Rocky Linux fails when tries to authenticate users using SSSD service

Hi team,

I’ve installed and configured the necessary packages for allow a recent Rocky Linux install to authenticate againts an AD domain. After installing such packages and registering the server to the AD this is failing when it tries to authenticate users.

These are the packages I installed:

realmd
sssd
adcli
samba-common
samba-common-tools
krb5-workstation
authconfig

This is my current sssd.conf config(with some changes for security reasons):

[sssd]
domains = area1.abcxyz.local
config_file_version = 2
services = nss, pam

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 3

[domain/area1.abcxyz.local]
ad_domain = area1.abcxyz.local
ad_server = EUSERVER012.area1.abcxyz.local
ad_backup_server = EUSERVER002.area1.abcxyz.local
krb5_realm = AREA1.ABCXYZ.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u

ignore_group_members = True
ad_enable_gc = False
cache_credentials = true
account_cache_expiration = 7
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = enforcing
GSSAPIAuthentication = no
dyndns_update = false

krb5_validate = false

access_provider = simple
simple_allow_groups = WO_Linux_Admins

debug=8

This is my /etc/krb5.conf config:

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = AREA1.ABCXYZ.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM
#    default_ccache_name = KEYRING:persistent:%{uid}
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[realms]
 AREA1.ABCXYZ.LOCAL = {
  kdc = EUSERVER012.area1.abcxyz.local
  admin_server = EUSERVER012.area1.abcxyz.local
  default_domain = area1.abcxyz.local
 }


[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

[domain_realm]
 .area1.eurofins.local = AREA1.ABCXYZ.LOCAL
 area1.eurofins.local = AREA1.ABCXYZ.LOCAL

pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

The service shows it’s working and gets the users from AD (partially) but even though it’s not allowing to authenticate.

Checking the logs I’ve found this:

Do you know why SSSD is making a request to port 0 to the AD, isn’t suppose it has to make such request to port 389/TCP or 636/TCP ?

Just in case, this same config is working fine in both RHEL 8 and CentOS 8, with a slight difference, it shows all groups where the AD account belongs to

[root@eu50wevp296 ~ ]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)
[root@eu50wevp296 ~ ]# id adm_w7ea
uid=1344378677(adm_w7ea) gid=968200513(domain users) groups=968200513(domain users),352346990(eu_comlims_commercialcustomerframeworkandquotationdmzusers_bx),352346976(eu_comlims_commercialcustomerframeworkandquotationdmzusers_de),352346968(eu_comlims_commercialcustomerframeworkandquotationdmzusers_fr),352346982(eu_comlims_commercialcustomerframeworkandquotationdmzusers_ph)
.
.
. (Output ommited)

Are you filtering ICMP at all?

Not really, in fact, firewalld service is currently down:

[root@eu50apvt951 ~ ]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@eu50apvt951 ~ ]#

Please make sure that communication to the AD servers back to the client are allowed by verifying any firewalls or security groups between where the client and AD servers are located.

The port 0 piece of sssd you’re seeing is normal. If it is saying it’s not working, that indicates communication back from AD to your client is not coming back or is blocked somewhere, and will not continue to check the other ports (389, 636, 3268).

Communication with AD servers is working fine between Rocky Linux machine and AD servers as you can see below:

This is a testing machine and use to run with RHEL and CentOS boths 7 & 8 and didn’t present any issue with AD authentication, unfortunatelly Rocky is not working as I expected and I have no idea why

Server was able to register inside AD with no issues as you can see in attached screenshots, this is showing it’s well connected on realm output as well:

Is there anything else I could check in order to see why this machine with rocky Linux is not authenticating with AD? Please let me know.

rockyAD1770×770 76.8 KB

rockyAD2696×794 67.3 KB

Hello,

Finally I’ve resolved AD authentication issues using SSSD in Rocky Linux.
I’ve just removed the following lines that works fine with RHEL and CentOS 7/8 but they’re giving issues

#ignore_group_members = True
#ad_enable_gc = False
#cache_credentials = true
#account_cache_expiration = 7
#ad_gpo_ignore_unreadable = True
#ad_gpo_access_control = enforcing
#GSSAPIAuthentication = no

After that, I restarted the service and could login into the server with no issues.