According to that log, it looks like SSSD's LDAP provider crashed and had to be restarted. That's why you got access denied.
See specifically:
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
and then it goes to
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
Those lines indicate that the server is starting up again. At a guess, I'd say something went wrong while processing the ldap password policy on the client, since the last thing before it crashed was a reference to the LDAP code for the ldap_pwd_exop.
Check /var/log/messages for indications of a crash and file a bug with CentOS. Ideally, install the debuginfo for the sssd, openldap and ding-libs packages, then attach to the sssd_be process with gdb and get a backtrace of the crash to include in the bug report.
There are some tricky considerations to make everything work out of the box. FreeBSD only supports sssd version 1.9.6 at this moment, so there is no support for Enterprise Principal Names.
If you have a domain with non-matched UPNs, login will fail, since the Kerberos authentication will fail during the process; even with FreeBSD supporting Enterprise Principal Names with Kerberos, sssd cannot handle this case.
So in the current version of sssd you are limited to having the User Principal Name within the same Domain Name, for example:
Domain Name = example.com
NetBIOS Name = EXAMPLE
User Principal Name: username@example.com
sAMAccountName: username
Knowing this we can describe the steps to successfully authenticate users from AD in FreeBSD.
1. Configure Kerberos
Create the file /etc/krb5.conf with the following content:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
2. Install Samba 4.1 and configure it to join the Domain
Install Samba 4.1:
$ pkg install samba41
Create the file /usr/local/etc/smb4.conf with the following content:
[global]
security = ads
realm = EXAMPLE.COM
workgroup = EXAMPLE
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
log file = /var/log/samba/%m.log
Ask for an Administrator Kerberos ticket:
$ kinit Administrator
Then join the domain and create a keytab:
$ net ads join createupn=host/server-hostname.example.com@EXAMPLE.COM -k
$ net ads keytab create -k
3. Install the sssd package and Cyrus SASL with Kerberos support
Install required packages:
$ pkg install sssd cyrus-sasl-gssapi
Edit the file /usr/local/etc/sssd/sssd.conf to match these settings:
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
[nss]
[pam]
[domain/example.com]
# Uncomment if you need offline logins
#cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/tcsh
fallback_homedir = /home/%u
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
#ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = SERVER-HOSTNAME$@EXAMPLE.COM
4. Add sssd support to nsswitch.conf
Edit the file /etc/nsswitch.conf to match these settings:
group: files sss
passwd: files sss
5. Configure PAM to allow sssd authentication and handle home directory creation
Install optional packages for home directory creation:
$ pkg install pam_mkhomedir
Modify the necessary PAM realms to match these settings:
auth sufficient /usr/local/lib/pam_sss.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
session required /usr/local/lib/pam_mkhomedir.so mode=0700
session optional /usr/local/lib/pam_sss.so
password sufficient /usr/local/lib/pam_sss.so use_authtok
6. Switch to SASL enabled OpenLDAP Client
$ pkg remove -f openldap-client
$ pkg install openldap-sasl-client
7. Finally, confirm that everything is working:
$ getent passwd <username>
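As an added example (not part of the answer above), the following script audits the files from steps 3 and 4 for the settings the answer relies on, and checks the UPN-suffix restriction from the introduction. The file contents embedded below are constructed samples; in practice you would read /usr/local/etc/sssd/sssd.conf and /etc/nsswitch.conf from the host.

```python
import configparser
import re

# Constructed sample inputs modelled on the answer's files (not from a real host).
SSSD_CONF = """[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
[nss]
[pam]
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
"""
NSSWITCH_CONF = "group: files sss\npasswd: files sss\nhosts: files dns\n"

def audit_sssd_conf(text):
    """Return the problems found in an sssd.conf text against the answer's settings."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    problems = []
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    for svc in ("nss", "pam"):
        if svc not in services:
            problems.append(f"[sssd] services is missing {svc}")
    for dom in (d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()):
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            problems.append(f"domain {dom} listed but [{sect}] section is missing")
            continue
        for key in ("id_provider", "auth_provider"):  # both must use the AD provider
            if cp.get(sect, key, fallback=None) != "ad":
                problems.append(f"[{sect}] {key} should be 'ad'")
    return problems

def audit_nsswitch(text):
    """Check that passwd and group lookups fall through to sss (step 4)."""
    problems = []
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", text, re.M)
        if not m or "sss" not in m.group(1).split():
            problems.append(f"nsswitch.conf: {db} does not list sss")
    return problems

def upn_matches_domain(upn, domain):
    """sssd 1.9.6 needs the UPN suffix to equal the sssd domain name (no enterprise principals)."""
    user, _, suffix = upn.rpartition("@")
    return bool(user) and suffix.lower() == domain.lower()

if __name__ == "__main__":
    for p in audit_sssd_conf(SSSD_CONF) + audit_nsswitch(NSSWITCH_CONF):
        print("PROBLEM:", p)
    print(upn_matches_domain("username@corp.example.com", "example.com"))  # False
```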
Best Answer
Try the settings below; they work pretty well in my environment.
Make changes to /etc/sssd/sssd.conf
This will result in restarting the sssd daemon.
Verify:
Make sure you have IDMU installed on your AD box and users have unix attributes set.