Bug 968926 - ssh does not work when ad_server is defined in configuration

Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware / OS: Unspecified / Unspecified
Priority / Severity: medium / medium
Target Milestone: rc
Assigned To: SSSD Maintainers
QA Contact: Kaushik Banerjee
Reported: 2013-05-30 05:51 EDT by Patrik Kis
Modified: 2015-04-24 01:21 EDT
Last Closed: 2015-04-24 01:21:43 EDT
Doc Type: Bug Fix
Type: Bug

Attachments:
sssd logs (9.90 KB, application/x-gzip), 2013-05-30 05:51 EDT, Patrik Kis

Description Patrik Kis 2013-05-30 05:51:46 EDT
Created attachment 754746: sssd logs

Description of problem:
I'm not sure if this is an sssd problem and not another component, but so far it looks like sssd.
When a workstation is joined to an Active Directory domain and "ad_server = IP" is configured, it is not possible to ssh as an AD user.

Version-Release number of selected component (if applicable):
sssd-1.10.0-5.el7.beta1

How reproducible:
always

Steps to Reproduce:
1. This is just to verify that ssh works otherwise:

0 [root@rhel7 ~ ]# realm -v join --user=Administrator ad.baseos.qe
 * Resolving: _ldap._tcp.dc._msdcs.ad.baseos.qe
 * Sending MS-CLDAP ping to: 10.34.25.20
 * Successfully discovered: ad.baseos.qe
Password for Administrator: 
 * Required files: /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.YV8RXW -U Administrator ads join ad.baseos.qe
Enter Administrator's password:
DNS update failed: NT_STATUS_UNSUCCESSFUL
Using short domain name -- AD
Joined 'RHEL7' to dns domain 'ad.baseos.qe'
DNS Update for rhel7.pkis.net failed: ERROR_DNS_GSS_ERROR
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.YV8RXW -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service'
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable sssd.service
 * Successfully enrolled machine in realm
0 [root@rhel7 ~ ]# 
0 [root@rhel7 ~ ]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
0 [root@rhel7 ~ ]# 
0 [root@rhel7 ~ ]# getent passwd bender@ad.baseos.qe
bender@ad.baseos.qe:*:1197601112:1197600513:Bender:/home/ad.baseos.qe/bender:/bin/bash
0 [root@rhel7 ~ ]# ssh bender@ad.baseos.qe@localhost
bender@ad.baseos.qe@localhost's password: 
org.freedesktop.DBus.Error.ServiceUnknown: The name com.redhat.oddjob_mkhomedir was not provided by any .service files
Last login: Wed May 29 10:01:27 2013 from localhost
Could not chdir to home directory /home/ad.baseos.qe/bender: No such file or directory
-bash-4.2$ whoami
bender@ad.baseos.qe
-bash-4.2$ exit
logout
Connection to localhost closed.
0 [root@rhel7 ~ ]# 

2. Now joining with IP address:

0 [root@rhel7 work ]# realm -v join --user=Administrator 10.34.25.20
 * Sending MS-CLDAP ping to: 10.34.25.20
 * Performing LDAP DSE lookup on: 10.34.25.20
 * Successfully discovered: ad.baseos.qe
Password for Administrator: 
 * Required files: /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.34.25.20 --login-type user --login-user Administrator --stdin-password
 * Using domain name: ad.baseos.qe
 * Calculated computer account name from fqdn: RHEL7
 * Using domain realm: ad.baseos.qe
 * Sending cldap pings to domain controller: 10.34.25.20
 * Received NetLogon info from: WIN.ad.baseos.qe
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-cjDeVC/krb5.d/adcli-krb5-conf-3SInSR
 * Authenticated as user: Administrator@AD.BASEOS.QE
 * Looked up short domain name: AD
 * Using fully qualified name: rhel7.pkis.net
 * Using domain name: ad.baseos.qe
 * Using computer account name: RHEL7
 * Using domain realm: ad.baseos.qe
 * Enrolling computer account name calculated from fqdn: RHEL7
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: rhel7.pkis.net
 * Using domain name: ad.baseos.qe
 * Using computer account name: RHEL7
 * Using domain realm: ad.baseos.qe
 * Looked up short domain name: AD
 * Found computer account for RHEL7$ at: CN=rhel7,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Set computer password
 * Retrieved kvno '13' for computer account in directory: CN=rhel7,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: RHEL7$@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: HOST/RHEL7@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: HOST/rhel7.pkis.net@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/RHEL7@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/rhel7.pkis.net@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service'
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable sssd.service
 * Successfully enrolled machine in realm
0 [root@rhel7 work ]# 
0 [root@rhel7 work ]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_server = 10.34.25.20
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
0 [root@rhel7 work ]# 
0 [root@rhel7 work ]# getent passwd bender@ad.baseos.qe
bender@ad.baseos.qe:*:1197601112:1197600513:Bender:/home/ad.baseos.qe/bender:/bin/bash
0 [root@rhel7 work ]# ssh bender@ad.baseos.qe@localhost
bender@ad.baseos.qe@localhost's password: 
Permission denied, please try again.
bender@ad.baseos.qe@localhost's password: 
Permission denied, please try again.
bender@ad.baseos.qe@localhost's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
255 [root@rhel7 work ]# 


^^ The logs from this login attempt are attached to this bug report.

Additional info:
The issue can be reproduced on Fedora 19 too with sssd-1.10.0-5.fc19.beta1.
Comment 1 Jakub Hrozek 2013-05-30 05:59:05 EDT
Does your IP address resolve to an A record correctly?

This functionality is not officially supported by the SSSD at the moment, we are tracking it for a future release.
Comment 2 Jakub Hrozek 2013-05-30 06:01:07 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1444
Comment 3 Jenny Galipeau 2013-07-16 10:33:06 EDT
Upstream ticket targeting 1.12 beta; moving to RHEL 7.1.
Comment 4 Jakub Hrozek 2014-07-02 11:10:10 EDT
The upstream ticket is targeting 1.13, so I'm reproposing the BZ to RHEL-7.2.
Comment 5 Kaushik Banerjee 2015-04-24 01:21:43 EDT
Came across this bug while doing a cleanup of rhel7.2 sssd bugs.

ad_server=IP config works only after setting "rdns=true" in /etc/krb5.conf.

Since the upstream ticket linked to this bug is closed, closing this bug. If you think otherwise, please feel free to re-open this bug.

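Added example, not part of the bug report and not SSSD or realmd code: a Python diagnostic that applies the finding in comment 5 to the configuration realmd produced in step 2 of the report. It flags ad_server values that are IP literals, reads rdns from [libdefaults] in krb5.conf (MIT krb5 treats an absent rdns as true), and, when rdns is on, checks that the DC's address has a PTR record whose name resolves forward to the same address, because reverse DNS is the only path by which the Kerberos client can turn an IP into the DC hostname it needs for a GSSAPI service principal. The sssd.conf below is the one shown in step 2 (trimmed to the relevant keys); the krb5.conf fragment, the stub resolvers, and the name win.ad.baseos.qe used in the checks are constructed for the example, as the report does not show the host's krb5.conf.

```python
"""Added diagnostic, not SSSD or realmd code: apply comment 5's finding
(ad_server=IP needs rdns=true in krb5.conf) to a config pair."""
import configparser
import ipaddress
import socket


def ip_literal_ad_servers(sssd_conf_text):
    """Map "domain/<name>" -> [ip literals] in that section's ad_server.

    ad_server is comma-separated; "_srv_" (DNS SRV discovery) and plain
    hostnames are the supported forms and are skipped.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names as written
    cp.read_string(sssd_conf_text)
    found = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        ips = []
        for entry in cp.get(section, "ad_server", fallback="").split(","):
            entry = entry.strip()
            if not entry or entry.lower() == "_srv_":
                continue
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                continue  # a hostname, the supported form
            ips.append(entry)
        if ips:
            found[section] = ips
    return found


def krb5_libdefault(krb5_conf_text, key, default=None):
    """Read one [libdefaults] key. krb5.conf is not plain INI ([realms] and
    [capaths] use { } relation blocks), so skip those blocks and # comments."""
    section, depth = None, 0
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1].strip().lower(), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k.lower() == key.lower():
                return v
    return default


def rdns_enabled(krb5_conf_text):
    """MIT krb5 defaults rdns to true when the key is absent."""
    value = krb5_libdefault(krb5_conf_text, "rdns", "true")
    return value.lower() in ("true", "yes", "1")


def _ptr(ip):  # live reverse lookup; pass a stub for offline checks
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _forward(name):  # live forward lookup; returns the set of addresses
    try:
        return {r[4][0] for r in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def assess(sssd_conf_text, krb5_conf_text, ptr=_ptr, forward=_forward):
    """Return [(section, ip, verdict)] for every IP-literal ad_server."""
    rdns = rdns_enabled(krb5_conf_text)
    findings = []
    for section, ips in ip_literal_ad_servers(sssd_conf_text).items():
        for ip in ips:
            name = ptr(ip) if rdns else None
            if not rdns:
                verdict = ("FAIL: rdns = false, so this IP cannot be canonicalized "
                           "to a DC hostname for GSSAPI; set rdns = true or use the FQDN")
            elif name is None:
                verdict = "FAIL: no PTR record, rdns has nothing to canonicalize"
            elif ip not in forward(name):
                verdict = f"FAIL: PTR {name} does not resolve back to {ip}"
            else:
                verdict = f"OK via PTR {name}; prefer ad_server = {name} (no reverse-DNS trust)"
            findings.append((section, ip, verdict))
    return findings


# Constructed inputs: the sssd.conf from step 2 of the report (trimmed) and a
# krb5.conf fragment, not from the report, with rdns = false under [libdefaults].
SSSD_CONF = """\
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_server = 10.34.25.20
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
id_provider = ad
access_provider = ad
"""
KRB5_CONF = """\
[libdefaults]
 default_realm = AD.BASEOS.QE
 dns_lookup_kdc = true
 rdns = false

[realms]
 AD.BASEOS.QE = {
  kdc = 10.34.25.20
 }
"""

if __name__ == "__main__":
    for section, ip, verdict in assess(SSSD_CONF, KRB5_CONF):
        print(f"{section}: ad_server = {ip}: {verdict}")
```

Run as a script it performs live DNS lookups against the constructed inputs; the resolver hooks exist so the logic can be exercised with stubs. The caveat a practitioner should weigh before applying comment 5's workaround: reverse DNS answers are unauthenticated, so with rdns = true whoever controls the PTR zone for the DC's address also chooses the hostname in the service principal the client asks for. Putting the DC's FQDN in ad_server, as realmd does when joined by domain name in step 1, avoids that dependency entirely.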