kerberos local authentication not working

jgauthier
Posts: 20
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/21 15:16:20

Hi gostal,

I am very sorry that I didn't come here for a while but I am kind of overwhelmed at work and I can barely find a few minutes.

The problem is that pam_krb5 is not supported anymore in Red Hat 8, so we need to switch to sssd, but it doesn't work for Kerberos authentication (though it works very well for ldap and autofs). If you have a trick to use Kerberos without pam_krb5 or sss, I would be very happy to learn it.

In the meanwhile we found a temporary solution: I downloaded a pam_krb5 rpm for CentOS 7 and I installed it on my CentOS 8 machines and it works wonderfully well. The problem is that pam_krb5 will be totally deprecated in 3 years, so we need to find a solution without it as soon as possible (would be nice to configure our servers the right way now instead of having to redo the configuration in 3 years). So our problem is "patched" but not solved.

tony_down_under
Posts: 83
Joined: 2019/08/07 01:50:24
Location: Perth, Australia but originally from Carshalton, Surrey

Re: kerberos local authentication not working

Post by tony_down_under » 2019/11/22 04:34:00

OP did you see or try PBIS open software? It simplifies the AD join process (and doing the configs).

I wrote myself a guide to link CentOS 7 machines into AD. It's short. And I think it's 99% correct because yes, it works, but the experience changes each time. So I abandoned this and use the PBIS software now. The guide is below in the quotes.

Also, you don't need to be AD admin to join computers to the domain. There are two reasons for this:
1. AD domain users are allowed to join 10 computers to the domain. After the 10th, AD denies any more.
2. You can easily configure an AD security group member to get join domain privilege. This is what I use in our company so that I don't need to make or give out AD admin accounts to users. See this guide: https://www.networking-forums.com/every ... ome-users/

RHEL 7 AD domain join guide:
PS I wrote this and haven't used it in many months because I now use PBIS free software to achieve the same task with better results. This leads me to think that the guide can be improved. Maybe something is missing. Providing it to you here for info in case it helps.
centos7 AD guide wrote:
Pre-requisite - must have correct FQDN applied and correct DNS to be able to look up your domain "something.domain.com" for example.
Note: this guide IS CASE SENSITIVE

1. yum install realmd -y
2. check /etc/resolv.conf and /etc/hosts for correct hostname settings
3. realm discover S.DOMAIN.COM
   a. shows packages needed
4. yum install oddjob oddjob-mkhomedir sssd adcli samba-common -y
5. sudo realm join S.DOMAIN.COM -U user@S.DOMAIN.COM
   i. For Ubuntu 16 - might need: apt-get install realmd packagekit

***No longer required*** This resolved an issue where SSSD only updated DNS with the IPv6 address. To fix:
6. vi /etc/sssd/sssd.conf
7. add this at the bottom inside domain: dyndns_iface = *
8. service sssd restart (don’t re-join the domain because it resets the sssd.conf!)

And that's it... The rest of the guide had detail about:
A) giving sudo privilege to an AD group
B) Prevent root from SSHing
Also, there is a RHEL AD integration guide I found a while back; maybe it will help, although it is for "7": https://access.redhat.com/documentation ... uide/index

jgauthier
Posts: 20
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/22 17:51:35

I did something this morning and I got an interesting result. I configured one of my CentOS 7 machines with sssd instead of pam_krb5 and guess what? It's working just fine. So the problem is not with our authentication system that is not compatible with sssd, it's really something that doesn't work in CentOS 8.

Maybe the configuration is different and I need to put some other options in sssd.conf, maybe it's a bug with the 8.0 version. I don't know the reason but for sure it works just fine with CentOS 7.

I have to set up a CentOS 7 machine from scratch this afternoon and will try to configure it with sss too and see if it still works.

gostal
Posts: 36
Joined: 2019/09/23 15:26:45

Re: kerberos local authentication not working

Post by gostal » 2019/11/26 11:28:19

Hi jgauthier,

You're making progress, it seems. Good! Sorry, I haven't checked in for some time. Time now is limited, too, but I will read thoroughly in the hopefully not too distant future.

Cheers,
gostal
Last edited by gostal on 2019/11/27 20:42:51, edited 1 time in total.
Desktop Dell T5810 Intel(R) Xeon(R) CPU E5-1650 v4 @ 3.60GHz, 72 GB RAM, Radeon Pro WX 7100
CentOS 7.7.1908

jgauthier
Posts: 20
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/26 17:31:50

Update: I could not install CentOS 7 on that machine because it got a memory issue. But I already have two CentOS 7 computers with sssd working just fine with our authentication system. I even uninstalled pam_krb5 just to make sure it was not doing anything that I didn't know and the authentication still works flawlessly.

So the situation looks like that:

A new kernel that is considering pam_krb5 as deprecated doesn't work with what is supposed to replace it (sssd) but the older version in which pam_krb5 is still available works just fine with it (sssd). If it's not a bug in CentOS 8 and there is some extra configuration to do then a complete tutorial would be very appreciated because the ones that I can currently find (like this one https://docs.pagure.org/SSSD.sssd/users ... ation.html) don't help at all.

taranga
Posts: 1
Joined: 2020/01/27 14:14:22

Re: kerberos local authentication not working

Post by taranga » 2020/01/27 14:22:17

@jgauthier I too feel your pain. Nearly all suggestions I can find online about this involve Active Directory, but in my environment I'm thankfully talking straight to KRB5 on UNIX.

Despite enumerating specific services in sssd.conf and bumping the debug level, I still see CentOS 8.1 complaining through PAM:

sudo: pam_unix(sudo:auth): authentication failure;
My desire to plumb KRB5 directly through SSSD is the only thing keeping me on CentOS 7.
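
The pam_unix line quoted in the post above does not by itself show whether SSSD's PAM module was ever consulted for sudo. The following is an added example, not code from any poster in this thread: it lists a service's PAM auth stack, following include and substack lines, and reports where pam_sss.so sits. That the PAM stack is the cause here is an assumption the thread does not establish; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: list a service's PAM "auth" stack
# (following include/substack) and report where pam_sss.so sits in it.

# auth_stack DIR SERVICE -> one "control<TAB>module" line per auth entry
auth_stack() {
    awk -v dir="$1" -v svc="$2" '
    function walk(name,    path, line, n, w, ctrl, i, mod) {
        if (name in active) return            # guard against include loops
        active[name] = 1
        path = dir "/" name
        while ((getline line < path) > 0) {
            sub(/^[ \t]+/, "", line)
            n = split(line, w, /[ \t]+/)
            if (w[1] != "auth" && w[1] != "-auth") continue
            ctrl = w[2]; i = 3
            if (ctrl == "include" || ctrl == "substack") { walk(w[3]); continue }
            # a bracketed control like [success=1 default=ignore] spans words
            while (ctrl ~ /^\[/ && ctrl !~ /\]$/ && i <= n) ctrl = ctrl " " w[i++]
            mod = w[i]; sub(/.*\//, "", mod)  # drop any directory prefix
            print ctrl "\t" mod
        }
        close(path); delete active[name]
    }
    BEGIN { walk(svc) }'
}

# sss_verdict DIR SERVICE -> missing | present | after_deny
# after_deny: an unconditional pam_deny.so is listed before pam_sss.so.
# Jumps such as [success=1] are not modelled (simplifying assumption).
sss_verdict() {
    auth_stack "$1" "$2" | awk -F'\t' '
        $2 == "pam_sss.so" { print (denied ? "after_deny" : "present"); found = 1; exit }
        $2 == "pam_deny.so" && ($1 == "required" || $1 == "requisite") { denied = 1 }
        END { if (!found) print "missing" }'
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample files, not taken from any real host
    printf 'auth include system-auth\n' > "$d/sudo"
    printf 'auth sufficient pam_unix.so\nauth required pam_deny.so\n' > "$d/system-auth"
    sss_verdict "$d" sudo
    rm -rf "$d"
}
demo
```

On a real host the call would be `sss_verdict /etc/pam.d sudo`; a result of `missing` or `after_deny` means no sssd.conf change can make that service authenticate through SSSD until the PAM stack itself is corrected.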

jgauthier
Posts: 20
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2020/01/31 23:32:08

@taranga

Yes, I was hoping this issue would be resolved with 8.1 but still the same problem. And it still works just fine with CentOS 7 (without pam-krb5). Again, I just don't understand how they managed to deprecate pam-krb5 in 8 without having sssd working with Kerberos while it's still working just fine on CentOS 7. If they deprecate something, the least would be to make sure the alternate process works on the new OS. At the moment the situation is like that:

CentOS 8:
pam-krb5 -> deprecated, needs to be installed with a CentOS 7 rpm
sssd -> not working

CentOS 7:
pam-krb5 -> not deprecated, still available with yum
sssd -> works just fine

Doesn't make any sense to me.
