On CentOS6/7 we set up krb5.conf and then used authconfig-tui to add krb as a source for PAM and it all just worked, but I can't get the same thing to work in the new sssd environment in CentOS8.
What I've done so far:
- Transferred over my old krb5.conf
- Checked that the following works - which it does:
```
kinit username@EXAMPLE.COM
```
- Created an /etc/sssd/sssd.conf file (contents below)
- Ran the following two commands:
```
authconfig --enablesssd --update
authconfig --enablesssdauth --update
```
/etc/nsswitch.conf has sss listed as the first provider for passwd (as well as a few others)
However I can't log into an account which only has a password in krb. Kinit for the same account is fine.
If I run
```
sssctl user-checks -a=auth myuser
```
```
user: myuser
action: auth
service: system-auth
SSSD nss user lookup result:
- user name: myuser
- user id: 13779
- group id: 13779
- gecos:
- home directory: /home/myuser
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: myuser
- uidNumber: 13779
- gidNumber: 13779
- gecos: not set
- homeDirectory: /home/myuser
- loginShell: /bin/bash
testing pam_authenticate
Password:
pam_authenticate for user [myuser]: Authentication failure
PAM Environment:
- no env -
```
My sssd.conf file looks like (with the correct domain name):
```
[sssd]
config_file_version = 2
services = pam, nss, ifp
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
id_provider = files
debug_level = 5
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = EXAMPLE.COM:88
krb5_validate = true
krb5_cachedir = /var/tmp
```
I'm now stuck as to where to go to debug this further. Any help is very much appreciated.