On Wed, Oct 25, 2017 at 03:43:14PM +0200, Jeremy Monnet wrote:
> Hi,
> 
> On Tue, Oct 24, 2017 at 10:03 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> 
> > >
> > > On these 2 servers, authentication works for testu...@sub1.example.com.
> > I
> > > can authenticate with my_u...@example.com on the ubuntu 14 with sssd
> > > 1.11.But I cannot authenticate with my_u...@example.com on the ubuntu 16
> > > with sssd 1.13.
> >
> > This is quite a new version, which already supports discovering trusted
> > domains in the same forest, so defining the root domain (example.com)
> > shouldn't be even required. The subdomain provider (which defaults to "ad",
> > same as the id_provider's value) should discover example.com on its own.
> >
> 
> Hum, not quite :
> 
> root@<servername>:~# id my_user
> uid=10000(my_user) gid=10001(ggs_admin_linux)
> groups=10001(ggs_admin_linux),10006(ggs_sa
> mba_logs),10002(ggs_samba_users)
> root@<servername>:~# id test_user
> uid=11400(test_user) gid=11400(test_group) groups=11400(test_group)
> 
> In between, I comment the main domain
> root@<servername>:~# grep -v "^$\|^#" /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> debug_level =0
> domains = sub1.example.com
> services = nss, pam
> [domain/sub1.example.com]
> dns_discovery_domain = cy2._sites.sub1.example.com
> ad_server = ad1.sub1.example.com,ad2.sub1.example.com
> debug_level = 7
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
> 
> 
> root@<servername>:~# id my_user
> id: ‘my_user’: no such user
> root@<servername>:~# id test_user
> uid=11400(test_user) gid=11400(test_group) groups=11400(test_group)
> root@<servername>:~# id my_u...@example.com
> uid=10000(my_u...@example.com) gid=10001 groups=10001
> 
> my_user (without domain specification) is not found as it does not belong
> to the subdomain, and the groups are not resolved to their names anymore.
> It is possible (I am no expert on that matter) that without posix
> attributes it would be easier, as it would search through the domain for
> SID's...
> 
> 
> >
> > (Actually, with your setup, I would even think the explicitly defined
> > example.com domain is ignored at sssd would query the autodiscovered
> > subdomain of sub1.example.com if you ask it for any entry from example.com
> > )
> >
> 
> Well it seems it is not ignored :-)
> 
> 
> >
> >
> > It's easier to use:
> >         ad_site = cy2
> > with a recent version. But I guess this won't work with 1.11..
> >
> 
> I take note for when we will be only with recent OS's ;-)
> 
> 
> >
> > > debug_level = 7
> > > id_provider = ad
> > > access_provider = ad
> > > ldap_id_mapping = false
> > >
> > > I have played with ad_hostname, ldap_sasl_authid, ldap_sasl_realm with
> > > little succes (I am not even sure ldap_sasl_* variables are useful with
> > > id_provider =ad...)
> > >
> > > There is only one tiny difference I see in the SPN's : my ubuntu 16 is
> > the
> > > only of my servers that has a host/SERVERNAME SPN, all the others have
> > > HOST/SERVERNAME (Capital HOST). I cannot not understand though why that
> > > would allow the auth to the subdomain but not to the main, but I know
> > > kerberos is very sensible to the case, so just in case. And anyway, that
> > is
> > > coherent with the keytab.
> >
> > First, sssd should not select the host/hostname principal to connect to
> > AD LDAP, but it should use the SHORTNAME$@REALM principal. You can search
> > for messages from "select_principal_from_keytab" to see what principal did
> > SSSD match, for example this is how my setup looks like:
> >
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [sdap_set_sasl_options] (0x0100): Will look for 
> > adclient.win.trust.t...@win.trust.test
> > in default keytab
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [select_principal_from_keytab] (0x0200): trying to select the most
> > appropriate principal from keytab
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [find_principal_in_keytab] (0x4000): Trying to find principal
> > adclient.win.trust.t...@win.trust.test in keytab.
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [find_principal_in_keytab] (0x0400): No principal matching
> > adclient.win.trust.t...@win.trust.test found in keytab.
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [find_principal_in_keytab] (0x4000): Trying to find principal
> > ADCLIENT$@WIN.TRUST.TEST in keytab.
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [match_principal]
> > (0x1000): Principal matched to the sample (ADCLIENT$@WIN.TRUST.TEST).
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [select_principal_from_keytab] (0x0200): Selected primary: ADCLIENT$
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [select_principal_from_keytab] (0x0200): Selected realm: WIN.TRUST.TEST
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to ADCLIENT$
> > (Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]]
> > [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to
> > WIN.TRUST.TEST
> 
> 
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [select_principal_from_keytab] (0x0200): trying to
> select the most appropriate principal from keytab
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected
> primary: SERVERNAME$
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected
> realm: SUB1.EXAMPLE.COM
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [select_principal_from_keytab] (0x0200): trying to
> select the most appropriate principal from keytab
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected
> primary: SERVERNAME$
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [select_principal_from_keytab] (0x0200): Selected
> realm: SUB1.EXAMPLE.COM
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): trying to select the most
> appropriate principal from keytab
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): trying to select the most
> appropriate principal from keytab
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): trying to select the most
> appropriate principal from keytab
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): Selected primary: host/SERVERNAME
> sssd_example.com.log.1:(Mon Oct 23 18:17:09 2017) [sssd[be[example.com]]]
> [select_principal_from_keytab] (0x0200): Selected realm: SUB1.EXAMPLE.COM
> 
> 
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [match_principal] (0x1000): Principal matched to the
> sample (SERVERNAME$@SUB1.EXAMPLE.COM).
> sssd_sub1.example.com.log:(Wed Oct 25 15:06:40 2017) [sssd[be[
> sub1.example.com]]] [match_principal] (0x1000): Principal matched to the
> sample (SERVERNAME$@SUB1.EXAMPLE.COM).

OK, here the principal matched to what I'd expect.

> sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]]
> [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@
> SUB1.EXAMPLE.COM).
> sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]]
> [match_principal] (0x1000): Principal matched to the sample (host/*@(null)).
> sssd_example.com.log.1:(Mon Oct 23 09:37:28 2017) [sssd[be[example.com]]]
> [match_principal] (0x1000): Principal matched to the sample (host/*@(null)).
> sssd_example.com.log.1:(Mon Oct 23 14:41:10 2017) [sssd[be[example.com]]]
> [match_principal] (0x1000): Principal matched to the sample (SERVERNAME$@
> SUB1.EXAMPLE.COM).
> sssd_example.com.log.1:(Mon Oct 23 14:41:10 2017) [sssd[be[example.com]]]
> [match_principal] (0x1000): Principal matched to the sample (host/*@(null)).

But here to a different pattern and I don't think the host/ principal will work
with AD.

Can you try adding:
    ldap_sasl_authid = SERVERNAME$@SUB1.EXAMPLE.COM
to the example.com section?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

Reply via email to