List: sssd-users
Subject: [SSSD-users] kvno out of sync and trust issues
From: "Carl Pettersson (BN)" <carl.pettersson () bonniernews ! se>
Date: 2015-08-31 19:59:14
Message-ID: AMSPR05MB002C6BA3A0B89D4CC533E488F6B0 () AMSPR05MB002 ! eurprd05 ! prod ! outlook ! com
Hi,

(Warning: It's been a looong day, and upon rereading, the below may not be entirely coherent. I'll gladly clarify in the morning where needed.)

We've been struggling for several months with getting our Linux (a mix of CentOS 7 and RHEL 7.1) servers AD integrated. We have a Win2012R2 domain with two sites, and several cross-forest, one-way trusts, and at the moment we are mostly (see below) able to authenticate with accounts local to our domain. We currently have two problems (that we know of):

* After a few days, it is no longer possible to log in with a domain account. Restarting sssd mostly works, and if not, performing a domain join again does. What we've seen is that this seems to change the KVNO field of kinit -k, and we've seen an error message (which I can't find again at the moment, sorry) indicating that this is a problem. Oddly enough, on some of the servers which we can still log on to, the KVNO can be different from the one which we just "fixed". The KVNO seems to always be either 2 or 5, switching when we "fix" a server.

* Authenticating with an account from a trusted domain never works. I can ping domain controllers from the other domain, I can telnet to all the AD ports I can think of (significantly, 389 and 88), and there's no real error message shown anywhere. Right now /var/log/secure complains about unknown users, and journalctl says "Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)". I can resolve both A and PTR records, both on local and remote domains.

I'm at a loss on how to continue with the troubleshooting. People are starting to mumble about requesting local accounts on all machines. Tonight, I tried throwing PBIS Open (previously Likewise) on a machine, and it just worked. I'd like to avoid PBIS, though, since it is a bit more opaque about how it works, and we'd probably end up having to pay to get the features we could get from sssd in a (mostly) more understandable and clean packaging. But this would at least seem to indicate that the issue is with our configuration, rather than some infrastructural problem?
Here are the configuration files:

/etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = AD.MAIN-DOMAIN.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]

    [domain_realm]

/etc/sssd/sssd.conf:

    [sssd]
    services = nss, pam, ssh, autofs
    config_file_version = 2
    domains = AD.MAIN-DOMAIN.COM

    [nss]
    override_homedir = /home/%d/%u
    override_shell = /bin/bash

    [domain/AD.MAIN-DOMAIN.COM]
    id_provider = ad
    use_fully_qualified_names = TRUE
    krb5_renew_interval = 1h

I tried replacing the krb5.conf file with the one generated by PBIS, but that didn't help, unfortunately.
Any ideas for things to try would be greatly appreciated!
Best regards,
Carl
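Both symptoms in the post can be checked against AD from the host itself: a keytab whose KVNO no longer matches the msDS-KeyVersionNumber on the computer object (each machine password reset, a re-join included, increments that number), and a host/ service principal that the KDC cannot find because it is not registered as a servicePrincipalName, which is what "Server not found in Kerberos database" reports. The script below is an added example, not code from the original post or from SSSD. It parses the output of klist -kte and of an ldapsearch of the computer object and flags either condition. To keep it runnable offline, the two listings are constructed samples standing in for real output; the host name LX01, its OU and the KVNO values are hypothetical. It only covers the host's own object in the local domain; it does not diagnose realm routing across a forest trust.

```shell
#!/bin/sh
# Added example, not code from the original post or from SSSD: check a joined
# host's keytab against its AD computer object for the two things the post's
# symptoms point at. The two inputs are CONSTRUCTED samples standing in for
#   klist -kte /etc/krb5.keytab
#   ldapsearch -LLL -Y GSSAPI -b 'DC=ad,DC=main-domain,DC=com' \
#       '(sAMAccountName=LX01$)' msDS-KeyVersionNumber servicePrincipalName
# so the script runs offline; host LX01, its OU and the numbers are hypothetical.

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/31/2015 19:59:14 host/lx01.ad.main-domain.com@AD.MAIN-DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 08/31/2015 19:59:14 host/lx01.ad.main-domain.com@AD.MAIN-DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 08/31/2015 19:59:14 LX01$@AD.MAIN-DOMAIN.COM (aes256-cts-hmac-sha1-96)'

SAMPLE_LDIF='dn: CN=LX01,OU=Servers,DC=ad,DC=main-domain,DC=com
sAMAccountName: LX01$
msDS-KeyVersionNumber: 5
servicePrincipalName: host/LX01
servicePrincipalName: host/lx01.ad.main-domain.com'

# Distinct KVNOs present in a klist -kte listing: data lines start with a number.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -un
}

# KVNO the KDC uses for this account: msDS-KeyVersionNumber on the computer object.
ad_kvno() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2; exit }'
}

# Returns 0 when the keytab holds exactly one KVNO and it equals AD's, 1 otherwise.
# Every machine password reset (a re-join included) bumps AD's number; a keytab
# left at an older KVNO no longer holds the key the KDC encrypts with.
check_kvno() {
    kt=$(keytab_kvnos "$1")
    ad=$(ad_kvno "$2")
    if [ -z "$kt" ] || [ -z "$ad" ]; then
        echo "KVNO MISMATCH: keytab=${kt:-none} ad=${ad:-missing}"
        return 1
    fi
    case "$kt" in
        "$ad") echo "KVNO ok: keytab=$kt ad=$ad"; return 0 ;;
        *)     echo "KVNO MISMATCH: keytab=$(printf '%s' "$kt" | tr '\n' ',') ad=$ad"
               return 1 ;;
    esac
}

# Prints each host/ principal in the keytab (realm stripped) that is not a
# registered servicePrincipalName; the KDC answers a request for such a name
# with "Server not found in Kerberos database". The comparison is
# case-insensitive, as SPNs are in AD. Returns 1 if anything is missing.
missing_spns() {
    kt_spns=$(printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $4 ~ /^host\// { sub(/@.*/, "", $4); print $4 }' | sort -u)
    ad_spns=$(printf '%s\n' "$2" | awk -F': ' '$1 == "servicePrincipalName" { print $2 }')
    rc=0
    for p in $kt_spns; do
        printf '%s\n' "$ad_spns" | grep -qixF "$p" || { echo "$p"; rc=1; }
    done
    return $rc
}

# Stand-alone run against the constructed samples. On a real host, replace the
# two samples with "$(klist -kte /etc/krb5.keytab)" and the ldapsearch output.
check_kvno "$SAMPLE_KEYTAB" "$SAMPLE_LDIF" || :
missing_spns "$SAMPLE_KEYTAB" "$SAMPLE_LDIF" || :
```

As written the sample reports a mismatch (keytab 2, AD 5) and no missing SPN. One practical caveat for a live run: ldapsearch -Y GSSAPI needs a ticket, and kinit -k is exactly what fails once the KVNO is off, so in that state bind with a user account instead (-x -D ... -W) or read msDS-KeyVersionNumber on a domain controller.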
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users