We configured a Linux system with SSSD and we are able to find the id of the AD user. When we try to log in to the Linux system using AD credentials, we get an access denied error. However, we are able to log in using the "su - user" command.
I think once we configure our Linux system with SSSD, the ticket should be generated automatically. But when using "su - user", we had to manually get the ticket using the kinit command. Is this the only way to get the ticket, or will it be generated automatically?
It looks like AD users are prevented from direct login to Linux boxes. Look at the AllowUsers and AllowGroups properties in the sshd_config file. You might want to look into the man page for sshd_config. The other thing I can think of is the default_shell value in the sssd.conf file; if that is set to /bin/false, set it to /bin/bash and restart the sssd service on the box.
On another note, users will have to manually get the ticket using the kinit command even after that, AFAIK. I am not an expert on SSSD, but it's possible to enable automatic kinit on behalf of the user when the user logs in through SSSD.
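As an added example (not code from any post in this thread), a POSIX shell script that checks the two settings this answer points at, AllowUsers/AllowGroups in sshd_config and default_shell in sssd.conf, against constructed sample configs; the config contents, the user "aduser" and the group "linuxadmins" are assumptions.

```shell
#!/bin/sh
# Constructed sample configs (not from the thread): the AD user is absent from the
# allow lists and sssd hands it /bin/false, reproducing the "access denied" case.
SAMPLE_SSHD_CONFIG='Port 22
AllowUsers admin deploy
AllowGroups wheel
UsePAM yes'

SAMPLE_SSSD_CONF='[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
default_shell = /bin/false'

# Prints "allowed" or "denied" for user $2 with groups $3 (space separated) under
# the sshd_config text in $1. Mirrors sshd: when AllowUsers is present the user must
# match it, and when AllowGroups is present one of the groups must match it.
# Simplification: exact names only, no user@host or wildcard patterns, no Match blocks.
ssh_allow_check() {
  printf '%s\n' "$1" | awk -v user="$2" -v groups="$3" '
    BEGIN { n = split(groups, g, " ") }
    tolower($1) == "allowusers"  { ur = 1; for (i = 2; i <= NF; i++) if ($i == user) uo = 1 }
    tolower($1) == "allowgroups" { gr = 1; for (i = 2; i <= NF; i++) for (j = 1; j <= n; j++) if ($i == g[j]) go = 1 }
    END { r = ((ur && !uo) || (gr && !go)) ? "denied" : "allowed"; print r }'
}

# Prints the default_shell value from the sssd.conf text in $1, or "unset".
sssd_default_shell() {
  printf '%s\n' "$1" | awk -F= '
    tolower($1) ~ /^[[:space:]]*default_shell[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); v = $2 }
    END { r = (v == "") ? "unset" : v; print r }'
}

# One-line summary of both checks for an AD user trying to log in over ssh.
diagnose_ad_login() {
  ssh=$(ssh_allow_check "$1" "$3" "$4")
  shell=$(sssd_default_shell "$2")
  case "$shell" in
    /bin/false|/sbin/nologin|/usr/sbin/nologin) shell="$shell (login shell disabled)" ;;
  esac
  echo "sshd allow lists: $ssh; sssd default_shell: $shell"
}

diagnose_ad_login "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SSSD_CONF" aduser linuxadmins
```

On a real box, feed the functions `$(cat /etc/ssh/sshd_config)` and `$(cat /etc/sssd/sssd.conf)` (both need root to read) together with the output of `id` for the AD user.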
"On another note, users will have to manually get the ticket using the kinit command even after that, AFAIK."
If this is the case, how will people be able to access Hive tables using services like Hue or reporting tools like Tableau, using their AD credentials? They wouldn't have access to the CLI, so they can't run the kinit command there.
For Hue/Ambari Views, proxyuser settings will have to be configured. Refer below for Hue and Tableau.
I am getting an error in the message file.
ldap_start_tls_s() failed: Connect error (uri="ldap://AD-IP:389") May 6 14:47:58 hdp-slave6
failed to bind to LDAP server ldap://AD-IP:389: Connect error
Still, I am able to su to the AD user. I am not able to understand how this is happening when the bind fails.
I configured KDC/LDAP recently using FreeIPA. sssd, including "su - user", was working out of the box, but we had to integrate sssd and ssh manually. I found this deck useful; it talks about IPA, but starting from slide 8 it talks about the integration of sssd and OpenSSH. Anyway, it's not automatic, as your attempts testify.