SSSD is offline

mhm

New Member
Joined
Jul 4, 2022
Messages
2
Reaction score
0
Credits
55
Dears,
I have configured the KRB5 and SSSD to authenticate with AD Windows Server 2012R2, joining RHEL8 machine (test) to the AD is done, however, domain users are not getting retrieved and I always receive ": no such user" with id command and Global catalogue seems down (it's working from the windows server side). Below is my configuration:
[[email protected] ~]# realm join --user vmadmin WIN-JGT3N0TES8J-CA.hadoop.com
Completed successfully and I can see "test" server in the AD computers.
[[email protected] ~]# realm list
hadoop.com
type: kerberos
realm-name: HADOOP.COM
domain-name: hadoop.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
[[email protected] ~]# sssctl domain-status hadoop.com
Online status: Offline
Active servers:
AD Global Catalog: not connected
AD Domain Controller: win-jgt3n0tes8j-ca.hadoop.com
Discovered AD Global Catalog servers:
- win-jgt3n0tes8j-ca.hadoop.com
Discovered AD Domain Controller servers:
- win-jgt3n0tes8j-ca.hadoop.com
[[email protected] ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─network.conf
Active: active (running) since Sun 2022-07-03 08:12:46 UTC; 1s ago
Main PID: 1502 (sssd)
Tasks: 5 (limit: 4700)
Memory: 39.1M
CGroup: /system.slice/sssd.service
├─1502 /usr/sbin/sssd -i --logger=files
├─1504 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
├─1505 /usr/libexec/sssd/sssd_be --domain hadoop.com --uid 0 --gid 0 --logger=files
├─1507 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─1508 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Jul 03 08:12:46 test.hadoop.com systemd[1]: sssd.service: Succeeded.
Jul 03 08:12:46 test.hadoop.com systemd[1]: Stopped System Security Services Daemon.
Jul 03 08:12:46 test.hadoop.com systemd[1]: Starting System Security Services Daemon...
Jul 03 08:12:46 test.hadoop.com sssd[1502]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_be[1504]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_be[1505]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_pam[1508]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_nss[1507]: Starting up
Jul 03 08:12:46 test.hadoop.com sssd_be[1505]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Jul 03 08:12:46 test.hadoop.com systemd[1]: Started System Security Services Daemon.
[[email protected] ~]# klist -l
Principal name Cache name
-------------- ----------
[email protected] KCM:0
[email protected] KCM:0:63744 (Expired)
[email protected] KCM:0:61402 (Expired)
[email protected] KCM:0:51946 (Expired)
[email protected] KCM:0:13576 (Expired)
[[email protected] ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = hadoop.com
config_file_version = 2
services = nss, pam
[domain/hadoop.com]
ad_server = win-jgt3n0tes8j-ca.hadoop.com
ad_domain = hadoop.com
krb5_realm = HADOOP.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
[[email protected] ~]# cat /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING
tongue.gif
ersistent:%{uid}
udp_preference_limit = 0
default_realm = HADOOP.COM
[realms]
HADOOP.COM = {
kdc = WIN-JGT3N0TES8J-CA.hadoop.com
admin_server = WIN-JGT3N0TES8J-CA.hadoop.com
}
[domain_realm]
.example.com = HADOOP.COM
example.com = HADOOP.COM
Thanks in advance
 


OP
M

mhm

New Member
Joined
Jul 4, 2022
Messages
2
Reaction score
0
Credits
55
Hi all,
It's working now, assure that the /etc/resolv.conf is confiugred properly, and then I had to fix the keytab errors by:
realm leave --user administrator <domain_name>
kinit administrator
realm join --user administrator <domain_name>
Regards
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Linux.org Hosting Donations
Consider making a donation


Top