Authentication with sssd and kerberos - Authentication failure

Hello,

I am hoping somebody here can help me. I am trying to authenticate with kerberos. If I use kinit I get a valid ticket. If I try

sssctl user-checks -a=auth robin

I get

user: robin@xxx.yyy.zzz
action: auth
service: system-auth

SSSD nss user lookup result:
 - user name: robin
 - user id: 5001
  - group id: 5001
  - gecos: robin
  - home directory: /home/robin
  - shell: /bin/bash

 SSSD InfoPipe user lookup result:
   - name: robin
   - uidNumber: 5001
   - gidNumber: 5001
   - gecos: robin
   - homeDirectory: /home/robin
   - loginShell: /bin/bash

 testing pam_authenticate

 Password: 
  pam_authenticate for user [robin@xxx.yyyy.zzz]: Authentication failure
 
 PAM Environment:
  - KRB5CCNAME=KCM:

My configuration file for sssd is the following

[sssd]
config_file_version = 2
domains = xxx.yyy.zzz
services = nss, pam

[domain/xxx.yyy.zzz]
 debug_level = 5

id_provider = ldap
ldap_uri = ldap://server.xxx.yyy.zzz
ldap_search_base = dc=xxx,dc=yyy,dc=zzz
ldap_schema = rfc2307bis

auth_provider = krb5
krb5_server = server.xxx.yyyy.zzz:88
krb5_kpasswd = server.xxx.yyy.zzz
krb5_realm = XXX.YYY.ZZZ
krb5_map_user = robin:robin

chpass_provider = none

[kcm]

[secrets]

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

Actual domain was replaced by xxx.yyy.zzz. I am using Fedora 32 and have no more ideas how to fix the problem and would appreciate any help and hints you can give me.

Thank you
Robin

Is that Samba DC, or AD DC, or something else?

No, it’s only ldap and kerberos. Previously I only used kerberos and the user information was located in the passwd file. But this seems no longer possible (at least that is what the internet told me :wink: ). I need a kerberos ticket for the user for a nfs share and ssh.
