[Freeipa-users] Cross domain trust
Alexander Bokovoy
abokovoy at redhat.com
Thu Feb 6 16:14:27 UTC 2014
On Thu, 06 Feb 2014, Steve Dainard wrote:
>So I've completed the setup, and can see the trust on the Windows side.
>
>I've joined a client to the IPA realm, and can login with a IPA user. When
>I try to login (console, ssh, su -) as a domain user I get:
>
>--------CLIENT SIDE--------
>
>[root at rhel6-client ~]# su - sdainard at miovision
>su: user sdainard at miovision does not exist
>[root at rhel6-client ~]# su - sdainard at MIOVISION.CORP
>su: user sdainard at MIOVISION.CORP does not exist
>[root at rhel6-client ~]# su - sdainard at miovision.corp
>su: user sdainard at miovision.corp does not exist
>
>
>[root at rhel6-client ~]# ssh sdainard at miovision@localhost
>sdainard at miovision@localhost's password:
>Permission denied, please try again.
>
>
>/var/log/secure:
>Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
>unknown
>Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>Feb 6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
>retrieving information about user sdainard at miovision
>Feb 6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
>sdainard at miovision from ::1 port 47391 ssh2
>Feb 6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
>Feb 6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard at miovision from ::1
>Feb 6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
>sdainard at miovision
>Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
>unknown
>Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>Feb 6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
>retrieving information about user sdainard at miovision
>Feb 6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
>sdainard at miovision from ::1 port 47417 ssh2
Note that there are no logs from sssd above, which means sssd was never
consulted.
>
>No logs for sssd;
># pwd
>/var/log/sssd
>[root at snapshot-test sssd]# ll
>total 0
>-rw-------. 1 root root 0 Feb 5 17:38 krb5_child.log
>-rw-------. 1 root root 0 Feb 5 17:38 ldap_child.log
>-rw-------. 1 root root 0 Feb 5 17:37 sssd.log
>-rw-------. 1 root root 0 Feb 5 17:38 sssd_miolinux.corp.log
>-rw-------. 1 root root 0 Feb 5 17:38 sssd_nss.log
>-rw-------. 1 root root 0 Feb 5 17:38 sssd_pac.log
>-rw-------. 1 root root 0 Feb 5 17:38 sssd_pam.log
>-rw-------. 1 root root 0 Feb 5 17:38 sssd_ssh.log
sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
have a
debug_level = <value>
line. For more details see sssd.conf(5).
>
>/etc/sssd/sssd.conf:
>[domain/miolinux.corp]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = miolinux.corp
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = rhel6-client.miolinux.corp
>chpass_provider = ipa
>ipa_server = _srv_, ipa1.miolinux.corp
>ldap_tls_cacert = /etc/ipa/ca.crt
You are missing the SSSD configuration for trusts:
subdomains_provider = ipa
>[sssd]
>services = nss, pam, ssh
and here the 'pac' service also has to be referenced in the 'services = '
line
>config_file_version = 2
>
>domains = miolinux.corp
>[nss]
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>
>
Basically, situation should look like this:
1. IPA master server configured to talk to AD DC, by means of using winbindd in
background (on RHEL 6.x, in current Fedora it is done by directly
talking to AD LDAP services by SSSD). SSSD on IPA master uses it to resolve IDs for AD users
and groups. This requires special setup of SSSD on IPA master, with
[domain/...]
subdomains_provider = ipa
and
[sssd]
services = ..., pac
In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
automatically by setting
ipa_master_mode = True
On RHEL 6.x one needs to add the parameters manually.
2. /etc/krb5.conf has to contain auth_to_local rules that map AD
principals to lower-cased versions because some applications (SSH)
are very picky about user/principal name mapping. This has to be done
on both IPA masters and IPA clients.
3. On IPA clients SSSD needs to have the following in
/etc/sssd/sssd.conf
[domain/...]
subdomains_provider = ipa
and
[sssd]
services = ..., pac
With these changes SSSD on the IPA client will recognize AD users and
request the IPA master to perform name/SID/etc resolution, and will also
make an attempt to parse a special part of the Kerberos ticket
generated by the AD DC (MS-PAC) that contains a signed cached copy of group
ownership for AD users.
SSSD needs a restart after each config change.
You can do checks step by step to see whether things are working:
1. Ensure that SSSD on IPA master resolves AD user properly:
getent passwd user at ad.domain
Should return non-empty entry.
2. Ensure that SSSD on IPA client resolves AD user properly:
getent passwd user at ad.domain
Should return non-empty entry.
3. Ensure that Kerberos infrastructure works:
kinit user at ad.domain
kvno -S host ipa.client.domain
4. Attempt to use Kerberos ticket:
ssh -l user at ad.domain ipa.client.domain
At this point if everything works fine, SSHd will authenticate
user at ad.domain by its Kerberos ticket and authorize its access.
--
/ Alexander Bokovoy
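As an added example (not part of the thread above, and not FreeIPA or SSSD project code), here is a small POSIX sh + awk audit for the two client-side settings the reply calls out: `subdomains_provider = ipa` in every `[domain/...]` section and `pac` in the `[sssd]` `services =` list. The two sample configs it writes are constructed for the example: the first mirrors the client config quoted in the thread (both settings absent), the second is the same file with the settings added. The function names and temp-file handling are this example's own.

```shell
# Added example: audit an sssd.conf for the trust-related settings
# discussed in the reply. Not FreeIPA/SSSD code; sample configs are constructed.

# Constructed sample 1: the client config as quoted in the thread, which
# lacks both "subdomains_provider = ipa" and "pac" in the services list.
write_sample_conf() {
  cat > "$1" <<'EOF'
[domain/miolinux.corp]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp

[pac]
EOF
}

# Constructed sample 2: the same config with both trust settings added.
write_fixed_conf() {
  cat > "$1" <<'EOF'
[domain/miolinux.corp]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
subdomains_provider = ipa

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = miolinux.corp

[pac]
EOF
}

# check_trust_config FILE
# Prints one line per missing setting. Exit status 0 when every [domain/...]
# section has "subdomains_provider = ipa" and [sssd] services include pac,
# 1 otherwise, so it can gate a deployment script.
check_trust_config() {
  awk '
    # Track the current [section]; strip brackets and surrounding whitespace.
    /^[[:space:]]*\[/ {
      section = $0
      gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", section)
      if (section ~ /^domain\//) domains[section] = 1
      next
    }
    # Skip blank lines and comments.
    /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }
    # Record subdomains_provider = ipa per domain section.
    section ~ /^domain\// &&
      $0 ~ /^[[:space:]]*subdomains_provider[[:space:]]*=[[:space:]]*ipa[[:space:]]*$/ {
      have_sub[section] = 1
    }
    # Parse the comma-separated services list in [sssd] and look for pac.
    section == "sssd" && $0 ~ /^[[:space:]]*services[[:space:]]*=/ {
      value = $0
      sub(/^[^=]*=/, "", value)
      n = split(value, svc, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[[:space:]]/, "", svc[i])
        if (svc[i] == "pac") have_pac = 1
      }
    }
    END {
      missing = 0
      for (d in domains) {
        if (!(d in have_sub)) {
          printf "[%s]: missing \"subdomains_provider = ipa\"\n", d
          missing = 1
        }
      }
      if (!have_pac) {
        print "[sssd]: \"services =\" line does not include pac"
        missing = 1
      }
      exit missing
    }
  ' "$1"
}

# Stand-alone run: audit both constructed samples.
main() {
  tmp=$(mktemp)
  write_sample_conf "$tmp"
  echo "== config as posted =="
  check_trust_config "$tmp" || true
  write_fixed_conf "$tmp"
  echo "== config with trust settings =="
  check_trust_config "$tmp" && echo "ok: trust settings present"
  rm -f "$tmp"
}
main
```

On a real client you would point `check_trust_config` at `/etc/sssd/sssd.conf` before restarting SSSD; the audit only covers the sssd.conf part of the procedure, the `auth_to_local` rules in `/etc/krb5.conf` and the `getent`/`kinit`/`kvno`/`ssh` checks from the reply still have to be done on the host.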