
For the love of all that is holy - been at this for a solid 12 hours straight.

I've added my CentOS machine to my Simple AD service in AWS, following the steps outlined here:

https://docs.aws.amazon.com/directoryservice/latest/adminguide/join_windows_instance.html

And then added a "testuser" as outlined here: https://aws.amazon.com/blogs/security/how-to-manage-identities-in-simple-ad-directories/

I can see the realm is configured properly using:

[root@testhost home]# realm discover corp.example.com
  type: kerberos
  realm-name: CORP.EXAMPLE.COM
  domain-name: corp.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@corp.example.com
  login-policy: allow-realm-logins

The realm list command also works and shows the same info.

I can see my users listed by doing:

[root@testhost home]# net ads user -S corp.example.com
AWSAdminD-97672D7BEE
Administrator
testuser
krbtgt
Guest

However, when querying users with the id command like so:

[root@testhost home]# id testuser@corp.example.com
id: testuser@corp.rise.com: no such user

My krb5.conf is:

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
  default_ccache_name = KEYRING:persistent:%{uid}
  default_realm = CORP.EXAMPLE.COM

[realms]
  CORP.EXAMPLE.COM = {
    default_domain = corp.example.com
    kdc = corp.example.com
    admin_server = corp.example.com
  }

[domain_realm]
  corp.example.com = CORP.EXAMPLE.COM
  .corp.example.com = CORP.EXAMPLE.COM

And my sssd.conf is:

[sssd]
domains = corp.example.com
config_file_version = 2
services = nss, pam
debug_level = 9
default_domain_suffix = corp.example.com

[domain/corp.example.com]
enumerate = True
ad_server = corp.example.com
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9

My logs show this in /var/log/messages (might be a red herring, not sure):

sssd[be[corp.example.com]]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

My /var/log/sssd/sssd_corp.example.com.log shows the following when I make an id request for a user:

(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #145]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #145]: Receiving request data.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #145]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1::corp.example.com:name=testuser@corp.example.com] from reply table
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #145]: Request removed.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x56430d094580
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@corp.example.com]
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #146]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [sss_domain_get_state] (0x1000): Domain corp.example.com is Active
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #146]: Receiving request data.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #146]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:corp.example.com:name=testuser@corp.example.com] from reply table

Why can I not list users from AD after adding to the realm?
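The log excerpt above is worth reading for what it does not say: the data provider never reaches the directory at all ("Backend is currently offline"), and the syslog line shows the Kerberos client asking the KDC for a server principal it does not have. The following triage script is an added example, not part of the question or its answer. It pulls those two signals out of an SSSD domain log and /var/log/messages so that an administrator checks connectivity and name resolution before concluding the account is missing. The sample log lines it writes are copied from the question; the file paths are assumptions.

```shell
#!/bin/sh
# Added triage example (not from the original post). Extracts the two signals
# in the question's logs: SSSD data-provider requests that ended with
# "Backend is currently offline", and the GSSAPI "Server not found in Kerberos
# database" error from syslog. Paths are assumptions; the sample lines are
# copied from the question.

# Print "Account #N" for every data-provider request that finished offline.
#   usage: sssd_offline_requests /var/log/sssd/sssd_corp.example.com.log
sssd_offline_requests() {
    sed -n 's/.*\[dp_req_reply_gen_error\].*DP Request \[\(Account #[0-9]*\)\]: Finished\. Backend is currently offline\..*/\1/p' "$1"
}

# Print the (unique) account names the backend was asked to resolve.
sssd_offline_lookups() {
    sed -n 's/.*\[dp_get_account_info_handler\].*\[name=\([^]]*\)\].*/\1/p' "$1" | sort -u
}

# Count GSSAPI "Server not found in Kerberos database" lines in a syslog file.
# grep -c exits 1 when the count is 0 but still prints "0", hence "|| true".
gss_server_not_found_count() {
    grep -c 'GSSAPI Error:.*Server not found in Kerberos database' "$1" || true
}

# Human-readable verdict. Returns 0 always; the point is the message.
triage() {
    domain_log="$1"; syslog="$2"
    offline=$(sssd_offline_requests "$domain_log" | wc -l | tr -d ' ')
    gss=$(gss_server_not_found_count "$syslog")
    if [ "$offline" -gt 0 ]; then
        echo "$offline request(s) ended 'Backend is currently offline' while resolving: $(sssd_offline_lookups "$domain_log" | tr '\n' ' ')"
        echo "  -> the backend never talked to the directory; check DNS/SRV for the domain before suspecting the account"
    fi
    if [ "$gss" -gt 0 ]; then
        echo "$gss GSSAPI 'Server not found in Kerberos database' line(s)"
        echo "  -> the KDC has no principal for the server name SSSD used when it connected"
    fi
    return 0
}

# Constructed sample files, copied from the question, written into DIR.
write_samples() {
    cat > "$1/domain.log" <<'EOF'
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #145]: New request. Flags [0x0001].
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #145]: Finished. Backend is currently offline.
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=testuser@corp.example.com]
(Sat Jun 29 20:27:21 2019) [sssd[be[corp.example.com]]] [dp_req_reply_gen_error] (0x0080): DP Request [Account #146]: Finished. Backend is currently offline.
EOF
    cat > "$1/messages" <<'EOF'
Jun 29 20:27:21 testhost sssd[be[corp.example.com]]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
EOF
}

# Demo run against the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    triage "$dir/domain.log" "$dir/messages"
    rm -rf "$dir"
}

case "${1:-demo}" in
    demo) demo ;;
    *) triage "$1" "${2:-/var/log/messages}" ;;
esac
```

Run it with no arguments for the built-in sample, or as `sh triage.sh /var/log/sssd/sssd_corp.example.com.log /var/log/messages` on a real host (the domain log needs debug_level high enough to include the dp_req lines, as in the question's config).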


1 Answer


This was resolved by adding DNS servers to /etc/resolv.conf:

nameserver <dns1>
nameserver <dns2>

instead of mapping the domain corp.example.com to the IP of the KDC/AD directory address inside /etc/hosts.

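The answer's fix works because SSSD's ad provider and the Kerberos client locate domain controllers and build their service principal names from DNS (the _ldap._tcp and _kerberos._tcp SRV records that the directory's DNS serves); an /etc/hosts line that pins the domain name to one address answers none of that. The script below is an added example, not code from the question or the answer: it checks a host for exactly the two things the answer changed (a pin for the domain in /etc/hosts, and nameserver lines in resolv.conf) and, when dig is installed, queries the SRV records a correctly configured resolver should return. The file paths and the 10.0.0.x addresses in the demo are assumptions.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). Verifies the "after"
# state of the answer: the AD domain is resolved through DNS servers listed in
# resolv.conf rather than pinned to a single IP in /etc/hosts. Paths and the
# sample addresses in demo() are assumptions, not values from the post.

# Print /etc/hosts lines that pin DOMAIN to an address; exit 0 if any, 1 if
# none. Comment lines are skipped and the comparison is case-insensitive.
#   usage: hosts_pins_domain /etc/hosts corp.example.com
hosts_pins_domain() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(d)) { print; found = 1; break } }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the number of "nameserver" entries in a resolv.conf file.
resolv_nameserver_count() {
    awk '/^[ \t]*nameserver[ \t]+[^ \t]+/ { n++ } END { print n + 0 }' "$1"
}

# Verdict for one host: 0 = DNS-based setup as in the answer,
# 1 = domain pinned in the hosts file, 2 = no nameservers configured.
#   usage: check_ad_name_resolution /etc/hosts /etc/resolv.conf corp.example.com
check_ad_name_resolution() {
    hosts_file="$1"; resolv_file="$2"; domain="$3"
    if hosts_pins_domain "$hosts_file" "$domain" >/dev/null; then
        echo "WARN: $domain is pinned in $hosts_file; SRV discovery for the domain cannot work that way"
        return 1
    fi
    n=$(resolv_nameserver_count "$resolv_file")
    if [ "$n" -eq 0 ]; then
        echo "WARN: no nameserver lines in $resolv_file"
        return 2
    fi
    echo "OK: $domain will be resolved through $n nameserver(s) from $resolv_file"
    return 0
}

# Live check, only when dig is available: the SRV records the directory's DNS
# must answer for SSSD and Kerberos to find a domain controller.
live_srv_check() {
    domain="$1"
    command -v dig >/dev/null 2>&1 || { echo "dig not installed; skipping live SRV check"; return 0; }
    for rec in "_ldap._tcp.$domain" "_kerberos._tcp.$domain" "_ldap._tcp.dc._msdcs.$domain"; do
        echo "== $rec"
        dig +short SRV "$rec"
    done
}

# Demo on constructed files: the question's state (domain pinned in hosts,
# no nameservers) and the answer's state (nameservers listed, no pin).
demo() {
    dir=$(mktemp -d)
    printf '127.0.0.1 localhost\n10.0.0.5 corp.example.com\n' > "$dir/hosts.before"
    printf 'search corp.example.com\n' > "$dir/resolv.before"
    printf '127.0.0.1 localhost\n' > "$dir/hosts.after"
    printf 'search corp.example.com\nnameserver 10.0.0.5\nnameserver 10.0.0.6\n' > "$dir/resolv.after"

    check_ad_name_resolution "$dir/hosts.before" "$dir/resolv.before" corp.example.com || echo "  (exit status $?)"
    check_ad_name_resolution "$dir/hosts.after"  "$dir/resolv.before" corp.example.com || echo "  (exit status $?)"
    check_ad_name_resolution "$dir/hosts.after"  "$dir/resolv.after"  corp.example.com || echo "  (exit status $?)"
    rm -rf "$dir"
}

case "${1:-demo}" in
    demo) demo ;;
    live) live_srv_check "${2:-corp.example.com}" ;;
    *)    check_ad_name_resolution "$1" "${2:-/etc/resolv.conf}" "${3:-corp.example.com}" ;;
esac
```

On a joined host, `sh adcheck.sh /etc/hosts /etc/resolv.conf corp.example.com` gives the verdict and `sh adcheck.sh live corp.example.com` shows whether the resolver actually returns the SRV records; an empty answer for _ldap._tcp means SSSD is still not talking to the directory's DNS, whatever /etc/hosts says.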