Can sles11sp4 do sssd+AD+Kerberos?

Tried following the instructions here →

No luck. Got it to run without errors, but getent never returned anything from AD - only from “files”.

So, using realmd I configured sssd on a Centos 7 vm. With some help from our Windows people, got it to work. Copied the sssd.conf, krb5.conf, and krb5.keytab to a fresh sles11.4 vm that has the same name as the Centos vm. sssd fails complaining that /usr/lib64/sssd/ does not exist. Sigh.

Does sssd actually work in sles11sp4? We need AD with Kerberos, real UID/GIDs, netgroups, and auto-mounted homedirs for this to be a success.

Here’s the realmd generated sssd.conf:

domains =
default_domain_suffix = FNC.FAKENAME.COM
config_file_version = 2
services = nss, pam

ad_domain =
debug_level = 9
krb5_realm = FNC.FAKENAME.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

And the krb5.conf:

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

  • I have pursued getting then, Novell, to rewrite that TID to be better detailed and more operationally relevant, even providing the re-write, but was not successful.

  • The SSSD AD provider is not available on SLES 11, the LDAP or LDAP/Kerberos providers are required for SSSD connectivity to AD (I have discussed this with SUSE, but the AD provider, sssd-ad package) itself isn’t provided on the SLES platform until v 12). Hence your /usr/lib64/sssd/ error.

  • The standard /etc/krb5.keytab file created from a domain join operation will not be transferable between different hosts.

The SSSD LDAP/Kerberos configuration on SLES 11 can be a bit clunky to implement using YaST, so I implement it manually.

In a nutshell my procedure for SLES 11 connectivity to AD using the SSSD is:

  1. Configure the Linux system to use the same DNS and time source as the target AD domain.

Check that the /etc/HOSTNAME file contains the FQDN of your Linux server.

Check time synchronisation with the target domain.

Check key domain SRV records used for LDAP and Kerberos functionality.

darkvixen240:~ # host -t SRV
darkvixen240:~ # host -t SRV

  1. Install the SSSD client (sssd) and sssd LDAP (sssd-ldap) and SSSD Kerberos providers (sssd-krb5) and the python-sssd-config package.

I would also install the sssd-tools package for the sssd cache management utilities.

  1. Manually implement and test the SLES Kerberos client (doing so in YaST will implement the pam_ldap and pam_krb5 modules which are unnecessary).

Install the Kerberos client (krb5-client) package.
Configure the /etc/krb5.conf file (The SP4 krb5.conf file has some different options, but use this SP3 example as a template).

default_realm = DVC.DARKVIXEN.COM
clockskew = 300

kdc =
default_domain =
admin_server =

kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log

[domain_realm] = DVC.DARKVIXEN.COM

pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 10000
clockskew = 300
external = sshd
use_shmem = sshd

Attempt authentication to the target domain using a known set of credentials using the “kinit” application.

kinit -k <Some_Known_User>

  1. Join the system to the target domain using the YaST Windows Domain Membership module using the appropriate Windows credentials.

YaST will install any of the required Samba packages.
Using the “Expert Settings” fields select the “secrets and keytab” option in the “Kerberos Method” section to create a /etc/krb5.keytab file.

Attempt authentication to the target domain using the host principles (SPN’s in Windows parlance) in the /etc/krb5.conf file using the “kinit” application.

kinit -k <Linux_HostName$>

darkvixen240:~ # kinit -k DARKVIXEN240$

(no output indicates a successful result)

Verify the host SPN used has a valid Kerberos ticket.

darkvixen240:~ # klist

Then use “kdestroy” to clear the local Kerberos ticket cache.

darkvixen240:~ # kdestroy

  1. Use the pam-config utility to implement the system PAM configuration to use the SSSD.

Review the current system authentication configuration.

darkvixen240:~ # pam-config --query --unix2 (do not disable, will break local auth!)
darkvixen240:~ # pam-config --query --ldap
darkvixen240:~ # pam-config --query --krb5
darkvixen240:~ # pam-config --query --winbind
darkvixen240:~ # pam-config --query --sss
darkvixen240:~ # pam-config --query --mkhomedir

Ensure pam_ldap and pam_krb5 modules are disabled if they are enabled.

darkvixen240:~ # pam-config --delete --ldap
darkvixen240:~ # pam-config --delete --krb5

Ensure the pam_mkhomedir module is disabled if remote home directories are to be used, with the automounter as in your example.

darkvixen240:~ # pam-config --delete --mkhomedir

If the SSSD module (pam_sss) is not enabled, enable it.

darkvixen240:~ # pam-config --add --sss

  1. Configure the /etc/nsswitch.conf to reference the SSSD.

passwd: compat sss
group: compat sss

  1. Manually implement a /etc/sssd/sssd.conf than facilitates connectivity to the target AD environment using GSSAPI authentication using the rights of the joined computer object for the Linux server.

config_file_version = 2
services = nss,pam
domains =

reconnection_retries = 3
filter_users = root
filter_groups = root

reconnection_retries = 3

cache_credentials = true
enumerate = false
case_sensitive = false

This directive permits the use of the naming conventions used by the AD provider.

username or or domain\username

re_expression = (((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))

id_provider = ldap
auth_provider = krb5

Used to implement access control to the host

access_provider = ldap

Think of this as the /etc/krb5.conf for the SSSD

krb5_realm = DVC.DARKVIXEN.COM
krb5_server =
krb5_renewable_lifetime = 1d
krb5_lifetime = 1d
krb5_validate = true

ldap_schema = ad
ldap_id_mapping = true

ldap_uri = ldap://
ldap_user_search_base = dc=dvc,dc=darkvixen,dc=com
ldap_group_search_base = dc=dvc,dc=darkvixen,dc=com
ldap_force_upper_case_realm = true
ldap_disable_referrals = true

Access control by expired account and group membership

ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = memberOf=cn=DARKVIXEN240_G,ou=LDAP,ou=SVS,dc=dvc,dc=darkvixen,dc=com

Secure auth for the daemon using the computer object security

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = DARKVIXEN240$@DVC.DARKVIXEN.COM

Provides debug output for troubleshooting, when enabled

debug_level = 7

Start the daemon and test.

Hoping it all helps and ping us back if you have issues, or want to then implement the automounter using the SSSD as well :slight_smile: .

– lawrence

Thank you very much for all your help! Using your setup I’ve been able to make it work briefly. Flush the cache, restart the daemon - and it will retrieve one or two passwd entries. Then it just stops working. The daemon is still running but it seems to be unable to reconnect(?)

(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://,DC=fnc,DC=fake,DC=com] with fd [25].
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://,DC=fnc,DC=fakeg,DC=com].
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://,DC=fnc,DC=fake,DC=com] with fd [25].
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://,DC=fnc,DC=fakeg,DC=com] with fd [26].
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://,DC=fnc,DC=fakeg,DC=com].
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Fri Jul 29 17:00:49 2016) [sssd[be[]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://,DC=fnc,DC=fakeg,DC=com].
(Fri Jul 29 17:00:55 2016) [sssd[be[]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [110]: Connection timed out
(Fri Jul 29 17:00:55 2016) [sssd[be[]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Fri Jul 29 17:00:55 2016) [sssd[be[]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,110,User lookup failed

Really, really, really, wish they had backported realmd to SLES11. :frowning:

Connectivity to the AD back end is definitely failing here and the daemon is attempting to locate another DC to talk to (obviously). Given that I don’t suspect your SPNs or your keytab file if you performed a successful search using SASL/GSSAPI (I would like to see the log info supporting a successful search to be definitive).

I know you have posted some config info already, but could you re-post your most recent sssd.conf and krb5.conf that performed successful searches. I can at least test them on a known good system before I suggest turning the focus to the AD end of things.

— and I prefer “adcli” myself :slight_smile: .

– lawrence

Giving this some thought I wanted to be sure that the concept of a known good system was conveyed clearly, and often asynchronous messaging fails that task. So to help you and others I have composed a two part video tutorial covering how to deploy the SSSD LDAP and Kerberos providers on a SLES 11 SP4 system against an AD back end.

Hoping they help, obviously.

SLES 11 Video PART 1:
SLES 11 Video PART 1:

– lawrence

I now have a working SSSD configuration for SLES11R4. Thanks very much to @hangarbait/Lawrence for all his help. Once I disabled ldap_referrals, his configuration file worked fine.

The Yast Windows Domain Membership module needs work. There are several points were you have to know in advance what to do - it gives you no clue.

… outstanding, and good feedback. I’ll pass it along to some “guys” I know :slight_smile: .

– lawrence

Please use the updated URL for a more polished second production of this video.

– lawrence