3

I am trying to integrate my CentOS 6.6 servers into Active Directory. I've followed this guide from Red Hat using configuration 3 (SSSD/Kerberos/LDAP). When using a Windows Server 2008 R2 server as the domain controller with IMU enabled, everything works perfectly.

However, when I use a Windows Server 2012 R2 server with IMU enabled, I am able to acquire a Kerberos ticket, join the domain, and search LDAP, but as soon as I try to log in as an AD user from the console, I get this error message in /var/log/messages:

Jun 6 11:12:30 test [sssd[krb5_child[4760]]]: Preauthentication failed

And /var/log/secure shows these error messages:

Jun 6 11:12:15 test login: pam_sss(login:auth): received for user aduser@domain.local: 17 (Failure setting user credentials)

Jun 6 11:12:17 test login: FAILED LOGIN 1 FROM (null) FOR aduser@domain.local, Authentication failure

Using getent passwd aduser or getent group linuxgroup returns successfully.

I've tried with this sssd.conf file:

[sssd]
config_file_version = 2
services = nss, pam
domains = domain.local
debug_level = 5

[domain/domain.local]
id_provider = ad
auth_provider = ad

ad_server = dc.domain.local

default_shell = /bin/bash
fallback_homedir = /home/%d/%u

cache_credentials = false
ldap_id_mapping = false

Then I read this bug report. So, I changed my sssd.conf file to this:

[sssd]
config_file_version = 2
reconnection_retries = 2
services = nss,pam
debug_level = 5
domains = domain.local

[nss]
debug_level = 5

[pam]
debug_level = 5

[domain/domain.local]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
debug_level = 5

ldap_uri = ldap://dc.domain.local/
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis

ldap_user_search_base = dc=domain,dc=local
ldap_user_object_class = user

ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=local
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_referrals = false

krb5_server = dc.domain.local
krb5_realm = DOMAIN.LOCAL
krb5_canonicalize = false

enumerate = false
cache_credentials = false

I've cleared my SSSD cache and restarted the service, yet I am still unable to log in.

I am getting this error now in /var/log/messages:

Jun 6 11:21:43 test [sssd[krb5_child[1546]]]: Permission denied

I'm seeing this error in /var/log/sssd/krb5_child.log:

(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal aduser@DOMAIN.LOCAL in cache collection]

(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [create_ccache] (0x0020): 575: [13][Permission denied]

Now, this is where it gets strange. As root, if I su to any AD domain user, it actually works and the home directory is created automatically. I am about to concede defeat and just stick with the 2k8 DC.

Python Novice
  • I also experienced the same issue on a couple servers but found that my root partition was full preventing the login as a normal user but not root... – Rick Geymonat Jun 20 '19 at 15:10

2 Answers

4

I cannot give a more qualified answer without seeing the SSSD debug logs, but the bug report you're referring to only had performance implications, not functional ones.

The reason you're able to su to the account from root is that the PAM stack normally includes the pam_rootok.so module, which bypasses authentication with pam_sss. Given that the su from root works, we at least know that retrieving identity information works, but not authentication.

I would recommend adding more information to this question either here or on the sssd-users list. Most importantly, sssd debug logs with a high debug_level from the domain section and the krb5_child.log.

Please find more information in the troubleshooting document on the SSSD wiki.

Paul

jhrozek
  • You were right; that bug has been fixed and the providers can be set to AD even when using Windows Server 2012. I set up a new system from scratch and double-checked whether I was missing a step. It turned out that when testing integration with 2k12, I installed oddjobd but forgot to install oddjob-mkhomedir, resulting in SELinux blocking creation of home directories, and since I was working out of root's home directory, the entire thing collapsed. Thanks for your help. – Python Novice Jun 07 '15 at 01:05
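The following is an added example, not code from the question, the answer or the SSSD project. It is a small POSIX shell triage script for the two facts this thread turns on: the `create_ccache ... Permission denied` line in krb5_child.log means Kerberos authentication succeeded but the credential cache could not be written (SELinux, permissions or a full filesystem), and `su` from root succeeds only because `pam_rootok.so` short-circuits the stack before `pam_sss` is consulted, so a working `su` proves nothing about authentication. The paths are the CentOS 6 defaults (/etc/pam.d/su, /etc/pam.d/system-auth, /var/log/sssd/krb5_child.log) and are assumptions; the log lines and PAM fragments it builds under a temporary directory are constructed for an offline self-check, not captured from a system.

```shell
#!/bin/sh
# Triage helper for SSSD/AD console-login failures (added example; not from the
# question, the answer or SSSD). Assumed CentOS 6 paths: /etc/pam.d/su,
# /etc/pam.d/system-auth, /var/log/sssd/krb5_child.log. The sample files written
# below are constructed for the offline self-check.
set -e

# Classify a krb5_child.log excerpt. Prints one of:
#   ccache_perm  a TGT was obtained but the credential cache could not be written:
#                check the ccache directory owner/mode, SELinux AVC denials and free
#                space on the filesystem that holds it
#   preauth      the KDC rejected pre-authentication: wrong password, clock skew,
#                or a realm/principal mismatch (krb5_realm must be upper case)
#   no_kdc       no KDC reachable for the realm (DNS, firewall, krb5_server)
#   unknown      nothing recognised
krb5_child_diagnose() {
    logfile=$1
    if grep -Eq 'create_ccache.*Permission denied' "$logfile"; then
        echo ccache_perm
    elif grep -Eq 'Preauthentication failed' "$logfile"; then
        echo preauth
    elif grep -Eq 'Cannot contact any KDC' "$logfile"; then
        echo no_kdc
    else
        echo unknown
    fi
}

# Does a PAM service file use a module on an active (non-comment) line?
# pam_has_module /etc/pam.d/su pam_rootok.so is true on a stock CentOS 6 box,
# which is why "su - aduser" as root never asks sssd for a password.
pam_has_module() {
    pamfile=$1
    module=$2
    grep -Eq "^[[:space:]]*(auth|account|password|session)[[:space:]]+[^#]*$module" "$pamfile"
}

# Is automatic home-directory creation configured? On SELinux-enforcing RHEL/CentOS
# hosts Red Hat recommends pam_oddjob_mkhomedir.so (packages oddjob and
# oddjob-mkhomedir, then authconfig --enablemkhomedir --update) because the
# directory is created by the oddjobd daemon rather than by the login process.
homedir_creation_configured() {
    pam_has_module "$1" 'pam_(oddjob_)?mkhomedir\.so'
}

# --- constructed samples, standing in for the real files when run offline ---
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Two krb5_child.log excerpts: the ccache failure from the question, and a
# constructed pre-authentication failure in the same format.
cat > "$SAMPLES/krb5_child.ccache.log" <<'EOF'
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal aduser@DOMAIN.LOCAL in cache collection]
(Sat Jun 6 11:21:43 2015) [[sssd[krb5_child[1387]]]] [create_ccache] (0x0020): 575: [13][Permission denied]
EOF
cat > "$SAMPLES/krb5_child.preauth.log" <<'EOF'
(Sat Jun 6 11:12:30 2015) [[sssd[krb5_child[4760]]]] [get_and_save_tgt] (0x0020): 1005: [-1765328360][Preauthentication failed]
EOF

# A stock /etc/pam.d/su: pam_rootok.so is "sufficient", so root skips the rest.
cat > "$SAMPLES/su" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth
EOF

# system-auth with oddjob-mkhomedir missing (no session line for it) ...
cat > "$SAMPLES/system-auth.broken" <<'EOF'
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
session     required      pam_unix.so
session     optional      pam_sss.so
EOF
# ... and after installing oddjob-mkhomedir and enabling it with authconfig.
cat > "$SAMPLES/system-auth.fixed" <<'EOF'
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     required      pam_unix.so
session     optional      pam_sss.so
EOF

# Report on the live system where the files exist; harmless elsewhere.
report() {
    if [ -r /var/log/sssd/krb5_child.log ]; then
        echo "krb5_child.log: $(krb5_child_diagnose /var/log/sssd/krb5_child.log)"
    fi
    for f in /etc/pam.d/su /etc/pam.d/system-auth; do
        [ -r "$f" ] || continue
        pam_has_module "$f" pam_rootok.so && echo "$f: pam_rootok.so present (root su bypasses pam_sss)"
        homedir_creation_configured "$f" && echo "$f: mkhomedir configured" || echo "$f: no mkhomedir line"
    done
}
report
```

Note that the first krb5_child.log line in the question is logged at level 0x2000 (trace) and only says there was no existing cache to reuse; the 0x0020 `create_ccache` line is the actual failure. The script deliberately treats `su` from root as evidence about `pam_rootok.so`, not about Kerberos: to test authentication, log in as the AD user directly or run `su - aduser` from another unprivileged account.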
-2

Try this:

chmod 644 /etc/krb5.conf