View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016406 | CentOS-7 | realmd | public | 2019-09-17 17:14 | 2019-09-17 17:20 |

Field | Value |
---|---|
Reporter | hking |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | new |
Resolution | open |
Platform | x86_64 |
OS | CentOS |
OS Version | 7.6.1810 |
Product Version | 7.6.1810 |
Target Version | |
Fixed in Version | |
Summary | 0016406: REALM commands stop working after adjusting realm-generated "sssd.conf" or adding custom SSSD configs in "/etc/sssd/conf.d" |
Description

When following the way recommended by Red Hat to prepare client machines for joining realms/domains using "realm join" (see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#sssd-ad-proc), the realm command stops working when:

- adapting the realm-generated System Security Services Daemon (SSSD) main configuration file "/etc/sssd/sssd.conf"
- placing a custom/tailored SSSD configuration below "/etc/sssd/conf.d/*.conf" (see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd-multiple-config-files) that overrides/extends central configuration directives specified in "/etc/sssd/sssd.conf"

As the "realm" command does not support passing special SSSD-specific configuration settings like

- "id_provider = ldap"
- "auth_provider"
- "chpass_provider"
- "ldap_uri"
- "ldap_search_base"
- "ldap_tls_reqcert"
- "ldap_user_principal"
- etc.

the "realm join" command seems to be inflexible regarding the creation of a custom SSSD configuration file, especially when having to deal with an environment where the Linux attributes are kept separate from the central Microsoft Active Directory authentication identities, in a separate LDAP directory service.
Steps To Reproduce

1. Set up a Microsoft Active Directory (AD) domain controller incl. Kerberos support
2. Create an administrative AD account that is allowed to write to the AD (to create the machine accounts during the "realm join" run)
3. Set up an LDAP directory service to provision the Linux account attributes
4. Install the following RPM packages on the CentOS machine that has to be AD joined: realmd, adcli, sssd, authconfig, krb5-workstation, oddjob, oddjob-mkhomedir, samba-common-tools
5. Execute the following command to join the machine: "realm join -v -U <binding_user_name> <realm_name>" (this action updates and modifies values in an existing "/etc/sssd/sssd.conf" file, see the enclosed attachment)
6a. Replace the current main SSSD configuration file "/etc/sssd/sssd.conf" with the custom/tailored one (see "sssd.conf_custom.txt"). This configuration works from an SSSD perspective but leads to a broken "realm" command that no longer allows listing the joined realms, leaving the joined realm, etc.
6b. Alternatively, put the custom/tailored SSSD configuration file (see "sssd.conf_custom.txt") below "/etc/sssd/conf.d"
7. Execute "systemctl restart sssd"
Additional Information

"realmd" is just a wrapper tool for:

- System Security Services Daemon (SSSD)
- /usr/bin/net (provided by "samba-common-tools")
- /usr/sbin/authconfig (provided by "authconfig")
- /usr/bin/systemctl (provided by "systemd")

To our understanding it should allow customizing the generated SSSD configuration during the join run, or at least support adding customized SSSD configuration files below "/etc/sssd/conf.d"!
Field | Value |
---|---|
Tags | No tags attached. |
abrt_hash | |
URL | |
Attachment: sssd.conf_after_realm_join.txt (470 bytes)

```ini
# /etc/sssd/sssd.conf as written by "realm join" (placeholders in angle brackets)
[sssd]
domains = <realm_to_be_joined>
config_file_version = 2
services = nss, pam

[domain/<realm_to_be_joined>]
ad_domain = <realm_to_be_joined>
# krb5_realm is the realm name in uppercase
krb5_realm = <REALM_TO_BE_JOINED>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
```

Attachment: sssd.conf_custom.txt (1,162 bytes)

```ini
# custom/tailored /etc/sssd/sssd.conf: identities from a separate LDAP directory,
# authentication against the AD Kerberos realm (placeholders in angle brackets)
[sssd]
domains = <realm_to_join>
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, autofs
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>[^.]+).+$)|(^(?P<name>[^@\\]+)$))

[nss]
reconnection_retries = 3
override_homedir = /lhome/%u
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/<realm_to_join>]
enumerate = true
ad_domain = <realm_to_join>
# krb5_realm is the realm name in uppercase
krb5_realm = <REALM_TO_JOIN>
realmd_tags = manages-system joined-with-samba
cache_credentials = True
case_sensitive = false
default_shell = /bin/bash
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_server = <realm_to_join>
krb5_kpasswd = <realm_to_join>
krb5_realm = <REALM_TO_JOIN>
krb5_store_password_if_offline = True
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ldap_uri = ldap://<read-only_ldap_instance>:389/,ldap://<master_ldap_instance>:389/
ldap_search_base = <DN_of_tree_where_to_start_search>
ldap_tls_reqcert = demand
ldap_user_principal = userPrincipalName
```

Important note: the custom "sssd.conf" works, as users can successfully authenticate towards the Microsoft AD and retrieve UID and GID attributes out of the separate LDAP directory service!
Date Modified | Username | Field | Change |
---|---|---|---|
2019-09-17 17:14 | hking | New Issue | |
2019-09-17 17:14 | hking | File Added: sssd.conf_after_realm_join.txt | |
2019-09-17 17:14 | hking | File Added: sssd.conf_custom.txt | |
2019-09-17 17:14 | hking | Tag Attached: realmd sssd | |
2019-09-17 17:18 | hking | Tag Detached: realmd sssd | |
2019-09-17 17:20 | hking | Note Added: 0035107 |
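Added check script (editor's example; it is not part of this bug report, of realmd or of SSSD). It parses an sssd.conf the way realmd is assumed to and reports which configured domains "realm list" would still show. The assumptions, which the report itself does not confirm and which are also stated in the code, are: realmd reads /etc/sssd/sssd.conf only (never /etc/sssd/conf.d/*.conf), takes the list from "[sssd] domains =", and registers a domain only if its "[domain/<name>]" section has "id_provider = ad" or "id_provider = ipa". Under those assumptions the custom config above, with "id_provider = ldap", leaves realmd with no realm to list or leave. The two sample configs are constructed from the attachments with the placeholder realm filled in as the made-up "example.test"; the function names are the editor's.

```shell
#!/bin/sh
# Added example, not code from the bug report, realmd or SSSD.
# Assumption (stated as such): realmd reads /etc/sssd/sssd.conf only, walks the
# "[sssd] domains =" list and registers a domain only when its [domain/<name>]
# section has id_provider = ad or id_provider = ipa. Other providers such as
# ldap are ignored, and /etc/sssd/conf.d/*.conf is never read, so "realm list"
# and "realm leave" find nothing after the custom config is installed.

# Print one line per domain listed in [sssd] domains:
#   <domain> <id_provider or (none)> <visible|ignored>
realmd_visible_domains() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                       # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\][ \t]*$/, "", sec)
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == "sssd" && key == "domains")
                domains = val
            else if (sec ~ /^domain\// && key == "id_provider")
                prov[substr(sec, 8)] = val              # strip the "domain/" prefix
        }
        END {
            n = split(domains, d, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (d[i] == "") continue
                p = (d[i] in prov) ? prov[d[i]] : "(none)"
                status = (p == "ad" || p == "ipa") ? "visible" : "ignored"
                print d[i], p, status
            }
        }
    ' "$1"
}

# Exit status 0 if realmd would still list at least one domain, 1 otherwise.
realmd_would_list_any() {
    realmd_visible_domains "$1" | grep -q ' visible$'
}

# Constructed sample configs modelled on the two attachments, with the
# placeholders filled in with the made-up realm "example.test".
write_sample_configs() {
    cat > "$1/after_join.conf" <<'EOF'
[sssd]
domains = example.test
config_file_version = 2
services = nss, pam

[domain/example.test]
ad_domain = example.test
krb5_realm = EXAMPLE.TEST
realmd_tags = manages-system joined-with-samba
id_provider = ad
access_provider = ad
EOF
    cat > "$1/custom.conf" <<'EOF'
[sssd]
domains = example.test
config_file_version = 2
services = nss, pam, ssh, autofs

[domain/example.test]
ad_domain = example.test
krb5_realm = EXAMPLE.TEST
realmd_tags = manages-system joined-with-samba
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ldap-ro.example.test:389/,ldap://ldap-rw.example.test:389/
ldap_search_base = dc=example,dc=test
EOF
}

# Stand-alone use: sh check_realmd_domains.sh /etc/sssd/sssd.conf
if [ -n "${1:-}" ]; then
    realmd_visible_domains "$1"
    if realmd_would_list_any "$1"; then
        echo "OK: realmd would still list a domain from $1"
    else
        echo "WARNING: no domain in $1 has id_provider = ad/ipa; realm list/leave would find nothing"
    fi
fi
```

Run it against the real file before and after swapping in a custom config; the realm-generated sample yields "example.test ad visible", the custom one "example.test ldap ignored". Because the check only ever looks at the one file it is given, pointing it at a conf.d snippet does not change the verdict for sssd.conf, which mirrors the assumption that realmd does not consult conf.d at all.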