[Freeipa-users] Cross domain trust

Steve Dainard sdainard at miovision.com
Thu Feb 6 17:23:41 UTC 2014


On Thu, Feb 6, 2014 at 11:14 AM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Thu, 06 Feb 2014, Steve Dainard wrote:
>
>> So I've completed the setup, and can see the trust on the Windows side.
>>
>> I've joined a client to the IPA realm, and can login with a IPA user. When
>> I try to login (console, ssh, su -) as a domain user I get:
>>
>> --------CLIENT SIDE--------
>>
>> [root@rhel6-client ~]# su - sdainard@miovision
>> su: user sdainard@miovision does not exist
>> [root@rhel6-client ~]# su - sdainard@MIOVISION.CORP
>> su: user sdainard@MIOVISION.CORP does not exist
>> [root@rhel6-client ~]# su - sdainard@miovision.corp
>> su: user sdainard@miovision.corp does not exist
>>
>>
>> [root@rhel6-client ~]# ssh sdainard@miovision@localhost
>> sdainard@miovision@localhost's password:
>> Permission denied, please try again.
>>
>>
>> /var/log/secure:
>> Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user unknown
>> Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>> Feb  6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error retrieving information about user sdainard@miovision
>> Feb  6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user sdainard@miovision from ::1 port 47391 ssh2
>> Feb  6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
>> Feb  6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
>> Feb  6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user sdainard@miovision
>> Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user unknown
>> Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
>> Feb  6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error retrieving information about user sdainard@miovision
>> Feb  6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user sdainard@miovision from ::1 port 47417 ssh2
>>
> Note that there are no logs from sssd above, which means sssd was never
> consulted.
>
>
>
>> No logs for sssd;
>> # pwd
>> /var/log/sssd
>> [root@snapshot-test sssd]# ll
>> total 0
>> -rw-------. 1 root root 0 Feb  5 17:38 krb5_child.log
>> -rw-------. 1 root root 0 Feb  5 17:38 ldap_child.log
>> -rw-------. 1 root root 0 Feb  5 17:37 sssd.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_miolinux.corp.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_nss.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_pac.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_pam.log
>> -rw-------. 1 root root 0 Feb  5 17:38 sssd_ssh.log
>>
> sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
> have a   debug_level = <value>   line. For more details see sssd.conf(5).
>
>
>
>> /etc/sssd/sssd.conf:
>> [domain/miolinux.corp]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = miolinux.corp
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = rhel6-client.miolinux.corp
>> chpass_provider = ipa
>> ipa_server = _srv_, ipa1.miolinux.corp
>> ldap_tls_cacert = /etc/ipa/ca.crt
>>
> you are missing SSSD configuration for trusts:
>
> subdomains_provider = ipa
>
>
>> [sssd]
>> services = nss, pam, ssh
>>
> and here also service 'pac' has to be referenced in the 'services = '
> line
>
>
>> config_file_version = 2
>>
>> domains = miolinux.corp
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>>
>>
> Basically, situation should look like this:
>
> 1. IPA master server configured to talk to AD DC, by means of using
>    winbindd in background (on RHEL 6.x, in current Fedora it is done by
>    directly talking to AD LDAP services by SSSD). SSSD on IPA master uses
>    it to resolve IDs for AD users and groups. This requires special setup
>    of SSSD on IPA master, with
>
>    [domain/...]
>    subdomains_provider = ipa
>
>    and
>
>    [sssd]
>      services = ..., pac
>

Server side looks right:

[domain/miolinux.corp]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.miolinux.corp
chpass_provider = ipa
ipa_server = ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = miolinux.corp
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]



>
>    In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
>    automatically by setting   ipa_master_mode = True
>
>    On RHEL 6.x one needs to add the parameters manually.
>
> 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
>    principals to lower-cased versions because some applications (SSH)
>    are very picky about user/principal name mapping. This has to be done
>    on both IPA masters and IPA clients.
>

This was done on the IPA server, but the RHEL 6.5 client doesn't have this
file.

On the IPA server:

[realms]
 MIOLINUX.CORP = {
  kdc = ipa1.miolinux.corp:88
  master_kdc = ipa1.miolinux.corp:88
  admin_server = ipa1.miolinux.corp:749
  default_domain = miolinux.corp
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
  auth_to_local = DEFAULT

[root@ipa1 ~]# kinit sdainard@miovision.corp
Password for sdainard@miovision.corp:
kinit: KDC reply did not match expectations while getting initial credentials



A CentOS 6.5 client has this file. The docs didn't mention the manual
client config, I just assumed the IPA server would proxy the request. After
adding, no change.



>
> 3. On IPA clients SSSD needs to have following in the
>    /etc/sssd/sssd.conf
>
>    [domain/...]
>    subdomains_provider = ipa
>
>    and
>
>    [sssd]
>    services = ..., pac
>

Added.


>
>    With these changes SSSD on IPA client will recognize AD users and
>    request IPA master to perform name/SID/etc resolution, and also will
>    make an attempt to parse special part of the Kerberos ticket
>    generated by AD DC (MS-PAC) that contains signed cached copy of group
>    ownership for AD users.
>
> SSSD needs restart after each config change.
>
> You can do checks step by step to see whether things are working:
>
> 1. Ensure that SSSD on IPA master resolves AD user properly:
>
>    getent passwd user at ad.domain
>
>    Should return non-empty entry.
>

Returns no values.

[root@ipa1 ~]# getent passwd sdainard@miovision.corp
[root@ipa1 ~]#




>
> 2. Ensure that SSSD on IPA client resolves AD user properly:
>
>    getent passwd user at ad.domain
>
>    Should return non-empty entry.
>

[root@snapshot-test ~]# getent passwd sdainard@miovision.corp
[root@snapshot-test ~]#




>
> 3. Ensure that Kerberos infrastructure works:
>
>    kinit user at ad.domain
>    kvno -S host ipa.client.domain
>

[root@ipa1 ~]# kinit sdainard@miovision.corp
Password for sdainard@miovision.corp:
kinit: KDC reply did not match expectations while getting initial credentials

[root@ipa1 ~]# kinit sdainard@MIOVISION.CORP
Password for sdainard@MIOVISION.CORP:

[root@ipa1 ~]# kvno cifs/dc1.miovision.corp@MIOVISION.CORP
cifs/dc1.miovision.corp@MIOVISION.CORP: kvno = 41

[root@ipa1 ~]# kvno -S host ipa1.miolinux.corp
host/ipa1.miolinux.corp@MIOLINUX.CORP: kvno = 2

[root@ipa1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sdainard@MIOVISION.CORP

Valid starting     Expires            Service principal
02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/MIOVISION.CORP@MIOVISION.CORP
        renew until 02/07/14 11:54:55
02/06/14 11:55:38  02/06/14 21:54:57  cifs/dc1.miovision.corp@MIOVISION.CORP
        renew until 02/07/14 11:54:55
02/06/14 11:56:50  02/06/14 21:54:57  krbtgt/MIOLINUX.CORP@MIOVISION.CORP
        renew until 02/07/14 11:54:55
02/06/14 11:57:05  02/06/14 21:54:57  host/ipa1.miolinux.corp@MIOLINUX.CORP
        renew until 02/07/14 11:54:55

It appears the rewrite rules in krb5.conf are not working, not sure what I
missed.



>
> 4. Attempt to use Kerberos ticket:
>
>    ssh -l user at ad.domain ipa.client.domain
>
>    At this point if everything works fine, SSHd will authenticate
>    user at ad.domain by its Kerberos ticket and authorize its access.
>
>
> --
> / Alexander Bokovoy
>
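The trust prerequisites Alexander lists for sssd.conf (subdomains_provider = ipa in the IPA domain section, pac in the [sssd] services line, and a debug_level so SSSD actually logs) can be checked mechanically. This is an added example, not code from the thread or from SSSD; the sample sssd.conf below is constructed to resemble the client file posted above.

```python
import configparser

# Constructed sample resembling the client sssd.conf posted in the thread
# (sample input for this example, not the poster's exact file).
CLIENT_SSSD_CONF = """\
[domain/miolinux.corp]
id_provider = ipa
auth_provider = ipa
ipa_domain = miolinux.corp
ipa_hostname = rhel6-client.miolinux.corp

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp

[nss]
[pam]
[ssh]
[pac]
"""


def _csv(value: str) -> list[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def trust_config_findings(conf_text: str) -> list[str]:
    """Report what the thread says an IPA client or master needs for AD trust users."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if "pac" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not list 'pac'")
    if not cp.has_section("pac"):
        findings.append("missing [pac] section")
    for dom in _csv(cp.get("sssd", "domains", fallback="")):
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(f"[{sec}] missing although '{dom}' is in [sssd] domains")
            continue
        if cp.get(sec, "id_provider", fallback="") != "ipa":
            continue  # only IPA-provided domains take part in the trust
        if cp.get(sec, "subdomains_provider", fallback="") != "ipa":
            findings.append(f"[{sec}] lacks 'subdomains_provider = ipa'")
        if not cp.has_option(sec, "debug_level"):
            findings.append(f"[{sec}] has no debug_level, so SSSD logs nothing for it")
    return findings
```

Run it against the real file with `trust_config_findings(open("/etc/sssd/sssd.conf").read())`; an empty list means the three items from the thread are present, and SSSD still needs a restart after any change.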
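An added illustration (not code from the thread, MIT krb5 or FreeIPA) of how an auth_to_local RULE is evaluated: the [n:string] template is expanded with the principal's realm ($0) and components ($1..$n), the optional (regexp) has to match the whole expanded string, and only then does the s/pattern/replacement/ substitution run; it is applied to the rule as posted and to a constructed variant whose selector names the full AD realm, with sdainard@MIOVISION.CORP as sample input. The whole-string match requirement and the DEFAULT handling (single-component principal in the default realm maps to its name) are assumptions about MIT's behaviour made for this simplified model.

```python
import re
from typing import Optional

# Simplified model of MIT krb5 auth_to_local handling (constructed for this
# example). Assumed semantics: a RULE applies only if the principal has exactly
# n components, the optional (regexp) must match the whole expanded string, and
# s/pattern/replacement/[g] is run on it afterwards.
_RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?")


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one RULE, or None if it does not apply."""
    m = _RULE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, template, selector, pattern, repl, gflag = m.groups()
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != int(ncomp):
        return None
    formed = template.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        formed = formed.replace(f"${i}", comp)
    if selector is not None and re.fullmatch(selector, formed) is None:
        return None  # selector regexp did not match the whole expanded string
    if pattern is not None:
        formed = re.sub(pattern, repl, formed, count=0 if gflag else 1)
    return formed


def map_principal(rules: list[str], principal: str, default_realm: str) -> Optional[str]:
    """Walk the auth_to_local list in order; the first rule that applies wins."""
    name, realm = principal.rsplit("@", 1)
    for rule in rules:
        if rule == "DEFAULT":  # single-component principal in the default realm
            if realm == default_realm and "/" not in name:
                return name
            continue
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None


# Rule as posted in the thread versus a constructed selector naming the full AD realm.
POSTED = "RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/"
FULL_REALM = "RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/"
```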