DHilsbos at performair.com
2020-May-14 17:01 UTC
[CentOS] CentOS 8 Client to Windows file share SSO Active Directory
All;

My Google foo is failing me, and searching through the last 10 months on this mailing list hasn't helped either.

We have an existing Active Directory domain set up, and I'd like to add a CentOS 8 Workstation to it.

I have experience using both realmd and manual configuration to allow local login with AD accounts to various Linux distributions, and have this working on my test system. I used realmd this time, and it configured sssd.

I have one problem that I've never been able to solve; when I attempt to connect to a remote file server, while logged on to the CentOS 8 system using a domain account, it asks for credentials. Theoretically, this should work as it's just Kerberos. Can anyone point me at resources on what is needed for SSO to domain resources to work properly?

This may be related to another issue that I'm seeing; I don't see the CentOS 8 user logon event (event ID 4624) on the Domain Controller. I see lots of logon events for the computer account, but none for the user account.

Thank you,

Dominic L. Hilsbos, MBA
Director - Information Technology
Perform Air International Inc.
DHilsbos at PerformAir.com
www.PerformAir.com

Orion Poplawski
2020-May-15 02:03 UTC
[CentOS] CentOS 8 Client to Windows file share SSO Active Directory
On 5/14/20 11:01 AM, DHilsbos at performair.com wrote:
> All;
>
> My Google foo is failing me, and searching through the last 10 months on this mailing list hasn't helped either.
>
> We have an existing Active Directory domain set up, and I'd like to add a CentOS 8 Workstation to it.
>
> I have experience using both realmd and manual configuration to allow local login with AD accounts to various Linux distributions, and have this working on my test system. I used realmd this time, and it configured sssd.
>
> I have one problem that I've never been able to solve; when I attempt to connect to a remote file server, while logged on to the CentOS 8 system using a domain account, it asks for credentials. Theoretically, this should work as it's just Kerberos. Can anyone point me at resources on what is needed for SSO to domain resources to work properly?

Well, check the usual Kerberos stuff:

- Do you have a ticket (klist)?
- Is /etc/krb5.conf(.d) looking good?
- How are you connecting to the remote file server? Is that software configured to use Kerberos/GSSAPI to authenticate? Does it have debug options to show you the authentication steps?
- What does the remote server report about the connection attempts?

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
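
The first and third checks in the reply above can be read off `klist` output. The script below is an added example, not part of either message: it classifies a credential cache listing as having no TGT, a TGT only, or a `cifs/` service ticket for the file server. The host `fileserver.example.com`, the realm `EXAMPLE.COM`, the user `jdoe` and the sample listings are constructed, and ticket expiry is not checked.

```bash
#!/usr/bin/env bash
# Added example: classify `klist` output for SMB single sign-on troubleshooting.
# fileserver.example.com and EXAMPLE.COM are constructed placeholders.

# Reads `klist` output on stdin; $1 is the file server's FQDN.
# Prints one of:
#   no-tgt       no krbtgt/ entry: the login left no Kerberos credentials
#   tgt-only     TGT present, but no cifs/<server> service ticket in the cache
#   cifs-ticket  a service ticket for the share's host is in the cache
classify_klist() {
    server="$1"
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -Eq '[[:space:]]krbtgt/[^[:space:]]+@'; then
        echo no-tgt
    elif printf '%s\n' "$out" | grep -Fiq "cifs/${server}@"; then
        echo cifs-ticket
    else
        echo tgt-only
    fi
}

# Constructed sample: cache right after login (TGT only).
SAMPLE_TGT_ONLY='Ticket cache: KCM:1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
05/14/2020 10:00:00  05/14/2020 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/21/2020 10:00:00'

# Constructed sample: cache after a Kerberos-authenticated SMB connection.
SAMPLE_WITH_CIFS="$SAMPLE_TGT_ONLY
05/14/2020 10:05:00  05/14/2020 20:00:00  cifs/fileserver.example.com@EXAMPLE.COM"

# Constructed sample: what klist prints when there is no cache at all.
SAMPLE_EMPTY='klist: No credentials cache found'

for s in "$SAMPLE_EMPTY" "$SAMPLE_TGT_ONLY" "$SAMPLE_WITH_CIFS"; do
    printf '%s\n' "$s" | classify_klist fileserver.example.com
done

# Live use, after one connection attempt to the share:
#   klist | classify_klist fileserver.example.com
```

A `tgt-only` result after a connection attempt corresponds to the third question in the reply: the client software did not obtain a Kerberos service ticket for that server name.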