[Authentication] realm list output changes after joining AD domain

Ben Cohen cohen.ben at gmail.com
Fri Mar 27 16:44:27 PDT 2015


aww I missed a few anonymizing translations when cut/pasting for email ...
 since the cat's out of the bag -- everywhere that references AD.EXAMPLE.COM
was me attempting to manually edit for emailing the list -- to be clear,
that configuration is consistent on my test host

On Fri, Mar 27, 2015 at 4:39 PM, Ben Cohen <cohen.ben at gmail.com> wrote:

> Hi -- I posted this question to serverfault -- I think maybe I should ping
> this list though as I'm not sure if this is a bug:
>
>
> http://serverfault.com/questions/678884/realm-join-client-software-sssd-on-centos-7-joins-two-realms-one-with-sssd
>
> On clean installed centos-7 host:
>
> realm join -U foo --client-software sssd AD.EXAMPLE.COM
>
> After running realm list output looks initially like this:
>
> AD.EXAMPLE.COM
>   type: kerberos
>   realm-name: AD.EXAMPLE.COM
>   domain-name: ad.example.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common
>   login-formats: %U at ad.example.com
>   login-policy: allow-realm-logins
>
> Showing me that I joined an active directory with sssd as I had intended
> -- logins work as expected both via ssh and samba.
>
> Later on (not sure what triggers it, but a system reboot guarantees it)
> -- the realm list output changes to this:
>
> ad.example.com
>   type: kerberos
>   realm-name: AD.EXAMPLE.COM
>   domain-name: ad.example.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: winbind
>   required-package: oddjob-mkhomedir
>   required-package: oddjob
>   required-package: samba-winbind-clients
>   required-package: samba-winbind
>   required-package: samba-common
>   login-formats: AD\%U
>   login-policy: allow-any-login
>
> AD.EXAMPLE.COM
>   type: kerberos
>   realm-name: AD.EXAMPLE.COM
>   domain-name: ad.example.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common
>   login-formats: %U at ad.example.com
>   login-policy: allow-realm-logins
>
> A few more details: -- after running realm join --verbose
> --client-software sssd --user foo AD.EXAMPLE.COM, I
>
> (1) shutdown sssd
> (2) replace sssd.conf
> (3) rm -rf /var/lib/sss/db/*
> (4) restart sssd
>
> I have to do this because the active directory domain I'm joining is
> larger than the default ldap_idmap_range_size -- the sssd.conf I generate
> looks like this:
>
> [sssd]
> domains = AD.UCSD.EDU
> config_file_version = 2
> services = nss, pam
>
> [domain/AD.UCSD.EDU]
> ad_domain = AD.UCSD.EDU
> krb5_realm = AD.UCSD.EDU
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%d/%u
> ldap_idmap_default_domain=AD.UCSD.EDU
> ldap_idmap_range_size=2000000
> ldap_search_base = dc=AD,dc=UCSD,dc=EDU
> override_homedir=/home/%d/%u
> dyndns_update=False
> access_provider = ad
>
> # define the sts_ad_access_filter host variable in ansible if you wish to restrict access to this host
> # example: sts_ad_access_filter: "(memberOf=CN=somts,OU=Share-access,OU=BusinessOffice,OU=Groups,OU=SOMTS,OU=SIO,DC=AD,DC=UCSD,DC=EDU)"
>
>
> I also tried with a realmd.conf:
>
> [active-directory]
> default-client = sssd
>
> [service]
> automatic-install = no
>
> No matter what I do:
>
> - realm list initially doesn't return anything about a winbind domain --
> but everything works
> - after reboot, realm list shows the two domains (and now I can log in as
> either user at ad.example.com or AD\\user ...)
>
> Maybe this is by design -- but I suspect that something is afoot and this
> has me worried ...  I've been re-doing clean installs trying to figure this
> out for hours now -- here's a snippet from the ansible config that automates
> this, if it helps anyone reproduce ...
>
> ---
>
> - name: "Ensure libraries required to join Active Directory domain are installed"
>   yum: name={{ item }} state="present"
>   with_items:
>     - krb5-workstation
>     - realmd
>     - sssd
>     - samba
>     - oddjob
>     - oddjob-mkhomedir
>     - adcli
>     - samba-common
>
>
> - name: "Ensure winbind is not present to avoid the possibility of CRAZY CONFUSION?"
>   yum: name={{ item }} state="absent"
>   with_items:
>     - samba-winbind
>     - samba-winbind-clients
>     - samba-winbind-krb5-locator
>     - samba-winbind-modules
>
> - name: "Ensure sane realmd.conf exists prior to running realm command"
>   template: src=sssd/realmd.conf.j2 dest=/etc/realmd.conf
>
> - name: "Test if we are currently part of Active Directory"
>   shell: "realm list"
>   register: domain_membership_test
>   ignore_errors: True
>
> - name: "Join to UCSD Active directory if needed"
>   when: domain_membership_test.stdout.find("AD.EXAMPLE.COM") == -1
>   shell: "echo -n {{ foo_password_from_vault }} | realm join --user foo --verbose --client-software sssd --server-software active-directory AD.EXAMPLE.COM"
>   notify:
>     - clear sssd cache and restart
>
> #- name: "Ensure appropriate krb5.conf file is deployed"
> #  template: src=sssd/krb5.conf.j2 dest=/etc/krb5.conf
>
> # a custom sssd.conf is needed rather than the one built by realm for a few reasons:
> # - default ldap_idmap_range_size is too small for ucsd-ad
> # - want custom ad_access_filter
> # - want deterministic id mapping for @AD.EXAMPLE.COM domain which requires:
> #   using a pre-established ldap_idmap_range_size and using ldap_idmap_default_domain which ensures that @ad.ucsd.edu will always be mapped into first domain 'slice'
> - name: "Ensure appropriate sssd.conf is deployed"
>   template: src=sssd/sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=0600
>   notify:
>     - clear sssd cache and restart
>
> - name: "Ensure sssd service is enabled"
>   service: name=sssd enabled=yes
>
>
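As an added check (example code, not from the original post or the realmd project), the following Python parses the `realm list` text format shown in the thread and flags what the post describes: an entry whose client-software is not the expected one, the allow-any-login policy, and two entries naming the same realm. The sample output is a constructed copy of the post-reboot listing with the package lines trimmed.

```python
# Audit `realm list` output for a second, unexpected realm entry (added
# example; SAMPLE_REALM_LIST is constructed from the post-reboot listing).
from typing import Dict, List

SAMPLE_REALM_LIST = """\
ad.example.com
  realm-name: AD.EXAMPLE.COM
  client-software: winbind
  required-package: samba-winbind
  required-package: samba-winbind-clients
  login-formats: AD\\%U
  login-policy: allow-any-login
AD.EXAMPLE.COM
  realm-name: AD.EXAMPLE.COM
  client-software: sssd
  required-package: sssd
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins
"""

# One dict per entry: {"name": [header line], "<key>": [values]}; values are
# lists because keys such as required-package repeat.
def parse_realm_list(text: str) -> List[Dict[str, List[str]]]:
    realms: List[Dict[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # unindented line starts a realm
            realms.append({"name": [raw.strip()]})
        elif realms:                        # indented "key: value" line
            key, _, value = raw.strip().partition(":")
            realms[-1].setdefault(key.strip(), []).append(value.strip())
    return realms

def audit_realms(realms, expected_client: str = "sssd") -> List[str]:
    findings, seen = [], {}
    for r in realms:
        name = r["name"][0]
        realm_name = r.get("realm-name", [name])[0]
        client = r.get("client-software", ["?"])[0]
        if client != expected_client:
            findings.append(f"{name}: client-software {client}, expected {expected_client}")
        if r.get("login-policy", [""])[0] == "allow-any-login":
            findings.append(f"{name}: allow-any-login admits every account in {realm_name}")
        if realm_name in seen:              # same realm listed twice (sssd + winbind)
            findings.append(f"{name}: duplicate entry for {realm_name} (also {seen[realm_name]})")
        else:
            seen[realm_name] = name
    return findings
```

Run it against `realm list` output captured on the host after a reboot; an empty findings list means only the intended sssd entry is present.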