5

When I try to do a su [email protected] I get a "user does not exist" message.

[email protected] exists in Active Directory. I can do kinit [email protected] successfully and get a ticket. Here are the steps I did:

  1. I have MIT KDC on CentOS 7 CENTOSREALM.COM and Active Directory realm ADREALM.COM
  2. On CentOS I did realm join ADREALM.COM which gave "* Successfully enrolled machine in realm". I can see the centos hostname in Active Directory Computers container.
  3. But I cannot login to the CentOS server with [email protected] this user exists in AD.

Where do I look for errors or steps to debug this issue?

The sssd.conf content:

[sssd]
domains = adrealm.com
config_file_version = 2
services = nss, pam

[domain/adrealm.com]
ad_server = adrealm.com
ad_domain = adrealm.com
krb5_realm = ADREALM.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 3
Improve this question
11
  • What does your /etc/sssd/sssd.conf file look like? Commented Sep 4, 2018 at 12:40
  • [sssd] domains = adrealm.com config_file_version = 2 services = nss, pam [domain/adrealm.com] ad_server = adrealm.com ad_domain = adrealm.com krb5_realm = ADREALM.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad debug_level = 3 Commented Sep 5, 2018 at 13:08
  • @Christophe Drevet-Droguet above is /etc/sssd/sssd.conf: In addition I checked forward and reverse dns from centos to Active Dir works fine. I have updated /etc/hosts, /etc/resolv.conf, /etc/krb5.conf based on many suggestions. Thx!! Commented Sep 5, 2018 at 13:18
  • Also if I get this error with ldapwhoami: ldapwhoami -Y GSSAPI -H ldap://adserver1.adrealm.com SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) Commented Sep 5, 2018 at 13:41
  • 1
    I won't be able to help much more. It seems you have an issue with your kerberos configuration. But since you can get a ticket with kinit, I don't know what would be the issue. Sorry. Commented Sep 10, 2018 at 11:38

1 Answer 1

Reset to default
4

Finally I followed these instructions and suddenly it started working, its weird I still dont understand fully what was wrong: Manually Connecting an SSSD Client to an Active Directory Domain https://access.redhat.com/articles/3023951 .

I can now do id and su for an ActiveDir user on Centos7 like $ su [email protected] with ActiveDir password and login. Bottomline the /etc/hosts , /etc/krb5.conf, /etc/resolv.conf , /etc/sssd/sssd.conf, /etc/samba/smb.conf need to be carefully checked as all kinds of errors can happen.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.