Ad Authetication Fails
Hello everyone,
I am trying to integrate RHEL 6.5 system into Windows server 2012 Ad environment. I followed the guide in the following link on page 31.
https://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/32/jcr:frozenNode/rh:resourceFile
So far I have no luck getting authentication work.
Here are the error messages i am getting;
Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN.LCL' over rpc: Logon failure
Sep 5 16:19:50 Redhat01 winbindd[24064]: [2014/09/05 16:19:50.636313, 0] winbindd/winbindd.c:240(winbindd_sig_term_handler)
Sep 5 16:19:50 Redhat01 winbindd[24064]: Got sig[15] terminate (is_parent=1)
Sep 5 16:20:03 Redhat01 winbindd[24275]: [2014/09/05 16:20:03.186900, 0] winbindd/winbindd_dual.c:926(calculate_next_machine_pwd_change)
Sep 5 16:20:03 Redhat01 winbindd[24275]: cannot fetch own machine password ????ads_connect for domain MYDOMAIN failed: Cannot read password
Sep 5 22:14:46 Redhat01 winbindd[24272]: [2014/09/05 22:14:46.660704, 0] winbindd/winbindd.c:240(winbindd_sig_term_handler)
Sep 5 22:14:46 Redhat01 winbindd[24272]: Got sig[15] terminate (is_parent=1)
Sep 5 22:16:15 Redhat01 winbindd[27376]: [2014/09/05 22:16:15.418863, 0] winbindd/winbindd_dual.c:926(calculate_next_machine_pwd_change)
Sep 5 22:16:15 Redhat01 winbindd[27376]: cannot fetch own machine password ????ads_connect for domain MYDOMAIN failed: Cannot read password
Sep 5 22:16:15 Redhat01 smbd[27364]: [2014/09/05 22:16:15.788811, 0] printing/nt_printing.c:102(nt_printing_init)
Sep 5 22:16:15 Redhat01 smbd[27364]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
Here is my sbm.conf file
realm = MYDOMAIN.LCL
workgroup = MYDOMAIN
security = ads
idmap config * : backend = autorid
idmap config * : range = 1000000-201000000
idmap config * : rangesize = 2000000
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
debuglevel = 2
and /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.lcl
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYDOMAIN.LCL = {
kdc = dc01.MYDOMAIN.lcl
admin_server = dc01.MYDOMAIN.lcl
}
MYDOMAIN.LCL = {
kdc = DC01.MYDOMAIN.LCL
kdc = DC01.MYDOMAIN.LCL
kdc = DC01.MYDOMAIN.LCL
}
DC01.MYDOMAIN.LCL = {
}
[domain_realm]
mydomain.lcl = MYDOMAIN.LCL
.mydomain.lcl = MYDOMAIN.LCL
Responses
Troubleshooting AD auth is really a staged approach.
- Confirm DNS is working correctly and you can resolve the AD servers reliably
- Ensure NTP is configured and that time is in sync between clients and servers (ideally using the same NTP source)
- Validate domain join
a. Confirm that you can join the Red Hat server to the domain and the machine object appears in AD
b. Confirm you have received the correct Kerberos tickets and the Kerberos configuration looks correct - Confirm that the Red Hat server can 'see' users/groups coming in from the AD servers (eg. getent group domaingroup / getent passwd domainuser/ groups domainuser)
- Confirm that the user can correctly login / authenticate
Can you confirm 1 and 2 on this list are correct? and also ensure you don't have firewalls running (until AD steps are validated)
As a side note, is there a technical reason you chose not to use SSSD? file sharing requirement?
The go-to document for SSSD is really this one:
https://access.redhat.com/articles/216933
Which is the same document you have referred to above.
Configuration 3 at section 6.3 on page 56 explains using SSSD.
That being said, the stage you are currently at (joining the domain) is the same for both, so even if you change approach you will likely have the same issue you are having now.
-edit-
In your krb5.conf I would make it look like the following:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.LCL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[domain_realm]
mydomain.lcl = MYDOMAIN.LCL
.mydomain.lcl = MYDOMAIN.LCL
Essentially, I would fix the case of your 'default_realm' option so it is all caps, matching your other configuration. You also shouldn't need to define the [realms] manually as you have dns_lookup_realm and dns_lookup_kdc specified.
Good news about the join!
Do you have a reference for IMU being deprecated on 2012R2? Will likely change approach for some sites.
Questions:
1.This can be achieved with the override_homedir option in sssd.conf. This takes several variables to construct the home directory. This essentially instructs sssd to intercept the homedir value it's getting from the directory and overwrite it (or in your case, provide one when it doesn't exist)
override_homedir = /home/%d/%u
'man sssd.conf' will give you all the options.
2.You can restrict this using an access provider option. I personally use the simple access provider to do exactly what you are describing
access_provider = simple
simple_allow_groups = user_group
Depending on your configuration you may want to use the ldap access provider, both are documented here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Setting_Up_SSSD.html
8.2.3.2.3.1. The Simple Access Provider
8.2.3.2.3.2. The LDAP Access Provider
3.In an SSSD authentication configuration yes. I essentially create a minimal smb.conf for AD join and nothing else. I have asked about adcli inclusion in another thread (https://access.redhat.com/discussions/1119143), I personally don't use it because it isn't shipped with RHEL (EPEL only currently) so I still use the Samba method, no other real reason. Unfortunately this means you need to install samba packages to do the join.
In regards to IMU being deprecated in 2012R2, I am unable to find a reference from Microsoft that confirms this, but I have found several online references suggesting the same.
The list of deprecated features in 2012R2 is here:
http://technet.microsoft.com/en-au/library/hh831568.aspx
There is no mention of IMU, only SUA (Subsystem for UNIX-based Applications) which is unrelated. Will post if I find anything else.
There are several key reasons for keeping UID/GIDs consistent and it is a primary reason (along with central authentication) that environments move to a directory. It isn't so apparent when you have systems that aren't interacting, but if you have systems that, for example share NFS file shares, the UID/GID is critical when managing file permissions / access. You need to make sure that a file created by user1 on systemA, will be accessible from the same user1 on systemB. If the UIDs / GIDs differ host to host, this becomes an access control headache.
Another 'nicety' that many admins like to maintain is that the primary GID of a user matches the user's UID, especially if the admin is planning to continue the Red Hat standard User Private Groups when using the directory (a downside being that user/group names can't match in AD).
UID/GID consistency is something that SSSD maintains with and without IMU (IdMU). If you don't have IMU enabled, SSSD uses an algorithm to generate UID/GIDs of the unique SID from Active Directory. The way the UID/GID is generated by SSSD is consistent so the same users/groups will receive the same UID/GIDs on SSSD servers with the same configuration (this ID range and algorithm can be configured).
When you have IMU installed, this UID/GID is configured as a property of the user and group objects in the directory. This gives you much greater control over this information, and can also be used to limit which elements from your AD directory are visible/presented to your Red Hat / Linux hosts (as they will only list entries with valid unix attributes). Having IMU enabled also gives you greater control over the default shell and home directory attributes of users as well as the primary group attribute of the user. Without IMU this information is essentially 'generated' dynamically based off information provided eg. username / domain.
I personally prefer IMU and have used it on multiple sites because of the reasons above. I find that without it you lose too much control of the Unix elements (uid/gid/shell/home directory) and I also like to have full control over the primary unix group which IMU gives you. The other benefit is that with IMU enabled AD is your single point of truth. Scripts etc. can reference the directory and extract the unix credentials of user objects, without IMU it is more involved because you need to interrogate a server that has the SSSD 'generated' information on it.
The way I generally approach it is to discuss enabling the IMU extensions with the directory owner, explaining the benefits.. failing that... fall back to the SSSD generated information on the client end.
This is all my opinion obviously, one of the arguments against IMU is that modifying the AD schema introduces a support issue when upgrading AD, so some organisations prefer to keep the Linux components completely separate.
thanks a lot PixelDrift.NET Support.Regards to IMU on 2012 R2. It looks like i was misreading. Title is:
RSAT: Identity management for Unix/NIS
The Server for Network Information Service (NIS) Tools option of Remote Server Administration Tools (RSAT) is deprecated. Use native LDAP, Samba Client, Kerberos, or non-Microsoft options.
http://technet.microsoft.com/en-us/library/dn303411.aspx
and the feature can be enabled via dism. They only deprecated the remote management tool i guess.
After reading your post regarding potential 2012R2 IMU deprecation (and several other posts that alluded to the same thing on other sites), I worked with a Windows Engineer and validated 2012R2 IMU functionality and have confirmed that it is still there and works as described from this Windows Server 2012 documentation:
http://technet.microsoft.com/en-au/library/cc731178.aspx#BKMK_command
The option that I believe is getting confused with the IMU functionality is the RSAT tools as you have mentioned. This displays deprecated in 2012R2, as below:
PS C:\Users\Administrator> Get-WindowsFeature -Name *nis*
Display Name Name Install State
------------ ---- -------------
[ ] Server for NIS Tools [DEPRECATED] RSAT-NIS Available
I have not used this feature as part of an IMU deployment.
Below is validation that the IMU steps still work as expected in 2012R2.
PS C:\Users\Administrator> dism /online /enable-feature:adminui
Deployment Image Servicing and Management tool
Version: 6.3.9600.17031
Image Version: 6.3.9600.17031
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
PS C:\Users\Administrator> dism /online /enable-feature:nis
Deployment Image Servicing and Management tool
Version: 6.3.9600.17031
Image Version: 6.3.9600.17031
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
From here the 'UNIX Attributes' tab was made available and UID/GID configuration for users/groups was enabled and validated. I don't enable the PasswordSync capability (from documentation) as I don't have a use for it, so I didn't test it.
I generally use AD groups. When using a directory I try and avoid local users/groups as much as possible.
You can specify sudoers groups using the standard '%group' notation, the only caveat being that the AD group must have a valid GID so that sudoers is 'aware' of it. With 'simple_allow_groups' in sssd.conf, the group doesn't necessarily need a valid GID as SSSD can access group information from AD about non 'unix' groups. As far as my experience goes (would love an alternative), sudoers is only aware of unix groups with a valid GID that are exposed to the system.
You can validate that a group is available with:
getent group adgroupname
A large amount of documentation when searching for sssd and sudoers refers to storing the sudoers rules in AD/LDAP, this isn't something I do personally. I prefer to manage the sudoers.d files with git and deploy using Puppet (or via RPM).
Once again this is down to personal preference, but there a several solutions when integrating your privileged access controls into AD groups (eg. you can potentially merge the function of the simple_allow_groups that provide access to the server, and the group that provides sudoers privileges).
id_provider = ad is correct.
You need to ensure that ldap_id_mapping = false (as per the linked documentation above).
This is the minimum configuration I use in sssd for an IMU enabled directory.
[sssd]
config_file_version = 2
debug_level = 0
domains = mydomain.local
services = nss, pam
[domain/mydomain.local]
id_provider = ad
access_provider = simple
simple_allow_groups = user_group
ldap_id_mapping = false
enumerate = true
I have also found when testing that the SSSD cache can cause issues when switching back/forth between IMU and mapped IDs. I would remove the cache after each configuration change to make sure what you are seeing is 'fresh', eg.
service sssd stop
rm /var/lib/sss/db/cache_*.ldb
service sssd start
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.