kerberos local authentication not working

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/21 15:16:20

Hi gostal,

I am very sorry that I didn't come here for a while but I am kind of overwhelmed at work and I can barely find a few minutes.

The problem is that pam_krb5 is not supported anymore in redhat 8 so we need to switch to sssd but it doesn't work for Kerberos authentication (but it works very well for ldap and autofs). If you have a trick to use Kerberos without pam_krb5 or sss either, I would be very happy to learn it.

In the meanwhile we found a temporary solution: I downloaded a pam_krb5 rpm for CentOS 7 and I installed it on my CentOS 8 machines and it works wonderfully well. The problem is that pam_krb5 will be totally deprecated in 3 years, so we need to find a solution without it as soon as possible (would be nice to configure our servers the right way now instead of having to redo the configuration in 3 years). So our problem is "patched" but not solved.

tony_down_under
Posts: 83
Joined: 2019/08/07 01:50:24
Location: Perth, Australia but originally from Carshalton, Surrey

Re: kerberos local authentication not working

Post by tony_down_under » 2019/11/22 04:34:00

OP, did you see or try the PBIS open software? It simplifies the AD join process (and doing the configs).

I wrote myself a guide to link CentOS 7 machines into AD. It's short. And I think it's 99% correct because yes it works, but the experience changes each time. So I abandoned this and use the PBIS software now. The guide is below in the quotes.

Also, you don't need to be AD admin to join computers to the domain. There are two reasons for this:
1. AD domain users are allowed to join 10 computers to the domain. After the 10th, AD denies any more.
2. You can easily configure an AD security group member to get join domain privilege. This is what I use in our company so that I don't need to make or give out AD admin accounts to users. See this guide: https://www.networking-forums.com/every ... ome-users/

RHEL 7 AD domain join guide:
PS I wrote this and haven't used this in many months because I now use PBIS free software to achieve the same task with better results. This leads me to think that the guide can be improved. Maybe something is missing. Providing to you here for info in case it helps.
centos7 AD guide wrote: Pre-requisite - must have correct FQDN applied and correct DNS to be able to look up your domain "something.domain.com" for example.
Note: This guide IS CASE SENSITIVE

1. yum install realmd -y
2. check /etc/resolv.conf and /etc/hosts for correct hostname settings
3. realm discover S.DOMAIN.COM
a. shows packages needed
4. yum install oddjob oddjob-mkhomedir sssd adcli samba-common -y
5. sudo realm join S.DOMAIN.COM -U user@S.DOMAIN.COM
i. For Ubuntu 16- might need: apt-get install realmd packagekit

***No longer required*** This resolved an issue where SSSD only updated DNS with the IPv6 address. To fix:
6. vi /etc/sssd/sssd.conf
7. add this at the bottom inside domain: dyndns_iface = *
8. service sssd restart (don’t re-join the domain because it resets the sssd.conf!)

And that's it... The rest of the guide had detail about:
A) giving sudo privilege to an AD group
B) Prevent root from SSHing
Also there is a RHEL AD integration guide I found a while back, maybe it will help, although it is for "7": https://access.redhat.com/documentation ... uide/index

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/22 17:51:35

I did something this morning and I got an interesting result. I configured one of my CentOS 7 machines with sssd instead of pam_krb5 and guess what? It's working just fine. So the problem is not that our authentication system is incompatible with sssd, it's really something that doesn't work in CentOS 8.

Maybe the configuration is different and I need to put some other options in sssd.conf, maybe it's a bug with the 8.0 version. I don't know the reason but for sure it works just fine with CentOS 7.

I have to set up a CentOS 7 machine from scratch this afternoon and will try to configure it with sss too and see if it still works.

gostal
Posts: 71
Joined: 2019/09/23 15:26:45

Re: kerberos local authentication not working

Post by gostal » 2019/11/26 11:28:19

Hi jgauthier,

You're making progress, it seems. Good! Sorry, I haven't checked in for some time. Time now is limited, too, but I will read thoroughly in the hopefully not too distant future.

Cheers,
gostal

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/26 17:31:50

Update: I could not install CentOS 7 on that machine because it got a memory issue. But I already have two CentOS 7 computers with sssd working just fine with our authentication system. I even uninstalled pam_krb5 just to make sure it was not doing anything that I didn't know and the authentication still works flawlessly.

So the situation looks like this:

A new kernel that considers pam_krb5 deprecated doesn't work with what is supposed to replace it (sssd), but the older version in which pam_krb5 is still available works just fine with it (sssd). If it's not a bug in CentOS 8 and there is some extra configuration to do, then a complete tutorial would be very appreciated because the ones that I can currently find (like this one https://docs.pagure.org/SSSD.sssd/users ... ation.html) don't help at all.

taranga
Posts: 1
Joined: 2020/01/27 14:14:22

Re: kerberos local authentication not working

Post by taranga » 2020/01/27 14:22:17

@jgauthier I too feel your pain. Nearly all suggestions I can find online about this involve Active Directory, but in my environment I'm thankfully talking straight to KRB5 on UNIX.

Despite enumerating specific services in sssd.conf and bumping the debug level, I still see CentOS 8.1 complaining through PAM:

    sudo: pam_unix(sudo:auth): authentication failure;

My desire to plumb KRB5 directly through SSSD is the only thing keeping me on CentOS 7.

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2020/01/31 23:32:08

@taranga

Yes, I was hoping this issue would be resolved with 8.1 but it's still the same problem. And it still works just fine with CentOS 7 (without pam-krb5). Again, I just don't understand how they managed to deprecate pam-krb5 in 8 without having sssd working with Kerberos while it's still working just fine on CentOS 7. If they deprecate something, the least would be to make sure the alternate process works on the new OS. At the moment the situation is like this:

CentOS 8:
pam-krb5 -> deprecated, needs to be installed with a CentOS 7 rpm
sssd -> not working

CentOS 7:
pam-krb5 -> not deprecated, still available with yum
sssd -> works just fine

Doesn't make any sense to me.

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2020/05/15 15:42:40

I know this post is getting old but I figured out the problem a couple of weeks ago and I thought I could share the solution here, in case someone as desperate as I was googles the problem.

The solution is quite simple:

If you use ldap as the id_provider and you have a local account on the machine with the same identifiers, make sure the local account is disabled (commented out or deleted in /etc/passwd). For some reason, sssd on CentOS 8 doesn't allow having both an ldap and a local account with the same username, and if it occurs, the local account will have priority and the ldap identification and kerberos authentication will not work, so only the local password will be accepted.

It took me all this time to figure out the issue because this does not happen on CentOS 7, so I could not suspect the problem was related to the local account. Now I know that on CentOS 8 either you don't have a local account or, if you really need it, you create a special one with a different username and UID.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: kerberos local authentication not working

Post by TrevorH » 2020/05/15 15:45:23

jgauthier wrote: For some reason, sssd on CentOS 8 doesn't allow to have both ldap and local account with the same username and if it occurs, the local account will have priority and the ldap identification and kerberos authentication will not work, so only the local password will be accepted
As far as I know this has always been true and would be done for good reasons. If you use LDAP or any other remote authentication system and it breaks, you need to have a local logon to get on to be able to fix it. If it prefers remote over local then you'd not be able to do that. It's done via /etc/nsswitch.conf via the order of the lookup methods specified there and "files" is always first.
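An added pre-flight check (not posted by anyone in this thread) for the collision jgauthier describes, local /etc/passwd users that shadow sssd users with the same name, plus the passwd lookup order from nsswitch.conf that TrevorH mentions. The passwd files and nsswitch.conf below are constructed samples; on a real host use /etc/passwd, the output of `getent -s sss passwd`, and /etc/nsswitch.conf.

```sh
#!/bin/sh
# Constructed sample: local accounts as they would appear in /etc/passwd.
LOCAL_PASSWD=$(mktemp)
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jgauthier:x:1000:1000:local admin:/home/jgauthier:/bin/bash
svc-backup:x:1001:1001::/var/lib/backup:/sbin/nologin
EOF

# Constructed sample: what `getent -s sss passwd` might return from LDAP.
REMOTE_PASSWD=$(mktemp)
cat > "$REMOTE_PASSWD" <<'EOF'
jgauthier:*:20001:20001:J Gauthier:/home/jgauthier:/bin/bash
svc-backup:*:1001:1001:backup:/home/svc-backup:/bin/bash
alice:*:20002:20002:Alice:/home/alice:/bin/bash
EOF

# Constructed sample nsswitch.conf (only the lines that matter here).
NSSWITCH=$(mktemp)
cat > "$NSSWITCH" <<'EOF'
passwd:     files sss systemd
group:      files sss systemd
EOF

# Print "username local_uid remote_uid" for every name present in both
# sources; these are the accounts the thread says will only ever accept
# the local password on CentOS 8.
find_collisions() {
    awk -F: 'NR==FNR { local[$1] = $3; next }
             ($1 in local) { print $1, local[$1], $3 }' "$1" "$2"
}

# Number of colliding usernames, suitable for gating a deployment script.
collision_count() {
    find_collisions "$1" "$2" | wc -l | tr -d ' '
}

# The source order libc consults for passwd lookups ("files" before "sss"
# here, which is the default TrevorH refers to).
passwd_order() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ /, ""); print }' "$1"
}

echo "passwd lookup order: $(passwd_order "$NSSWITCH")"
echo "colliding accounts (name local_uid remote_uid):"
find_collisions "$LOCAL_PASSWD" "$REMOTE_PASSWD"
```

A UID that differs between the two columns (jgauthier above) is the worse case, since files owned by one account become owned by the other depending on which source answers.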

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2020/05/16 20:41:08

Thank you for replying despite this post being very old. Here are my comments:
TrevorH wrote: As far as I know this has always been true and would be done for good reasons.
Sorry if I have to repeat it again but CentOS 7 doesn't have this problem. Local account and ldap with same identifiers and sssd has no issue.
TrevorH wrote: If you use LDAP or any other remote authentication system and it breaks, you need to have a local logon to get on to be able to fix it.
I know, and it's exactly why I always create a local account for myself and, to avoid confusion, I use the same identifiers as my ldap ones. And again, it works flawlessly on CentOS 7 but not on CentOS 8.
TrevorH wrote: If it prefers remote over local then you'd not be able to do that. It's done via /etc/nsswitch.conf via the order of the lookup methods specified there and "files" is always first.
Switching "files" and "sss" order in the nsswitch.conf is one of the first things I tried when I started to work on this problem and it has no effect at all. And it's actually the opposite with CentOS 8: it uses the local password only and ignores the remote account one if the username is the same for both, whatever the order in the nsswitch.conf.

We thus decided to give up the local admin accounts on the CentOS 8 machines and use only the root account in the event of ldap breakup even if it's not ideal since we don't allow ssh root login for obvious security reasons. Hopefully it will work just fine but I would prefer to have the possibility to have both remote and local admin accounts.
