Failed to configure sssd for kerberos authentication

xylose
Posts: 2
Joined: 2019/11/01 10:12:25

Post by xylose » 2019/11/01 10:33:58

I'm having problems getting my authentication setup working on the new CentOS8 infrastructure. I've been using a system where we defer authentication to a kerberos server, but only for password authentication - account uids/gids are managed locally.

On CentOS6/7 we set up krb5.conf and then used authconfig-tui to add krb as a source for PAM and it all just worked, but I can't get the same thing to work in the new sssd environment in CentOS8.

What I've done so far:
  • Transferred over my old krb5.conf
  • Checked that

        kinit username@EXAMPLE.COM

    works - which it does
  • Created an /etc/sssd/sssd.conf file (contents below)
  • Ran

        authconfig --enablesssd --update

    and

        authconfig --enablesssdauth --update

sssd starts and I can see my domain as started.

/etc/nsswitch.conf has sss listed as the first provider for passwd (as well as a few others)

However I can't log into an account which only has a password in krb. Kinit for the same account is fine.

If I run

    sssctl user-checks -a=auth myuser

then I get

    user: myuser
    action: auth
    service: system-auth

    SSSD nss user lookup result:
     - user name: myuser
     - user id: 13779
     - group id: 13779
     - gecos:
     - home directory: /home/myuser
     - shell: /bin/bash

    SSSD InfoPipe user lookup result:
     - name: myuser
     - uidNumber: 13779
     - gidNumber: 13779
     - gecos: not set
     - homeDirectory: /home/myuser
     - loginShell: /bin/bash

    testing pam_authenticate

    Password:
    pam_authenticate for user [myuser]: Authentication failure

    PAM Environment:
     - no env -

So it looks like it's going to PAM but either it's not trying the auth against the domain, or it's failing for some reason.


My sssd.conf file looks like (with the correct domain name):

    [sssd]
    config_file_version = 2
    services = pam, nss, ifp
    domains = EXAMPLE.COM

    [domain/EXAMPLE.COM]
    id_provider = files
    debug_level = 5
    auth_provider = krb5
    chpass_provider = krb5
    krb5_realm = EXAMPLE.COM
    krb5_server = EXAMPLE.COM:88
    krb5_validate = true
    krb5_cachedir = /var/tmp

I've also checked that chrony is running and is synced to our NTP server and that the domain name resolves correctly in DNS.

I'm now stuck as to where to go to debug this further. Any help is very much appreciated.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Failed to configure sssd for kerberos authentication

Post by hunter86_bg » 2019/11/04 06:13:21

What is the output of:

    getent passwd myuser

What happens when you switch to that user:

    su - myuser

xylose
Posts: 2
Joined: 2019/11/01 10:12:25

Re: Failed to configure sssd for kerberos authentication

Post by xylose » 2019/11/04 10:40:19

    getent passwd myuser

returns the appropriate line from /etc/passwd (which is right I think)

    su - myuser

switches to myuser correctly.

I did some more playing with this and now have it working. The change which made it work was to add:

    krb5_validate = false

to /etc/sssd/sssd.conf

It looks like the checking of the krb5 server's identity was failing before (but with no pointer towards this in the logs). In my previous setups I've never done anything specific to set up this validation, so maybe this was never running before and the default has changed? It would seem that the best fix would be to put the public key for the krb5 server into the krb5_keytab file, but I'm not really sure how to extract that from the server (I don't control the server, I'm just acting as a client). I guess I was hoping this would be something like SSH where it trusts the first time it connects and then validates against the initial identity for subsequent interactions.
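
As an added example (not from this thread or from sssd's own tooling): a small audit that reads an sssd.conf like the one above and flags krb5 domains where krb5_validate is off, since that option is what makes SSSD verify the KDC against the host keytab before trusting a login, and also flags a domain where validation is on but the keytab is absent, which matches the symptom described in the thread. The sample config is constructed from the final working version posted above; /etc/krb5.keytab is sssd's documented default for krb5_keytab, and the keytab_exists parameter is a hypothetical hook so the check can run without a real keytab.

```python
"""Audit an sssd.conf for Kerberos domains that skip KDC validation."""
import configparser
import os
from typing import Callable, List

# Constructed sample: the thread's config after krb5_validate was turned off.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = pam, nss, ifp
domains = EXAMPLE.COM

[domain/EXAMPLE.COM]
id_provider = files
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = EXAMPLE.COM:88
krb5_validate = false
krb5_cachedir = /var/tmp
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-style; interpolation is disabled so '%' in values is safe.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_krb5_validation(text: str,
                          keytab_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return one finding per active krb5 domain that is either unvalidated
    or validated against a keytab that is not present on this host."""
    cp = parse_sssd_conf(text)
    findings: List[str] = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for name in domains:
        section = f"domain/{name}"
        if not cp.has_section(section):
            findings.append(f"{name}: listed in [sssd] domains but has no [{section}] section")
            continue
        if cp.get(section, "auth_provider", fallback="") != "krb5":
            continue
        # sssd's default for krb5_validate is false, so a missing key counts as off.
        validate = cp.getboolean(section, "krb5_validate", fallback=False)
        keytab = cp.get(section, "krb5_keytab", fallback="/etc/krb5.keytab")
        if not validate:
            findings.append(f"{name}: krb5_validate is off; a login trusts any KDC reply that "
                            "decrypts with the typed password, so a spoofed KDC is not detected")
        elif not keytab_exists(keytab):
            findings.append(f"{name}: krb5_validate is on but keytab {keytab} is missing, "
                            "so every authentication will fail until a host keytab is installed")
    return findings
```

Re-enabling validation requires a keytab holding a host/ principal for this machine, which only the KDC administrator can issue; the audit only tells you which of the two states a domain is in.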