Hello, This one is nasty... I followed the documentation on configuring sssd: https://wiki.samba.org/index.php/Sssd In the section on extracting the keytab, it says: - Extract the keytab for a domain account (you can use the machines[sic] account for that, too) and make sure it is readable only by root. The following example uses the machine account of the host „DC1“ So, I used the keytab for my domain controller, and shared it will a couple of file servers. Here is the really bizarre thing, if I use the DC's keytab, and I configure sssd to a DC other than the DC the keytab file is from, it will update the DC's ip address in DNS to the fileserver's ip address. Let me give you an example: - Use DC1 to create keytab: "samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=dc1$" - configure sssd to point to DC2 on FS1: [sssd] config_file_version = 2 domains = DOMAIN.COM services = nss, pam debug_level=6 [domain/DOMAIN.COM] enumerate = true ad_domain = DOMAIN.COM krb5_realm = DOMAIN.COM cache_credentials = True id_provider = ad ad_hostname = dc2.domain.com ad_server = dc2.domain.com ad_domain = domain.com ldap_id_mapping = False access_provider = ad krb5_keytab=/etc/krb5.sssd.keytab debug_level=6 - service sssd restart - Now, DC2 has it's A record changed to match the IP address of FS1 Took me a week to figure out this was going on. Using the principal of the file server does not trigger this bug. Please add a note to the sssd wiki page recommending the *file server's* machine account. This occurs in Samba 4.3.4 and Samba 4.4.0. My version of sssd is 1.12.4-47.el6_7.7 running on CentOS 6.7.
On Thu, 24 Mar 2016, William Stuart wrote:> So, I used the keytab for my domain controller, and shared it will a couple > of file servers. Here is the really bizarre thing, if I use the DC's > keytab, and I configure sssd to a DC other than the DC the keytab file is > from, it will update the DC's ip address in DNS to the fileserver's ip > address.I believe you are telling it to do this:> [sssd] > ad_hostname = dc2.domain.com > ad_server = dc2.domain.com > > - service sssd restart > - Now, DC2 has it's A record changed to match the IP address of FS1ad_server tells sssd the server(s) to connect to for authentication services. ad_hostname sets the _local_ machine's hostname. Setting ad_hostname is probably triggering a dynamic DNS update to set dc2.domain.com to FS1's IP address. That said, I haven't tested this as I use the sssd-ldap provider rather than ad, because the ad provider did not exist in CentOS 6.5 when I initially set up my current domain. One other thing that stands out as odd to me here:> Let me give you an example: > > - Use DC1 to create keytab: "samba-tool domain exportkeytab > /etc/krb5.sssd.keytab --principal=dc1$" > - configure sssd to point to DC2 on FS1:If you're pointing sssd at DC2, wouldn't it make more sense to export the credentials for DC2, rather than DC1? Or even better, export all of your DC's credentials to the same keytab file. This way, if you ever replace one, sssd will continue to function properly. You can export multiple credentials to the same file by running the same command and changing the --principal option. Each run will append to the existing file rather than overwriting it with a new one.
Maybe Matching Threads
- sssd with ad backend and "ldap_id_mapping = false" refuse to start
- samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED
- Should I forget sssd ?
- sssd + samba4 not working (yet)
- Ubuntu SSSD Active Directory Authorization issue (group membership is not honored)