[Authentication] realm list output changes after joining AD domain
Ben Cohen
cohen.ben at gmail.com
Fri Mar 27 16:39:04 PDT 2015
Hi -- I posted this question to serverfault -- I think maybe I should ping this list though, as I'm not sure if this is a bug:
http://serverfault.com/questions/678884/realm-join-client-software-sssd-on-centos-7-joins-two-realms-one-with-sssd
On a clean-installed centos-7 host:
realm join -U foo --client-software sssd AD.EXAMPLE.COM
After running it, realm list output initially looks like this:
AD.EXAMPLE.COM
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins
Showing me that I joined an active directory with sssd as I had intended --
logins work as expected both via ssh and samba.
Later on (not sure what triggers it, but a system reboot guarantees it) -- the realm list output changes to this:
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common
  login-formats: AD\%U
  login-policy: allow-any-login
AD.EXAMPLE.COM
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins
A few more details -- after running realm join --verbose --client-software sssd --user foo AD.EXAMPLE.COM, I
(1) shut down sssd
(2) replace sssd.conf
(3) rm -rf /var/lib/sss/db/*
(4) restart sssd
I have to do this because the active directory domain I'm joining is larger
than the default ldap_idmap_range_size -- the sssd.conf I generate looks
like this:
[sssd]
domains = AD.UCSD.EDU
config_file_version = 2
services = nss, pam

[domain/AD.UCSD.EDU]
ad_domain = AD.UCSD.EDU
krb5_realm = AD.UCSD.EDU
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
ldap_idmap_default_domain=AD.UCSD.EDU
ldap_idmap_range_size=2000000
ldap_search_base = dc=AD,dc=UCSD,dc=EDU
override_homedir=/home/%d/%u
dyndns_update=False
access_provider = ad
# define the sts_ad_access_filter host variable in ansible if you wish to restrict access to this host
# example: sts_ad_access_filter: "(memberOf=CN=somts,OU=Share-access,OU=BusinessOffice,OU=Groups,OU=SOMTS,OU=SIO,DC=AD,DC=UCSD,DC=EDU)"
I also tried with a realmd.conf:
[active-directory]
default-client = sssd

[service]
automatic-install = no
No matter what I do:
- realm list initially doesn't return anything about a winbind domain -- but everything works
- after reboot, realm list shows the two domains (and now I can log in as either user@ad.example.com or AD\\user ...
Maybe this is by design -- but I suspect that something is afoot and this has me worried ... I've been re-doing clean installs trying to figure this out for hours now -- here's a snippet from my ansible config that automated this, if it helps anyone reproduce ...
---
- name: "Ensure libraries required to join Active Directory domain are installed"
  yum: name={{ item }} state="present"
  with_items:
    - krb5-workstation
    - realmd
    - sssd
    - samba
    - oddjob
    - oddjob-mkhomedir
    - adcli
    - samba-common

- name: "Ensure winbind is not present to avoid the possibility of CRAZY CONFUSION?"
  yum: name={{ item }} state="absent"
  with_items:
    - samba-winbind
    - samba-winbind-clients
    - samba-winbind-krb5-locator
    - samba-winbind-modules

- name: "Ensure sane realmd.conf exists prior to running realm command"
  template: src=sssd/realmd.conf.j2 dest=/etc/realmd.conf

- name: "Test if we are currently part of Active Directory"
  shell: "realm list"
  register: domain_membership_test
  ignore_errors: True

- name: "Join to UCSD Active directory if needed"
  when: domain_membership_test.stdout.find("AD.EXAMPLE.COM") == -1
  shell: "echo -n {{ foo_password_from_vault }} | realm join --user foo --verbose --client-software sssd --server-software active-directory AD.EXAMPLE.COM"
  notify:
    - clear sssd cache and restart

#- name: "Ensure appropriate krb5.conf file is deployed"
#  template: src=sssd/krb5.conf.j2 dest=/etc/krb5.conf

# a custom sssd.conf is needed rather than the one built by realm for a few reasons:
# - default ldap_idmap_range_size is too small for ucsd-ad
# - want custom ad_access_filter
# - want deterministic id mapping for @AD.EXAMPLE.COM domain which requires:
#   using a pre-established ldap_idmap_range_size and using ldap_idmap_default_domain
#   which ensures that @ad.ucsd.edu will always be mapped into first domain 'slice'
- name: "Ensure appropriate sssd.conf is deployed"
  template: src=sssd/sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=0600
  notify:
    - clear sssd cache and restart

- name: "Ensure sssd service is enabled"
  service: name=sssd enabled=yes
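As an added example (not code from the post or from realmd), a small Python check that parses `realm list` output and flags the situation described above: a realm reported under a client-software other than the one you joined with, or the same realm name appearing under two different clients. The sample output is constructed from the post's second listing, trimmed to the attributes the check uses.

```python
# Constructed sample: the doubled `realm list` output from the post above,
# trimmed to the attributes the check below needs.
SAMPLE_REALM_LIST = """\
ad.example.com
  realm-name: AD.EXAMPLE.COM
  client-software: winbind
  required-package: samba-winbind
  required-package: samba-common
  login-formats: AD\\%U
  login-policy: allow-any-login
AD.EXAMPLE.COM
  realm-name: AD.EXAMPLE.COM
  client-software: sssd
  required-package: sssd
  required-package: samba-common
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins
"""

def parse_realm_list(text):
    """Split `realm list` output into one dict per realm block: a line with
    no leading whitespace starts a block, indented `key: value` lines belong
    to it, and repeated keys (required-package) are collected into a list."""
    realms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            realms.append({"name": line.strip()})
            continue
        key, _, value = line.strip().partition(":")
        current, value = realms[-1], value.strip()
        if key in current:
            prev = current[key]
            current[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            current[key] = value
    return realms

def find_conflicts(realms, expected_client="sssd"):
    """Report realms joined with a client other than the intended one, and
    realm names claimed by more than one client-software (the post's case)."""
    issues, by_realm = [], {}
    for r in realms:
        client = r.get("client-software")
        by_realm.setdefault(r.get("realm-name"), set()).add(client)
        if client != expected_client:
            issues.append((r["realm-name"], client))
    return issues, [n for n, c in by_realm.items() if len(c) > 1]
```

Feeding the registered `realm list` stdout from the play above into parse_realm_list and failing the task when find_conflicts returns anything turns the post-reboot surprise into a visible failed run.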