> On 3 Aug 2017, at 10:22, Tristan Bouillon <tristan.bouil...@cheetahdigital.com> wrote:
>
> Thanks for your time guys.
>
> Looking through sssd stuff I almost forgot my main goal was to ssh to a server.
> I did a little test with ssh, server and user in the same domain.
>
> If I do:
> $ ssh server -l tbouillon # It works
> but:
> $ ssh server -l 'tbouil...@example.com' # Permission denied.
>
> From early debug it seems like ssh sees my user like
> tbouil...@example.com@example.com on the second line.
> So I should find a way to make ssh understand this is a domain
> extension OR for child.example.com configure the default domain when
> logging in as example.com
>
I’ve never seen this issue. I don’t think the quotes are needed, and in my environment, this works fine:

ssh localhost -l administra...@win.trust.test
administra...@win.trust.test@localhost's password:
Last login: Mon Aug 7 17:24:19 2017 from ::1
Could not chdir to home directory /home/administra...@win.trust.test: Permission denied
-bash: /home/administra...@win.trust.test/.bash_profile: Permission denied
-bash-4.3$ id
uid=1156200500(administrator) gid=1156200513(domain users) groups=1156200513(domain users),1156200512(domain admins),1156200518(schema admins),1156200519(enterprise admins),1156200520(group policy creator owners),1156200572(denied rodc password replication group) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.3$

What is the output of “id tbouil...@example.com” ?

> On 2 August 2017 at 19:40, Michal Židek <mzi...@redhat.com> wrote:
>> On 08/02/2017 06:01 PM, Tristan Bouillon wrote:
>>>
>>> OK, tried to be clear but looks like I'm not :)
>>> No big deal, let's try again
>>>
>>> Use case
>>> I'm connected to a linux jumpbox (let's say jb.example.com) which is
>>> in domain example.com.
>>> I do: "$ kinit tbouillon" and get a working ticket. I can connect with
>>> user tbouillon via ssh to all servers in example.com domain via SSSD.
>>> Now I have this server which is in child.example.com, and I want to
>>> connect from jb.example.com to server1.child.example.com
>>>
>>> I do tbouil...@jb.example.com $ ssh server1.child.example.com -l
>>> 'tbouil...@example.com'
>>> I get this result: Permission denied
>>> (publickey,gssapi-keyex,gssapi-with-mic).
>>
>> I am not completely sure, but this looks like wrong sshd configuration on
>> the server1.child.example.com. Did you do something with the sshd
>> configuration there? SSH tried to authenticate you using your public
>> key but failed to do so.
>>
>> Sorry, I can not help you with OpenSSH much, but it does not look like
>> you are facing an SSSD issue.
>>
>>> Obviously I expected a shell like: tbouil...@server1.child.example.com
>>>
>>> So the ssh command doesn't work well also when on
>>> server1.child.example.com I get
>>> kinit tbouil...@example.com
>>> Password for tbouil...@example.com:
>>> kinit: KDC reply did not match expectations while getting initial
>>> credentials
>>>
>>> Here is the sssd.conf, sshd.log from server1, sssd.log
>>>
>>> On 2 August 2017 at 16:41, Michal Židek <mzi...@redhat.com> wrote:
>>>>
>>>> Hi Tristan,
>>>>
>>>> I understand your topology from what you wrote, but I still
>>>> do not know what your problem is. See question inline.
>>>>
>>>> On 08/02/2017 03:48 PM, Tristan Bouillon wrote:
>>>>>
>>>>> Hi Michal
>>>>> Thanks for answering
>>>>>
>>>>> For the missing part:
>>>>> OS: CentOS 7.3 with latest updates
>>>>> SSSD: 1.14.0 release 43
>>>>>
>>>>> So, I removed all traces of server1 (which is indeed a linux host)
>>>>> from AD and tried to rejoin with the realm command.
>>>>>
>>>>> Good points:
>>>>> The sssd.conf provided by the realm command was not far from the one I
>>>>> had. I guess my understanding of how sssd and kerberos work together
>>>>> wasn't that bad.
>>>>> It added:
>>>>> realmd_tags = manages-system joined-with-samba
>>>>> ldap_id_mapping = True
>>>>>
>>>>> Now I have the same error basically. Reminder, I want my server in
>>>>> child.example.com but users are in parent domain example.com
>>>>> My server1 has successfully joined domain child.example.com and has a
>>>>> keytab.
>>>>> When trying to connect, sssd successfully finds the multiple AD servers
>>>>> and SSSD ad backend is seen as online.
>>>>>
>>>>> [ad_get_client_site_done] (0x0400): Found forest: example.com
>>>>> [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
>>>>> [fo_add_server_to_list] (0x0400): Inserted primary server 'ff1pdc01.child.example.com:3268' to service 'AD_GC' # Domain controller for child.example.com
>>>>> [fo_add_server_to_list] (0x0400): Inserted primary server 'ff1gdc01.example.com:3268' to service 'AD_GC' # Domain controller for example.com
>>>>>
>>>>> After that I have some successful ldap connections to different AD
>>>>> servers and then it searches for my user. But it looks like the search
>>>>> never goes to domain child.example.com
>>>>> and after that it fails because the user doesn't exist in
>>>>> child.example.com
>>>>
>>>> For what purpose is something searching for your user? Again... please
>>>> tell me what is not working for you. Below you say that 'id' lookup is
>>>> successful, that means SSSD's NSS responder is working. What command is
>>>> not working for you (su, ssh, getent, id, etc.)?
>>>>
>>>> Sorry, I am a simple person :)
>>>>
>>>> Please answer in format:
>>>> I am doing this command: (for example) getent passwd us...@example.com
>>>> (or) ssh localhost -l us...@example.com
>>>> I get this result: ...
>>>> I expected this result: ...
>>>> Here is my sssd.conf:
>>>> Logs from /var/log/sssd/ are in attachment.
>>>>
>>>>>
>>>>> [sdap_save_user] (0x1000): Mapping user [tbouil...@example.com] objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
>>>>> [sdap_save_user] (0x0400): Original memberOf is not available for [tbouil...@example.com].
>>>>> [sdap_save_user] (0x0400): Adding user principal [tbouil...@ccmp.intl] to attributes of [tbouil...@example.com].
>>>>> [sdap_save_user] (0x0400): Storing info for user tbouil...@example.com
>>>>> [sysdb_search_by_name] (0x0400): No such entry
>>>>> [sysdb_store_user] (0x1000): User tbouil...@example.com does not exist.
>>>>>
>>>>> On a classical shell if I do: "$ id user1.example.com" I have a correct
>>>>> answer.
>>>>>
>>>>> On 2 August 2017 at 13:19, Michal Židek <mzi...@redhat.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> You did not mention what SSSD version and what OS you are using.
>>>>>> I have a few questions, see inline.
>>>>>>
>>>>>> On 08/02/2017 10:59 AM, Tristan Bouillon wrote:
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I have this case I'm working on and it's driving me crazy. I try to
>>>>>>> setup something like this:
>>>>>>>
>>>>>>> AD setup is like this with bi-directional approbation:
>>>>>>> - example.com
>>>>>>>   \-- child.example.com
>>>>>>>
>>>>>>> Have users registered in example.com => us...@example.com
>>>>>>> computers are registered in child.example.com =>
>>>>>>> serv...@child.example.com
>>>>>>>
>>>>>>> I want to connect with user1 to server1 with ssh and sssd.
>>>>>>
>>>>>> So, server1 is a Linux host, right? You can add it to the
>>>>>> child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It
>>>>>> will automatically add server1 to the child.example.com
>>>>>> domain (so it did not have to be there before).
>>>>>>
>>>>>>> Before any debug process I want to make sure this is possible because
>>>>>>> I'm running in circles.
>>>>>>>
>>>>>>> When setting up sssd and krb5 confs with child.example.com:
>>>>>>
>>>>>> IF you set up SSSD manually there is a lot of room for errors,
>>>>>> I recommend using realm join and then just tweak the sssd.conf
>>>>>> in case something does not work the way you want.
>>>>>>
>>>>>>> -- sssd nss says: example.com is created as a subdomain of
>>>>>>> child.example.com
>>>>>>
>>>>>> This is OK.
>>>>>> The 'subdomain' may be a little bit confusing, because this
>>>>>> refers to an internal C code structure that represents a trusted domain,
>>>>>> not an actual subdomain in the DNS sense. IIRC we changed the message
>>>>>> recently to be less confusing.
>>>>>>
>>>>>>> -- but AD backend is online for child.example.com and I can query it
>>>>>>
>>>>>> You mean SSSD AD backend is running on the Linux host server1, right?
>>>>>>
>>>>>>> -- the query for us...@example.com works great but the AD server in
>>>>>>> child.example.com does not know the user and can't query his master AD
>>>>>>> server.
>>>>>>
>>>>>> I do not understand what you mean here. So, on the Linux host (server1),
>>>>>> if you query the us...@example.com, user info is returned. So what
>>>>>> operation on the Linux host is not working? (getent, su, ssh ... copy
>>>>>> paste the problematic commands and see our troubleshooting page).
>>>>>>
>>>>>>> When setting up sssd and krb5 confs with example.com
>>>>>>
>>>>>> Again, realm join should set up everything for you. If you join the
>>>>>> EXAMPLE.COM realm then the server1 host will be added to the example.com
>>>>>> domain (you said you wanted them in the child.example.com, so I am
>>>>>> not sure if this is what you want to do, but you can try it if it works
>>>>>> for you).
>>>>>>
>>>>>>> -- it attempts kinit with host/server1.child.example.com and fails
>>>>>>> to get a tgt. AD is set to offline and it cannot query it.
>>>>>>>
>>>>>>> When trying to mix up these solutions I find something similar to the
>>>>>>> cases above.
>>>>>>> If it is possible can someone point me towards the configuration I'm
>>>>>>> supposed to make.
>>>>>>
>>>>>> Try using the realm join command from the Linux host to avoid hand
>>>>>> crafting the configuration.
>>>>>> Note that the AD domain controller for
>>>>>> the domain you are joining must be DNS resolvable from the Linux
>>>>>> host.
>>>>>>
>>>>>>> Don't know if it's the place, but GG for the debugging options provided
>>>>>>> with SSSD, it is clear and powerful.
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
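Added example, not part of the thread and not SSSD's own code: a small model of the name-qualification step that Tristan's debug output points at, where "ssh -l tbouillon@example.com" showed up as "tbouillon@example.com@example.com". It contrasts a naive qualifier that always appends a default domain with one that appends it only to unqualified names, and classifies a login name against the two domains seen in the forest discovery log (example.com, child.example.com). The function names, the regular expression and the default-domain rule are assumptions for illustration; SSSD's real parsing is controlled by its own configuration (for instance re_expression and default_domain_suffix in sssd.conf) and may differ.

```python
import re
from typing import NamedTuple, Optional, FrozenSet

# Constructed pattern for this example: "user" or "user@domain", exactly one '@' at most.
# SSSD's real behaviour is governed by its re_expression option, not by this regex.
_NAME_RE = re.compile(r"^(?P<user>[^@\s]+)(?:@(?P<domain>[^@\s]+))?$")

# Domains visible in the forest discovery lines quoted in the thread (constructed set).
KNOWN_DOMAINS: FrozenSet[str] = frozenset({"example.com", "child.example.com"})


class Principal(NamedTuple):
    user: str
    domain: Optional[str]


def parse_login(login: str) -> Principal:
    """Split a login name into (user, domain).

    Raises ValueError for names with more than one '@', which is the
    double-qualified shape seen in the debug output."""
    m = _NAME_RE.match(login)
    if not m:
        raise ValueError(f"malformed login name: {login!r}")
    return Principal(m.group("user"), m.group("domain"))


def qualify_naive(login: str, default_domain: str) -> str:
    """Buggy variant (hypothetical): appends the default domain unconditionally,
    so an already-qualified name ends up with two suffixes."""
    return f"{login}@{default_domain}"


def qualify(login: str, default_domain: str) -> str:
    """Append the default domain only when the login carries no domain part."""
    p = parse_login(login)
    return login if p.domain else f"{p.user}@{default_domain}"


def diagnose(login: str, known: FrozenSet[str] = KNOWN_DOMAINS) -> str:
    """Classify a login name the way a troubleshooter reading 'Permission denied'
    after 'ssh -l user@domain' would: is it unqualified, qualified for a known
    domain, qualified for an unknown domain, or double-qualified?"""
    if login.count("@") > 1:
        return "double-qualified"
    p = parse_login(login)
    if p.domain is None:
        return "unqualified"
    return "qualified-known" if p.domain in known else "qualified-unknown"


if __name__ == "__main__":
    for name in ("tbouillon", "tbouillon@example.com",
                 "tbouillon@example.com@example.com", "tbouillon@other.test"):
        print(f"{name:40} {diagnose(name)}")
    print(qualify_naive("tbouillon@example.com", "example.com"))  # the broken shape
    print(qualify("tbouillon@example.com", "example.com"))        # unchanged
```

The practical use is as a reading aid: if the name reaching the authentication layer is in the double-qualified class, the suffix was added to a name that already had one, and the fix belongs in whichever component appended it rather than in the user's account.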