Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ad user login not working after SSSD and Kerberos

Ad user login not working after SSSD and Kerberos

Contributor

Hi,

We configured Linux system with SSSD and we are able to find id of the AD user. When we are trying to login into the linux system using AD credentials, We are getting access denied error. However, we are able to login using "su - user" command.

I think once we configure our linux system with SSSD, ticket should be generated automatically. But when using "su - user", we had to manually get the ticket using kinit command. Is this the only way to get the ticket ? or will it be generated automatically?

5 REPLIES 5

Re: Ad user login not working after SSSD and Kerberos

It looks like AD users are prevented from direct login to Linux boxes. Look at AllowUsers, AllowGroups properties in sshd_config file. You might want to look into MAN page for sshd_config. Other thing I can think of is default_shell value in sssd.conf file, if that is set to /bin/false, set it to /bin/bash and restart sssd service on box.

On other note, users will have to manually get the ticket using kinit command even after that, AFAIK. I am not expert on SSSD but its possible to enable automatic KINIT on behalf of user when user logins through SSSD.

Re: Ad user login not working after SSSD and Kerberos

Contributor

@Pradeep

Regarding

"On other note, users will have to manually get th e ticket using kinit command even after that, AFAIK."

If this is the case? how will people be able to access hive tables using services like Hue or reporting tools like tableau, using their AD credentials? They wouldn't have access to CLI, they can't run kinit command there.

Re: Ad user login not working after SSSD and Kerberos

Highlighted

Re: Ad user login not working after SSSD and Kerberos

Contributor

I am getting an error in message file.

ldap_start_tls_s() failed: Connect error (uri="ldap://AD-IP:389") May 6 14:47:58 hdp-slave6

failed to bind to LDAP server ldap://AD-IP:389: Connect error

Still I am able to su to the AD user. I am not able understand how this is happening when bind fails?

Re: Ad user login not working after SSSD and Kerberos

I configured KDC/LDAP recently using FreeIPA. sssd including "su - user" was working out of the box, but we had to integrate sssd and ssh manually. I found this deck useful, it talks about IPA, but starting from slide 8 it talks about integration of sssd and Open ssh. Anyway, it's not automatic as your attempts testify.