kerberos local authentication not working
kerberos local authentication not working
Hello,
I am trying to fix this problem for several days now and I am out of idea so I really need help. I am trying to configure a server with CentOS 8. The user identification must be provided by our ldap server and the authentication must be done with Kerberos (through the university AD server). This system works perfectly on CentOS 7 but with CentOS 8 I have a problem.
The ldap works just fine and people are able to login with their AD credentials with ssh. The autofs also works perfectly and kinit command has no problem to authenticate people. The problem is that neither sudo -i or local login (I mean login directly on the physical computer) works with AD credentials. It's like only ssh is able to use the kerberos authentication. When I try to sudo -i I get those messages in /var/log/secure:
Oct 24 16:54:25 servername unix_chkpwd[12866]: password check failed for user (xxxxx)
Oct 24 16:54:25 servername sudo[12864]: pam_unix(sudo-i:auth): authentication failure; logname=xxxxx uid=xxxxxx euid=0 tty=/dev/pts/5 ruser=xxxxx rhost= user=xxxxx
Oct 24 16:54:25 servername sudo[12864]: pam_sss(sudo-i:auth): authentication failure; logname=xxxxx uid=xxxxxx euid=0 tty=/dev/pts/5 ruser=xxxxx rhost= user=xxxxx
Oct 24 16:54:25 servername sudo[12864]: pam_sss(sudo-i:auth): received for user xxxxx: 9 (Authentication service cannot retrieve authentication info)
It's normal that pam_unix fails but pam_sss should succeed and I don't know why it doesn't work. Of course if I use my local password it works just fine but I need to make it work with the kerberos credentials. With CentOS 7 we are using pam_krb5 but since it's deprecated on Redhat 8 I need to use sssd and I guess my problem is from some bad configuration in sssd.conf of nsswitch.conf but I cannot find what it is.
Here is my sssd.conf:
[sssd]
debug_level = 9
services = nss, pam, sudo, autofs
domains = default
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = MY.REALM.EDU
ldap_search_base = o=xxxxxxxxx,dc=xxxxxxx,dc=xxxx,dc=edu
krb5_server = my.realm.edu:88
chpass_provider = krb5
krb5_store_password_if_offline = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xxx.xxx.edu:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 5
[nss]
homedir_substring = /home
[ssh]
[pam]
[autofs]
[sudo]
debug_level = 9
And my nsswitch.conf settings are like that:
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
shadow: files sss
sudoers: files sss
hosts: files dns myhostname
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
publickey: files
aliases: files
Is there any obvious reason why local authentication doesn't work with kerberos? I can post any other config file you may need to help me to resolve this problem. Thank you for your help!
I am trying to fix this problem for several days now and I am out of idea so I really need help. I am trying to configure a server with CentOS 8. The user identification must be provided by our ldap server and the authentication must be done with Kerberos (through the university AD server). This system works perfectly on CentOS 7 but with CentOS 8 I have a problem.
The ldap works just fine and people are able to login with their AD credentials with ssh. The autofs also works perfectly and kinit command has no problem to authenticate people. The problem is that neither sudo -i or local login (I mean login directly on the physical computer) works with AD credentials. It's like only ssh is able to use the kerberos authentication. When I try to sudo -i I get those messages in /var/log/secure:
Oct 24 16:54:25 servername unix_chkpwd[12866]: password check failed for user (xxxxx)
Oct 24 16:54:25 servername sudo[12864]: pam_unix(sudo-i:auth): authentication failure; logname=xxxxx uid=xxxxxx euid=0 tty=/dev/pts/5 ruser=xxxxx rhost= user=xxxxx
Oct 24 16:54:25 servername sudo[12864]: pam_sss(sudo-i:auth): authentication failure; logname=xxxxx uid=xxxxxx euid=0 tty=/dev/pts/5 ruser=xxxxx rhost= user=xxxxx
Oct 24 16:54:25 servername sudo[12864]: pam_sss(sudo-i:auth): received for user xxxxx: 9 (Authentication service cannot retrieve authentication info)
It's normal that pam_unix fails but pam_sss should succeed and I don't know why it doesn't work. Of course if I use my local password it works just fine but I need to make it work with the kerberos credentials. With CentOS 7 we are using pam_krb5 but since it's deprecated on Redhat 8 I need to use sssd and I guess my problem is from some bad configuration in sssd.conf of nsswitch.conf but I cannot find what it is.
Here is my sssd.conf:
[sssd]
debug_level = 9
services = nss, pam, sudo, autofs
domains = default
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = MY.REALM.EDU
ldap_search_base = o=xxxxxxxxx,dc=xxxxxxx,dc=xxxx,dc=edu
krb5_server = my.realm.edu:88
chpass_provider = krb5
krb5_store_password_if_offline = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xxx.xxx.edu:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 5
[nss]
homedir_substring = /home
[ssh]
[pam]
[autofs]
[sudo]
debug_level = 9
And my nsswitch.conf settings are like that:
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
shadow: files sss
sudoers: files sss
hosts: files dns myhostname
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
publickey: files
aliases: files
Is there any obvious reason why local authentication doesn't work with kerberos? I can post any other config file you may need to help me to resolve this problem. Thank you for your help!
Re: kerberos local authentication not working
I already went to this page and it doesn't help. I tried what they say and it doesn't work, at least not for sudo or local sessions.
I tried to modified the pam config files (removing iud conditions like "pam_succeed_if.so uid >= 1000 quiet_success" but nothing changes: sudo and local session are not seeing Active Directory information.
I am really desperate. Please could someone give me at least a clue where to look?
I tried to modified the pam config files (removing iud conditions like "pam_succeed_if.so uid >= 1000 quiet_success" but nothing changes: sudo and local session are not seeing Active Directory information.
I am really desperate. Please could someone give me at least a clue where to look?
Re: kerberos local authentication not working
That's a good thought but I already tried to disable it with setenforce 0. No change.
Re: kerberos local authentication not working
once i had a problem with samba domain client (2012 AD) and user names, there was an user named "apache" on AD and samba was configured with "force user = apache"
samba tries to use AD user apache instead of linux user and "valid users" was never honored.
it was a debian migration to CentOS and the original configuration was "force user = www-data". It works on debian because there was no www-data on AD.
i spent two days until i change to force user = nobody and it works.
i dont´t know if it has something to do with your problem but if you are going nowhere any way is valid...
samba tries to use AD user apache instead of linux user and "valid users" was never honored.
it was a debian migration to CentOS and the original configuration was "force user = www-data". It works on debian because there was no www-data on AD.
i spent two days until i change to force user = nobody and it works.
i dont´t know if it has something to do with your problem but if you are going nowhere any way is valid...
-
- Posts: 2019
- Joined: 2015/02/17 15:14:33
- Location: Bulgaria
- Contact:
Re: kerberos local authentication not working
How did you join the machine to the AD?
Did you use 'realm' for that task?
Did you use 'realm' for that task?
-
- Posts: 2019
- Joined: 2015/02/17 15:14:33
- Location: Bulgaria
- Contact:
Re: kerberos local authentication not working
Do you really need samba ?
You can try the 'realm' command as per "https://access.redhat.com/documentation ... lmd-domain"
You can try the 'realm' command as per "https://access.redhat.com/documentation ... lmd-domain"
Re: kerberos local authentication not working
When I do
# realm discover
I get
realm: No default realm discovered
If I do
# realm discover xxxx.xxxx.edu
I get
xxxx.xxxx.edu
type: kerberos
realm-name: XXXX.XXXX.EDU
domain-name: xxxx.xxxx.edu
configured: no
If I want to join realm
# realm join XXXX.XXXX.EDU -U xxxxxx
realm: Cannot join this realm
So it looks like the realm is not configured and I cannot join it because I am not an AD admin user. Do I have to ask my IT people to give me AD admin rights? I never had to do this before despite I installed several OS on so many machines (SL6, Centos 7, Unbutu, etc.).
# realm discover
I get
realm: No default realm discovered
If I do
# realm discover xxxx.xxxx.edu
I get
xxxx.xxxx.edu
type: kerberos
realm-name: XXXX.XXXX.EDU
domain-name: xxxx.xxxx.edu
configured: no
If I want to join realm
# realm join XXXX.XXXX.EDU -U xxxxxx
realm: Cannot join this realm
So it looks like the realm is not configured and I cannot join it because I am not an AD admin user. Do I have to ask my IT people to give me AD admin rights? I never had to do this before despite I installed several OS on so many machines (SL6, Centos 7, Unbutu, etc.).
Last edited by jgauthier on 2019/10/28 21:44:14, edited 1 time in total.