I am trying to integrate my CentOS 6.6 servers into Active Directory. I've followed this guide from Red Hat using configuration 3 (SSSD/Kerberos/LDAP). When using a Windows Server 2008 R2 server as the domain controller w/ IMU enabled, everything works perfectly.
However, when I use a Windows Server 2012 R2 server w/ IMU enabled, I am able to acquire a Kerberos ticket, join the domain and search LDAP, but as soon as I try to log in as an AD user from the console, I get this error message in /var/log/messages:
Jun 6 11:12:30 test [sssd[krb5_child[4760]]]: Preauthentication failed
And /var/log/secure shows these error messages:
Jun 6 11:12:15 test login: pam_sss(login:auth): received for user aduser@domain.local: 17 (Failure setting user credentials)
Jun 6 11:12:17 test login: FAILED LOGIN 1 FROM (null) FOR aduser@domain.local, Authentication failure
Using `getent passwd aduser` or `getent group linuxgroup` returns successfully.
I've tried with this sssd.conf file:
```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = domain.local
debug_level = 5

[domain/domain.local]
id_provider = ad
auth_provider = ad
ad_server = dc.domain.local
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
cache_credentials = false
ldap_id_mapping = false
```
Then I read this bug report. So, I changed my sssd.conf file to this:
```ini
[sssd]
config_file_version = 2
reconnection_retries = 2
services = nss,pam
debug_level = 5
domains = domain.local

[nss]
debug_level = 5

[pam]
debug_level = 5

[domain/domain.local]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
debug_level = 5
ldap_uri = ldap://dc.domain.local/
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_user_search_base = dc=domain,dc=local
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = dc=domain,dc=local
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_referrals = false
krb5_server = dc.domain.local
krb5_realm = DOMAIN.LOCAL
krb5_canonicalize = false
enumerate = false
cache_credentials = false
```
I've cleared my SSSD cache and restarted the service. Yet I am unable to log in.
I am getting this error now in /var/log/messages:
Jun 6 11:21:43 test [sssd[krb5_child[1546]]]: Permission denied
I'm seeing this error in /var/log/sssd/krb5_child.log:
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal aduser@DOMAIN.LOCAL in cache collection]
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [create_ccache] (0x0020): 575: [13][Permission denied]
Now, this is where it gets strange. As root, if I `su` to any AD domain user it actually works and the home directory is auto-created. I am about to concede defeat and just stick with the 2k8 DC.
Best Answer
I cannot give a more qualified answer without seeing the `sssd` debug logs, but the bug report you're referring to only had performance implications, not functional. The reason you're able to `su` to the account from `root` is that the PAM stack normally includes the `pam_rootok.so` module that bypasses authentication with `pam_sss`. Given the auth from `root` works, we at least know that retrieving identity information works, but not auth.

I would recommend adding more information to this question either here or on the sssd-users list. Most importantly, `sssd` debug logs with a high `debug_level` from the domain section and the `krb5_child.log`.

Please find more information in the troubleshooting document on the SSSD wiki.
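To act on the answer's advice of reading `krb5_child.log`, here is an added example (not from the question, the answer, or the SSSD project) that parses the two log lines quoted in the question: it decodes the SSSD debug-level mask, extracts the bracketed error code from each message, and names the errno for small positive codes (the `[13]` above is `EACCES`). The log format is taken from the lines quoted above and the level bit masks from sssd.conf(5); the short names attached to those bits are my own labelling.

```python
import re
import errno

# Constructed sample: the two krb5_child.log lines quoted in the question.
SAMPLE_LOG = """\
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal aduser@DOMAIN.LOCAL in cache collection]
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [create_ccache] (0x0020): 575: [13][Permission denied]
"""

# SSSD debug-level bit masks as documented in sssd.conf(5); names are my own short labels.
LEVEL_NAMES = {
    0x0010: "fatal",
    0x0020: "critical failure",
    0x0040: "serious failure",
    0x0080: "minor failure",
    0x0100: "config",
    0x0200: "function data",
    0x0400: "operation trace",
    0x1000: "internal trace",
    0x2000: "internal trace with data",
    0x4000: "low-level trace",
}

# (timestamp) [[sssd[process[pid]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[(?P<proc>\w+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# krb5_child reports results as a trailing "[code][text]" pair.
ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]\s*$")

def parse_line(line):
    """Parse one krb5_child.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["level_name"] = LEVEL_NAMES.get(rec["level"], "unknown")
    e = ERR_RE.search(rec["msg"])
    rec["code"] = int(e["code"]) if e else None
    rec["errtext"] = e["text"] if e else None
    # Small positive codes are errno values; large negative ones are Kerberos error codes.
    small = rec["code"] is not None and 0 < rec["code"] < 200
    rec["errno_name"] = errno.errorcode.get(rec["code"]) if small else None
    return rec

def failures(text):
    """Return parsed records whose level bit is one of the failure classes (0x0010..0x0080)."""
    recs = (parse_line(line) for line in text.splitlines())
    return [r for r in recs if r and r["level"] & 0x00F0]
```

Running `failures(SAMPLE_LOG)` keeps only the `create_ccache` line, which is the one that explains the "Permission denied" seen in /var/log/messages; the 0x2000 trace line before it is just context.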