The only useful guide I found on google is https://thornelabs.net/2014/01/30/authe ... 08-r2.html. Even then It seems that is a guide to authenticate users. The step where I input the admin user and pw is omitted. For cent7, that step occur when you do `realm join <$domain>` for centos6 it's `adcli join <$domain>`. In cent5 there's no `realmd` and there's no `adcli`.
I need the machines to be authenticated because I am using nfs+krb5.
Below is what I have tried.
Clock is sync with ad/dc, /etc/resolv.conf is configured properly as well.
Domain controller hostname: dc1.abc-es.test.com
Domain: abc-es.test.com
Code: Select all
[root@testbox06 pam.d]# cat /etc/*release
Red Hat Enterprise Linux Client release 5.8 (Tikanga)
[root@testbox06 sssd]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = ABC-ES.TEST.COM
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/ABC-ES.TEST.COM]
debug_level = 0
cache_credentials = False
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://ad1.abc-es.test.com
ldap_schema = rfc2307bis
ldap_referrals = False
ldap_search_base = dc=abc-es.test,dc=com
ldap_user_search_base = cn=Users,dc=abc-es.test,dc=com
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=abc-es.test,dc=com
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_member_of = memberOf
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=sssd,ou=Service Accounts,ou=Groups,dc=abc-es.test,dc=com
ldap_default_authtok_type = Default123!
ldap_default_authtok = $PASSWORD
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = ABC-ES.TEST.COM
krb5_canonicalize = False
krb5_server = dc1.abc-es.test.com:88
krb5_kpasswd = dc1.abc-es.test.com:88
[root@testbox06 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@testbox06 etc]# cat nsswitch.conf | grep -v "#"
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: plus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: plus
automount: files sss
aliases: files nisplus
sudoers: files ldap
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ABC.TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
ABC.TEST.COM = {
kdc = dc1.abc-es.test.com:88
}
[domain_realm]
abc-es.test.com = ABC.TEST.COM
.abc-es.test.com = ABC.TEST.COM