
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
2542 views
SSSD and sudo-rules in Active Directory
# Note #

While making this post I managed to find the problem myself so I thought I might as well post in case it may help someone else later on. The problem was that I had a typo in **/etc/nsswitch.conf**: I had written **suduers** and not **sudoers**. The **sudoers:** entry wasn't there from the beginning so I had to add it, hence the typo. One more thing was that the package **libsss-sudo** wasn't installed either, which was needed.

# Post #

I have my Linux-servers joined to my AD with SSSD like this:

    apt-get install sssd-ad sssd-tools realmd adcli krb5-user libsss-sudo
    realm join -U Administrator domain.local

I can logon with my AD-users just fine but now I want to manage the sudo-rules in AD too. I extended the AD scheme like this on my AD-server:

> wget https://github.com/sudo-project/sudo/blob/main/docs/schema.ActiveDirectory -o schema.ActiveDirectory

I changed all the **DC=X** entries with **DC=domain,DC=local** and then ran:

> ldifde -i -f schema.ActiveDirectory

So far so good. I created an OU where I want all my sudo-rules:

    OU=Sudo-rules,OU=Linux Servers,OU=Computers,OU=Company,DC=domain,DC=local

In the OU **Sudo-rules** I created an object with the **sudoRole** class, named it **LinuxAdminsSudo** and edited the following attributes:

    sudoCommand: ALL
    sudoHost: ALL
    sudoRunAs: ALL
    sudoUser: %linuxadmins@domain.local

The **linuxadmins@domain.local** is an AD-group where all the Linux-admins are members and I want them to get full sudo-access to all Linux-servers.
This is my **/etc/sssd/sssd.conf**:

    [sssd]
    domains = domain.local
    config_file_version = 2
    services = nss, pam, sudo

    [domain/domain.local]
    default_shell = /bin/bash
    krb5_store_password_if_offline = True
    cache_credentials = True
    krb5_realm = DOMAIN.LOCAL
    realmd_tags = manages-system joined-with-adcli
    id_provider = ad
    fallback_homedir = /home/%d/%u
    ad_domain = domain.local
    use_fully_qualified_names = True
    ldap_id_mapping = True
    access_provider = ad
    sudo_provider = ad

    [sudo]

In **/etc/nsswitch.conf** I added:

    sudoers: sss files

Clear cache for SSSD and restart:

    sss_cache -E
    systemctl restart sssd

Now I login with a user that's in the **LinuxAdmins**-group and when I run **sudo -l** I get this:

    Sorry, user admin-user@domain.local may not run sudo on linux-host1.

So I'm not allowed to run sudo at all even though the rule in AD should allow this. When checking the SSSD cache I can see that it has indeed retrieved the rule:

    ldbsearch -H /var/lib/sss/db/cache_domain.local.ldb

I found this entry:

    # record 28
    dn: name=LinuxAdminsSudo,cn=sudorules,cn=custom,cn=domain.local,cn=sysdb
    cn: LinuxAdminsSudo
    dataExpireTimestamp: 1699953662
    entryUSN: 65897179
    name: LinuxAdminsSudo
    objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=domain,DC=local
    objectClass: sudoRule
    originalDN: CN=LinuxAdminsSudo,OU=Sudo-rules,OU=Linux Servers,OU=Computers,OU=Company,DC=domain,DC=local
    sudoCommand: ALL
    sudoHost: ALL
    sudoRunAs: ALL
    sudoUser: %linuxadmins@domain.local
    distinguishedName: name=LinuxAdminsSudo,cn=sudorules,cn=custom,cn=domain.local,cn=sysdb

Which indicates that it can retrieve the rule just fine from AD. And everything was just fine, I had just made a typo in **/etc/nsswitch.conf**, as stated in the beginning of the post.
PatricF (171 rep)
Nov 14, 2023, 08:53 AM • Last activity: Jul 20, 2025, 11:03 AM
3 votes
1 answers
28682 views
Samba file server + AD + SSSD without Winbind
Currently have a CentOS8 server AD integrated using SSSD + automatic SID->UID mapping/generation. I would like to setup some file shares to make use of AD groups, but am struggling to get it set up. Does anybody have an example config that does not make use of winbind? Currently have the following:

    [global]
    workgroup =
    security = ads
    realm =
    domain master = no
    local master = no
    preferred master = no
    client min protocol = SMB3
    vfs objects = acl_xattr
    map acl inherit = yes
    log level = 5
    idmap config * : backend = sss
    idmap config * : range = 10001-2000100000
    kerberos method = secrets and keytab

I'm not familiar with setting up Samba, so maybe some of those settings don't make sense/are superfluous? I get the following error when trying to start Samba:

    [2021/02/08 19:26:53.511544,  3] ../../source3/auth/token_util.c:788(finalize_local_nt_token)
      Failed to check for local Guests membership (NT_STATUS_INVALID_PARAMETER_MIX)
    [2021/02/08 19:26:53.511550,  0] ../../source3/auth/auth_util.c:1403(make_new_session_info_guest)
      create_local_token failed: NT_STATUS_INVALID_PARAMETER_MIX
    [2021/02/08 19:26:53.511603,  0] ../../source3/smbd/server.c:2052(main)
      ERROR: failed to setup guest info.

Thank you
Storage4852 (31 rep)
Feb 8, 2021, 08:13 PM • Last activity: Jun 28, 2025, 09:08 PM
3 votes
1 answers
12027 views
Kerberos/Samba can't join Active Directory [DEBIAN 8]
I have an issue when I try to join my domain. I am able to create the kerberos ticket successfully.

    root@debian:~# kinit Administrateur@ASP.DOMAIN
    Password for Administrateur@ASP.DOMAIN:
    root@debian:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrateur@ASP.DOMAIN

    Valid starting       Expires              Service principal
    26/04/2016 18:20:18  27/04/2016 04:20:18  krbtgt/ASP.DOMAIN@ASP.DOMAIN
        renew until 27/04/2016 18:20:11

and when I try to join the domain:

    root@debian:~# net ads join -k
    Failed to join domain: failed to lookup DC info for domain 'ASP.DOMAIN' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.

my krb5.conf is:

    [libdefaults]
    default_realm = ASP.DOMAIN

    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    [realms]
    ASP.DOMAIN = {
        kdc = asp.domain
        admin_server = server.domain
        default_domain = DOMAIN
    }

    [domain_realm]
    .asp.domain = ASP.DOMAIN
    asp.domain = ASP.DOMAIN

My smb.conf:

    [global]
    security = ADS
    realm = ASP.DOMAIN
    password server = server.domain
    workgroup = asp.domain
    winbind separator = /
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    winbind use default domain = yes
    domain master = no
    local master = no
    preferred master = no
    os level = 0

I have no idea: there is no drop on my firewall. The ticket is ok. I've tried with 3 Domain Controllers.

PS : Domain is a variable

EDIT : I've tried to do it with samba-tool too

    root@debian:~# samba-tool domain join ASP.DOMAIN MEMBER -UAdministrateur --real=ASP.DOMAIN
    ERROR(runtime): uncaught exception - Connection to SAMR pipe of PDC for ASP.DOMAIN failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 606, in run
        machinepass=machinepass)

EDIT 2 : Join is ok ? But wbinfo -u is not ok

    root@debian:~# net ads join -U Administrateur
    Enter Administrateur's password:
    Using short domain name -- DOMAIN
    Joined 'ASP.DOMAIN' to dns domain 'asp.domain'
    DNS Update for asp.kapia failed: ERROR_DNS_GSS_ERROR
    DNS update failed: NT_STATUS_UNSUCCESSFUL
    root@debian:~# net ads testjoin
    Join is OK
    root@debian:~# wbinfo -u
    could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
    could not obtain winbind domain name!
    Error looking up domain users

EDIT 3 : [screenshot]

EDIT 4 :

    root@debian:~# service winbind status
    ● winbind.service - LSB: start Winbind daemon
       Loaded: loaded (/etc/init.d/winbind)
       Active: active (exited) since mer. 2016-04-27 16:16:00 CEST; 55s ago
      Process: 2222 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)

    avril 27 16:16:00 debian winbindd:  #5 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fbc2b11e1cd]
    avril 27 16:16:00 debian winbindd:  #6 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x91ca) [0x7fbc2b11f1ca]
    avril 27 16:16:00 debian winbindd:  #7 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x78e7) [0x7fbc2b11d8e7]
    avril 27 16:16:00 debian winbindd:  #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fbc2b11a12d]
    avril 27 16:16:00 debian winbindd:  #9 /usr/sbin/winbindd(main+0xb7c) [0x7fbc325cbc8c]
    avril 27 16:16:00 debian winbindd:  #10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fbc2a92db45]
    avril 27 16:16:00 debian winbindd:  #11 /usr/sbin/winbindd(+0x25318) [0x7fbc325cc318]
    avril 27 16:16:00 debian winbindd: [2016/04/27 16:16:00.971185,  0] ../source3/lib/dumpcore.c:318(dump_core)
    avril 27 16:16:00 debian winbindd:   dumping core in /var/log/samba/cores/winbindd
    avril 27 16:16:00 debian winbindd:
Mikael Denis (31 rep)
Apr 27, 2016, 08:41 AM • Last activity: Jun 28, 2025, 07:08 PM
5 votes
2 answers
9805 views
realm command doesn't work correctly when used in script (CentOS 7)
I try to automate the authentication on CentOS 7 Hosts over my AD with the realm commands. It totally works when I execute the following commands by myself.

    $ yum -y install realmd oddjob oddjob-mkhomedir sssd samba-common
    $ realm join -U admin domain.com
    $ realm permit -g LinuxAdmins@domain.com

In addition to that I replace the following lines in */etc/sssd/sssd.conf* and restart the sssd service.

    use_fully_qualified_names = False
    fallback_homedir = /home/%d/%u

    $ systemctl restart sssd

After those steps I can log in on that specific CentOS Host with any permitted user of my Active Directory.

**Now the Problem:**

If I run the following script on a CentOS Host as root it seems like everything has worked.

    yum -y install realmd oddjob oddjob-mkhomedir sssd samba-common
    echo "Password" | realm join -U admin domain.com
    realm permit -g LinuxAdmins@domain.com
    sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf
    sed -i -e 's#fallback_homedir = /home/%u@%d#fallback_homedir = /home/%d/%u#g' /etc/sssd/sssd.conf
    systemctl restart sssd

If I try to log in as a permitted AD user it says *permission denied*. I checked */etc/sssd/sssd.conf* for any possible sed-caused problems, but that seems fine. Also running the command *realm list* seems like there is no problem.

    # realm list
    domain.com
      type: kerberos
      realm-name: DOMAIN.COM
      domain-name: domain.com
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common
      login-formats: %U
      login-policy: allow-permitted-logins
      permitted-logins:
      permitted-groups: LinuxAdmins@domain.com

The output of this command is exactly the same when I run it after manually executing the commands. Anybody any idea how to handle that?
Tem (104 rep)
Jul 28, 2016, 03:12 PM • Last activity: Jun 12, 2025, 01:05 AM
0 votes
1 answers
1902 views
On starting sssd
there. At first, it says the daemon couldn't find the /etc/sssd/sssd.conf. So, I created this and, when executing sssd "systemctl start sssd.service", it shows the following errors.
    Jun 25 21:00:48 tmax1 sssd[nss]: Starting up
    Jun 25 21:00:48 tmax1 sssd[nss]: Starting up
    Jun 25 21:00:48 tmax1 sssd[pam]: Starting up
    Jun 25 21:00:48 tmax1 sssd[pam]: Starting up
    Jun 25 21:00:49 tmax1 sssd[be[DOMAIN.COM]]: Starting up
    Jun 25 21:00:49 tmax1 sssd: Exiting the SSSD. Could not restart critical service [DOMAIN.COM].
    Jun 25 21:00:49 tmax1 systemd: sssd.service: main process exited, code=exited, status=1/FAILURE
    Jun 25 21:00:49 tmax1 systemd: Failed to start System Security Services Daemon.
    Jun 25 21:00:49 tmax1 systemd: Unit sssd.service entered failed state.
    Jun 25 21:00:49 tmax1 systemd: sssd.service failed.

Is there any other configuration file or something to check before running sssd? I can check the realm by "realm discover DOMAIN.COM". Ping is fine.

    [test1@ ~]$ realm discover domain.com
    domain.com
      type: kerberos
      realm-name: DOMAIN.COM
      domain-name: domain.com
      configured: no
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common-tools

Sometimes, the "kinit" command doesn't work, but I can see the ticket by the "klist" only with the root account.

    [test1@ ~]$ klist
    klist: Credentials cache keyring 'persistent:1000:1000' not found

    [root@ ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: administrator@DOMAIN.COM

    Valid starting       Expires              Service principal
    06/25/2018 17:08:47  06/26/2018 03:08:47  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 07/02/2018 17:08:45

What do I do more to start sssd..? Thank you.
owcred601 (35 rep)
Jun 25, 2018, 09:17 AM • Last activity: Jun 8, 2025, 04:08 AM
0 votes
1 answers
4896 views
how to list authorized AD group and users on CentOS 8
We have one CentOS 8 server which is integrated with Windows AD so users access it with their Windows credentials. I have a request and need to check out which users and groups are allowed to access it (not all the AD users were authorized). I can check the sudoers file to see who has the rights to run commands, but is there any other place we can check who can ssh to the server? /etc/passwd does not seem to store the AD user info. Many thanks.
Eaven Huang (1 rep)
Dec 13, 2021, 07:04 AM • Last activity: May 18, 2025, 07:03 AM
4 votes
1 answers
3038 views
Users authenticating via AD are no longer being prompted for password
Platforms: Oracle Linux 5, Oracle Linux 6, PowerbrokerOpen V7.01

What we want to happen: Users are able to login to the Linux command line using their Active Directory username and password.

What's happening now: Users are logging in with their AD login, and are no longer being prompted for a password.

What changed: The Linux machines were migrated from the domain "MYCOMPANY.NET" to "MYCOMPANY.LOCAL" as the "MYCOMPANY.NET" domain will be removed.

This is output in /var/log/secure from a machine that has not migrated yet:

    Feb 11 14:51:07 prdsrv101 sshd: Accepted keyboard-interactive/pam for davthac from 10.53.25.44 port 53561 ssh2
    Feb 11 14:51:07 prdsrv01 sshd: pam_unix(sshd:session): session opened for user davthac by (uid=0)

This is output in /var/log/secure from a machine that has been migrated:

    Feb 11 14:57:00 tstivxapp01 sshd: Authorized to davthac, krb5 principal davthac@MYCOMPANY.LOCAL (krb5_kuserok)
    Feb 11 14:57:00 tstivxapp01 sshd: Accepted gssapi-with-mic for davthac from 10.53.25.44 port 53777 ssh2
    Feb 11 14:57:00 tstivxapp01 sshd: pam_unix(sshd:session): session opened for user davthac by (uid=0)

It looks like the authentication method was changed, but we made no configuration changes to Powerbroker other than leaving MYCOMPANY.NET and joining MYCOMPANY.LOCAL. What do I need to do to get the password prompt back?

Thanks in advance

Dave
dthacker (157 rep)
Feb 11, 2015, 09:02 PM • Last activity: Apr 26, 2025, 05:04 PM
0 votes
1 answers
2187 views
In RHEL, can you associate the GID of an AD group with the GID of a local group?
I have a Windows Active Directory system and the GID of group X is 1745005454. The RHEL machines are AD joined using realm and SSSD authenticated, and when you do an `id username` it will show that that user is in group X of 1745005454.

However, several different environments exist and are not connected to each other and have this similar setup, and the GID on each environment for group X is different. This causes issues on the RHEL systems on all environments where there are local group X's all with the consistent GID of 10001 and scripts being executed that look for the 10001 GID in order to run.

There are no local users (except for root and local admin accounts), and I can't add the AD user to the local group obviously. I can't change the GID of the AD group X to the needed 10001, so the question is: can I configure RHEL to see the incoming group X GID 1745005454 (or whatever) and make it associate/alias to the local GID 10001 for group X and be equivalent?
bpartin2009 (1 rep)
Nov 8, 2022, 02:22 PM • Last activity: Apr 23, 2025, 07:05 PM
0 votes
1 answers
1981 views
How to resolve problems connecting to Samba4 Active Directory Domain Controller on Ubuntu Micro AWS Instance
I'm trying to set up an Active Directory Domain Controller on an Ubuntu 16.04 instance on Amazon's EC2 micro services. I do everything right (following at least three different tutorials) and get all the server side tests to run and go fine. My most recent attempt used this tutorial: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller (although I got the kerberos install list from Step 2 of https://www.tecmint.com/install-samba4-active-directory-ubuntu/). But when I try to connect from Windows 10 (as explained here https://wiki.samba.org/index.php/Windows_DNS_Configuration), I get the following error:

> Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
>
> DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "ad.company.com.my":
>
> The query was for the SRV record for _ldap._tcp.dc._msdcs.ad.company.com.my
>
> The following domain controllers were identified by the query:
> dc1.ad.company.com.my
>
> However no domain controllers could be contacted.
>
> Common causes of this error include:
>
> - Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
>
> - Domain controllers registered in DNS are not connected to the network or are not running.

My setup: AWS Micro instance running Ubuntu 16.04 LTS. Elastic IP address set so that I have a static IP address for the server. The Windows client is a virtual machine. It has the public IP address of the amazon instance set as per instructed on the samba wiki (https://wiki.samba.org/index.php/Windows_DNS_Configuration).

All of these work:

    host -t A ad.company.com.my
    host -t A dc1
    ping -c3 ad.company.com.my
    ping -c3 dc1.ad.company.com.my

Configuration files:

/etc/network/interfaces:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # Source interfaces
    # Please check /etc/network/interfaces.d before changing this file
    # as interfaces may have been defined in /etc/network/interfaces.d
    # See LP: #1262951
    # source /etc/network/interfaces.d/*.cfg

    auto eth0
    iface eth0 inet static
        address 172.31.36.46
        netmask 255.255.240.0
        broadcast 172.31.47.255
        gateway 172.31.32.1
        dns-nameserver 172.31.36.46
        # dns-nameserver 172.31.0.2
        # dns-nameserver 8.8.8.8
        dns-search ad.company.com.my

/etc/hosts:

    127.0.0.1 localhost localhost.localdomain
    172.31.36.46 dc1.ad.company.com.my dc1

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

/etc/resolv.conf

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 172.31.36.46
    search ad.company.com.my

/etc/hostname

    dc1

/etc/krb5.conf

    [libdefaults]
        default_realm = AD.COMPANY.COM.MY
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/samba/smb.conf

    [global]
        workgroup = AD
        realm = AD.COMPANY.COM.MY
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

    [netlogon]
        path = /var/lib/samba/sysvol/ad.company.com.my/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Here is the output of the command:

    nslookup dc1.ad.company.com.my
    Server:  ec2-ADDRESS.ap-southeast-1.compute.amazonaws.com
    Address:  ADDRESS

    Name:    dc1.ad.company.com.my
    Address:  172.31.36.46

And then doing an SRV check:

    C:\Users\user>nslookup
    Default Server:  ec2-ADDRESS.ap-southeast-1.compute.amazonaws.com
    Address:  ADDRESS

    > set type=SRV
    > _ldap._tcp.ad.company.com.my
    Server:  ec2-ADDRESS.ap-southeast-1.compute.amazonaws.com
    Address:  ADDRESS

    _ldap._tcp.ad.company.com.my    SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc1.ad.company.com.my

I've opened all traffic on the instance so that I know it's not a firewall issue. So, what am I doing wrong?
Jack Holtby (1 rep)
Jun 19, 2019, 08:22 AM • Last activity: Apr 19, 2025, 10:03 PM
1 votes
0 answers
1093 views
Linux server - AD Login enabled - how to add AD group to local group
My RHEL servers are enabled with Active Directory authentication configured in the `sssd.conf` file. I have allowed a few AD groups in `sssd.conf` to login to the Linux server. The issue is: I need to know how I add these AD group members to a local group membership. I tried adding the AD group in `/etc/group` but that's not working:

    docker:x:332:user1,user2,g-my-AD-user-group
judi (71 rep)
Oct 20, 2022, 11:26 AM • Last activity: Apr 18, 2025, 09:30 AM
2 votes
1 answers
2499 views
Login not chdir()ing to correct home directory (AD/realmd/sssd)
I'm forced (ugh) to join several linux machines to a domain. I'm currently using debian stable, and am joining the machines using a join script I wrote (at https://rbmj.github.io/join.sh for reference). The setup uses realm and sssd for all of the joining magic, and pam_mkhomedir to create home directories. Machines are debian stable. getent passwd $USER shows proper uid/gid and home directory set to /home/$DOMAIN/$USER as it should be. The problem is that on logon pam_mkhomedir.so is creating the home directory in the proper place (/home/$DOMAIN/$USER), but login tries to chdir() into /home/$USER. The workaround I'm currently using is symlinking /home/$DOMAIN to /home, which *is* an ugly symlink loop, but it gets the job done for now. Once I can figure this out migration should be fairly straightforward, as there's only one or two system accounts so I can move the rest via script. Since this is a recently installed debian stable machine, I think it's a systemd issue, as I believe the standard login daemon is replaced by systemd-logind or similar cruft. I think this is a bug somewhere, as login should try to change directory to whatever nsswitch indicates is the user's proper home directory, but I'm no expert.
Robert Mason (101 rep)
Jun 7, 2016, 06:13 PM • Last activity: Apr 15, 2025, 01:06 PM
1 votes
0 answers
743 views
Bursts of errors "Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client (...) not found in Kerberos database."
I have set up some RHEL9 servers to authenticate through the AD for the domain EXAMPLE.XYZ; this is done via Ansible playbooks, and so far all works well. (It's the same setup as this previous question: https://unix.stackexchange.com/questions/786569/joining-domain-via-ansible-returns-error-already-joined-to-this-domain-while-v)

However, every few minutes, on each host (let's say on myhost42) there are bursts of error messages, several times per second, in /var/log/messages:

    Feb 19 15:23:32 myhost42 ldap_child: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'MYHOST42$@EXAMPLE.XYZ' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

This is the /etc/krb5.conf file:

    includedir /etc/krb5.conf.d/
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = true
    default_realm = EXAMPLE.XYZ
    default_ccache_name = KEYRING:persistent:%{uid}
    udp_preference_limit = 0

    [realms]

    [domain_realm]

What can be done to troubleshoot the issue?

---

EDIT #1: Based on a comment below and my research, it might be due to a missing association between the AD domain and the Kerberos realm and/or missing entries in the Kerberos keytab.

However, I'm using the same configuration as another server farm, which works correctly.

This is the output of klist -kt /etc/krb5.keytab:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 MYHOST42$@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 host/MYHOST42@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 host/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 RestrictedKrbHost/MYHOST42@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
       3 02/25/2025 15:53:24 RestrictedKrbHost/myhost42.EXAMPLE.XYZ@EXAMPLE.XYZ
dr_ (32068 rep)
Feb 19, 2025, 02:45 PM • Last activity: Feb 26, 2025, 10:57 AM
0 votes
0 answers
76 views
Samba Winbind in Trusted Forest can't enumerate group membership
Hello, I'm having a problem with a winbind samba joined computer. The system is unable to verify the group memberships in Forest B. All users from Forest B are only part of the "Domain Users" group;

    id B\\USERNAME -> returns only uid(b\username) and gid(b\domain users)

however, once they log in to the system via SSH, the group memberships are correctly populated. Record saved into samlogon net cache with the respective SID and username.

This limitation poses a problem if we want to restrict SSH access to specific users and groups. Have you encountered this issue or found a solution to it?

https://unix.stackexchange.com/questions/536001/samba-winbind-how-to-authenticate-from-trusted-ad-domain-one-way-trust/790017?noredirect=1#comment1515924_790017
Talo (1 rep)
Jan 28, 2025, 08:36 AM • Last activity: Jan 28, 2025, 08:53 AM
1 votes
3 answers
10837 views
Samba winbind: how to authenticate from trusted AD domain (one-way trust)?
Hello, Linux newbie here. **What I am trying to achieve:** to be able to log in to a Linux machine with Active Directory credentials from a trusted domain. I have the following setup:

```
+----------------+                 +---------------+     +-----------+
|   Forest B     |                 |   Forest A    |     | User in   |
|                |  one-way trust  |               |     | domain B  |
|   Domain B     +<--------------+   Domain A    |     |           |
|   b.net        |                 |   a.net       |     +-----------+
|                |                 |               |
+----------------+                 +-------+-------+
                                           |
                                           |
                                   +-------+-------+
                                   |               |
                                   | Ubuntu 16.04  |
                                   | samba 4.7.12  |
                                   |               |
                                   +---------------+
```

I have successfully joined my Ubuntu 16.04 to Active Directory domain A with Samba winbind, but I am unable to log in to the machine with a user account that exists in domain B. Domain A and domain B are Active Directory domains and they have a one-way trust, so that domain A trusts domain B, but domain B does not trust domain A.

Here are my smb.conf, krb5.conf and nsswitch.conf.

/etc/samba/smb.conf

```
[global]
   workgroup = A
   security = ADS
   realm = A.NET
   encrypt passwords = yes
   idmap config *:range = 16777216-33554431
   allow trusted domains = yes
   winbind trusted domains only = no
   kerberos method = secrets and keytab
   winbind refresh tickets = yes
   template shell = /bin/bash
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
```

/etc/krb5.conf

```
[libdefaults]
	default_realm = A.NET
	dns_lookup_kdc = false
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	ATHENA.MIT.EDU = {
		kdc = kerberos.mit.edu:88
		kdc = kerberos-1.mit.edu:88
		kdc = kerberos-2.mit.edu:88
		admin_server = kerberos.mit.edu
		default_domain = mit.edu
	}
	MEDIA-LAB.MIT.EDU = {
		kdc = kerberos.media.mit.edu
		admin_server = kerberos.media.mit.edu
	}
	ZONE.MIT.EDU = {
		kdc = casio.mit.edu
		kdc = seiko.mit.edu
		admin_server = casio.mit.edu
	}
	MOOF.MIT.EDU = {
		kdc = three-headed-dogcow.mit.edu:88
		kdc = three-headed-dogcow-1.mit.edu:88
		admin_server = three-headed-dogcow.mit.edu
	}
	CSAIL.MIT.EDU = {
		kdc = kerberos-1.csail.mit.edu
		kdc = kerberos-2.csail.mit.edu
		admin_server = kerberos.csail.mit.edu
		default_domain = csail.mit.edu
		krb524_server = krb524.csail.mit.edu
	}
	IHTFP.ORG = {
		kdc = kerberos.ihtfp.org
		admin_server = kerberos.ihtfp.org
	}
	GNU.ORG = {
		kdc = kerberos.gnu.org
		kdc = kerberos-2.gnu.org
		kdc = kerberos-3.gnu.org
		admin_server = kerberos.gnu.org
	}
	1TS.ORG = {
		kdc = kerberos.1ts.org
		admin_server = kerberos.1ts.org
	}
	GRATUITOUS.ORG = {
		kdc = kerberos.gratuitous.org
		admin_server = kerberos.gratuitous.org
	}
	DOOMCOM.ORG = {
		kdc = kerberos.doomcom.org
		admin_server = kerberos.doomcom.org
	}
	ANDREW.CMU.EDU = {
		kdc = kerberos.andrew.cmu.edu
		kdc = kerberos2.andrew.cmu.edu
		kdc = kerberos3.andrew.cmu.edu
		admin_server = kerberos.andrew.cmu.edu
		default_domain = andrew.cmu.edu
	}
	CS.CMU.EDU = {
		kdc = kerberos.cs.cmu.edu
		kdc = kerberos-2.srv.cs.cmu.edu
		admin_server = kerberos.cs.cmu.edu
	}
	DEMENTIA.ORG = {
		kdc = kerberos.dementix.org
		kdc = kerberos2.dementix.org
		admin_server = kerberos.dementix.org
	}
	stanford.edu = {
		kdc = krb5auth1.stanford.edu
		kdc = krb5auth2.stanford.edu
		kdc = krb5auth3.stanford.edu
		master_kdc = krb5auth1.stanford.edu
		admin_server = krb5-admin.stanford.edu
		default_domain = stanford.edu
	}
	UTORONTO.CA = {
		kdc = kerberos1.utoronto.ca
		kdc = kerberos2.utoronto.ca
		kdc = kerberos3.utoronto.ca
		admin_server = kerberos1.utoronto.ca
		default_domain = utoronto.ca
	}
	A.NET = {
		admin_server = dc.a.net
		kdc = dc.a.net
	}
	B.NET = {
		admin_server = dc.b.net
		kdc = dc.b.net
	}

[domain_realm]
	.mit.edu = ATHENA.MIT.EDU
	mit.edu = ATHENA.MIT.EDU
	.media.mit.edu = MEDIA-LAB.MIT.EDU
	media.mit.edu = MEDIA-LAB.MIT.EDU
	.csail.mit.edu = CSAIL.MIT.EDU
	csail.mit.edu = CSAIL.MIT.EDU
	.whoi.edu = ATHENA.MIT.EDU
	whoi.edu = ATHENA.MIT.EDU
	.stanford.edu = stanford.edu
	.slac.stanford.edu = SLAC.STANFORD.EDU
	.toronto.edu = UTORONTO.CA
	.utoronto.ca = UTORONTO.CA
	a.net = A.NET
	.a.net = A.NET
	b.net = B.NET
	.b.net = .B.NET

[login]
	krb4_convert = true
	krb4_get_tickets = false
```

/etc/nsswitch.conf

```
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

Most of the modifications are based on these instructions, though I added domain B to krb5.conf: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/7-15-ltsr/installation-overview/ubuntu.html

I have tried the following wbinfo commands:

- **wbinfo --online-status** shows domain A online, but domain B offline.
- **wbinfo -n B\\administrator** returns a SID, and wbinfo -s SID returns the name.
- **wbinfo -m** returns:

```
BUILTIN
MYLINUX
A
B
```

- **wbinfo -K B\\user%password** returns the following error message:

```
wbcLogonUser(B\user): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers are currently available to service the logon request.
Could not authenticate user [B\user%password] with Kerberos (ccache: FILE)
```

I would really appreciate it if someone could help me to solve this. How would I start to troubleshoot this issue?
randomuser56789 (11 rep)
Aug 17, 2019, 08:12 AM • Last activity: Jan 23, 2025, 09:59 AM
0 votes
1 answers
90 views
What is changing /etc/sssd/sssd.conf?
I have an Ansible playbook that writes to `/etc/sssd/sssd.conf` this Jinja template (variables are defined somewhere else):

```
# This line is just to check that the file is written correctly
[sssd]
domains = {{ domain }}
config_file_version = 2
services = nss, pam

[domain/{{ domain }}]
id_provider = ad
auth_provider = ad
ad_domain = {{ domain }}
ad_server = {{ ad_server }}
krb5_realm = {{ domain | upper }}
cache_credentials = true
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/EXAMPLE/%u
access_provider = simple
simple_allow_groups = {{ simple_allow_groups }}
simple_allow_users = {{ simple_allow_users }}
ignore_group_members = true
enumerate = False
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
```

Then the playbook restarts sssd, and does some `realm leave` and `realm join` operations. After running the playbook, this is the content of `/etc/sssd/sssd.conf` on the server:

```
# This line is just to check that the file is written correctly
[sssd]
domains = example.abc
config_file_version = 2
services = nss, pam

[domain/example.abc]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.ABC
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.abc
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
```

What is changing `/etc/sssd/sssd.conf`, and how?
dr_ (32068 rep)
Jan 22, 2025, 05:12 PM • Last activity: Jan 23, 2025, 08:13 AM
0 votes
1 answers
280 views
Joining domain via Ansible returns error "Already joined to this domain" while via shell is OK
I'm getting a strange message with Ansible. On a RHEL 9 server, I can join our domain via the shell command line

```
realm join example.xyz --user=svc-ansible --computer-ou="OU=Linux Servers, OU=Servers, OU=ACME, OU=Units, DC=example, DC=xyz"
```

Once that is done, I can successfully switch user via `su - johndoe@example.xyz`, where "johndoe" is a user defined in the AD and belonging to an AD group defined in `simple_allow_groups` in the file `/etc/sssd/sssd.conf`. So the config seems to be working.

After that, I run a `realm leave example.xyz --remove -U 'svc-ansible'` and `realm list` beforehand to check that the server is not in the domain anymore. However, when I run via AWX an Ansible playbook defined as this

```
(...)
- name: Set staging_ou
  ansible.builtin.set_fact:
    staging_ou: "OU=Linux Servers, OU=Servers, OU=ACME, OU=Units, DC=example, DC=xyz"

- name: Realm join into domain
  ansible.builtin.expect:
    command: /bin/bash -c 'realm join {{ domain }} --user={{ ad_join_user }} --computer-ou="{{ staging_ou }}"'
    responses:
      Password.*: "{{ ad_join_password }}"
    timeout: 120
(...)
```

I get the following error:

> TASK [playbook_ad_join : Realm join into domain] **********************************
> fatal: [myrhel9server]: FAILED! => {"changed": true, "cmd": "/bin/bash -c 'realm join example.xyz --user=svc-ansible --computer-ou=\"OU=Linux Servers, OU=Servers, OU=ACME, OU=Units, DC=example, DC=xyz\"'", "delta": "0:00:00.152467", "end": "2024-11-13 11:45:09.577079", "msg": "non-zero return code", "rc": 1, "start": "2024-11-13 11:45:09.424612", "stdout": "realm: Already joined to this domain\r\nPlease check\r\n https://red.ht/support_rhel_ad \r\nto get help for common issues.", "stdout_lines": ["realm: Already joined to this domain", "Please check", " https://red.ht/support_rhel_ad ", "to get help for common issues."]}

A `realm list` confirms that the server is indeed in the example.xyz domain and returns the same output as when I ran the `realm join ...` command via the shell.

However, I cannot `su` to AD users anymore: trying to do so returns an error

> su: user johndoe@example.xyz does not exist or the user entry does not contain all the required fields

The link cited in the error message doesn't help. What could be wrong?

---

EDIT 1: Running via the shell the same command run via Ansible, i.e. `/bin/bash -c 'realm join example.xyz (...) '`, doesn't change anything with respect to running `realm join example.xyz (...)` (see top of post).

The other tasks in the playbook only modify a few config files:

- /etc/krb5.conf
- /etc/sssd/sssd.conf
- /usr/local/bin/sss_ssh_authorizedkeys_ad
- /etc/ssh/sshd_config

and install some packages. These do not matter, as the configuration has already converged. I have removed a line which restarted the realmd daemon, since it could be the one causing the issue, but nothing changed.
dr_ (32068 rep)
Nov 13, 2024, 11:28 AM • Last activity: Dec 3, 2024, 10:34 AM
1 votes
2 answers
1432 views
Realm Join Linux - can't login with AD user
I have added my Red Hat Linux 9 to the Active Directory with `realm`. I see the computer in AD now. Then I did `realm permit --all`.

In `/etc/ssh/sshd_config` I added:

```
# Authentication:
AllowGroups "Domain Admins"
```

My account is in the `Domain Admins` group. File `/etc/sssd/sssd.conf`:

```
[sssd]
domains = example.corp
config_file_version = 2
services = nss, pam

[domain/example.corp]
dyndns_update = false
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.CORP
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.corp
ad_hostname = DC01.example.corp
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
```

Login fails:

```
ssh -l jsmith@example.corp 10.120.10.106
jsmith@example.corp@10.120.10.106's password:
Permission denied, please try again.
jsmith@example.corp@10.120.10.106's password:
```

And the messages log has the following:

```
Nov 20 14:28:32 MYLINUX krb5_child: Pre-authentication failed: Invalid argument
Nov 20 14:28:32 MYLINUX krb5_child: Preauthentication failed
Nov 20 14:28:32 MYLINUX krb5_child: Preauthentication failed
Nov 20 14:28:32 MYLINUX krb5_child: Preauthentication failed
```
Roger McCarrick (21 rep)
Nov 20, 2024, 08:46 PM • Last activity: Nov 21, 2024, 06:22 PM
2 votes
1 answers
597 views
SSSD-AD allowing sshd login without password nor key
When trying to get an Ubuntu 22 host joined to our AD domain via SSSD, I have encountered an odd situation where any AD user can log in to the system without any password prompt and with no SSH key set up on the host. In the example below, USER1 is a sanitized account name with no `.ssh` directory and no `authorized_keys` set up on the Ubuntu host.

I believe this is a PAM configuration issue, but I am not sure what specifically in the PAM configs would need to be updated to force a password prompt.

`/etc/ssh/sshd_config` includes:

```
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
AllowTcpForwarding yes
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
UseDNS no
MaxStartups 10:30:100
```

**SSHD debug log output** when USER1 logs into the host successfully without any password prompt on the client side:

```
sshd: debug1: Forked child 158343.
sshd: debug1: Set /proc/self/oom_score_adj to 0
sshd: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
sshd: debug1: inetd sockets after dupping: 4, 4
sshd: Connection from 172.30.128.205 port 64416 on 10.63.129.197 port 22 rdomain ""
sshd: debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
sshd: debug1: Remote protocol version 2.0, remote software version OpenSSH_9.7
sshd: debug1: compat_banner: match: OpenSSH_9.7 pat OpenSSH* compat 0x04000000
sshd: debug1: permanently_set_uid: 106/65534 [preauth]
sshd: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd: debug1: SSH2_MSG_KEXINIT sent [preauth]
sshd: debug1: SSH2_MSG_KEXINIT received [preauth]
sshd: debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
sshd: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
sshd: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
sshd: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
sshd: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
sshd: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
sshd: debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
sshd: debug1: rekey out after 134217728 blocks [preauth]
sshd: debug1: SSH2_MSG_NEWKEYS sent [preauth]
sshd: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
sshd: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
sshd: debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
sshd: debug1: SSH2_MSG_NEWKEYS received [preauth]
sshd: debug1: rekey in after 134217728 blocks [preauth]
sshd: debug1: KEX done [preauth]
sshd: debug1: userauth-request for user USER1 service ssh-connection method none [preauth]
sshd: debug1: attempt 0 failures 0 [preauth]
sshd: debug1: PAM: initializing for "USER1"
sshd: debug1: PAM: setting PAM_RHOST to "172.30.128.205"
sshd: debug1: PAM: setting PAM_TTY to "ssh"
sshd: debug1: userauth_send_banner: sent [preauth]
sshd: debug1: userauth-request for user USER1 service ssh-connection method publickey [preauth]
sshd: debug1: attempt 1 failures 0 [preauth]
sshd: debug1: userauth_pubkey: publickey test pkalg rsa-sha2-512 pkblob RSA SHA256:IvAkAVaIAXzi48uZEHICHHUVZgYQ5QozSfi/YwvJeUM [preauth]
sshd: debug1: temporarily_use_uid: 219435810/219400513 (e=0/0)
sshd: debug1: trying public key file /home/USER1/.ssh/authorized_keys
sshd: debug1: Could not open authorized keys '/home/USER1/.ssh/authorized_keys': No such file or directory
sshd: debug1: restore_uid: 0/0
sshd: Failed publickey for USER1 from 172.30.128.205 port 64416 ssh2: RSA SHA256:IvAkAVaIAXzi48uZEHICHHUVZgYQ5QozSfi/YwvJeUM
sshd: debug1: userauth-request for user USER1 service ssh-connection method keyboard-interactive [preauth]
sshd: debug1: attempt 2 failures 1 [preauth]
sshd: debug1: keyboard-interactive devs [preauth]
sshd: debug1: auth2_challenge: user=USER1 devs= [preauth]
sshd: debug1: kbdint_alloc: devices 'pam' [preauth]
sshd: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
sshd: debug1: do_pam_account: called
sshd: pam_access(sshd:account): cannot resolve hostname "cron"
sshd: pam_access(sshd:account): cannot resolve hostname "crond"
sshd: pam_faillock(sshd:account): Unknown option: unlock
sshd: debug1: PAM: num PAM env strings 2
sshd: Postponed keyboard-interactive for USER1 from 172.30.128.205 port 64416 ssh2 [preauth]
sshd: debug1: do_pam_account: called
sshd: Accepted keyboard-interactive/pam for USER1 from 172.30.128.205 port 64416 ssh2
sshd: debug1: monitor_child_preauth: user USER1 authenticated by privileged process
sshd: debug1: monitor_read_log: child log fd closed
sshd: debug1: PAM: establishing credentials
sshd: pam_unix(sshd:session): session opened for user USER1(uid=219435810) by (uid=0)
systemd-logind: New session 2938 of user USER1.
systemd: pam_faillock(systemd-user:account): Unknown option: unlock
systemd: pam_unix(systemd-user:session): session opened for user USER1(uid=219435810) by (uid=0)
sshd: User child is on pid 158357
sshd: debug1: SELinux support disabled
sshd: debug1: PAM: establishing credentials
sshd: debug1: permanently_set_uid: 219435810/219400513
sshd: debug1: rekey in after 134217728 blocks
sshd: debug1: rekey out after 134217728 blocks
sshd: debug1: ssh_packet_set_postauth: called
sshd: debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
sshd: debug1: Entering interactive session for SSH2.
sshd: debug1: server_init_dispatch
sshd: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
sshd: debug1: input_session_request
sshd: debug1: channel 0: new [server-session]
sshd: debug1: session_new: session 0
sshd: debug1: session_open: channel 0
sshd: debug1: session_open: session 0: link with channel 0
sshd: debug1: server_input_channel_open: confirm session
sshd: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
sshd: debug1: server_input_channel_req: channel 0 request pty-req reply 1
sshd: debug1: session_by_channel: session 0 channel 0
sshd: debug1: session_input_channel_req: session 0 req pty-req
sshd: debug1: Allocating pty.
sshd: debug1: session_new: session 0
sshd: debug1: SELinux support disabled
sshd: debug1: session_pty_req: session 0 alloc /dev/pts/5
sshd: debug1: Ignoring unsupported tty mode opcode 11 (0xb)
sshd: debug1: Ignoring unsupported tty mode opcode 17 (0x11)
sshd: debug1: server_input_channel_req: channel 0 request env reply 0
sshd: debug1: session_by_channel: session 0 channel 0
sshd: debug1: session_input_channel_req: session 0 req env
sshd: debug1: server_input_channel_req: channel 0 request env reply 0
```

**SSSD.conf file contents:**

```
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam
override_space = _
#default_domain_suffix = my.domain.com
domain_resolution_order = my.domain.com
debug_level = 9
full_name_format=%1$s

[nss]
#cache_first = True

[domain/my.domain.com]
#default_shell = /bin/bash
#krb5_store_password_if_offline = True
#cache_credentials = True
#krb5_realm = my.domain.com
#realmd_tags = manages-system joined-with-adcli
#id_provider = ad
#fallback_homedir = /home/%u
#ad_domain = my.domain.com
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = my.domain.com
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = my.domain.com
ad_enabled_domains = my.domain.com
ignore_group_members = True
subdomain_inherit = ignore_group_members
ldap_referrals = False
dyndns_update = false
ad_gpo_access_control = disabled
dyndns_update_ptr = false
ldap_opt_timeout = 20
ldap_network_timeout = 20
dns_resolver_timeout = 20
ad_use_ldaps = false
```

**/etc/pam.d/sshd**

```
# grep -v "#" /etc/pam.d/sshd
@include common-auth
account    required     pam_nologin.so
account    required     pam_access.so
@include common-account
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    required     pam_limits.so
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
```

**common-auth**

```
auth    [default=4 success=ok]          pam_localuser.so
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
```

**common-password**

```
password    [success=2 default=ignore]  pam_unix.so obscure yescrypt
password    sufficient                  pam_sss.so use_authtok
password    requisite                   pam_deny.so
password    required                    pam_permit.so
```

**common-account**

```
account    [success=1 new_authtok_reqd=done default=ignore]   pam_unix.so
account    requisite                       pam_deny.so
account    required                        pam_permit.so
account    sufficient                      pam_localuser.so
account    [default=bad success=ok user_unknown=ignore]       pam_sss.so
account    required                        pam_faillock.so
```
Alex (85 rep)
Sep 5, 2024, 05:26 PM • Last activity: Sep 22, 2024, 12:50 PM
1 votes
2 answers
124 views
Add Linux server to AD without entering password
When I run the command:

```
realm join -U adminuser@PORTON.COM.IL porton.com.il --verbose
```

I am prompted to enter the password for adminuser@PORTON.COM.IL. Since I want to run this in a script for a lot of servers, is there a way to skip this prompt or automatically send the password from the script (the script runs in bash or csh)?
paul (13 rep)
Sep 18, 2024, 04:52 AM • Last activity: Sep 18, 2024, 08:36 AM
-2 votes
1 answers
442 views
LDAP: What is the most suitable solution for remote home directories today?
I have created an LDAP (OpenLDAP and LAM) server with a structure, and I solved the remote configuration of sudo. I configured the client stations (they will be exclusively Linux Ubuntu) to use LDAP with SSSD, and the connections are encrypted (ldaps). Now I need to resolve remote shared home directories for users that are created in the LDAP database. A sufficiently large disk with appropriate quotas set is connected to the server where the LDAP server is running. The user from the client PC logs into the system after successful authentication using LDAP and SSSD. At this point I would need to:

- After logging in via SSSD and LDAP, the user gets access to his remote home directory (on the server where LDAP is running).
- The remote directory will be automatically mounted to /home/user_name-from_LDAP after login.

I have read several tutorials and how-tos, and tried deploying Samba. However, many instructions are outdated, incomplete and often focus only on a certain part. I'm just a beginner in LDAP, Samba and Kerberos. With Samba, I read about a problem with connecting Samba-LDAP user databases, where maintaining and managing users is difficult. I ran into this problem when trying to configure it, and also failed to connect Samba to LDAPS with constant TLS errors, while all test steps with ldapsearch and openssl went OK. I also read about the possibility of using Kerberos in addition to LDAP and Samba. Compatibility with Windows clients was also often addressed, which will not be my case.

I'm honestly confused and I'm looking for the most efficient, easiest to manage, and easiest to implement solution with some clear instructions. So my question is: which alternative should I choose for remote home directories? LDAP should be used, the user database is created in OpenLDAP, and the client stations will be Linux Ubuntu operating systems with SSSD only. The goal is also to automatically mount remote home directories after client login. Thanks for any advice and guidance.
Mato (609 rep)
Aug 24, 2024, 08:28 PM • Last activity: Aug 25, 2024, 10:02 AM