
I've installed a MIT KDC instance backed by an OpenLDAP instance, all running on RHEL 7. I'm wanting to configure SSSD to pull users and groups from this combination, but I'm running into a lot of issues, since most documentation assumes AD.

The issue I'm stuck on right now is that SSSD, from the logs, appears to need some sort of numeric ID for each user, which it uses to create a UID locally. Problem is, the KDC doesn't appear to be storing that in LDAP at all. I'm also noticing that the KDC is only storing the full principal (user@DOMAIN.COM), which means when I try to log in as just the user name, I don't have any fields to point SSSD to.

Is there any way to get the KDC to store more information in LDAP, or a way to get SSSD to work with what we've got?

Also, any documentation on making a connection like this would be much appreciated.

SSSD Config:

[sssd]
services = nss, pam
domains = DOMAIN.COM
debug_level = 10

[nss]
debug_level = 10

[pam]
debug_level = 10

[domain/DOMAIN.COM]
debug_level = 10
id_provider = ldap
auth_provider = krb5
access_provider = ldap
chpass_provider = krb5
dyndns_update = False
realmd_tags = manages-system joined-with-samba
cache_credentials = False
enumerate = False
entry_cache_timeout = 86400
min_id = 1000000
default_shell = /bin/bash
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True

#LDAP Configuration
ldap_uri = ldap://ldapserver:389
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = dc=domain,dc=com
ldap_group_search_base = dc=domain,dc=com
ldap_id_mapping = True
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000
ldap_idmap_default_domain = <DOMAIN>
ldap_access_filter = &(objectClass=krbPrincipal)
ldap_user_object_class = krbPrincipal
ldap_user_name = krbPrincipalName
ldap_user_principal = krbPrincipalName
ldap_user_fullname = krbPrincipalName
ldap_user_uid_number = krbPrincipalName
ldap_user_objectsid = krbPrincipalName

#KRB5 Configuration
krb5_server = kdc_server
krb5_realm = DOMAIN.COM

Sample Entry:

dn: krbPrincipalName=test-user2@DOMAIN.COM,cn=DOMAIN.COM,cn=kerberos,dc=domain,dc=com
ufn: test-user2@DOMAIN.COM, DOMAIN.COM, kerberos, DOMAIN.com
krbLoginFailedCount: 0
krbPrincipalName: test-user2@DOMAIN.COM
krbPrincipalKey:: ...
krbLastPwdChange: 20190524234020Z
krbExtraData:: ...
krbExtraData:: ...
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

1 Answer


So I never found a good answer for this, but I was able to work around it, and wanted to post this for the Google users that stumble across this.

I ended up basically just using OpenLDAP and the KDC as if they were completely separate. I kept the KDC backed by LDAP out of convenience, but I'm not using that fact anymore. Instead, when we add a user, I add it in both the KDC and in LDAP separately. I've then pointed SSSD to the LDAP area where I'm adding the users manually, but still using the KDC for authentication. It seems to be working mostly well, although I've had a few glitches so far.

If anyone has a real solution for the above, I'd still love to hear it!

    Is there any particular reason why you don't use ipa/freeipa? It is a part of RHEL 7. – Tomek May 29 '19 at 16:27
  • @Tomek: To be honest, I hadn't heard of IPA/FreeIPA before starting this project. A colleague brought it up this morning, and I'm definitely going to investigate it and make a PoC before my next engagement. That being said, this isn't even the main point of my current engagement, so whatever the quickest way to get users, passwords and groups into SSSD, the better. – Dave McGinnis May 29 '19 at 16:44
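As an added illustration of the workaround in the answer (not code from the question, the answer, or the SSSD project), the script below prints the RFC2307 LDAP entry a manually added user needs so that SSSD's ldap id_provider can resolve it, plus the matching sssd.conf domain section that keeps the MIT KDC for authentication. The people/groups subtrees, the ldaps URI and the UID/GID values are assumptions; min_id, the realm, the KDC name and the base DN are taken from the question's config.

```shell
#!/bin/sh
# Added example: POSIX user entry for SSSD (id) paired with the existing MIT KDC (auth).
MIN_ID=1000000                              # same as min_id in the question's sssd.conf
REALM=DOMAIN.COM
PEOPLE_BASE="ou=People,dc=domain,dc=com"    # assumed subtree for manually added users
GROUP_BASE="ou=Groups,dc=domain,dc=com"     # assumed subtree for posixGroup entries

# user_ldif NAME UIDNUMBER GIDNUMBER -> LDIF on stdout.
# uid is the bare login name: SSSD composes name@DOMAIN.COM itself when
# use_fully_qualified_names = True, and with auth_provider = krb5 it derives the
# principal as name@krb5_realm, so no krbPrincipalName attribute is needed here.
user_ldif() {
    name=$1; uidnum=$2; gidnum=$3
    case $name in *@*) echo "uid must not carry the realm: $name" >&2; return 1;; esac
    # SSSD silently ignores entries whose uidNumber is below min_id.
    [ "$uidnum" -ge "$MIN_ID" ] || { echo "uidNumber $uidnum < min_id $MIN_ID" >&2; return 1; }
    cat <<EOF
dn: uid=$name,$PEOPLE_BASE
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $name
cn: $name
sn: $name
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$name
loginShell: /bin/bash
EOF
}

# sssd_domain_conf -> [domain/...] section on stdout. ldap_id_mapping is off because
# the entries now carry real uidNumber/gidNumber values; the access filter is a
# complete parenthesized LDAP filter, which is what ldap_access_filter expects.
sssd_domain_conf() {
    cat <<EOF
[domain/$REALM]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_access_filter = (objectClass=posixAccount)
min_id = $MIN_ID
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
ldap_uri = ldaps://ldapserver
ldap_tls_reqcert = demand
ldap_schema = rfc2307
ldap_id_mapping = False
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = $PEOPLE_BASE
ldap_group_search_base = $GROUP_BASE
krb5_server = kdc_server
krb5_realm = $REALM
EOF
}
```

Pipe `user_ldif test-user2 1000001 1000001` into `ldapadd -x -H ldaps://ldapserver -D <admin DN> -W` after creating the principal with kadmin; the groups subtree needs matching posixGroup entries for gidNumber to resolve.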