ipa

>[sssd]
>services = nss, pam, ssh
and here the 'pac' service also has to be referenced in the 'services = '
line

>config_file_version = 2
>
>domains = miolinux.corp
>[nss]
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>
>

Basically, the situation should look like this:

1. The IPA master server is configured to talk to the AD DC, using winbindd
    in the background (on RHEL 6.x; in current Fedora this is done by SSSD
    talking directly to the AD LDAP services). SSSD on the IPA master uses
    it to resolve IDs for AD users and groups. This requires a special
    setup of SSSD on the IPA master, with

    [domain/...]
    subdomains_provider = ipa

    and

    [sssd]
      services = ..., pac

    In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on the IPA
    master automatically by setting

    ipa_master_mode = True

    On RHEL 6.x one needs to add the parameters manually.

2. /etc/krb5.conf has to contain auth_to_local rules that map AD
    principals to their lower-cased versions, because some applications
    (SSH) are very picky about user/principal name mapping. This has to be
    done on both IPA masters and IPA clients.

3. On IPA clients SSSD needs to have the following in
    /etc/sssd/sssd.conf

    [domain/...]
    subdomains_provider = ipa

    and

    [sssd]
    services = ..., pac

    With these changes SSSD on the IPA client will recognize AD users and
    request the IPA master to perform name/SID/etc. resolution, and will
    also make an attempt to parse the special part of the Kerberos ticket
    generated by the AD DC (MS-PAC) that contains a signed cached copy of
    the group membership of AD users.

SSSD needs a restart after each config change.

You can do the checks step by step to see whether things are working:

1. Ensure that SSSD on the IPA master resolves the AD user properly:

    getent passwd user@ad.domain

    Should return a non-empty entry.

2. Ensure that SSSD on the IPA client resolves the AD user properly:

    getent passwd user@ad.domain

    Should return a non-empty entry.

3. Ensure that the Kerberos infrastructure works:

    kinit user@ad.domain
    kvno -S host ipa.client.domain

4. Attempt to use the Kerberos ticket:

    ssh -l user@ad.domain ipa.client.domain

    At this point, if everything works fine, sshd will authenticate
    user@ad.domain by its Kerberos ticket and authorize its access.


-- 
/ Alexander Bokovoy
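The two sssd.conf settings and the krb5.conf auth_to_local rule described in the reply above, as an added worked example that is not part of the thread and not FreeIPA or SSSD code. It statically checks an IPA client's sssd.conf for `subdomains_provider = ipa` in every `[domain/...]` section and for `pac` in the `[sssd]` services list, using the config posted in the thread (constructed inline, trust settings missing) next to its corrected form, and it emits the `[realms]` fragment for the lower-casing rule. The realm names MIOLINUX.CORP and MIOVISION.CORP are taken from the thread; the exact RULE regex is an assumption of this example (standard MIT Kerberos RULE syntax), not something the reply spells out.

```python
"""Check an IPA client's sssd.conf for AD-trust settings and emit the
krb5.conf auth_to_local rule.  Added example; not SSSD/FreeIPA code."""
import configparser

# Constructed input: the client config posted in the thread (trust bits missing).
BROKEN_SSSD_CONF = """\
[domain/miolinux.corp]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-client.miolinux.corp
chpass_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp

[nss]
[pam]
[ssh]
[pac]
"""

# The same config with the two settings the reply asks for added.
FIXED_SSSD_CONF = BROKEN_SSSD_CONF.replace(
    "ldap_tls_cacert = /etc/ipa/ca.crt",
    "ldap_tls_cacert = /etc/ipa/ca.crt\nsubdomains_provider = ipa",
).replace("services = nss, pam, ssh", "services = nss, pam, ssh, pac")


def check_trust_config(text):
    """Return a list of problems; an empty list means the trust settings are present."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    problems = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        problems.append("no [domain/...] section found")
    for sec in domains:
        if cp.get(sec, "id_provider", fallback="").strip() != "ipa":
            problems.append(f"{sec}: id_provider is not ipa")
        # Without this the client never asks the IPA master about AD subdomains,
        # so AD users are "unknown" and sssd is never consulted (as in the thread).
        if cp.get(sec, "subdomains_provider", fallback="").strip() != "ipa":
            problems.append(f"{sec}: subdomains_provider = ipa is missing")
    raw = cp.get("sssd", "services", fallback="")
    services = [s.strip() for s in raw.split(",") if s.strip()]
    # The pac responder parses the MS-PAC in AD-issued tickets for group data.
    if "pac" not in services:
        problems.append("[sssd]: 'pac' is not listed in services")
    return problems


def auth_to_local_rules(ipa_realm, ad_realm):
    """krb5.conf [realms] fragment mapping user@AD.REALM to user@ad.realm.

    RULE:[1:$1@$0] rebuilds 'user@REALM' from a one-component principal,
    the (...) part selects principals from the AD realm, and s/// lower-cases
    the realm.  The regex itself is an assumption of this example."""
    lower = ad_realm.lower()
    return (
        f"  {ipa_realm} = {{\n"
        f"    auth_to_local = RULE:[1:$1@$0](^.*@{ad_realm}$)s/@{ad_realm}/@{lower}/\n"
        f"    auth_to_local = DEFAULT\n"
        f"  }}\n"
    )


if __name__ == "__main__":
    for name, conf in (("posted", BROKEN_SSSD_CONF), ("fixed", FIXED_SSSD_CONF)):
        found = check_trust_config(conf)
        print(f"{name} sssd.conf: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
    print("[realms]")
    print(auth_to_local_rules("MIOLINUX.CORP", "MIOVISION.CORP"), end="")
```

Run it against a real /etc/sssd/sssd.conf by reading the file into check_trust_config(); it only detects the two omissions discussed in the thread and does not replace restarting sssd and walking the getent/kinit/kvno/ssh steps above.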