Configuring AD/LDAP for HPC (CentOS7) - Not Working

General support questions
okcjj
Posts: 7
Joined: 2020/10/13 20:19:35

Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by okcjj » 2020/10/13 20:41:50

I am attempting to configure a 29 node HPC CentOS 7 cluster to use Active Directory authentication. There have been a number of networking issues because of the specific nature of this server. I am at a loss as to why this isn't working and am hoping it is something misconfigured in sssd.conf or krb5.conf that someone will recognize.

Everything else I have is running RHEL6/7/8 and I would otherwise reach out to RH for help, but that isn't an option here. I have been able to get AD authentication to work on my RHEL 7 test servers, but their network configuration is much more straightforward than this box. I am going to include my sssd.conf and krb5.conf to see if anyone notices obvious errors (IPs and hostnames changed for security). I have also included an error message and the output from systemctl status on sssd.

This is the error I am getting in /var/log/secure related to my attempt to access the box with an AD account.

Oct 13 15:28:39 server sshd[13202]: Failed password for invalid user okcjj from 192.168.1.252 port 29307 ssh2

SSSD.CONF
[root@server sssd]# more sssd.conf
[domain/domain.local]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive
default_shell=/bin/bash
fallback_homedir=/home/%u
debug_level = 0

[sssd]
services = nss, pam, pac
config_file_version = 2
domains = domain.local


[nss]
filter_groups = root
filter_users = root
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
allowed_shells = /bin/bash
shell_fallback = /bin/bash

[pam]


KRB5.CONF

[root@server etc]# more krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.LOCAL = {
kdc = ad1.domain.local.:88
kdc = ad2.domain.local.:88
kdc = ad3.domain.local.:88
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL


SSSD STATUS

[root@server samba]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-10-13 15:15:40 CDT; 18min ago
Main PID: 10755 (sssd)
CGroup: /system.slice/sssd.service
├─10755 /usr/sbin/sssd -i --logger=files
├─10756 /usr/libexec/sssd/sssd_be --domain domain.local --uid 0 --gid 0 --logger=files
├─10757 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─10758 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
└─10759 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files

Oct 13 15:15:40 systemd[1]: Starting System Security Services Daemon...
Oct 13 15:15:40 sssd[10755]: Starting up
Oct 13 15:15:40 sssd[be][10756]: Starting up
Oct 13 15:15:40 sssd[nss][10757]: Starting up
Oct 13 15:15:40 sssd[pam][10758]: Starting up
Oct 13 15:15:40 sssd[pac][10759]: Starting up
Oct 13 15:15:40 systemd[1]: Started System Security Services Daemon.
Oct 13 15:17:00 sssd[be][10756]: Backend is offline

Thanks for any assistance

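Added example, not part of the thread: the two files the opening post asks about can be checked against each other before anyone looks at the network. sshd logging "invalid user" means the NSS lookup for the account returned nothing, which is exactly what an sssd backend that reports "Backend is offline" produces, so a config-level sanity pass is the cheapest first step. The script below embeds constructed, trimmed copies of the poster's sssd.conf and krb5.conf (the realm and hostnames are the anonymised ones from the thread), parses both, and reports the mismatches that most often break an `id_provider = ad` domain: domains listed but not defined, missing nss/pam services, a non-upper-case realm, a realm that does not match the sssd domain, a wrong [domain_realm] mapping, and a debug_level too low to diagnose anything. The check list and the small krb5.conf reader are my own; they are not sssd's or krb5's validation logic.

```python
import configparser
import re

# Constructed, trimmed copies of the two files from the post (only the sections
# the checks need; realm and hostnames as anonymised in the thread).
SSSD_CONF = """\
[domain/domain.local]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive
default_shell=/bin/bash
fallback_homedir=/home/%u
debug_level = 0

[sssd]
services = nss, pam, pac
config_file_version = 2
domains = domain.local
"""

KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
DOMAIN.LOCAL = {
kdc = ad1.domain.local.:88
kdc = ad2.domain.local.:88
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
"""


def parse_sssd(text):
    """sssd.conf is plain INI; interpolation is off because of %u in fallback_homedir."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_krb5(text):
    """Minimal krb5.conf reader: [section], key = value, and key = { ... } blocks.
    Plain values are kept as lists because keys such as kdc may repeat."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif stack and (m := re.match(r"(\S+)\s*=\s*(.*)$", line)):
            key, val = m.group(1), m.group(2).strip()
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)
    return sections


def check_configs(sssd_text, krb5_text):
    """Return (level, message) findings; 'error' means logins cannot work as written."""
    findings = []
    sssd, krb5 = parse_sssd(sssd_text), parse_krb5(krb5_text)
    listed = [d.strip() for d in sssd.get("sssd", "domains", fallback="").split(",") if d.strip()]
    defined = [s.split("/", 1)[1] for s in sssd.sections() if s.startswith("domain/")]
    for d in listed:
        if d not in defined:
            findings.append(("error", f"[sssd] domains lists '{d}' but there is no [domain/{d}] section"))
    for d in defined:
        if d not in listed:
            findings.append(("warn", f"[domain/{d}] exists but is not enabled in [sssd] domains"))
    services = {s.strip() for s in sssd.get("sssd", "services", fallback="").split(",")}
    for need in ("nss", "pam"):
        if need not in services:
            findings.append(("error", f"[sssd] services lacks '{need}'"))
    realm = krb5.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        findings.append(("error", "krb5: [libdefaults] has no default_realm"))
    elif realm != realm.upper():
        findings.append(("error", f"krb5: default_realm '{realm}' must be upper-case for AD"))
    domain_realm = krb5.get("domain_realm", {})
    for d in defined:
        sec = sssd["domain/" + d]
        # The ad provider derives the realm from ad_domain (default: the domain name), upper-cased.
        expected = sec.get("krb5_realm", sec.get("ad_domain", d)).upper()
        if realm and expected != realm:
            findings.append(("error", f"[domain/{d}] implies realm {expected}, krb5 default_realm is {realm}"))
        mapped = (domain_realm.get(d) or domain_realm.get("." + d) or [None])[0]
        if mapped is not None and mapped != expected:
            findings.append(("error", f"krb5 [domain_realm] maps {d} to {mapped}, expected {expected}"))
        if int(sec.get("debug_level", "0"), 0) < 6:
            findings.append(("info", f"[domain/{d}] debug_level is low; use 6+ and read /var/log/sssd/sssd_{d}.log"))
    return findings


if __name__ == "__main__":
    for level, msg in check_configs(SSSD_CONF, KRB5_CONF):
        print(f"{level:5s} {msg}")
```

Run against the posted files the only output is the debug_level hint, which is the right conclusion: the two files agree with each other, so the "Backend is offline" line has to be explained by what the ad provider does next, namely resolving and reaching the domain controllers (SRV records for the realm, port 88/389/636) from this host's routing and DNS setup rather than by a typo in either file.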
TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by TrevorH » 2020/10/13 21:07:11

I have been able to get AD authentication to work on my RHEL 7 test servers, but their network configuration is much more straight forward than this box.
What do you think is different between CentOS and RHEL here? They are built from the same source code, with the same options so why should there be any difference?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

okcjj
Posts: 7
Joined: 2020/10/13 20:19:35

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by okcjj » 2020/10/13 21:10:23

The difference is that I have paid support with Red Hat and no support for CentOS.

okcjj
Posts: 7
Joined: 2020/10/13 20:19:35

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by okcjj » 2020/10/13 21:32:26

TrevorH wrote:
2020/10/13 21:07:11
I have been able to get AD authentication to work on my RHEL 7 test servers, but their network configuration is much more straight forward than this box.
What do you think is different between CentOS and RHEL here? They are built from the same source code, with the same options so why should there be any difference?
I am just looking for some assistance with a piece of config I am not familiar with. I was able to get the AD authentication to work on 4 different RHEL7 servers, but the only CentOS server I tried I can't get it to function. There are a number of other differences besides the OS, but I am just trying to peel the troubleshooting onion on this and remove variables.

TrevorH
Forum Moderator
Posts: 29719
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by TrevorH » 2020/10/13 21:35:10

What you said was that RHEL servers' "network configuration is much more straight forward". The only differences between RHEL and CentOS other than cost and support are the lack of subscription manager etc in CentOS. Everything else should be identical. So whatever you did on RHEL should also work on CentOS and if it does not then it's either a bug or something else is different.

okcjj
Posts: 7
Joined: 2020/10/13 20:19:35

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by okcjj » 2020/10/13 21:48:22

Exactly, I should be able to do the same thing and have it work, but it didn't.

So that is why I am here.

okcjj
Posts: 7
Joined: 2020/10/13 20:19:35

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by okcjj » 2020/10/13 22:05:19

TrevorH wrote:
2020/10/13 21:35:10
What you said was that RHEL servers "network configuration is much more straight forward".
Below is the ip addr output for the HPC and, below that, for one of the functioning test servers. That should explain the "much more straightforward".
OUTPUT from CentOS HPC

[root@servver samba]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
3: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
inet 1.1.1.254/24 brd 1.1.1.255 scope global noprefixroute enp3s0f0
valid_lft forever preferred_lft forever
inet6 /64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: ens3f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
inet 10.11.42.210/28 brd 10.111.42.223 scope global noprefixroute ens3f1
valid_lft forever preferred_lft forever
inet6 /64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 38:2c:4a:c7:8e:76 brd ff:ff:ff:ff:ff:ff
inet 24.14.117.11/24 brd 24.14.117.255 scope global noprefixroute enp3s0f1
valid_lft forever preferred_lft forever
inet6 scope link noprefixroute
valid_lft forever preferred_lft forever
6: enp4s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
7: enp4s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
inet 1.2.1.254/24 brd 1.2.1.255 scope global noprefixroute enp4s0f1
valid_lft forever preferred_lft forever
inet6 scope link noprefixroute
valid_lft forever preferred_lft forever
8: ib0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2044 qdisc pfifo_fast state UP group default qlen 256
link/infiniband brd
inet 1.3.1.254/24 brd 1.3.1.255 scope global noprefixroute ib0
valid_lft forever preferred_lft forever
inet6 scope link
valid_lft forever preferred_lft forever


OUTPUT from Test server
[root@test01 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
inet 12.1.1.101/24 brd 12.1.1.255 scope global noprefixroute dynamic ens192
valid_lft 505351sec preferred_lft 505351sec
inet6 scope link noprefixroute
valid_lft forever preferred_lft forever

jlehtone
Posts: 3107
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by jlehtone » 2020/10/14 08:03:36

okcjj wrote:
2020/10/13 22:05:19
That should explain the "much more straight forward"
I see no difference between those two. One server has more ports than the other. That is a physical difference. Not a software issue.
Cheyenne: You know Ma'am, when you've killed four, it's easy to make it five.
Although, there usually is a "jump" from one connection to more than one connection.

NetworkManager.service is a default in RHEL/CentOS 7. If in use, then it would be prudent to use its commands too.

nmcli d s
nmcli c s
nmcli
ip ro

Well, the last one is not from NM, but its output is to the point and usually revealing when more than one connection has a logic error.


AD ... never seen, never used.

okcjj
Posts: 7
Joined: 2020/10/13 20:19:35

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by okcjj » 2020/10/14 13:08:16

jlehtone wrote:
2020/10/14 08:03:36
okcjj wrote:
2020/10/13 22:05:19
That should explain the "much more straight forward"
I see no difference between those two. One server has more ports than the other. That is a physical difference. Not a software issue.
Cheyenne: You know Ma'am, when you've killed four, it's easy to make it five.
Although, there usually is a "jump" from one connection to more than one connection.

NetworkManager.service is a default in RHEL/CentOS 7. If in use, then it would be prudent to use its commands too.

nmcli d s
nmcli c s
nmcli
ip ro

Well, the last one is not from NM, but its output is to the point and usually revealing when more than one connection has a logic error.


AD ... never seen, never used.
The different networks that were involved caused some configuration issues when trying to route to the domain controllers as well as the needed DNS servers. This particular server is a one off and sits away from the rest of our servers.

I was mostly curious about the sssd.conf and the krb5.conf configuration files I shared. I feel that I have resolved the networking concerns, but I will share the output from your command post.

[root@server samba]# nmcli d s
DEVICE TYPE STATE CONNECTION
ens3f1 ethernet connected net1
enp3s0f0 ethernet connected management
enp3s0f1 ethernet connected primary
enp4s0f1 ethernet connected ipmi
ib0 infiniband connected ib0
ens3f0 ethernet disconnected --
enp4s0f0 ethernet unavailable --
lo loopback unmanaged --

[root@server samba]# nmcli c s
NAME UUID TYPE DEVICE
net1 [deleted] ethernet ens3f1
ib0 [deleted] infiniband ib0
ipmi [deleted] ethernet enp4s0f1
management [deleted] ethernet enp3s0f0
primary [deleted] ethernet enp3s0f1
enp4s0f0 [deleted] ethernet --
ens3f0 [deleted] ethernet --

The last 2 commands provided more identifiable information than I would be allowed to share.

jlehtone
Posts: 3107
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configuring AD/LDAP for HPC (CentOS7) - Not Working

Post by jlehtone » 2020/10/14 14:38:22

Yes, routing and DNS can have an effect. Kerberos host principals contain the fqdn hostname, which must be resolvable by DNS.
Then again a host can have more than one principal, I presume.


A technical note:
* The /etc/krb5.conf comes from the rpm package. There is no need to edit it, because one can drop additional configuration files into /etc/krb5.conf.d/
That way settings from the package stay clearly separate from your settings.

* Similarly, there is /etc/sssd/conf.d/ for additional config, even though file /etc/sssd/sssd.conf is not from package (but might be modified by authconfig, etc).
sssd.service requires /etc/sssd/sssd.conf, but it can be empty. Mine has just a comment:

$ sudo cat /etc/sssd/sssd.conf 
# ansible #
$

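Added example, not from the thread: the drop-in layout jlehtone describes has two traps that are easy to hit and silent when you do. sssd reads only files named `*.conf` under /etc/sssd/conf.d/, and they must pass the same ownership and permission check as sssd.conf (root-owned, mode 0600) or the daemon refuses to start. MIT krb5's `includedir` (the packaged /etc/krb5.conf on CentOS 7 includes /etc/krb5.conf.d/) only picks up file names made of letters, digits, dashes and underscores; a `.conf` suffix is tolerated from krb5 1.17 on, and CentOS 7 ships 1.15, so a file called `ad.conf` there is never read. The script below writes a throw-away layout into temp directories and audits it. `write_dropin`, `audit_dropins` and `demo_dropins` are my own names; `expect_uid` is parameterised only so the demo can run unprivileged (on a real host it is 0).

```python
import os
import re
import stat
import tempfile

# krb5 "includedir" name rules: [A-Za-z0-9_-] only; ".conf" suffix accepted from 1.17 on.
_KRB5_NAME_LEGACY = re.compile(r"^[A-Za-z0-9_-]+$")
_KRB5_NAME_117 = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


def write_dropin(directory, name, text):
    """Create a drop-in with mode 0600 from the first write (no world-readable window)."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # in case a permissive umask widened it
    return path


def audit_dropins(sssd_dir, krb5_dir, expect_uid=0, krb5_version=(1, 15)):
    """List drop-ins that will be ignored or will stop sssd from starting."""
    problems = []
    for name in sorted(os.listdir(sssd_dir)):
        path = os.path.join(sssd_dir, name)
        if not name.endswith(".conf"):
            problems.append(f"sssd: {name} is ignored (conf.d only reads *.conf)")
            continue
        st = os.stat(path)
        if st.st_uid != expect_uid or stat.S_IMODE(st.st_mode) != 0o600:
            problems.append(f"sssd: {name} must be uid {expect_uid}, mode 0600, or sssd refuses to start")
    rule = _KRB5_NAME_117 if krb5_version >= (1, 17) else _KRB5_NAME_LEGACY
    for name in sorted(os.listdir(krb5_dir)):
        if not rule.match(name):
            problems.append(f"krb5: {name} is ignored by includedir on krb5 {krb5_version[0]}.{krb5_version[1]}")
    return problems


def demo_dropins():
    """Build a constructed layout in temp dirs and audit it three ways."""
    sssd_dir, krb5_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    me = os.getuid()  # real deployments: expect_uid=0
    write_dropin(sssd_dir, "10-domain.conf", "[domain/domain.local]\nid_provider = ad\naccess_provider = ad\n")
    write_dropin(sssd_dir, "README", "notes, never read by sssd\n")
    write_dropin(krb5_dir, "domain_local", "[libdefaults]\ndefault_realm = DOMAIN.LOCAL\n")
    write_dropin(krb5_dir, "ad.conf", "[domain_realm]\n.domain.local = DOMAIN.LOCAL\n")
    centos7 = audit_dropins(sssd_dir, krb5_dir, expect_uid=me)
    newer = audit_dropins(sssd_dir, krb5_dir, expect_uid=me, krb5_version=(1, 17))
    os.chmod(os.path.join(sssd_dir, "10-domain.conf"), 0o644)  # the classic copy-paste mistake
    loose = audit_dropins(sssd_dir, krb5_dir, expect_uid=me)
    return {"centos7": centos7, "krb5_1_17": newer, "world_readable": loose}


if __name__ == "__main__":
    for label, problems in demo_dropins().items():
        print(label, *problems, sep="\n  ")
```

On the CentOS 7 rules the audit flags both README (not `*.conf`) and ad.conf (dot in the name); with krb5 1.17 rules only README remains; after the chmod the 0644 domain file is reported as well, which is the case that leaves sssd.service failed and every AD login rejected with the same "invalid user" line shown earlier in the thread.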