> On 7 Aug 2017, at 18:00, Tristan Bouillon
> <tristan.bouil...@cheetahdigital.com> wrote:
>
> I progressed a bit on that issue.
>
> I am able to ssh to server on the same domain as my user, as I always
> could without password with kerberos.
> kinit tbouillon
> ssh myser...@example.com # works
>
> I am able to connect to my server in child.domain.com with fully
> qualified domain user. Which is normal, otherwise sssd tries to resolve
> it as tbouil...@child.example.com
> so:
> ssh myserver.child.example.com -l tbouil...@example.com # also works
> BUT I must enter my AD password. My kerberos ticket is not recognized.
> I haven't pushed too far on krb5 conf
>
My first guess would be — check your domain-to-realm mappings in Kerberos. Sssd also generates them into /var/lib/sss/pubconf/krb5.include.d, but there was an issue in realmd (I think?) where the include directory was not included from krb5.conf so libkrb5 wasn’t reading the mappings at all.

> So I guess sssd works pretty well.
> To answer Jakub's question:
> id tbouil...@example.com now returns AD groups so this works as well.
>
> Maybe I'll try to give a quick look to use only short names in my
> trusted domains. I think I saw something on that, domain resolution
> order, but this is in the next sssd version.
>
> On 7 August 2017 at 17:25, Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>> On 3 Aug 2017, at 10:22, Tristan Bouillon
>> <tristan.bouil...@cheetahdigital.com> wrote:
>>
>> Thanks for your time guys.
>>
>> Looking through sssd stuff I almost forgot my main goal was to ssh to a
>> server.
>> I did a little test with ssh, server and user in the same domain.
>>
>> If I do:
>> $ ssh server -l tbouillon # It works
>> but:
>> $ ssh server -l 'tbouil...@example.com' # Permission denied.
>>
>> From early debug it seems like ssh sees my user like
>> tbouil...@example.com@example.com on the second line.
>> So I should find a way to make ssh understand this is a domain
>> extension OR for child.example.com configure the default domain when
>> logging in as example.com
>>
>>
>> I’ve never seen this issue.
>> I don’t think the quotes are needed, and in my
>> environment, this works fine:
>> ssh localhost -l administra...@win.trust.test
>> administra...@win.trust.test@localhost's password:
>> Last login: Mon Aug 7 17:24:19 2017 from ::1
>> Could not chdir to home directory /home/administra...@win.trust.test:
>> Permission denied
>> -bash: /home/administra...@win.trust.test/.bash_profile: Permission denied
>> -bash-4.3$ id
>> uid=1156200500(administrator) gid=1156200513(domain users)
>> groups=1156200513(domain users),1156200512(domain admins),1156200518(schema
>> admins),1156200519(enterprise admins),1156200520(group policy creator
>> owners),1156200572(denied rodc password replication group)
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> -bash-4.3$
>>
>> What is the output of “id tbouil...@example.com” ?
>>
>> On 2 August 2017 at 19:40, Michal Židek <mzi...@redhat.com> wrote:
>>
>> On 08/02/2017 06:01 PM, Tristan Bouillon wrote:
>>
>>
>> OK, tried to be clear but looks like I'm not :)
>> No big deal, let's try again
>>
>> Use case
>> I'm connected to a linux jumpbox (let's say jb.example.com) which is
>> in domain example.com.
>> I do: "$ kinit tbouillon" and get a working ticket. I can connect with
>> user tbouillon via ssh to all servers in example.com domain via SSSD.
>> Now I have this server which is in child.example.com, and I want to
>> connect from jb.example.com to server1.child.example.com
>>
>> I do tbouil...@jb.example.com $ ssh server1.child.example.com -l
>> 'tbouil...@example.com'
>> I get this result: Permission denied
>> (publickey,gssapi-keyex,gssapi-with-mic).
>>
>>
>> I am not completely sure, but this looks like wrong sshd configuration on
>> the server1.child.example.com. Did you do something with the sshd
>> configuration there? SSH tried to authenticate you using your public
>> key but failed to do so.
>>
>> Sorry, I can not help you with OpenSSH much, but it does not look like
>> you are facing an SSSD issue.
>>
>>
>> Obviously I expected a shell like: tbouil...@server1.child.example.com
>>
>> So the ssh command doesn't work well; also when on
>> server1.child.example.com I get
>> kinit tbouil...@example.com
>> Password for tbouil...@example.com:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
>> Here is the sssd.conf, sshd.log from server1, sssd.log
>>
>> On 2 August 2017 at 16:41, Michal Židek <mzi...@redhat.com> wrote:
>>
>>
>> Hi Tristan,
>>
>> I understand your topology from what you wrote, but I still
>> do not know what your problem is. See question inline.
>>
>>
>> On 08/02/2017 03:48 PM, Tristan Bouillon wrote:
>>
>>
>> Hi Michal
>> Thanks for answering
>>
>> For the missing part:
>> OS: Centos 7.3 with latest updates
>> SSSD: 1.14.0 release 43
>>
>> So, I removed all traces of server1 (which is indeed a linux host)
>> from AD and tried to rejoin with the realm command.
>>
>> Good points:
>> The sssd.conf provided by the realm command was not far from the one I
>> had. I guess my understanding of how sssd and kerberos work together
>> wasn't that bad.
>> it added:
>> realmd_tags = manages-system joined-with-samba
>> ldap_id_mapping = True
>>
>> Now I have the same error basically. Reminder, I want my server in
>> child.example.com but users are in parent domain example.com
>> My server1 has successfully joined domain child.example.com and has a
>> keytab
>> when trying to connect sssd successfully finds the multiple AD servers
>> and SSSD ad backend is seen as online.
>>
>> [ad_get_client_site_done] (0x0400): Found forest: example.com
>> [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup
>> servers
>> [fo_add_server_to_list] (0x0400): Inserted primary server
>> 'ff1pdc01.child.example.com:3268' to service 'AD_GC' # Domain
>> controller for child.example.com
>> [fo_add_server_to_list] (0x0400): Inserted primary server
>> 'ff1gdc01.example.com:3268' to service 'AD_GC' # Domain
>> controller for example.com
>>
>> After that I have some successful ldap connections to different AD
>> servers and then it searches for my user. But it looks like the search
>> never goes to domain child.example.com
>> and after that it fails because the user doesn't exist in
>> child.example.com
>>
>>
>> For what purpose is something searching for your user? Again... please
>> tell me what is not working for you. Below you say that 'id' lookup is
>> successful, that means SSSD's NSS responder is working. What command is
>> not working for you (su, ssh, getent, id, etc.)?
>>
>> Sorry, I am a simple person :)
>>
>> Please answer in format:
>> I am doing this command: (for example) getent passwd us...@example.com
>> (or) ssh localhost -l us...@example.com
>> I get this result: ...
>> I expected this result: ...
>> Here is my sssd.conf:
>> Logs from /var/log/sssd/ are in attachment.
>>
>>
>> [sdap_save_user] (0x1000): Mapping user [tbouil...@example.com]
>> objectSID [S-1-5-21-481120694-805105173-3562786754-5671] to unix ID
>> [sdap_save_user] (0x0400): Original memberOf is not available for
>> [tbouil...@example.com].
>> [sdap_save_user] (0x0400): Adding user principal [tbouil...@ccmp.intl]
>> to attributes of [tbouil...@example.com].
>> [sdap_save_user] (0x0400): Storing info for user tbouil...@example.com
>> [sysdb_search_by_name] (0x0400): No such entry
>> [sysdb_store_user] (0x1000): User tbouil...@example.com does not exist.
>>
>> On a classical shell if I do: "$ id user1.example.com" I have a correct
>> answer.
>>
>> On 2 August 2017 at 13:19, Michal Židek <mzi...@redhat.com> wrote:
>>
>>
>> Hi,
>>
>> You did not mention what SSSD version and what OS you are using.
>> I have a few questions, see inline.
>>
>> On 08/02/2017 10:59 AM, Tristan Bouillon wrote:
>>
>>
>> Hi
>>
>> I have this case I'm working on and it's driving me crazy. I try to
>> set up something like this:
>>
>> AD setup is like this with bi-directional approbation:
>> - example.com
>> \-- child.example.com
>>
>> Have users registered in example.com => us...@example.com
>> computers are registered in child.example.com =>
>> serv...@child.example.com
>>
>> I want to connect with user1 to server1 with ssh and sssd.
>>
>>
>> So, server1 is a Linux host, right? You can add it to the
>> child.example.com domain using 'realm join CHILD.EXAMPLE.COM'. It
>> will automatically add server1 to the child.example.com
>> domain (so it did not have to be there before).
>>
>> Before any debug process I want to make sure this is possible because
>> I'm running in circles.
>>
>> When setting up sssd and krb5 confs with child.example.com:
>>
>>
>> IF you set up SSSD manually there is a lot of room for errors,
>> I recommend using realm join and then just tweak the sssd.conf
>> in case something does not work the way you want.
>>
>> -- sssd nss says: example.com is created as a subdomain of
>> child.example.com
>>
>>
>> This is OK. The 'subdomain' may be a little bit confusing, because this
>> refers to an internal C code structure that represents a trusted
>> domain,
>> not an actual subdomain in the DNS sense. IIRC we changed the message
>> recently to be less confusing.
>>
>> -- but AD backend is online for child.example.com and I can query it
>>
>>
>> You mean SSSD AD backend is running on the Linux host server1, right?
>>
>> -- the query for us...@example.com works great but the AD server in
>> child.example.com does not know the user and can't query his master AD
>> server.
>>
>>
>> I do not understand what you mean here. So, on the Linux host
>> (server1),
>> if you query the us...@example.com, user info is returned. So what
>> operation on the Linux host is not working? (getent, su, ssh ... copy
>> paste the problematic commands and see our troubleshooting page).
>>
>>
>> When setting up sssd and krb5 confs with example.com
>>
>>
>> Again, realm join should set up everything for you. If you join the
>> EXAMPLE.COM realm then the server1 host will be added to the
>> example.com
>> domain (you said you wanted them in the child.example.com, so I am
>> not sure if this is what you want to do, but you can try it if it works
>> for you).
>>
>> -- it attempts kinit with host/server1.child.example.com and fails
>> to get a tgt. AD is set to offline and it cannot query it.
>>
>> When trying to mix up these solutions I find something similar to the
>> cases above.
>> If it is possible can someone point me towards the configuration I'm
>> supposed to make.
>>
>>
>> Try using the realm join command from the Linux host to avoid hand
>> crafting the configuration. Note that the AD domain controller for
>> the domain you are joining to must be DNS resolvable from the Linux
>> host.
>>
>>
>> Don't know if it's the place but GG for the debugging options provided
>> with SSSD, it is clear and powerful.
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> sssd-users-le...@lists.fedorahosted.org
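An added example (mine, not code from the thread, SSSD or realmd) of the check the reply suggests: it parses a constructed krb5.conf, follows its includedir into a constructed mapping file under the real SSSD pubconf path, and resolves hostnames with libkrb5's [domain_realm] lookup order. The paths /etc/krb5.conf and /var/lib/sss/pubconf/krb5.include.d are the real defaults; every file's contents, and the ".broken" variant, are made up for the illustration.

```python
# Models the check in the reply above: does krb5.conf include the [domain_realm]
# mappings SSSD writes under /var/lib/sss/pubconf/krb5.include.d, and which realm
# does libkrb5's lookup order (exact host, then parent domains with a leading dot)
# give for a host? Added example; file contents are constructed, not real files.
SSSD_INCLUDE_DIR = "/var/lib/sss/pubconf/krb5.include.d"
# Constructed stand-in for the filesystem: path -> file contents.
FILES = {
    # krb5.conf lacking the includedir line (the realmd issue mentioned above)
    "/etc/krb5.conf.broken": "[libdefaults]\n default_realm = CHILD.EXAMPLE.COM\n",
    "/etc/krb5.conf": (
        "includedir /var/lib/sss/pubconf/krb5.include.d/\n"
        "[libdefaults]\n default_realm = CHILD.EXAMPLE.COM\n"
    ),
    # Mappings as SSSD would write them for a host joined to child.example.com
    # with a trust to example.com (constructed, not captured SSSD output).
    SSSD_INCLUDE_DIR + "/domain_realm_child_example_com": (
        "[domain_realm]\n"
        " .child.example.com = CHILD.EXAMPLE.COM\n child.example.com = CHILD.EXAMPLE.COM\n"
        " .example.com = EXAMPLE.COM\n example.com = EXAMPLE.COM\n"
    ),
}

def load_domain_realm(path, files=FILES):
    """Collect {domain: REALM} from a krb5.conf and any includedir it names."""
    mapping, section = {}, None
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if line.startswith("includedir "):
            incdir = line.split(None, 1)[1].rstrip("/")
            for sub in sorted(files):          # every file in that directory
                if sub.startswith(incdir + "/"):
                    mapping.update(load_domain_realm(sub, files))
        elif line.startswith("["):
            section = line.strip("[]")
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(host, mapping):
    """MIT order: exact hostname first, then each parent domain, longest first."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None  # no explicit mapping; libkrb5 falls back to its own heuristics
```

With the includedir present, server1.child.example.com maps to CHILD.EXAMPLE.COM and jb.example.com to EXAMPLE.COM; with the ".broken" config no mapping is found at all, which is the situation the reply describes.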