Centos/rhel5 update 8 sssd

juniorsysadmin1
Posts: 1
Joined: 2017/01/10 19:46:00

Centos/rhel5 update 8 sssd

Postby juniorsysadmin1 » 2017/01/10 20:23:44

I understand CentOS 5 will be obsolete in a mere 2 months, but I can't upgrade the operating system; this question is actually about RHEL 5. Since CentOS 5 and RHEL 5 are binary compatible, I figure someone here could help me out. I've exhausted all available options and decided to create an account to try my luck here.

The only useful guide I found on Google is https://thornelabs.net/2014/01/30/authenticate-rhel-5-and-6-sssd-using-kerberos-and-ldap-against-active-directory-on-windows-server-2008-r2.html. Even then, it seems to be a guide to authenticating users. The step where I input the admin user and password is omitted. For CentOS 7, that step occurs when you do `realm join <$domain>`; for CentOS 6 it's `adcli join <$domain>`. In CentOS 5 there's no `realmd` and there's no `adcli`.

I need the machines to be authenticated because I am using NFS + krb5.

Below is what I have tried.

The clock is in sync with the AD/DC, and /etc/resolv.conf is configured properly as well.
Domain controller hostname: dc1.abc-es.test.com
Domain: abc-es.test.com

[root@testbox06 pam.d]# cat /etc/*release
Red Hat Enterprise Linux Client release 5.8 (Tikanga)

[root@testbox06 sssd]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30
services = nss, pam

domains = ABC-ES.TEST.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/ABC-ES.TEST.COM]
debug_level = 0
cache_credentials = False

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_uri = ldap://ad1.abc-es.test.com

ldap_schema = rfc2307bis

ldap_referrals = False

ldap_search_base = dc=abc-es.test,dc=com

ldap_user_search_base = cn=Users,dc=abc-es.test,dc=com
ldap_user_object_class = user

ldap_group_search_base = ou=Groups,dc=abc-es.test,dc=com
ldap_group_object_class = group

ldap_user_name = sAMAccountName

ldap_user_home_directory = unixHomeDirectory

ldap_user_member_of = memberOf

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True

ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=sssd,ou=Service Accounts,ou=Groups,dc=abc-es.test,dc=com
ldap_default_authtok_type = Default123!
ldap_default_authtok = $PASSWORD
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_realm = ABC-ES.TEST.COM
krb5_canonicalize = False
krb5_server = dc1.abc-es.test.com:88
krb5_kpasswd = dc1.abc-es.test.com:88

[root@testbox06 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


[root@testbox06 etc]# cat nsswitch.conf | grep -v "#"


passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files  dns


bootparams: plus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  plus

automount:  files sss
aliases:    files nisplus

sudoers: files ldap

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ABC.TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]

 ABC.TEST.COM = {
  kdc = dc1.abc-es.test.com:88
 }

[domain_realm]
 abc-es.test.com = ABC.TEST.COM
 .abc-es.test.com = ABC.TEST.COM



At this point is where I'm confused. I tried doing `net ads join`, but it ends up with the host not being configured; that's a given because I didn't configure smb.conf. However, that should be beside the point because I am using sssd, not Samba, right? I deal mostly with CentOS 6 and CentOS 7; adcli and realm did a lot of stuff for me, and I think I'm missing a lot of the actual nitty-gritty for CentOS 5 to work. I appreciate any help.
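As an added example that is not part of the original post or of SSSD, here is a small Python checker that parses the two configuration files quoted above and reports the mismatches a reviewer would look for before trying to join: the Kerberos realm named in sssd.conf versus `default_realm` and the `[realms]` / `[domain_realm]` entries in krb5.conf, the `ldap_default_authtok_type` value (SSSD accepts `password` or `obfuscated_password`), and a simple bind over plain `ldap://` without StartTLS, which sends the service-account password in the clear. The sssd.conf and krb5.conf texts are embedded as constructed samples trimmed to the keys the checker inspects; the parser, the finding codes and `FIXED_KRB5_CONF` are assumptions of this example.

```python
"""Consistency checks for the sssd.conf + krb5.conf pair quoted in the post.
Added example: the checker is hypothetical (not part of SSSD or the post);
the config texts are constructed samples of the post's values."""

# Constructed sample: the post's /etc/sssd/sssd.conf, trimmed to the keys checked.
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ABC-ES.TEST.COM

[domain/ABC-ES.TEST.COM]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ad1.abc-es.test.com
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=sssd,ou=Service Accounts,ou=Groups,dc=abc-es.test,dc=com
ldap_default_authtok_type = Default123!
ldap_default_authtok = $PASSWORD
krb5_realm = ABC-ES.TEST.COM
krb5_server = dc1.abc-es.test.com:88
"""

# Constructed sample: the post's /etc/krb5.conf.
KRB5_CONF = """\
[libdefaults]
 default_realm = ABC.TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ABC.TEST.COM = {
  kdc = dc1.abc-es.test.com:88
 }

[domain_realm]
 abc-es.test.com = ABC.TEST.COM
 .abc-es.test.com = ABC.TEST.COM
"""

# Assumed corrected krb5.conf: the realm name agrees with sssd.conf everywhere.
FIXED_KRB5_CONF = KRB5_CONF.replace("ABC.TEST.COM", "ABC-ES.TEST.COM")


def parse_conf(text):
    """Parse INI-style text, including krb5.conf's `name = { ... }` sub-blocks,
    into nested dicts: {section: {key: value | {key: value}}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()                        # leave a brace sub-block
        elif stack:
            key, _, value = line.partition("=")  # first '=' only: DNs contain '='
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root


def is_true(value):
    return str(value).strip().lower() in ("true", "yes", "1")


def check_consistency(sssd, krb5):
    """Return [(code, message), ...]; an empty list means no finding."""
    findings = []
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    realms = krb5.get("realms", {})
    domain_realm = krb5.get("domain_realm", {})
    for dom in [d.strip() for d in sssd["sssd"]["domains"].split(",")]:
        sect = sssd.get("domain/" + dom, {})
        realm = sect.get("krb5_realm", dom.upper())
        if realm != default_realm:
            findings.append(("realm-mismatch",
                             f"sssd krb5_realm={realm} but krb5.conf default_realm={default_realm}"))
        if not isinstance(realms.get(realm), dict):
            findings.append(("realm-undefined",
                             f"krb5.conf [realms] has no block for {realm}"))
        for host in (dom.lower(), "." + dom.lower()):
            mapped = domain_realm.get(host)
            if mapped is not None and mapped != realm:
                findings.append(("domain-realm-mismatch",
                                 f"[domain_realm] maps {host} to {mapped}, not {realm}"))
        authtok_type = sect.get("ldap_default_authtok_type", "password")
        if authtok_type not in ("password", "obfuscated_password"):
            findings.append(("bad-authtok-type",
                             f"ldap_default_authtok_type={authtok_type!r} is not a type; "
                             "expected password or obfuscated_password"))
        uri = sect.get("ldap_uri", "")
        if (sect.get("ldap_default_bind_dn") and uri.startswith("ldap://")
                and not is_true(sect.get("ldap_id_use_start_tls", "false"))):
            findings.append(("cleartext-bind",
                             f"simple bind to {uri} without StartTLS sends the bind password in the clear"))
    return findings


if __name__ == "__main__":
    for code, msg in check_consistency(parse_conf(SSSD_CONF), parse_conf(KRB5_CONF)):
        print(f"{code}: {msg}")
```

Run against the post's values, the checker flags the `ABC.TEST.COM` / `ABC-ES.TEST.COM` realm disagreement in all three krb5.conf sections, the non-type value in `ldap_default_authtok_type`, and the cleartext simple bind; with the realm corrected, the type set to `password` and `ldaps://` (or StartTLS) in use, it reports nothing. It does not check the piece the post is really missing, a host keytab for `host/` and `nfs/` principals, because that depends on the join method chosen.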
