Hi team,
I’ve installed and configured the necessary packages for allow a recent Rocky Linux install to authenticate againts an AD domain. After installing such packages and registering the server to the AD this is failing when it tries to authenticate users.
These are the packages I installed:
realmd
sssd
adcli
samba-common
samba-common-tools
krb5-workstation
authconfig
This is my current sssd.conf config(with some changes for security reasons):
[sssd]
domains = area1.abcxyz.local
config_file_version = 2
services = nss, pam
[nss]
filter_groups = root
filter_users = root
[pam]
offline_credentials_expiration = 3
[domain/area1.abcxyz.local]
ad_domain = area1.abcxyz.local
ad_server = EUSERVER012.area1.abcxyz.local
ad_backup_server = EUSERVER002.area1.abcxyz.local
krb5_realm = AREA1.ABCXYZ.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
ignore_group_members = True
ad_enable_gc = False
cache_credentials = true
account_cache_expiration = 7
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = enforcing
GSSAPIAuthentication = no
dyndns_update = false
krb5_validate = false
access_provider = simple
simple_allow_groups = WO_Linux_Admins
debug=8
This is my /etc/krb5.conf config:
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AREA1.ABCXYZ.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
# default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[realms]
AREA1.ABCXYZ.LOCAL = {
kdc = EUSERVER012.area1.abcxyz.local
admin_server = EUSERVER012.area1.abcxyz.local
default_domain = area1.abcxyz.local
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[domain_realm]
.area1.eurofins.local = AREA1.ABCXYZ.LOCAL
area1.eurofins.local = AREA1.ABCXYZ.LOCAL
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
The service shows it’s working and gets the users from AD (partially) but even though it’s not allowing to authenticate.
Click to see the full logs
[root@eu50apvt951 ~ ]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-07-20 00:51:09 CEST; 40min ago
Main PID: 54653 (sssd)
Tasks: 5 (limit: 49464)
Memory: 53.3M
CGroup: /system.slice/sssd.service
├─54653 /usr/sbin/sssd -i --logger=files
├─54654 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
├─54655 /usr/libexec/sssd/sssd_be --domain area1.abcxyz.local --uid 0 --gid 0 --logger=files
├─54657 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─54658 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Jul 20 00:51:09 eu50apvt951.area1.abcxyz.local sssd[pam][54658]: Starting up
Jul 20 00:51:09 eu50apvt951.area1.abcxyz.local sssd[nss][54657]: Starting up
Jul 20 00:51:09 eu50apvt951.area1.abcxyz.local systemd[1]: Started System Security Services Daemon.
Jul 20 00:52:43 eu50apvt951.area1.abcxyz.local sssd[be[area1.abcxyz.local]][54655]: Backend is online
Jul 20 00:52:43 eu50apvt951.area1.abcxyz.local adcli[54673]: GSSAPI client step 1
Jul 20 00:52:43 eu50apvt951.area1.abcxyz.local adcli[54673]: GSSAPI client step 1
Jul 20 00:52:43 eu50apvt951.area1.abcxyz.local adcli[54673]: GSSAPI client step 1
Jul 20 01:03:53 eu50apvt951.area1.abcxyz.local adcli[54953]: GSSAPI client step 1
Jul 20 01:03:53 eu50apvt951.area1.abcxyz.local adcli[54953]: GSSAPI client step 1
Jul 20 01:03:53 eu50apvt951.area1.abcxyz.local adcli[54953]: GSSAPI client step 1
[root@eu50apvt951 ~ ]#
[root@eu50apvt951 ~ ]# id adm_w7ea
uid=1344378677(adm_w7ea) gid=968200513(domain users) groups=968200513(domain users)
[root@eu50apvt951 ~ ]#
Checking the logs I’ve found this:
Click to see the full logs
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [fo_resolve_service_send] (0x0100): Trying to resolve service ‘AD’
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [get_server_status] (0x1000): Status of server ‘EUSERVER012.area1.abcxyz.local’ is ‘working’
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [get_port_status] (0x1000): Port status of port 0 for server ‘EUSERVER012.area1.abcxyz.local’ is ‘not working’
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [get_server_status] (0x1000): Status of server ‘EUSERVER002.area1.abcxyz.local’ is ‘working’
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [get_port_status] (0x1000): Port status of port 0 for server ‘EUSERVER002.area1.abcxyz.local’ is ‘not working’
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [fo_resolve_service_send] (0x0020): No available servers for service ‘AD’
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [be_mark_dom_offline] (0x1000): Marking back end offline
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [be_mark_offline] (0x2000): Going offline!
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
(2021-07-20 1:38:55): [be[area1.abcxyz.local]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled
Do you know why SSSD is making a request to port 0 to the AD, isn’t suppose it has to make such request to port 389/TCP or 636/TCP ?
Just in case, this same config is working fine in both RHEL 8 and CentOS 8, with a slight difference, it shows all groups where the AD account belongs to
[root@eu50wevp296 ~ ]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)
[root@eu50wevp296 ~ ]# id adm_w7ea
uid=1344378677(adm_w7ea) gid=968200513(domain users) groups=968200513(domain users),352346990(eu_comlims_commercialcustomerframeworkandquotationdmzusers_bx),352346976(eu_comlims_commercialcustomerframeworkandquotationdmzusers_de),352346968(eu_comlims_commercialcustomerframeworkandquotationdmzusers_fr),352346982(eu_comlims_commercialcustomerframeworkandquotationdmzusers_ph)
.
.
. (Output ommited)