
When I try to do a su [email protected] I get a "user does not exist" message.

[email protected] exists in Active Directory. I can do kinit [email protected] successfully and get a ticket. Here are the steps I did:

  1. I have MIT KDC on CentOS 7 CENTOSREALM.COM and Active Directory realm ADREALM.COM
  2. On CentOS I did realm join ADREALM.COM which gave "* Successfully enrolled machine in realm". I can see the centos hostname in Active Directory Computers container.
  3. But I cannot log in to the CentOS server with [email protected]; this user exists in AD.

Where do I look for errors or steps to debug this issue?

The sssd.conf content:

[sssd]
domains = adrealm.com
config_file_version = 2
services = nss, pam

[domain/adrealm.com]
ad_server = adrealm.com
ad_domain = adrealm.com
krb5_realm = ADREALM.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 3
ebeb
  • What does your `/etc/sssd/sssd.conf` file look like? – Christophe Drevet Sep 04 '18 at 12:40
  • [sssd] domains = adrealm.com config_file_version = 2 services = nss, pam [domain/adrealm.com] ad_server = adrealm.com ad_domain = adrealm.com krb5_realm = ADREALM.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad debug_level = 3 – ebeb Sep 05 '18 at 13:08
  • @Christophe Drevet-Droguet above is /etc/sssd/sssd.conf. In addition, I checked that forward and reverse DNS from CentOS to Active Directory works fine. I have updated /etc/hosts, /etc/resolv.conf, /etc/krb5.conf based on many suggestions. Thx!! – ebeb Sep 05 '18 at 13:18
  • Also, I get this error with ldapwhoami:
      ldapwhoami -Y GSSAPI -H ldap://adserver1.adrealm.com
      SASL/GSSAPI authentication started
      ldap_sasl_interactive_bind_s: Local error (-2)
      additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) – ebeb Sep 05 '18 at 13:41
  • Did you try to use the name `[email protected]`? I'm sure LDAP is not case sensitive, but I think sssd is. If you want to use upper case, it should be also in the sssd domain name (`[domain/ADREALM.COM]`). If it's not that, do you have some errors in `/var/log/sssd/` files? – Christophe Drevet Sep 06 '18 at 07:36
  • Also, the `ad_server` should contain a list of AD servers near your machine, such as: `ad_server = srv1.adrealm.com,srv3.adrealm.com,srv4.adrealm.com`. I don't see anything else that could be wrong. – Christophe Drevet Sep 06 '18 at 07:40
  • Thanks for continuing to help on this :) I changed `ad_server` to the actual hostname svr.adrealm.com and restarted sssd. I tried both [email protected] and [email protected], same "not found" error. I ran Wireshark and it gives the errors below:
      error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) Realm: ADREALM.COM Server Name (Service and Host): ldap/adrealm.com
      error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) Realm: ADREALM.COM Server Name (Service and Instance): krbtgt/COM
    Below is the sssd_adrealm.log: – ebeb Sep 07 '18 at 15:32
  • (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)] – ebeb Sep 07 '18 at 15:35
  • (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [ad_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable – ebeb Sep 07 '18 at 15:36
  • (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [sdap_dyndns_get_addrs_done] (0x0080): No LDAP server is available, dynamic DNS update is skipped in offline mode.
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
    (Fri Sep 7 10:51:42 2018) [sssd[be[adrealm.com]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158241]: Dynamic DNS update not possible while offline – ebeb Sep 07 '18 at 15:36
  • I won't be able to help much more. It seems you have an issue with your Kerberos configuration. But since you can get a ticket with `kinit`, I don't know what would be the issue. Sorry. – Christophe Drevet Sep 10 '18 at 11:38

1 Answer


Finally I followed these instructions and suddenly it started working; it's weird, I still don't fully understand what was wrong: Manually Connecting an SSSD Client to an Active Directory Domain https://access.redhat.com/articles/3023951 .

I can now do id and su for an Active Directory user on CentOS 7, like $ su [email protected] with the Active Directory password, and log in. Bottom line: /etc/hosts, /etc/krb5.conf, /etc/resolv.conf, /etc/sssd/sssd.conf and /etc/samba/smb.conf need to be carefully checked, as all kinds of errors can happen.

ebeb
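The thread ends without naming the fault, but the packet capture and sssd log point at two things worth checking before re-reading every file by hand: the KDC rejected `ldap/adrealm.com@ADREALM.COM` (SSSD builds that SPN from `ad_server`, and with `ad_server = adrealm.com` it asks for a ticket to the domain name rather than to a domain controller), and the follow-up request for `krbtgt/COM` is the client failing to map the target host to a realm, which is what a missing `[domain_realm]` entry in /etc/krb5.conf typically produces. The script below is an added example, not from the original post or from SSSD or Red Hat; it lints an sssd.conf and krb5.conf pair offline for exactly those two signatures plus a section-name mismatch. The sample configs and the DC name `dc1.adrealm.com` are constructed for the demonstration, and the checks are the editor's heuristics, not an official validator.

```python
"""Offline lint of an SSSD + MIT Kerberos client configuration for the two
failure signatures in the thread (added example; heuristics are the editor's,
not SSSD's or Red Hat's)."""
import configparser
import re

# Constructed sample: a trimmed copy of the sssd.conf from the question, and a
# krb5.conf that knows only the local MIT realm. Neither file is from the post.
SSSD_CONF = """
[sssd]
domains = adrealm.com
config_file_version = 2
services = nss, pam

[domain/adrealm.com]
ad_server = adrealm.com
ad_domain = adrealm.com
krb5_realm = ADREALM.COM
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
"""

KRB5_CONF = """
[libdefaults]
 default_realm = CENTOSREALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 CENTOSREALM.COM = {
  kdc = kdc.centosrealm.com
 }

[domain_realm]
 .centosrealm.com = CENTOSREALM.COM
 centosrealm.com = CENTOSREALM.COM
"""

# Constructed "after" pair: ad_server names a DC (hypothetical dc1.adrealm.com)
# and krb5.conf maps the AD DNS domain to the AD realm.
SSSD_FIXED = SSSD_CONF.replace("ad_server = adrealm.com", "ad_server = dc1.adrealm.com")
KRB5_FIXED = KRB5_CONF + """
 .adrealm.com = ADREALM.COM
 adrealm.com = ADREALM.COM
"""

TRUE_VALUES = ("true", "yes", "1")


def parse_sssd(text):
    # sssd.conf is INI-style; interpolation must be off or '%u@%d' is rejected.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_krb5(text):
    """Minimal krb5.conf reader: section -> {key: value}. Brace blocks under
    [realms] are flattened; only the realm names and [domain_realm] are used."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or line == "}":
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().rstrip("{").strip()
    return sections


def lint(sssd_text, krb5_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    sssd, krb5 = parse_sssd(sssd_text), parse_krb5(krb5_text)
    listed = [d.strip() for d in sssd["sssd"].get("domains", "").split(",") if d.strip()]
    for name in listed:
        section = f"domain/{name}"
        # configparser section names are case-sensitive, like SSSD's own.
        if section not in sssd:
            findings.append(f"{name}: listed in [sssd] domains but no [{section}] section exists")
            continue
        dom = sssd[section]
        ad_domain = dom.get("ad_domain", name).lower()
        realm = dom.get("krb5_realm", ad_domain.upper())
        for srv in (s.strip() for s in dom.get("ad_server", "_srv_").split(",")):
            if srv.lower() == ad_domain:
                findings.append(f"{name}: ad_server={srv} names the domain, not a DC; "
                                f"SSSD will request ldap/{srv}@{realm}, the SPN the KDC reports as unknown")
        mapped = {k.lower(): v for k, v in krb5.get("domain_realm", {}).items()}
        if realm not in (mapped.get("." + ad_domain), mapped.get(ad_domain)):
            findings.append(f"{name}: krb5.conf [domain_realm] lacks '.{ad_domain} = {realm}'; "
                            f"hosts under {ad_domain} cannot be mapped to the realm")
        dns_kdc = krb5.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
        if realm not in krb5.get("realms", {}) and dns_kdc not in TRUE_VALUES:
            findings.append(f"{name}: realm {realm} has no [realms] entry and dns_lookup_kdc is off")
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (SSSD_CONF, KRB5_CONF)), ("corrected", (SSSD_FIXED, KRB5_FIXED))):
        print(f"{label}:")
        for finding in lint(*pair) or ["no findings"]:
            print("  " + finding)
```

Run it against the real files with `lint(open('/etc/sssd/sssd.conf').read(), open('/etc/krb5.conf').read())`; on the posted configuration it reports the `ldap/adrealm.com@ADREALM.COM` SPN and the missing `.adrealm.com = ADREALM.COM` mapping, and nothing on the corrected pair. A clean result only removes these specific misconfigurations: DNS SRV records, time skew and the host keytab still have to be verified separately (`kinit -k` with the machine principal and `ldapwhoami -Y GSSAPI -H ldap://<dc fqdn>` remain the quickest live checks).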