View Issue Details

ID: 0016406
Project: CentOS-7
Category: realmd
View Status: public
Last Update: 2019-09-17 17:20
Reporter: hking
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 7.6.1810
Product Version: 7.6.1810
Target Version: (none)
Fixed in Version: (none)
Summary: 0016406: REALM commands stop working after adjusting realm-generated "sssd.conf" or adding custom SSSD configs in "/etc/sssd/conf.d"
Description: When following the way recommended by Red Hat to prepare client machines for joining realms/domains using "realm join" (see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#sssd-ad-proc), the realm command stops working when:
- adapting the realm-generated System Security Services Daemon (SSSD) main configuration file below "/etc/sssd/sssd.conf"
- placing a custom/tailored SSSD configuration below "/etc/sssd/conf.d/*.conf" (see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd-multiple-config-files) overwriting/enhancing central configuration directives specified in "/etc/sssd/sssd.conf"

As the "realm" command does not support passing special SSSD-specific configuration settings like:
- "id_provider=ldap",
- "auth_provider",
- "chpass_provider",
- "ldap_uri",
- "ldap_search_base",
- "ldap_tls_reqcert",
- "ldap_user_principal", etc.,

the "realm join" command seems to be inflexible regarding the creation of a custom SSSD configuration file, especially when having to deal with an environment where Linux attributes are separated from the central authentication (Microsoft Active Directory) identities using a separate LDAP directory service.
Steps To Reproduce:
1. Set up a Microsoft Active Directory (AD) domain controller incl. Kerberos support
2. Create an administrative AD account allowed to write to the AD (to create the machine accounts during the "realm join" run)
3. Set up an LDAP directory service to provision Linux account attributes
4. Install the following RPM packages on a CentOS machine that has to be AD joined: realmd, adcli, sssd, authconfig, krb5-workstation, oddjob, oddjob-mkhomedir, samba-common-tools
5. Execute the following command to join the machine: "realm join -v -U <binding_user_name> <realm_name>" (this action updates and modifies values in an existing "/etc/sssd/sssd.conf" file, see the enclosed attachment).
6a. Replace the current main SSSD configuration file below "/etc/sssd/sssd.conf" with the custom/tailored one (see "sssd.conf_custom.txt"). This configuration works from an SSSD perspective but leads to a broken "realm" command, not allowing to list joined realms, to leave the joined realm, etc.
6b. Alternatively, put the custom/tailored SSSD configuration file (see "sssd.conf_custom.txt") below "/etc/sssd/conf.d".
7. Execute "systemctl restart sssd".
Additional Information: "realmd" is just a wrapper tool for:
- System Security Services Daemon (SSSD)
- /usr/bin/net (provided by "samba-common-tools")
- /usr/sbin/authconfig (provided by "authconfig")
- /usr/bin/systemctl (provided by "systemd")

To our understanding it should allow customizing the generated SSSD during the join run or at least support adding customized SSSD configuration files below "/etc/sssd/conf.d"!
Tags: No tags attached.

Activities

hking (reporter), 2019-09-17 17:14

sssd.conf_after_realm_join.txt (470 bytes)
[sssd]
domains = <realm_to_be_joined>
config_file_version = 2
services = nss, pam

[domain/<realm_to_be_joined>]
ad_domain = <realm_to_be_joined>
krb5_realm = <realm_to_be_joined> (in uppercase)
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
sssd.conf_custom.txt (1,162 bytes)
[sssd]
domains = <realm_to_join>
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, autofs
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>[^.]+).+$)|(^(?P<name>[^@\\]+)$))

[nss]
reconnection_retries = 3
override_homedir = /lhome/%u
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/<realm_to_join>]
enumerate = true
ad_domain = <realm_to_join>
krb5_realm = <realm_to_join> (uppercase)
realmd_tags = manages-system joined-with-samba
cache_credentials = True
case_sensitive = false
default_shell = /bin/bash
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_server = <realm_to_join>
krb5_kpasswd = <realm_to_join>
krb5_realm = <realm_to_join> (uppercase)
krb5_store_password_if_offline = True
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ldap_uri = ldap://<read-only_ldap_instance>:389/,ldap://<master_ldap_instance>:389/
ldap_search_base = <DN_of_tree_where_to_start_search>
ldap_tls_reqcert = demand
ldap_user_principal = userPrincipalName
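Added example (not part of the bug report or of realmd/SSSD): a small Python check that computes the configuration SSSD will actually run from "sssd.conf" plus the snippets in "/etc/sssd/conf.d", and then reports which of the keys realmd wrote into the "[domain/...]" section a customization changed or dropped. The merge rule is the one documented in sssd.conf(5): snippets are read in alphabetical order, only files ending in ".conf" (no dotfiles) are loaded, and a later value for the same section and key overrides an earlier one. The two configuration strings are constructed, abridged stand-ins for the attached files; "example.test" is a placeholder realm. Running it side by side for step 6a (replace "sssd.conf") and step 6b (drop the file into "conf.d") makes the difference between the two approaches visible: a wholesale replacement silently drops realm-generated keys such as access_provider, while the conf.d overlay keeps them and only overrides what the snippet sets.

```python
import configparser

# Constructed, abridged stand-ins for the two attached files; "example.test"
# is a placeholder realm, not a real domain.
GENERATED = """\
[sssd]
domains = example.test
config_file_version = 2
services = nss, pam

[domain/example.test]
ad_domain = example.test
krb5_realm = EXAMPLE.TEST
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
"""

CUSTOM = """\
[sssd]
domains = example.test
config_file_version = 2
services = nss, pam, ssh, autofs

[nss]
override_homedir = /lhome/%u
debug_level = 9

[domain/example.test]
enumerate = true
ad_domain = example.test
krb5_realm = EXAMPLE.TEST
realmd_tags = manages-system joined-with-samba
cache_credentials = True
default_shell = /bin/bash
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_server = example.test
krb5_realm = EXAMPLE.TEST
krb5_store_password_if_offline = True
ldap_uri = ldap://ro-ldap.example.test:389/,ldap://ldap.example.test:389/
ldap_search_base = dc=example,dc=test
ldap_tls_reqcert = demand
ldap_user_principal = userPrincipalName
"""


def parse_sssd_conf(text):
    """Parse one SSSD config file into {section: {key: value}}.

    strict=False tolerates a key repeated inside a section (krb5_realm appears
    twice in the attached custom file); the last occurrence wins. Interpolation
    is off so values such as /home/%u@%d are kept verbatim.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # SSSD keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_config(main_text, snippets):
    """Merge sssd.conf with conf.d snippets ({filename: text}) per sssd.conf(5)."""
    merged = parse_sssd_conf(main_text)
    for name in sorted(snippets):  # alphabetical order, later file wins
        if name.startswith(".") or not name.endswith(".conf"):
            continue  # SSSD ignores dotfiles and files without a .conf suffix
        for section, opts in parse_sssd_conf(snippets[name]).items():
            merged.setdefault(section, {}).update(opts)
    return merged


def realm_settings_drift(generated, effective, domain):
    """Keys realmd wrote into [domain/<domain>] whose effective value differs.

    Returns {key: (generated_value, effective_value)}; None means the key is gone.
    """
    section = f"domain/{domain}"
    before = generated.get(section, {})
    after = effective.get(section, {})
    return {k: (v, after.get(k)) for k, v in before.items() if after.get(k) != v}


if __name__ == "__main__":
    gen = parse_sssd_conf(GENERATED)
    # Step 6a: sssd.conf replaced wholesale, nothing in conf.d.
    print("6a replace:", realm_settings_drift(gen, effective_config(CUSTOM, {}), "example.test"))
    # Step 6b: realm-generated sssd.conf kept, custom file dropped into conf.d.
    overlay = effective_config(GENERATED, {"10-ldap.conf": CUSTOM})
    print("6b overlay:", realm_settings_drift(gen, overlay, "example.test"))
```

On a real host, read "/etc/sssd/sssd.conf" and the files under "/etc/sssd/conf.d" into the same two arguments; the drift report then shows exactly which realm-managed keys the customization altered, which is the first thing to compare when "realm list" or "realm leave" stops recognising a joined domain.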
hking (reporter), 2019-09-17 17:20, note ~0035107

Important note: the custom "sssd.conf" works as users can successfully authenticate towards the Microsoft AD and retrieve UID, GID attributes out of the separate LDAP directory service!

Issue History

Date Modified Username Field Change
2019-09-17 17:14 hking New Issue
2019-09-17 17:14 hking File Added: sssd.conf_after_realm_join.txt
2019-09-17 17:14 hking File Added: sssd.conf_custom.txt
2019-09-17 17:14 hking Tag Attached: realmd sssd
2019-09-17 17:18 hking Tag Detached: realmd sssd
2019-09-17 17:20 hking Note Added: 0035107