[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts
Chris Dagdigian
dag at sonsorol.org
Wed Dec 7 16:34:12 UTC 2016
Our problem is largely solved but we are using some "do not use in
production!" settings so I wanted to both recap our solution and ask
some follow up questions.
Our setup:
-------------
- FreeIPA 4.2 running on CentOS-7 in AWS VPC
- Edge-case split DNS setup. Our cloud clients are "company-aws.org"
while IPA is "company-ipa.org" realm/domain
- Massive need to authenticate against AD Forest COMPANY.COM which
includes a ton of child domains (NAFTA.COMPANY.COM, etc.)
Problem
-----------
- AD users are recognized and can be enumerated as long as I use
username at NAFTA.COMPANY.COM
- "su - <user>" works as root to become the AD user
- All methods that require password check (SSH login mainly) failed
The breakthrough was the advice from Sumit to add the
ldap_user_principal and subdomain_inherit settings. The core problem on
our end seemed to be issues with having the AD user UPN get sorted out.
Something was failing when user at NAFTA.COMPANY.COM was shortened to
user at COMPANY.COM and we saw the recurring error about " ... UPN is quite
different ... " in the sssd domain logs.
Solution (Server Side)
-----------------------------
In /etc/sssd/sssd.conf:
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
krb5_validate = false
Solution (IPA client side)
--------------------------------
In /etc/sssd/sssd.conf:
krb5_validate = false
I think the main problem is obvious. Even Sumit was clear to state that
"krb5_validate = false" should be used for testing only.
However if we remove that setting password checking breaks.
So the basic "what next question" for the experts is:
1. Do we chase down whatever config error we have that requires
krb5_validate=false ?
2. Or do we assume that that problem is related to the UPN problem and
related AD-across-child-domains that appear to be resolved in IPA-4.4? I
keep getting the sense that massive AD-related things have been improved
recently in 4.3 and 4.4
My gut feeling is that it is our odd UPN issue that is breaking things
so rather than bend over backwards to try to figure out why
krb5_validate=false on our IPA-4.2 setup I'm sort of leaning towards
trying to go for an upgrade to IPA-4.4 and hope that whatever issue
forced us to disable krb5_validate is resolved in the new updates.
Am I being stupid (again?) Obviously the krb5_validate=false setting
needs to be fixed. Just not sure if I should work on a fix within 4.2 or
move to 4.4 and see if it gets resolved as part of other changes.
Regards,
Chris
More information about the Freeipa-users
mailing list