
I set up a CentOS 7 box using sssd as the authentication system. The user identities are provided by files (passwd/group, managed by ansible); auth is done via krb5 (provided by Active Directory).

The sssd.conf looks like this:

[sssd]
domains = OURADDOMAIN
services = nss, pam

[domain/OURADDOMAIN]
id_provider = files
auth_provider = krb5
krb5_server = our_domain_controller
krb5_realm = OURADDOMAIN
cache_credentials = true

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

This works fine online without problems, but when I disconnect the network, login fails. If login is OK, in /var/log/secure I see the following:

Apr 21 10:18:17 authtestel7 unix_chkpwd[11986]: password check failed for user (testuser)
Apr 21 10:18:17 authtestel7 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
Apr 21 10:18:17 authtestel7 login: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser
Apr 21 10:18:17 authtestel7 login: pam_unix(login:session): session opened for user testuser by LOGIN(uid=0)
Apr 21 10:18:17 authtestel7 login: LOGIN ON tty1 BY testuser

If login fails, it looks like this:

Apr 21 10:18:52 authtestel7 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
Apr 21 10:18:52 authtestel7 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser
Apr 21 10:18:52 authtestel7 login: pam_sss(login:auth): received for user testuser: 6 (Permission denied)
Apr 21 10:18:54 authtestel7 login: FAILED LOGIN 1 FROM tty1 FOR testuser, Authentication failure

When I set debug level to 4 in sssd.conf, I see the following line in sssd_pam.log:

(2021-04-21 10:18:52): [pam] [sysdb_cache_auth] (0x0100): Cached user entry is too old.

But the cache files are updated every time testuser logs in:

[root@authtestel7 ~]# ls -lrt /var/lib/sss/db/
insgesamt 8800
-rw-------. 1 root root 1286144  6. Apr 16:56 sssd.ldb
-rw-------. 1 root root 1609728  6. Apr 16:57 timestamps_files.ldb
-rw-------. 1 root root 1609728  6. Apr 16:57 cache_files.ldb
-rw-------. 1 root root 1286144 21. Apr 10:17 config.ldb
-rw-------. 1 root root 1609728 21. Apr 10:17 timestamps_OURDOMAIN.ldb
-rw-------. 1 root root 1609728 21. Apr 10:18 cache_OURDOMAIN.ldb

Any ideas what's wrong here?

HalexMg
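As an added illustration (my own code, not from the question, the answer or sssd itself), here is a small model of the offline-credential expiry check that sssd.conf(5) describes for offline_credentials_expiration: days since the last successful online login, 0 meaning no limit. It assumes that a cache entry with no lastOnlineAuth value behaves like epoch 0; the [pam] section is copied from the question and the timestamps are taken from its log excerpts.

```python
"""Model of the sssd offline-credential expiry check behind the
"Cached user entry is too old." message (added example, not sssd code)."""
from configparser import ConfigParser
from datetime import datetime, timedelta

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6   # the "6 (Permission denied)" reported by pam_sss in /var/log/secure

# Copy of the [pam] section from the question, embedded so this runs offline.
SSSD_CONF = """
[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
"""


def offline_expiration_days(conf_text):
    """Read offline_credentials_expiration (days, 0 = no limit) from sssd.conf text."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    return cp.getint("pam", "offline_credentials_expiration", fallback=0)


def cached_auth_allowed(last_online_auth, now, expiration_days):
    """Decide whether an offline login may use cached credentials.

    last_online_auth: datetime of the last successful online login, or None
    when the cache entry carries no lastOnlineAuth value (assumption: that is
    treated like epoch 0, so any non-zero expiration makes it "too old").
    Returns (pam_code, reason)."""
    if expiration_days == 0:
        return PAM_SUCCESS, "offline_credentials_expiration = 0: no limit"
    if last_online_auth is None:
        return PAM_PERM_DENIED, "no lastOnlineAuth recorded: cached user entry is too old"
    expire_at = last_online_auth + timedelta(days=expiration_days)
    if expire_at < now:
        return PAM_PERM_DENIED, "cached user entry is too old (expired %s)" % expire_at
    return PAM_SUCCESS, "cached login allowed until %s" % expire_at


if __name__ == "__main__":
    days = offline_expiration_days(SSSD_CONF)
    now = datetime(2021, 4, 21, 10, 18)  # time of the failed offline login in the question
    # Case 1: online login one minute earlier (cache_OURDOMAIN.ldb mtime 10:17): allowed.
    print(cached_auth_allowed(datetime(2021, 4, 21, 10, 17), now, days))
    # Case 2: no lastOnlineAuth in the cache: permission denied, like the sssd_pam.log line.
    print(cached_auth_allowed(None, now, days))
```

With the question's value of 2 days and an online login a minute earlier, the check passes, so seeing "Cached user entry is too old" points at the cache entry's last online-login timestamp rather than at the file mtimes.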

1 Answer


I don't know about Kerberos, but for AD you would need to structure your configuration file like this:

[sssd]
domains = foo.com,files
config_file_version = 2
services = nss, pam

[nss]
#debug_level = 9

[pam]
offline_credentials_expiration = 87

[domain/ad.uillinois.edu]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
account_cache_expiration = 90
krb5_realm = foo.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = foo.com
ldap_id_mapping = False
access_provider = ad
auth_provider = ad
chpass_provider = ad
use_fully_qualified_names = False
simple_allow_groups = mygroup, yourgroup
ad_gpo_access_control = Permissive

[domain/files]
id_provider = files

Notice under [sssd] the listing of both domains, for AD and files. You have to have this if sssd is to know to use the cached credentials.

mforsetti
Comment: A new domain option cached_auth_timeout will be added. The value of this option is a time period in seconds for which cached authentication can be used. After this period is exceeded online authentication must be performed. The default value would be 0, which implies that this feature is by default disabled. https://sssd.io/design-pages/cached_authentication.html – Ace Jul 07 '22 at 16:47