Hello,
I configured several fedora 22 x64 workstations successfully with sssd against an AD domain. I followed the tutorial at https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server ("Joining the Linux client to the AD domain manually" part).
Last week, I upgraded my workstations from fedora 22 to fedora 23 x64 (using fedup). I did not change the sssd.conf, krb5.conf and krb5.keytab from fedora 22 to 23.
On all upgraded fedora 23 workstations, users cannot log in anymore. Here is the error I get:
sshd[9313]: pam_sss(sshd:account): Access denied for user xxxxx: 4 (System error)
sshd[9313]: Failed password for xxxxx from x.x.x.x port 49459 ssh2
audit[9313]: USER_ACCT pid=9313 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=? acct="xxxxx" exe="/usr/sbin/sshd" hostname=x.x.x.x addr=x.x.x.x terminal=ssh res=failed'
sshd[9313]: fatal: Access denied for user xxxxx by PAM account configuration [preauth]
...
However, users can still log in on fedora 22 workstations.
Is it a known issue? Can you help me resolve it?
Best Regards, Ed
We can continue the discussion on sssd-users since the list archives are useful to other people as well.
Ok, I have posted this question on sssd-users at: https://lists.fedorahosted.org/archives/list/sssd-users%40lists.fedorahosted.org/message/LLCRKW7PP4DAVKMA7RJDPRMGTLT6TNQK/
Well, I activated debug_log=6 in sssd.conf.
I added ad_gpo_access_control = disabled in the domain section and user login is re-established.
In fedora 22, ad_gpo_access_control was not necessary to enable login. This should be added to the tutorial https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
attachment sssd_lmsad.polytechnique.fr.log
My gpo_child.log is empty
I am facing the same issue now on my fedora 22 workstation. But to bypass the problem, I had to set ad_gpo_access_control = permissive for the fedora 22 workstation (disabled does not work on fed 22)...
My sssd version on both fedora 22 & 23 is 1.13.2.
I checked the log files and sssd was not able to retrieve the target dn for the host due to referrals.
[ad_gpo_connect_done] (0x4000): server_hostname from uri: lmscad1.lmsad.polytechnique.fr
[ad_gpo_connect_done] (0x0400): sam_account_name is host/pandore-lms.lmsad.polytechnique.fr
[sdap_print_server] (0x2000): Searching 129.104.5.228
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=host/pandore-lms.lmsad.polytechnique.fr))][dc=lmsad,dc=polytechnique,dc=fr].
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.lmsad.polytechnique.fr/DC=ForestDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.lmsad.polytechnique.fr/DC=DomainDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://lmsad.polytechnique.fr/CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr
[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sdap_op_destructor] (0x2000): Operation 21 finished
[generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
[generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.lmsad.polytechnique.fr/DC=ForestDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.lmsad.polytechnique.fr/DC=DomainDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000): Ref: ldap://lmsad.polytechnique.fr/CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, Aucun fichier ou dossier de ce type) [Internal Error]
[be_pam_handler_callback] (0x0100): Sending result [4][lmsad.polytechnique.fr]
[be_pam_handler_callback] (0x0100): Sent result [4][lmsad.polytechnique.fr]
I think we decided to not continue if we could not find info about host or users to prevent security problems (CVEs)
So if I do not use GPO, ad_gpo_access_control must be present in sssd.conf and must be set like this : ad_gpo_access_control = permissive
Replying to [comment:8 edg91]:
Using the AD provider means the client is a member of the domain, also with the policies that apply. I would personally say that if you have a domain member and you set the access_provider to ad, then it's expected that the domain access control policies apply.
Hello, as I followed the tutorial https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server I set "access_provider = ad" in sssd.conf without knowing it implied that the domain access control policies apply.
What should I set specially on my AD controller in GPO for the linux workstations? I did not set any access control policies on the AD side.
I would be curious why we were not able to find the LDAP entry for the host [(&(objectclass=user)(sAMAccountName=host/pandore-lms.lmsad.polytechnique.fr))][dc=lmsad,dc=polytechnique,dc=fr]
If you used realmd then the entry should be there. Unless you joined one AD and switched sssd.conf to a sub-domain. Otherwise I cannot explain why we got a referral for this LDAP query.
Would you be able to provide an LDIF from AD for your client?
cc: => lslebodn@redhat.com
This is the LDIF export of pandore-lms host : "CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr",computer,pandore-lms,,"CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr",4,pandore-lms,pandore-lms$,,,,,host/pandore-lms.lmsad.polytechnique.fr;host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR,"CN=Computer,CN=Schema,CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr",,,,,,host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
All my users and hosts are placed in an OU "lms".
I did not use realmd, but followed the "Joining the Linux client to the AD domain manually" part.
dn: CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: pandore-lms
distinguishedName: CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr
instanceType: 4
whenCreated: 20151202083834.0Z
whenChanged: 20151202105542.0Z
uSNCreated: 11101209
uSNChanged: 11113060
name: pandore-lms
objectGUID:: qbhxr64cQEKSrWLtaYSoaQ==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130941710813626077
localPolicyFlags: 0
pwdLastSet: 130935191148506091
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA4roN0aVPjV8LacHGcQwAAA==
accountExpires: 9223372036854775807
logonCount: 194
sAMAccountName: pandore-lms$
sAMAccountType: 805306369
userPrincipalName: host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
servicePrincipalName: host/pandore-lms.lmsad.polytechnique.fr
servicePrincipalName: host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr
isCriticalSystemObject: FALSE
dSCorePropagationData: 20151202105542.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130935193511199080
attachment ldif_pandore.txt
Thank you very much for the LDIF. I think I know where the problem is. sssd used the wrong value for ldap_sasl_authid from the keytab.
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [sdap_set_sasl_options] (0x2000): authid contains realm [LMSAD.POLYTECHNIQUE.FR]
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [sdap_set_sasl_options] (0x0100): Will look for host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR in /etc/krb5.keytab
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR in keytab.
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [match_principal] (0x1000): Principal matched to the sample (host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR).
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [select_principal_from_keytab] (0x0200): Selected primary: host/pandore-lms.lmsad.polytechnique.fr
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [select_principal_from_keytab] (0x0200): Selected realm: LMSAD.POLYTECHNIQUE.FR
(Thu Dec 3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/pandore-lms.lmsad.polytechnique.fr
Could you try to explicitly set the option ldap_sasl_authid in domain section?
ldap_sasl_authid = pandore-lms$
I changed ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR to ldap_sasl_authid = pandore-lms$ in sssd.conf
I get:
déc. 10 16:22:41 pandore-lms audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sssd comm="systemd" exe="/usr/lib/syste
déc. 10 16:22:41 pandore-lms sssd[10860]: Starting up
déc. 10 16:22:41 pandore-lms sssd[be[lmsad.polytechnique.fr]][10861]: Starting up
déc. 10 16:22:41 pandore-lms sssd[nss][10862]: Starting up
déc. 10 16:22:41 pandore-lms sssd[pam][10863]: Starting up
déc. 10 16:22:41 pandore-lms [sssd[ldap_child[10864]]][10864]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthe
déc. 10 16:22:41 pandore-lms [sssd[ldap_child[10864]]][10864]: Preauthentication failed
And AD users cannot login
Here is the content of my sssd.conf :
[sssd]
config_file_version = 2
domains = lmsad.polytechnique.fr
services = nss, pam
#debug_level=9
[domain/lmsad.polytechnique.fr]
cache_credentials = False
#cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_keytab = /etc/krb5.keytab
ad_server = lmscad1.lmsad.polytechnique.fr,lmscad2.lmsad.polytechnique.fr
ldap_id_mapping = False
ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
#ldap_sasl_authid = pandore-lms$
ldap_krb5_keytab = /etc/krb5.keytab
use_fully_qualified_names = False
ad_gpo_access_control = permissive
#debug_level=9
[nss]
[pam]
#debug-level=9
[sudo]
[autofs]
[ssh]
#debug_level=9
[pac]
Replying to [comment:16 edg91]:
Here is the content of my sssd.conf :
{{{
[sssd]
config_file_version = 2
domains = lmsad.polytechnique.fr
services = nss, pam
debug_level=9
[domain/lmsad.polytechnique.fr]
cache_credentials = False
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_keytab = /etc/krb5.keytab
ad_server = lmscad1.lmsad.polytechnique.fr,lmscad2.lmsad.polytechnique.fr
ldap_id_mapping = False
ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
ldap_sasl_authid = pandore-lms$
}}}
I assume it's just a copy&paste error. BTW, I checked the wiki https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server and it contains the following line, which is commented out by default.
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
Was the principal missing in the keytab, or why did you uncomment it? Could you share the content of the keytab (klist -kt)?
[root@pandore-lms ~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
OK, you have the principal "PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR" in the keytab. I think you needn't specify it in sssd.conf.
So, could you try without ldap_sasl_authid in sssd.conf? If it does not work, could you provide a new version of the log files?
I tried without ldap_sasl_authid in sssd.conf. Please find all logs in the attached parts.
It does not work without ldap_sasl_authid.
attachment krb5_child.log
attachment ldap_child.log
attachment sssd.log
attachment sssd_lmsad.polytechnique.fr.2.log
I would like to apologize for the late response caused by the Christmas break.
There is an error in ldap_child.log. sssd was not able to kinit with principal "PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR", which is really weird. We can see this principal in comment:18.
Could you try kinit from the command line?
kinit -k 'PANDORE-LMS$'
or
kinit -k 'PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR'
Hello, thank you, the keytab was wrong for my pandore-lms workstation. I rebuilt it, and now I get:
[root@pandore-lms etc]# kinit -k PANDORE-LMS\$@LMSAD.POLYTECHNIQUE.FR
[root@pandore-lms etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR

Valid starting       Expires              Service principal
08/01/2016 09:50:58  08/01/2016 19:50:58  krbtgt/LMSAD.POLYTECHNIQUE.FR@LMSAD.POLYTECHNIQUE.FR
	renew until 15/01/2016 09:50:58
However, I cannot log in to the linux workstation without specifying ad_gpo_access_control = permissive in sssd.conf.
I attached a zip file of all my sssd logs when ad_gpo_access_control is not set (commented out) in sssd.conf.
attachment 08012016.zip
It's because sssd cannot find the host for GPO. sssd-1.13.1+ uses part of the host principal for finding the LDAP host entry. It was changed because GPO did not work for hostnames longer than 16 characters, @see #2692
[ad_gpo_connect_done] (0x4000): server_hostname from uri: lmscad1.lmsad.polytechnique.fr
[ad_gpo_connect_done] (0x0400): sam_account_name is host/pandore-lms.lmsad.polytechnique.fr
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=host/pandore-lms.lmsad.polytechnique.fr))][dc=lmsad,dc=polytechnique,dc=fr].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [distinguishedName]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
[sdap_op_add] (0x2000): New operation 13 timeout 6
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sdap_op_destructor] (0x2000): Operation 13 finished
[generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
[generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.lmsad.polytechnique.fr/DC=ForestDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.lmsad.polytechnique.fr/DC=DomainDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000): Ref: ldap://lmsad.polytechnique.fr/CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
I can see in the log files that you have overridden the option ldap_sasl_authid. GPO should work if you change it to PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR or if you remove it (sssd will try to use the userPrincipal for the host).
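As an added example (not code from this ticket or from sssd), the following Python check ties together the two findings of this thread: whether access_provider = ad leaves GPO-based access control in effect, and whether an ldap_sasl_authid override of the host/<fqdn> form is what defeats the host lookup while the SHORTNAME$ principal is in fact present in the keytab. The sssd.conf and klist -kt inputs are constructed from what is quoted above; the hostname argument stands in for what `hostname -f` would print, and the function and constant names are this example's own.

```python
"""Consistency check between sssd.conf and the host keytab.

Added example for this ticket (not sssd's own code). The inputs are
constructed from what was quoted above: a trimmed sssd.conf and the
`klist -kt` listing. The checks mirror what the thread established:
with access_provider = ad, GPO-based access control applies unless
ad_gpo_access_control turns it down, and sssd 1.13.1+ looks the host up
by its short machine-account name (SHORTNAME$), so an ldap_sasl_authid
override of the form host/<fqdn>@REALM makes that lookup fail.
"""
import configparser
import re

# Constructed: the ticket's sssd.conf reduced to the lines that matter here.
SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = lmsad.polytechnique.fr
services = nss, pam

[domain/lmsad.polytechnique.fr]
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
"""

# Constructed: the `klist -kt` listing from the ticket, one row per principal.
KLIST_KT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
"""

# One `klist -kt` data row: KVNO, date, time, principal.
ROW = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def keytab_principals(klist_output):
    """Principals listed by `klist -kt`, de-duplicated across KVNO/enctype rows."""
    return {m.group(1) for m in map(ROW.match, klist_output.splitlines()) if m}


def machine_account_principal(hostname, realm):
    """AD machine-account principal: upper-cased short hostname plus '$'."""
    return f"{hostname.split('.')[0].upper()}$@{realm}"


def check_domains(conf_text, klist_output, hostname):
    """Return one findings dict per [domain/...] section of sssd.conf.

    `hostname` is the client's FQDN (what `hostname -f` would print).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    principals = keytab_principals(klist_output)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # The Kerberos realm defaults to the upper-cased domain name unless
        # krb5_realm overrides it.
        realm = d.get("krb5_realm", section.split("/", 1)[1]).upper()
        expected = machine_account_principal(hostname, realm)
        authid = d.get("ldap_sasl_authid", "").strip()
        gpo = d.get("ad_gpo_access_control", "").strip() or "unset (sssd default)"
        findings[section] = {
            # GPO access control is only evaluated by the AD access provider.
            "gpo_access_control": gpo if d.get("access_provider") == "ad" else "not applicable",
            "machine_principal_in_keytab": expected in principals,
            "sasl_authid_override": authid or None,
            # host/<fqdn> as SASL authid makes sssd search AD for
            # sAMAccountName=host/<fqdn>, which no computer object has.
            "authid_breaks_gpo_lookup": authid.startswith("host/"),
            "recommended_authid": expected,
        }
    return findings


if __name__ == "__main__":
    report = check_domains(SSSD_CONF, KLIST_KT, "pandore-lms.lmsad.polytechnique.fr")
    for section, f in report.items():
        print(section)
        for key, value in f.items():
            print(f"  {key}: {value}")
```

Run against the constructed inputs, the report flags the host/ override as the lookup breaker and names PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR, which the keytab already holds, as the value to use or to let sssd pick by leaving the option out.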
Thank you very much. I commented out ldap_sasl_authid and ad_gpo_access_control. It is working now.
Best Regards
Thank you very much for confirmation. The change in behaviour between sssd-1.12 and sssd-1.13 was caused by fixing bug #2692.
owner: somebody => lslebodn
I will close the ticket as works for me
resolution: => worksforme status: new => closed
I am very sorry but I am still facing issues with sssd login against AD on the fedora workstation.
The issue is that when users try to log on through the lightdm login screen, it says that the password is wrong (but that is not the case). However, it is working through ssh authentication...
To enable users to log on through lightdm, I set ad_gpo_access_control = permissive again in sssd.conf. With that, logon is possible for users.
For information, on my fedora workstation, MATE is the default desktop.
All currently supported versions of fedora (22+) have sssd-1.13.3 and there should not be any problems with GPO unless you have a different UPN for the host in the keytab.
Please provide log files from sssd (at least in permissive mode) and the output of the keytab on that machine (klist -kt).
attachment 14012016.zip
Please find logs in the attached parts. In the logs, I try:
- first login through ssh -> works
- login through lightdm -> login failed
[root@pandore-lms ~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
Replying to [comment:30 edg91]:
Please find logs in the attached parts. In the logs, I try:
- first login through ssh -> works
- login through lightdm -> login failed
It works as expected, because the service lightdm is not allowed by default. However, the log file says there was a pam service xrdp-sesman:
[be_pam_handler] (0x0100): Got request with the following data
[pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[pam_print_data] (0x0100): domain: lmsad.polytechnique.fr
[pam_print_data] (0x0100): user: guigne
[pam_print_data] (0x0100): service: xrdp-sesman
[pam_print_data] (0x0100): tty: xrdp-sesman
[pam_print_data] (0x0100): ruser:
[pam_print_data] (0x0100): rhost:
[pam_print_data] (0x0100): authtok type: 0
[pam_print_data] (0x0100): newauthtok type: 0
[pam_print_data] (0x0100): priv: 1
[pam_print_data] (0x0100): cli_pid: 2231
[pam_print_data] (0x0100): logon name: not set
[sdap_access_send] (0x0400): Performing access check for user [guigne]
[sdap_account_expired_ad] (0x0400): Performing AD access check for user [guigne]
[sdap_account_expired_ad] (0x4000): User account control for user [guigne] is [10200].
[sdap_account_expired_ad] (0x4000): Expiration time for user [guigne] is [9223372036854775807].
[ad_gpo_access_send] (0x0400): using default right
[ad_gpo_access_send] (0x0400): service xrdp-sesman maps to Denied
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [6][lmsad.polytechnique.fr]
[be_pam_handler_callback] (0x0100): Sent result [6][lmsad.polytechnique.fr]
If it is really lightdm and not a remote session, then you should append it to the GPO map ad_gpo_map_interactive; for a remote session you might append it to ad_gpo_map_remote_interactive.
You need to list the default values as well and not just xrdp-sesman, e.g.
[domain/ad.example.com]
ad_gpo_map_interactive = +login +su +su-l +gdm-fingerprint +gdm-password +gdm-smartcard +kdm +xrdp-sesman
Hello, thanks for this explanation. I apologize because it's true that I used an xrdp session instead of lightdm to get the logs. In these 2 cases, ad_gpo_map_interactive was not set in sssd.conf.
I added "ad_gpo_map_interactive = +login +su +su-l +gdm-fingerprint +gdm-password +gdm-smartcard +kdm +xrdp-sesman" under [domain/lmsad.polytechnique.fr] in /etc/sssd/sssd.conf and restarted the sssd service.
However, I still did not succeed in logging in via xrdp. I added the logs. With ad_gpo_map_interactive set, it still says:
(Thu Jan 14 14:29:04 2016) [sssd[be[lmsad.polytechnique.fr]]] [ad_gpo_access_send] (0x0400):
(Thu Jan 14 14:29:04 2016) [sssd[be[lmsad.polytechnique.fr]]] [ad_gpo_access_done] (0x0040):
How do I set lightdm in ad_gpo_map_interactive? Like this? ad_gpo_map_interactive = +login +su +su-l +gdm-fingerprint +gdm-password +gdm-smartcard +kdm +xrdp-sesman +lightdm
attachment 14012016_2.zip
I would like to apologize for the small confusion. You needn't add all default services into ad_gpo_map_interactive. I think it is well explained in the manual page sssd-ad.
BTW, do you have InteractiveLogonRight or DenyInteractiveLogonRight set in GPO for your host?
Because sshd is a different service and should be in RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight.
You might test with a log-in on a tty. In this case, the pam service "login" should be used. You should check the sssd log files for whether there is a line [pam_print_data] (0x0100): service: login or not. And you might also check whether access was allowed: check the return code in be_pam_handler_callback for [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
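The two replies above describe how a PAM service name is matched against the ad_gpo_map_* lists (falling through to the default right when it is in none of them) and how to read the verdict out of the domain log. The following Python block is an added example, not sssd's own code: it models the +service/-service syntax using only the service names quoted in this thread as the base sets (the sssd-ad manual page holds the real defaults), and runs a triage pass over domain-log lines that pairs each SSS_PAM_ACCT_MGMT request with the GPO mapping and the PAM result code it produced. The sample log is rebuilt from the lines quoted above, with a second constructed sshd request that reproduces the earlier "No DN retrieved for policy target" failure; all function names are this example's own.

```python
"""ad_gpo_map_* service mapping and sssd domain-log triage.

Added example for this ticket, not sssd's own code. Base service sets
are only the names quoted in this thread (the sssd-ad manual page holds
the real defaults); the sample log is rebuilt from the lines quoted
above plus one constructed sshd request ending in a target-DN failure.
"""
import re

# Service lists as quoted in the ticket; not the complete sssd-ad defaults.
BASE_MAPS = {
    "InteractiveLogonRight": {"login", "su", "su-l", "gdm-fingerprint",
                              "gdm-password", "gdm-smartcard", "kdm"},
    "RemoteInteractiveLogonRight": {"sshd"},
}
DEFAULT_RIGHT = "Denied"  # what the log shows for a service in no map

# Linux-PAM return codes seen in this thread's logs.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}


def apply_map_option(base, option_value):
    """Apply the '+service' / '-service' syntax of ad_gpo_map_* to a base set.

    The manual page documents a comma-separated list; the ticket wrote the
    entries space-separated, so both separators are accepted here. An entry
    without a sign is treated as a configuration error.
    """
    services = set(base)
    for token in re.split(r"[,\s]+", option_value.strip()):
        if not token:
            continue
        if token.startswith("+"):
            services.add(token[1:])
        elif token.startswith("-"):
            services.discard(token[1:])
        else:
            raise ValueError(f"entry must start with '+' or '-': {token!r}")
    return services


def logon_right_for(service, maps=BASE_MAPS, default_right=DEFAULT_RIGHT):
    """Name the logon-right policy that governs a PAM service name."""
    for right, services in maps.items():
        if service in services:
            return right
    return default_right


# Constructed sample: an sshd request that ends the way the first logs in
# this thread did, followed by the ticket's xrdp-sesman request.
SAMPLE_LOG = """\
[pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[pam_print_data] (0x0100): user: guigne
[pam_print_data] (0x0100): service: sshd
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error]
[be_pam_handler_callback] (0x0100): Sending result [4][lmsad.polytechnique.fr]
[pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[pam_print_data] (0x0100): user: guigne
[pam_print_data] (0x0100): service: xrdp-sesman
[pam_print_data] (0x0100): tty: xrdp-sesman
[ad_gpo_access_send] (0x0400): using default right
[ad_gpo_access_send] (0x0400): service xrdp-sesman maps to Denied
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [6][lmsad.polytechnique.fr]
"""

LOG_PATTERNS = [
    (re.compile(r"\[pam_print_data\] \(0x0100\): user: (\S+)"), "user"),
    (re.compile(r"\[pam_print_data\] \(0x0100\): service: (\S+)"), "service"),
    (re.compile(r"\[ad_gpo_access_send\] \(0x0400\): service \S+ maps to (.+)$"), "gpo_mapping"),
    (re.compile(r"No DN retrieved for policy target"), "target_dn_missing"),
    (re.compile(r"\[be_pam_handler_callback\] \(0x0100\): Sending result \[(\d+)\]"), "pam_result"),
]


def triage_pam_requests(log_text):
    """Pair every SSS_PAM_ACCT_MGMT request in a domain log with its verdict.

    A target-DN failure means the host object was not found (the
    ldap_sasl_authid problem); 'maps to Denied' means the PAM service is in
    no ad_gpo_map_* list and fell through to the default right.
    """
    requests, current = [], None
    for line in log_text.splitlines():
        if "command: SSS_PAM_ACCT_MGMT" in line:
            current = {"user": None, "service": None, "gpo_mapping": None,
                       "target_dn_missing": False, "pam_result": None}
            requests.append(current)
            continue
        if current is None:
            continue
        for pattern, key in LOG_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if key == "target_dn_missing":
                current[key] = True
            elif key == "pam_result":
                code = int(m.group(1))
                current[key] = PAM_CODES.get(code, f"PAM code {code}")
            else:
                current[key] = m.group(1)
            break
    return requests
```

The triage separates the two failure modes this ticket went through: result 4 (PAM_SYSTEM_ERR) with a missing target DN is the host-lookup problem, while result 6 (PAM_PERM_DENIED) with "maps to Denied" is a service that no ad_gpo_map_* list covers. Applying "+xrdp-sesman" to the interactive map moves that service under InteractiveLogonRight, which is what the reply above recommends.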
OK, I did not set GPO InteractiveLogonRight / DenyInteractiveLogonRight for my host. I do not want to manage GPO for all hosts, so I set ad_gpo_access_control = disabled. Thank you for the explanations.
Please, I need advice for linux workstations in centos 7. I set sssd.conf as in the fedora workstations, but I am facing new issues. Users can only login through ssh, login through lightdm does not work, and xrdp works only the first time after the xrdp service is started. I know that this is for fedora support, but maybe you can identify my issue? Or tell me where I could find help? I attached logs of my centos 7 workstations. When I try to logon through xrdp the 2nd time, I get a "sssd[krb5_child ... Permission denied". When I try to logon through lightdm, I get a "sssd[krb5_child ... Unknown code UUz 1".
attachment 15012016.zip
I tried to logon on a tty on the centos 7 workstation; I get a "Cannot make/remove an entry for the specified session" message and a "sssd[krb5_child ... Permission denied".
Attached are the logs for the tty logon test.
attachment tty.zip
Replying to [comment:34 edg91]:
Hello, OK, I did not set GPO InteractiveLogonRight / DenyInteractiveLogonRight for my host. I do not want to manage GPO for all hosts, so I set ad_gpo_access_control = disabled. Thank you for the explanations.
So it's not a bug in sssd. It was just a configuration issue.
Please, I need advice for linux workstations in centos 7. I set sssd.conf as in the fedora workstations, but I am facing new issues. Users can only login through ssh, login through lightdm does not work, and xrdp works only the first time after the xrdp service is started. I know that this is for fedora support, but maybe you can identify my issue? Or tell me where I could find help? I attached logs of my centos 7 workstations. When I try to logon through xrdp the 2nd time, I get a "sssd[krb5_child ... Permission denied". When I try to logon through lightdm, I get a "sssd[krb5_child ... Unknown code UUz 1".
The Fedora issue is unrelated to this ticket. There was a failure in authentication and not in authorization (GPO). I read the log files and I have a suspicion. Could you provide the exact version of the following packages: sssd-ad, krb5-libs, crypto-policies
rpm -q sssd-ad krb5-libs crypto-policies
Please also provide the output of the command:
file /etc/krb5.conf.d/crypto-policies
If it is a broken link then please upgrade the package crypto-policies.
As this is a centos 7 workstation, the crypto-policies package is not available:
sssd-ad-1.13.0-40.el7_2.1.x86_64
krb5-libs-1.13.2-10.el7.x86_64
le paquet crypto-policies n'est pas installé
(the package crypto-policies is not installed)
Is there an equivalent package for centos 7?
I misread your last two comments. I thought there was a problem on fedora, but you have the problem on CentOS 7. So it cannot be related to the version of krb5-libs or crypto-policies.
Please open a different ticket for this issue. There is a problem with authentication. Please attach log files (you might use tty.zip), sssd.conf and also krb5.conf.
Ok, I opened a ticket for the authentication problem with centos 7.
Metadata Update from @edg91:
- Issue assigned to lslebodn
- Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3930
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.