On Wed, Oct 25, 2017 at 03:43:14PM +0200, Jeremy Monnet wrote: > Hi, > > On Tue, Oct 24, 2017 at 10:03 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > > > > > On these 2 servers, authentication works for testu...@sub1.example.com. > > I > > > can authenticate with my_u...@example.com on the ubuntu 14 with sssd > > > 1.11.But I cannot authenticate with my_u...@example.com on the ubuntu 16 > > > with sssd 1.13. > > > > This is quite a new version, which already supports discovering trusted > > domains in the same forest, so defining the root domain (example.com) > > shouldn't be even required. The subdomain provider (which defaults to "ad", > > same as the id_provider's value) should discover example.com on its own. > > > > Hum, not quite : > > root@<servername>:~# id my_user > uid=10000(my_user) gid=10001(ggs_admin_linux) > groups=10001(ggs_admin_linux),10006(ggs_sa > mba_logs),10002(ggs_samba_users) > root@<servername>:~# id test_user > uid=11400(test_user) gid=11400(test_group) groups=11400(test_group) > > In between, I comment the main domain > root@<servername>:~# grep -v "^$\|^#" /etc/sssd/sssd.conf > [sssd] > config_file_version = 2 > debug_level =0 > domains = sub1.example.com > services = nss, pam > [domain/sub1.example.com] > dns_discovery_domain = cy2._sites.sub1.example.com > ad_server = ad1.sub1.example.com,ad2.sub1.example.com > debug_level = 7 > id_provider = ad > access_provider = ad > ldap_id_mapping = false > > > root@<servername>:~# id my_user > id: ‘my_user’: no such user > root@<servername>:~# id test_user > uid=11400(test_user) gid=11400(test_group) groups=11400(test_group) > root@<servername>:~# id my_u...@example.com > uid=10000(my_u...@example.com) gid=10001 groups=10001 > > my_user (without domain specification) is not found as it does not belong > to the subdomain, and the groups are not resolved to their names anymore. > It is possible (I am no expert on that matter) that without posix > attributes it would be easier, as it would search through the domain for > SID's... > > > > > > (Actually, with your setup, I would even think the explicitly defined > > example.com domain is ignored at sssd would query the autodiscovered > > subdomain of sub1.example.com if you ask it for any entry from example.com > > ) > > > > Well it seems it is not ignored :-) > > > > > > > > It's easier to use: > > ad_site = cy2 > > with a recent version. But I guess this won't work with 1.11.. > > > > I take note for when we will be only with recent OS's ;-) > > > > > > > debug_level = 7 > > > id_provider = ad > > > access_provider = ad > > > ldap_id_mapping = false > > > > > > I have played with ad_hostname, ldap_sasl_authid, ldap_sasl_realm with > > > little succes (I am not even sure ldap_sasl_* variables are useful with > > > id_provider =ad...) > > > > > > There is only one tiny difference I see in the SPN's : my ubuntu 16 is > > the > > > only of my servers that has a host/SERVERNAME SPN, all the others have > > > HOST/SERVERNAME (Capital HOST). I cannot not understand though why that > > > would allow the auth to the subdomain but not to the main, but I know > > > kerberos is very sensible to the case, so just in case. And anyway, that > > is > > > coherent with the keytab. > > > > First, sssd should not select the host/hostname principal to connect to > > AD LDAP, but it should use the SHORTNAME$@REALM principal. You can search > > for messages from "select_principal_from_keytab" to see what principal did > > SSSD match, for example this is how my setup looks like: > > > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [sdap_set_sasl_options] (0x0100): Will look for > > adclient.win.trust.t...@win.trust.test > > in default keytab > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [select_principal_from_keytab] (0x0200): trying to select the most > > appropriate principal from keytab > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [find_principal_in_keytab] (0x4000): Trying to find principal > > adclient.win.trust.t...@win.trust.test in keytab. > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [find_principal_in_keytab] (0x0400): No principal matching > > adclient.win.trust.t...@win.trust.test found in keytab. > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [find_principal_in_keytab] (0x4000): Trying to find principal > > ADCLIENT$@WIN.TRUST.TEST in keytab. > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [match_principal] > > (0x1000): Principal matched to the sample (ADCLIENT$@WIN.TRUST.TEST). > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [select_principal_from_keytab] (0x0200): Selected primary: ADCLIENT$ > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [select_principal_from_keytab] (0x0200): Selected realm: WIN.TRUST.TEST > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to ADCLIENT$ > > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] > > [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to > > WIN.TRUST.TEST > > > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [select_principal_from_keytab] (0x0200): trying to > select the most appropriate principal from keytab > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected > primary: SERVERNAME$ > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected > realm: SUB1.EXAMPLE.COM > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [select_principal_from_keytab] (0x0200): trying to > select the most appropriate principal from keytab > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected > primary: SERVERNAME$ > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected > realm: SUB1.EXAMPLE.COM > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): trying to select the most > appropriate principal from keytab > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): trying to select the most > appropriate principal from keytab > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): trying to select the most > appropriate principal from keytab > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME > sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]] > [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM > > > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [match_principal] (0x1000): Principal matched to the > sample (SERVERNAME$@SUB1.EXAMPLE.COM). > sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[ > sub1.example.com]]] [match_principal] (0x1000): Principal matched to the > sample (SERVERNAME$@SUB1.EXAMPLE.COM).
OK, here the principal matched to what I'd expect. > sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]] > [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@ > SUB1.EXAMPLE.COM). > sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]] > [match_principal] (0x1000): Principal matched to the sample (host/*@(null)). > sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]] > [match_principal] (0x1000): Principal matched to the sample (host/*@(null)). > sssd_example.com.log.1:(Mon Oct 23 14:41:10 2017) [sssd[be[example.com]]] > [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@ > SUB1.EXAMPLE.COM). > sssd_example.com.log.1:(Mon Oct 23 14:41:10 2017) [sssd[be[example.com]]] > [match_principal] (0x1000): Principal matched to the sample (host/*@(null)). But here to a different pattern and I don't think the host/ principal will work with AD. Can you try adding: ldap_sasl_authid = SERVERNAME$@SUB1.EXAMPLE.COM to the example.com section? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org