[SSSD-users] Re: does sssd support using a Microsoft read-only Domain Controller (RODC)?

2018-04-19 Thread James Ralston 
On Thu, Apr 19, 2018 at 3:12 AM, Sumit Bose  wrote:

> Unfortunately there is a special behavior of the AD provider which
> is not documented in the man page which would use
> MYCLIENT$@EXAMPLE.ORG as default, see below ...

OK…

> >
> > However, this is ambiguous.  Does this mean:
> >
> > host/shorthostname@REALM
> >
> > …or does it mean:
> >
> > host/fqdn@REALM
>
> Whatever you have written in userPrincipalName. With AD you can only get
> a TGT for the principal in userPrincipalName or if this is not set for
> sAMAccountName@AD.REALM (MYCLIENT$@EXAMPLE.ORG in the example above).
> And this is what is needed to authenticate against Active Directory.

Ah; now this makes more sense.

This is almost certainly what was tripping us up.  We were so focused
on getting the "host/fqdn" entries in the exported keytab correct,
because according to the sssd documentation, that's what sssd needed
to authenticate to AD.  But the documentation did not reflect what
sssd was actually doing.

We'll make sure that "kinit -k 'MYCLIENT$'" is working with the
exported keytab.  I'm very confident if that works, then sssd will
work.

As an aside, though…

> let's circle back to the beginning, joining the AD domain.
>
> Was my assumption correct that you used the --user-principal of adcli?
> If yes, is there a reason or were you just trying different options to
> make SSSD work?

Well, we use "net ads join", not adcli, becaues adcli wasn't available
way back when we first started our Linux hosts to AD (5+ years ago!).

But yes, you are correct.  This is how we join our Linux hosts to AD:

$ net -d 1 -k ads join createcomputer=Servers/Linux
createupn=host/${HOSTNAME}@EXAMPLE.ORG

This produces this /etc/krb5.keytab file:

$ klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 
--
   2 host/myclient.example@example.org (des-cbc-crc)
   2 host/mycli...@example.org (des-cbc-crc)
   2 host/myclient.example@example.org (des-cbc-md5)
   2 host/mycli...@example.org (des-cbc-md5)
   2 host/myclient.example@example.org (aes128-cts-hmac-sha1-96)
   2 host/mycli...@example.org (aes128-cts-hmac-sha1-96)
   2 host/myclient.example@example.org (aes256-cts-hmac-sha1-96)
   2 host/mycli...@example.org (aes256-cts-hmac-sha1-96)
   2 host/myclient.example@example.org (arcfour-hmac)
   2 host/mycli...@example.org (arcfour-hmac)
   2 MYCLIENT$@EXAMPLE.ORG (des-cbc-crc)
   2 MYCLIENT$@EXAMPLE.ORG (des-cbc-md5)
   2 MYCLIENT$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   2 MYCLIENT$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 MYCLIENT$@EXAMPLE.ORG (arcfour-hmac)

And in AD, the computer object has a userPrincipalName attribute:

sAMAccountName: MYCLIENT$
dNSHostName: myclient.example.org
userPrincipalName: host/myclient.example@example.org
servicePrincipalName: HOST/myclient.example.org
servicePrincipalName: HOST/MYCLIENT

The presence of the host/myclient.example@example.org
userPrincipalName permits "kinit -k" to work without specifying a
principal, because "kinit -k" defaults to "host/fqdn", and
host/myclient.example.org is a valid principal because of the
userPrincipalName attribute:

$ env KRB5CCNAME=$TMPDIR/test kinit -k; env KRB5CCNAME=$TMPDIR/test klist
Ticket cache: FILE:/tmp/myuser-0ZyB7rKb/test
Default principal: host/myclient.example@example.org

Valid starting   Expires  Service principal
2018-04-19 19:04:53  2018-04-20 19:04:53  krbtgt/example@example.org
renew until 2018-04-26 19:04:53

> If you want to use --user-principal you have to set ldap_sasl_authid
> explicitly in sssd.conf to the same value because the AD provider
> will use a different default.

That isn't our experience.  Our experience is that authenticating
against MYCLIENT$ explicitly also works:

$ env KRB5CCNAME=$TMPDIR/test kinit -k 'MYCLIENT$'; env
KRB5CCNAME=$TMPDIR/test klist
Ticket cache: FILE:/tmp/myuser-0ZyB7rKb/test
Default principal: MYCLIENT$@EXAMPLE.ORG

Valid starting   Expires  Service principal
2018-04-19 19:04:46  2018-04-20 19:04:46  krbtgt/example@example.org
renew until 2018-04-26 19:04:46

So:

> With AD you can only get a TGT for the principal in
> userPrincipalName or if this is not set for sAMAccountName@AD.REALM

To clarify: it's an "OR" condition, not an "XOR" condition.  You can
always get a TGT for the sAMAccountName; if userPrincipalName is set,
then you can also get a TGT for the userPrincipalName.

This is why, when we first starting joining our Linux hosts to AD, we
explicitly set the userPrincipalName to "host/fqdn@REALM" when we
joined: it seemed like the correct thing to do, because it was very
clearly what "kinit -k" was expecting by default.

More simply put, it's a lot easier to script this:

[SSSD-users] Re: does sssd support using a Microsoft read-only Domain Controller (RODC)?

2018-04-18 Thread James Ralston 
On Tue, Apr 17, 2018 at 2:27 AM, Sumit Bose  wrote:

> On Mon, Apr 16, 2018 at 04:28:59PM -0400, James Ralston wrote:
>
> > Has anyone figured out how to make sssd utilize a Microsoft
> > read-only Domain Controller (RODC)?
> >
> > But no matter how we create the computer account object, or how we
> > export the Kerberos keytab, sssd cannot use the resulting keytab
> > file to authenticate to the RODC: when sssd sends the AS-REQ, the
> > RODC always replies with KRB5KDC_ERR_PREAUTH_FAILED.
>
> If 'kinit -k' works, SSSD should work as well.

Thanks; that's good to know.

> Can you send the SSSD logs with debug_level=9, most important would
> be the domain log and the ldap_child.log files.
>
> For comparison it would be good to see the output of
>
> KRB5_TRACE=/dev/stdout kinit -k 
>
> as well.

OK, I will look into that.  (KRB5_TRACE especially seems like it will
be useful; I wasn't aware of that.)

I think part of why we're struggling here is because the behavior of
sssd doesn't seem to match its documentation.

Specifically…

For RWDCs, when I use Samba "net ads join" to create the computer
account in AD and write the /etc/krb5.keytab file, it always creates
multiple entries:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
   2 host/myhost.example@example.org (des-cbc-crc)
   2 host/myhost.example@example.org (des-cbc-md5)
   2 host/myhost.example@example.org (aes128-cts-hmac-sha1-96)
   2 host/myhost.example@example.org (aes256-cts-hmac-sha1-96)
   2 host/myhost.example@example.org (arcfour-hmac)
   2 host/myh...@example.org (des-cbc-crc)
   2 host/myh...@example.org (des-cbc-md5)
   2 host/myh...@example.org (aes128-cts-hmac-sha1-96)
   2 host/myh...@example.org (aes256-cts-hmac-sha1-96)
   2 host/myh...@example.org (arcfour-hmac)
   2 MYHOST$@EXAMPLE.ORG (des-cbc-crc)
   2 MYHOST$@EXAMPLE.ORG (des-cbc-md5)
   2 MYHOST$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   2 MYHOST$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 MYHOST$@EXAMPLE.ORG (arcfour-hmac)

Using "adcli" does much the same thing, but additionally creates
RestrictedKrbHost SPNs:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
   2 MYCLIENT$@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 MYCLIENT$@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   2 MYCLIENT$@EXAMPLE.ORG (des3-cbc-sha1)
   2 MYCLIENT$@EXAMPLE.ORG (arcfour-hmac)
   2 MYCLIENT$@EXAMPLE.ORG (des-cbc-md5)
   2 MYCLIENT$@EXAMPLE.ORG (des-cbc-crc)
   2 host/myclient.example@example.org (aes256-cts-hmac-sha1-96)
   2 host/myclient.example@example.org (aes128-cts-hmac-sha1-96)
   2 host/myclient.example@example.org (des3-cbc-sha1)
   2 host/myclient.example@example.org (arcfour-hmac)
   2 host/myclient.example@example.org (des-cbc-md5)
   2 host/myclient.example@example.org (des-cbc-crc)
   2 host/mycli...@example.org (aes256-cts-hmac-sha1-96)
   2 host/mycli...@example.org (aes128-cts-hmac-sha1-96)
   2 host/mycli...@example.org (des3-cbc-sha1)
   2 host/mycli...@example.org (arcfour-hmac)
   2 host/mycli...@example.org (des-cbc-md5)
   2 host/mycli...@example.org (des-cbc-crc)
   2 RestrictedKrbHost/mycli...@example.org (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/mycli...@example.org (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/mycli...@example.org (des3-cbc-sha1)
   2 RestrictedKrbHost/mycli...@example.org (arcfour-hmac)
   2 RestrictedKrbHost/mycli...@example.org (des-cbc-md5)
   2 RestrictedKrbHost/mycli...@example.org (des-cbc-crc)
   2 RestrictedKrbHost/myclient.example@example.org
(aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/myclient.example@example.org
(aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/myclient.example@example.org (des3-cbc-sha1)
   2 RestrictedKrbHost/myclient.example@example.org (arcfour-hmac)
   2 RestrictedKrbHost/myclient.example@example.org (des-cbc-md5)
   2 RestrictedKrbHost/myclient.example@example.org (des-cbc-crc)

For adcli, this is the corresponding computer object in AD:

sAMAccountName: MYCLIENT$
sAMAccountType: 805306369
dNSHostName: myclient.example.org
userPrincipalName: host/myclient.example@example.org
servicePrincipalName: RestrictedKrbHost/myclient.example.org
servicePrincipalName: RestrictedKrbHost/MYCLIENT
servicePrincipalName: host/myclient.example.org
servicePrincipalName: host/MYCLIENT

If use Samba to join the host to AD, the account is the same, minus
the RestrictedKrbHost SPNs.

According to the sssd-ldap(5) man page, ldap_sasl_authid defaults to:

host/hostname@REALM

However, this is ambiguous.  Does this mean:

host/shorthostname@REALM

…or does it mean:

host/fqdn@REALM

I'm not sure.

But at least for AD, this doesn't seem to be what sssd is doing.  We
don't set ldap_sasl_authid, but for hosts joined to a RWDC with a
keytab like

[SSSD-users] Re: does sssd support using a Microsoft read-only Domain Controller (RODC)?

2018-04-17 Thread Sumit Bose 
On Mon, Apr 16, 2018 at 04:28:59PM -0400, James Ralston wrote:
> Has anyone figured out how to make sssd utilize a Microsoft read-only
> Domain Controller (RODC)?
> 
> The host we want to join to AD is already behind the RODC. So, we are
> trying to "join" the host to the RODC by pre-creating a computer
> account object in AD (via a RWDC), then exporting a Kerberos keytab
> file to install on the client host.
> 
> On the client host, in the /etc/krb5.conf file, we have overridden the
> "kdc" setting for our domain, pointing it to the RODC. In
> /etc/sssd/sssd.conf, we have set "ad_server" for our domain, pointing
> it to the RODC. Using the exported keytab file, we can run "kinit -k"
> successfully.
> 
> But no matter how we create the computer account object, or how we
> export the Kerberos keytab, sssd cannot use the resulting keytab file
> to authenticate to the RODC: when sssd sends the AS-REQ, the RODC
> always replies with KRB5KDC_ERR_PREAUTH_FAILED.
> 
> I'm beginning to suspect that sssd just doesn't work with RODCs: if
> "kinit -k" can successfully authenticate and acquire a service
> principal using the keytab file we exported to the client from the
> RWDC, then why can't sssd successfully use it?

If 'kinit -k' works, SSSD should work as well. Can you send the SSSD
logs with debug_level=9, most important would be the domain log and the
ldap_child.log files.

For comparison it would be good to see the output of

KRB5_TRACE=/dev/stdout kinit -k 

as well.

bye,
Sumit

> 
> Can anyone confirm that you have sssd successfully speaking to a
> Microsoft RODC?
> 
> If so, did you join the client host to a RWDC and then move it behind
> the RODC? Or did you pre-create the machine account on the RWDC and
> export the Kerberos keytab to the client? If the latter, do you have
> the exact net/admod/ktpass commands you used to pre-create the
> computer account and export the keytab in a way that is compatible
> with sssd?
> 
> Thanks in advance for any pointers or advice!
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org