Centos/rhel5 update 8 sssd

General support questions including new installations
Post Reply
Posts: 1
Joined: 2017/01/10 19:46:00

Centos/rhel5 update 8 sssd

Post by juniorsysadmin1 » 2017/01/10 20:23:44

I understand cent5 will be obsolete in mere 2 month but I can't upgrade the operating system, this question is actually about a rhel5. Since cent5 and rhel5 are binary compatible I figure someone here could help me out here. I've exhausted all available options and decide to create an account to try my luck here.

The only useful guide I found on google is https://thornelabs.net/2014/01/30/authe ... 08-r2.html. Even then It seems that is a guide to authenticate users. The step where I input the admin user and pw is omitted. For cent7, that step occur when you do `realm join <$domain>` for centos6 it's `adcli join <$domain>`. In cent5 there's no `realmd` and there's no `adcli`.

I need the machines to be authenticated because I am using nfs+krb5.

Below is what I have tried.

Clock is sync with ad/dc, /etc/resolv.conf is configured properly as well.
Domain controller hostname: dc1.abc-es.test.com
Domain: abc-es.test.com

Code: Select all

[root@testbox06 pam.d]# cat /etc/*release
Red Hat Enterprise Linux Client release 5.8 (Tikanga)

[root@testbox06 sssd]# cat /etc/sssd/sssd.conf
config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30
services = nss, pam

domains = ABC-ES.TEST.COM

filter_groups = root
filter_users = root
reconnection_retries = 3

reconnection_retries = 3

debug_level = 0
cache_credentials = False

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_uri = ldap://ad1.abc-es.test.com

ldap_schema = rfc2307bis

ldap_referrals = False

ldap_search_base = dc=abc-es.test,dc=com

ldap_user_search_base = cn=Users,dc=abc-es.test,dc=com
ldap_user_object_class = user

ldap_group_search_base = ou=Groups,dc=abc-es.test,dc=com
ldap_group_object_class = group

ldap_user_name = sAMAccountName

ldap_user_home_directory = unixHomeDirectory

ldap_user_member_of = memberOf

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True

ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=sssd,ou=Service Accounts,ou=Groups,dc=abc-es.test,dc=com
ldap_default_authtok_type = Default123!
ldap_default_authtok = $PASSWORD
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_realm = ABC-ES.TEST.COM
krb5_canonicalize = False
krb5_server = dc1.abc-es.test.com:88
krb5_kpasswd = dc1.abc-es.test.com:88

[root@testbox06 pam.d]# cat system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[root@testbox06 etc]# cat nsswitch.conf | grep -v "#"

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files  dns

bootparams: plus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  plus

automount:  files sss
aliases:    files nisplus

sudoers: files ldap

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = ABC.TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true


  kdc = dc1.abc-es.test.com:88

 abc-es.test.com = ABC.TEST.COM
 .abc-es.test.com = ABC.TEST.COM

At this point is where i'm confused. I try doing `net ads join` but it ends up host being not configured, that's a given because I didn't configure smb.conf. However, that should be beside the point because I am using sssd not samba right? I deal mostly with cent6 and cent7, the adcli and realm did alot of stuff for me and I think i'm missing a lot of the actual nitty gritty for cent5 to work. I appreciate any help.

Posts: 1
Joined: 2017/03/20 17:20:27

Re: Centos/rhel5 update 8 sssd

Post by dannyboy123 » 2017/03/20 17:29:38

Maybe at least try to update to 5.11.

You do also need to configure smb.conf since the net command is part of the samba-common package. If that is the command you are using to join the domain, then clearly that is the config file you need to use.

You can see if it worked by checking if a keytab was created in /etc/krb5.conf (default location) but it should give you some feedback on how it is doing.

Post Reply