
I have searched on Stack Overflow but did not find a solution.

I have two domains in one forest (domain1 and domain2). I can log in with ssh using domain1 but cannot log in with domain2. I can kinit a ticket from domain2.

Here are some configs:

[sssd]
debug_level = 3
services = nss, pam
config_file_version = 2
domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET 

[domain/DOMAIN1.TEST.NET]
debug_level = 3
override_homedir = /home/%u
create_homedir = true
override_gid = 100
default_shell = /bin/bash

id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
dyndns_update = false
ad_gpo_access_control = disabled
#ad_enabled_domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET
ldap_idmap_range_size = 1000000
subdomain_enumerate = all
use_fully_qualified_names = false


ad_domain = DOMAIN1.TEST.NET


[domain/DOMAIN2.TEST.NET]
debug_level = 10
override_homedir = /home/%u
create_homedir = true
override_gid = 100
default_shell = /bin/bash

id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
dyndns_update = false
ad_gpo_access_control = disabled
#ad_enabled_domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET
ldap_idmap_range_size = 1000000
subdomain_enumerate = all
use_fully_qualified_names = false

ad_domain = DOMAIN2.TEST.NET



[nss]
filter_users = root
filter_groups = root

In the realm list I see both realms. With kinit from domain2 I get the ticket. Realm join worked on domain2 with the user from domain1, and when I join again it tells me I have already joined. systemctl status sssd throws me an error, although I can log in to the first domain. In klist -k I see only keytab entries from domain1 and cannot get domain2 into the keytab.

sssd[ldap_child[18103]]][18103]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/server01.domain1.test.net@ST...onnection.
sssd_be[17222]: GSSAPI client step 1
ssd_be[17222]: GSSAPI client step 1
[be[DOMAIN1.TEST.NET]][17222]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

There are also some sssd logs from the domain2.

(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'atsvtroot1.domain2.test.net' as 'not working'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_handle_release] (0x2000): Trace: sh[0x55feb6513de0], connected[1], ops[(nil)], ldap[0x55feb64b3e70], destructor_lock[0], release_memory[0]
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_server_status] (0x1000): Status of server 'atsvtroot2.domain2.test.net' is 'name resolved'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x1000): Port status of port 389 for server 'atsvtroot2.domain2.test.net' is 'not working'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_server_status] (0x1000): Status of server 'atsvtroot1.domain2.test.net' is 'name resolved'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x1000): Port status of port 389 for server 'atsvtroot1.domain2.test.net' is 'not working'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_mark_offline] (0x2000): Going offline!
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 67 seconds from now [1559627215]
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [ad_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [ad_subdomains_refresh_connect_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Tue Jun  4 07:45:48 2019) [sssd[be[DOMAIN2.TEST.NET]]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [1432158212]: SSSD is offline
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_ptask_execute] (0x0400): Task [Subdomains Refresh]: executing task, timeout 14400 seconds
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_server_common_status] (0x0100): Marking server '10.51.51.222' as 'resolving name'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_server_common_status] (0x0100): Marking server '10.x.x.x.' as 'name resolved'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_resolve_server_process] (0x0200): Found address for server 10.x.x.x.x: [10.51.51.222] TTL 7200
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=domain1,DC=test,DC=net]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/server01.domain1.test.net, domain1.test.net, 86400)
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [be_resolve_server_process] (0x0200): Found address for server 10.x.x.x.x.: [10.x.x.x.x] TTL 7200
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 68
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [child_sig_handler] (0x0100): child [18330] finished successfully.
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client 'host/server01.domain1.test.net@DOMAIN1.TEST.NET' not found in Kerberos database], expired on [0]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied

In the krb5.conf I have all the REALMs inside.

What am I missing? Why can't I log in with SSH?

Thanks in advance.

ultimo_frogman
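Added example, not from the original question and not SSSD code: a small Python checker that cross-references the sssd.conf domain sections, a `klist -k` listing and the backend log, and reports, per domain, whether the keytab holds a host principal for that realm and whether the backend tried to kinit with a principal from a different realm. The sssd.conf fragment, the keytab listing and the two log lines are constructed from what the question shows; all function and class names are hypothetical.

```python
"""Cross-check SSSD domain sections against keytab principals and kinit
failures in the backend log. Added example with constructed input; the
function names are hypothetical, not part of SSSD."""
import configparser
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: sssd.conf as posted in the question, trimmed to what matters here.
SSSD_CONF = """
[sssd]
domains = DOMAIN1.TEST.NET, DOMAIN2.TEST.NET

[domain/DOMAIN1.TEST.NET]
id_provider = ad
ad_domain = DOMAIN1.TEST.NET

[domain/DOMAIN2.TEST.NET]
id_provider = ad
ad_domain = DOMAIN2.TEST.NET
"""

# Constructed: klist -k output for a host that was joined to domain1 only.
KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server01.domain1.test.net@DOMAIN1.TEST.NET
   2 host/SERVER01@DOMAIN1.TEST.NET
   2 SERVER01$@DOMAIN1.TEST.NET
"""

# Constructed: the two domain2 backend log lines from the question that matter.
SSSD_LOG = """(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/server01.domain1.test.net, domain1.test.net, 86400)
(Tue Jun  4 10:48:15 2019) [sssd[be[domain2.test.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client 'host/server01.domain1.test.net@DOMAIN1.TEST.NET' not found in Kerberos database], expired on [0]
"""

BACKEND_RE = re.compile(r"\[sssd\[be\[([^\]]+)\]\]\]")
KINIT_RE = re.compile(r"Attempting kinit \(\w+, ([^,]+), ([^,]+), \d+\)")
NOTFOUND_RE = re.compile(r"Client '([^']+)@([^']+)' not found in Kerberos database")
KEYTAB_RE = re.compile(r"^\s*\d+\s+(\S+)@(\S+)\s*$")


def sssd_domains(conf_text: str) -> dict:
    """Map each domain listed in [sssd] to its realm (ad_domain, upper-cased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    listed = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    return {name: cp[f"domain/{name}"].get("ad_domain", name).upper() for name in listed}


def keytab_realms(klist_text: str) -> set:
    """Realms for which the keytab contains a host/ principal."""
    realms = set()
    for line in klist_text.splitlines():
        m = KEYTAB_RE.match(line)
        if m and m.group(1).startswith("host/"):
            realms.add(m.group(2).upper())
    return realms


@dataclass
class Finding:
    backend: str                          # realm the SSSD backend serves
    principal_realm: Optional[str]        # realm of the principal it used for kinit
    keytab_has_host_principal: bool
    kdc_rejected: bool                    # KDC answered "not found in Kerberos database"

    @property
    def cross_realm(self) -> bool:
        """True when the backend authenticated with a principal from another realm."""
        return self.principal_realm is not None and self.principal_realm != self.backend


def analyse(conf_text: str, klist_text: str, log_text: str) -> list:
    realms = sssd_domains(conf_text)
    kt_realms = keytab_realms(klist_text)
    attempted, rejected = {}, set()
    for line in log_text.splitlines():
        be = BACKEND_RE.search(line)
        if not be:
            continue
        backend = be.group(1).upper()
        k = KINIT_RE.search(line)
        if k:
            attempted[backend] = k.group(2).upper()
        if NOTFOUND_RE.search(line):
            rejected.add(backend)
    return [Finding(realm, attempted.get(realm), realm in kt_realms, realm in rejected)
            for realm in realms.values()]


def report(findings: list) -> list:
    """One human-readable line per backend; MISMATCH marks anything worth fixing."""
    lines = []
    for f in findings:
        bad = f.cross_realm or not f.keytab_has_host_principal or f.kdc_rejected
        lines.append(f"{f.backend}: kinit realm={f.principal_realm} "
                     f"keytab_host_principal={f.keytab_has_host_principal} "
                     f"kdc_rejected={f.kdc_rejected} -> {'MISMATCH' if bad else 'ok'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyse(SSSD_CONF, KLIST_K, SSSD_LOG))))
```

Run against the constructed input, the domain2 line comes out as MISMATCH: the backend for DOMAIN2.TEST.NET used a principal from DOMAIN1.TEST.NET, the keytab has no host principal for DOMAIN2.TEST.NET, and the domain2 KDC rejected the principal. That is exactly the pattern in the posted log, and it is the thing to verify on the host (with `klist -k` and the backend log) before changing any krb5.conf settings.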

1 Answer


In krb5.conf you must add an entry for the common parent realm, i.e. TEST.NET, because the Kerberos client libs must "know" how to hop from the realm that granted the TGT (domain2) to the realm that will grant a service ticket for the target server (with type host for SSH, HTTP for SPNEGO, etc.).

Either you set up the [capaths] rules explicitly, or you let Kerberos rewind the implicit dependency path to the common parent and then wind down to the target. Cf. the MIT Kerberos documentation for krb5.conf.

For SSSD, I don't know whether it uses base Kerberos conf or needs custom conf.

Samson Scharfrichter
  • Hi Samson. Thanks for your insights. I did not quite understand you. The forest is TEST.NET and I have two domains domain1.test.net and domain2.test.net. I think sssd.conf does not have additional configs and I assume it uses krb5.conf. As for the common parent realm, where should I configure it inside krb5.conf? As for [capaths], it is documented on MIT Kerberos, but I am using Windows Kerberos; I did not install the MIT Kerberos client on Linux and will not. Thanks for your help – ultimo_frogman Jun 04 '19 at 12:00
  • _"did not install MIT kerberos client on Linux"_ > when you talk about `kinit`, you mean you run it on Windows?? What are you doing exactly, on which machines, connecting from what to what using which tools??? – Samson Scharfrichter Jun 04 '19 at 16:27
  • Hi. I have a Linux client (Red Hat 7) with SSSD and I am trying to integrate it into two Windows Server domains. As I understood it, I do not need to have two SPNs and keytabs and can be joined to only one domain with realmd. But I cannot log in via SSH or any other method using the second domain. I can get a ticket using kinit. I also get from the first domain the errors: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: and then I need to restart the sssd service and they go away. I log in normally into the first domain. – ultimo_frogman Jun 05 '19 at 04:45
  • Hi. I have managed to join the two domains with adcli join, but I can log in with ssh only to one domain at a time. Does it mean that the keytab file and SPNs with SSSD cannot be two at the same time, or can I join two domains in the same forest with adcli and sssd and use both of them for ssh and SSO? – ultimo_frogman Jun 06 '19 at 08:03
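Added example of the krb5.conf layout the answer describes; this is an illustration written for this page, not the answerer's file and not something SSSD or realmd generates. The common parent realm TEST.NET gets its own [realms] entry, [domain_realm] maps each DNS suffix to its realm, and [capaths] spells out the hop through TEST.NET explicitly for both directions. The KDC hostnames are placeholders; in an AD forest with `dns_lookup_kdc = true` the kdc lines can be omitted because the domain controllers publish SRV records.

```ini
[libdefaults]
    default_realm = DOMAIN1.TEST.NET
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
# Placeholder KDC names; replace with real DCs or drop the kdc lines
# and rely on the SRV records that dns_lookup_kdc resolves.
    TEST.NET = {
        kdc = dc1.test.net
    }
    DOMAIN1.TEST.NET = {
        kdc = dc1.domain1.test.net
    }
    DOMAIN2.TEST.NET = {
        kdc = dc1.domain2.test.net
    }

[domain_realm]
    .test.net = TEST.NET
    test.net = TEST.NET
    .domain1.test.net = DOMAIN1.TEST.NET
    domain1.test.net = DOMAIN1.TEST.NET
    .domain2.test.net = DOMAIN2.TEST.NET
    domain2.test.net = DOMAIN2.TEST.NET

[capaths]
# client realm = { server realm = intermediate realm }
# A domain2 principal reaching a host in domain1 goes via the forest root,
# and the reverse direction is listed as well.
    DOMAIN2.TEST.NET = {
        DOMAIN1.TEST.NET = TEST.NET
    }
    DOMAIN1.TEST.NET = {
        DOMAIN2.TEST.NET = TEST.NET
    }
```

The [capaths] block is the explicit form the answer mentions; without it the client library falls back to the hierarchical walk (child realm up to TEST.NET, then down to the target), which only works when every realm on that path is resolvable from this file or from DNS. Note that this only addresses the cross-realm ticket path; the posted SSSD log also shows the domain2 backend presenting a DOMAIN1 host principal, which krb5.conf alone does not change.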