kerberos local authentication not working

Issues related to applications and software problems and general support
jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

kerberos local authentication not working

Post by jgauthier » 2019/10/24 22:20:03

Hello,

I am trying to fix this problem for several days now and I am out of idea so I really need help. I am trying to configure a server with CentOS 8. The user identification must be provided by our ldap server and the authentication must be done with Kerberos (through the university AD server). This system works perfectly on CentOS 7 but with CentOS 8 I have a problem.

The ldap works just fine and people are able to login with their AD credentials with ssh. The autofs also works perfectly and kinit command has no problem to authenticate people. The problem is that neither sudo -i or local login (I mean login directly on the physical computer) works with AD credentials. It's like only ssh is able to use the kerberos authentication. When I try to sudo -i I get those messages in /var/log/secure:

Oct 24 16:54:25 servername unix_chkpwd[12866]: password check failed for user (xxxxx)
Oct 24 16:54:25 servername sudo[12864]: pam_unix(sudo-i:auth): authentication failure; logname=xxxxx uid=xxxxxx euid=0 tty=/dev/pts/5 ruser=xxxxx rhost= user=xxxxx
Oct 24 16:54:25 servername sudo[12864]: pam_sss(sudo-i:auth): authentication failure; logname=xxxxx uid=xxxxxx euid=0 tty=/dev/pts/5 ruser=xxxxx rhost= user=xxxxx
Oct 24 16:54:25 servername sudo[12864]: pam_sss(sudo-i:auth): received for user xxxxx: 9 (Authentication service cannot retrieve authentication info)


It's normal that pam_unix fails but pam_sss should succeed and I don't know why it doesn't work. Of course if I use my local password it works just fine but I need to make it work with the kerberos credentials. With CentOS 7 we are using pam_krb5 but since it's deprecated on Redhat 8 I need to use sssd and I guess my problem is from some bad configuration in sssd.conf of nsswitch.conf but I cannot find what it is.

Here is my sssd.conf:

[sssd]
debug_level = 9
services = nss, pam, sudo, autofs
domains = default


[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = MY.REALM.EDU
ldap_search_base = o=xxxxxxxxx,dc=xxxxxxx,dc=xxxx,dc=edu
krb5_server = my.realm.edu:88
chpass_provider = krb5
krb5_store_password_if_offline = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xxx.xxx.edu:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 5

[nss]
homedir_substring = /home

[ssh]

[pam]

[autofs]

[sudo]
debug_level = 9


And my nsswitch.conf settings are like that:

passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
shadow: files sss
sudoers: files sss
hosts: files dns myhostname
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
publickey: files
aliases: files


Is there any obvious reason why local authentication doesn't work with kerberos? I can post any other config file you may need to help me to resolve this problem. Thank you for your help!


jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/25 15:14:40

I already went to this page and it doesn't help. I tried what they say and it doesn't work, at least not for sudo or local sessions.

I tried to modified the pam config files (removing iud conditions like "pam_succeed_if.so uid >= 1000 quiet_success" but nothing changes: sudo and local session are not seeing Active Directory information.

I am really desperate. Please could someone give me at least a clue where to look?

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: kerberos local authentication not working

Post by BShT » 2019/10/25 17:07:29

selinux?

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/25 17:35:55

That's a good thought but I already tried to disable it with setenforce 0. No change.

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: kerberos local authentication not working

Post by BShT » 2019/10/25 18:38:42

once i had a problem with samba domain client (2012 AD) and user names, there was an user named "apache" on AD and samba was configured with "force user = apache"

samba tries to use AD user apache instead of linux user and "valid users" was never honored.

it was a debian migration to CentOS and the original configuration was "force user = www-data". It works on debian because there was no www-data on AD.

i spent two days until i change to force user = nobody and it works.

i dont´t know if it has something to do with your problem but if you are going nowhere any way is valid...

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: kerberos local authentication not working

Post by hunter86_bg » 2019/10/26 17:55:22

How did you join the machine to the AD?
Did you use 'realm' for that task?


hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: kerberos local authentication not working

Post by hunter86_bg » 2019/10/28 14:02:18

Do you really need samba ?

You can try the 'realm' command as per "https://access.redhat.com/documentation ... lmd-domain"

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/28 14:32:23

When I do

# realm discover

I get

realm: No default realm discovered

If I do

# realm discover xxxx.xxxx.edu

I get

xxxx.xxxx.edu
type: kerberos
realm-name: XXXX.XXXX.EDU
domain-name: xxxx.xxxx.edu
configured: no

If I want to join realm

# realm join XXXX.XXXX.EDU -U xxxxxx
realm: Cannot join this realm

So it looks like the realm is not configured and I cannot join it because I am not an AD admin user. Do I have to ask my IT people to give me AD admin rights? I never had to do this before despite I installed several OS on so many machines (SL6, Centos 7, Unbutu, etc.).
Last edited by jgauthier on 2019/10/28 21:44:14, edited 1 time in total.

Post Reply