
List:       sssd-users
Subject:    [SSSD-users] SSSD AD login fails in RHEL 6
From:       pavan.kumar21 () wipro ! com
Date:       2017-02-08 6:27:33
Message-ID: 20170208062733.1496.45697 () mailman01 ! phx2 ! fedoraproject ! org

Hi Team,

I am a new member of this group and of course this is my first post. :)

I have configured SSSD manually by updating sssd.conf, smb.conf and krb5.conf. I used
authconfig to update the PAM files and also did it manually.
The system joins the domain but AD user login fails.
While running, sometimes I get the error "Kerberos pre-authentication failed"; sometimes it
is joined without error. But both times AD login fails.


KRB5.CONF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

WIPRO.COM = {
kdc = sss.test.com
admin_server = sss.test.com
}

[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM


SSSD.CONF
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = TEST.COM
#domains = LOCAL
[domain/TETS.COM]
id_provider = ad
access_provider = ad
ldap_schema = ad
override_homedir = /home/%d/%u
ldap_id_mapping = false

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
; entry_cache_nowait_percentage = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5



SMB.CONF
[global]
#--authconfig--start-line--

# Generated by authconfig on 2017/02/07 12:37:55
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = TETS
password server = *
realm = TEST.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false

As part of troubleshooting, I have tried SSSD debug mode etc. The major error message I
get is related to Kerberos. I hope this forum gives me success.

Regards
Pavan
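
Added example, not part of the original post: a consistency check an administrator could run over sssd.conf and krb5.conf files like those above, confirming that every name in `domains` has a `[domain/NAME]` section and that `default_realm` has a block under `[realms]`. The sample input is constructed (modelled on the posted files, with `[sssd]` and `[realms]` headers assumed), the function names are hypothetical, and comparing domain names case-insensitively is a choice of this example.

```python
import configparser
import re

# Constructed sample input modelled on the post (not the poster's real files).
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = TEST.COM

[domain/TETS.COM]
id_provider = ad
"""

KRB5_CONF = """\
[libdefaults]
default_realm = TEST.COM
dns_lookup_kdc = false

[realms]
WIPRO.COM = {
kdc = sss.test.com
}
"""

def undefined_sssd_domains(text):
    """Names listed in [sssd] 'domains' that have no [domain/NAME] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    defined = {s[len("domain/"):].casefold() for s in cp.sections() if s.startswith("domain/")}
    return [d for d in listed if d.casefold() not in defined]

def missing_default_realm(text):
    """Return default_realm if [realms] has no block for it, else None."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    if not m:
        return None
    section = re.search(r"^\[realms\]\s*$(.*?)(?=^\[|\Z)", text, re.M | re.S)
    body = section.group(1) if section else ""
    blocks = set(re.findall(r"^\s*(\S+)\s*=\s*\{", body, re.M))
    return None if m.group(1) in blocks else m.group(1)

if __name__ == "__main__":
    for name in undefined_sssd_domains(SSSD_CONF):
        print(f"sssd.conf: 'domains' lists {name} but no [domain/{name}] section exists")
    realm = missing_default_realm(KRB5_CONF)
    if realm:
        print(f"krb5.conf: default_realm {realm} has no block in [realms]")
```

With `dns_lookup_kdc = false`, the KDC for a realm is taken only from its `[realms]` block, so a `default_realm` without one leaves the client with no KDC to contact.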