2 Replies. Latest reply: Mar 11, 2014 8:09 AM by russday

    SGD 4.7 - Cannot enable Active Directory authentication

    russday

      I've followed the steps in the Admin Guide, and have a service object created.  Running tarantella service list --name service_name produces the following output (obfuscated):

      Name:  service_name
      Enabled: 1
      Url: ad://url_to_dc
      Base-domain: same as above
      Security-mode: kerberos
      Type: ad

      ...all of which looks correct.  I've added the recommended log filters.  Directory services (server/directoryservices/*) returns the following INFO message when attempting a login:

      No Login authorities are available.
      The configured service objects will not be used.

      When I click the "Test" button in the service object property screen, the above log fills with what look like appropriate log messages and a Success result from the AD server, then the above message is displayed.  Running the tarantella config list | grep login command produced the following output:

      login-ad-base-domain:  same domain as above
      login-ad-default-domain: ""
      login-ldap-thirdparty-ens: 1
      login-ldap-thirdparty-profile: 1
      login-thirdparty-ens: 0
      login-thirdparty-nonens: 0
      login-thirdparty-superusers:  sgd_trusted_user
      login-web-tokenvalidity: 180
      server-login: enabled

      Any ideas?

        • 1. Re: SGD 4.7 - Cannot enable Active Directory authentication
          tbasien

          Problems can be:

          • Incorrect domain
          • Name resolution fails: the OSGD server must be able to resolve the global catalog server
          • Time server: the OSGD server must have the same time as the AD
          • Wrong /etc/krb5.conf

          Global Catalog Server

          Check if the domain has a global catalog server:

          nslookup -query=any _gc._tcp.DOMAIN_lowercase

          Example for domain TBSOL.DE:

          [root@tab-ol5u7-SGD1dev-adm tmp]# nslookup -query=any _gc._tcp.tbsol.de
          Server:         192.168.99.1
          Address:        192.168.99.1#53

          Non-authoritative answer:
          _gc._tcp.tbsol.de       service = 0 100 3268 office-ad.tbsol.de.

          Authoritative answers can be found from:
          tbsol.de        nameserver = office-ad.tbsol.de.
          office-ad.tbsol.de      internet address = 172.16.1.14

          Kerberos Layer

          Simple Kerberos file:

          [libdefaults]
            default_realm = TBSOL.DE
            default_tkt_enctypes = rc4-hmac
            default_tgs_enctypes = rc4-hmac

          [realms]
             TBSOL.DE = {
               kdc = office-ad.tbsol.de
               admin_server = office-ad.tbsol.de
             }

          [domain_realm]
             .tbsol.de = TBSOL.DE
             tbsol.de = TBSOL.DE


          The format (tabs and spaces) of the Kerberos file is not relevant.

          (Other experience: after correcting the format of the Kerberos file, password change works!)

          Use kinit to test the Kerberos file.

          Tarantella needs a restart, if this file is changed.

          The OSGD documentation mentions in "2.2.4.2 Active Directory Password Expiry" to set

          kpasswd_protocol = SET_CHANGE

          This was not needed in these tests.

          Login check via kinit:

          kinit <userprincipalname>@DOMAIN_uppercase

          Example of kinit:

          [root@tab-ol5u7-SGD1dev-adm tmp]# kinit tbasien@TBSOL.DE; echo $?
          Password for tbasien@TBSOL.DE:
          kinit(v5): Preauthentication failed while getting initial credentials
          1
          [root@tab-ol5u7-SGD1dev-adm tmp]# kinit tbasien@TBSOL.DE; echo $?
          Password for tbasien@TBSOL.DE:
          0
          [root@tab-ol5u7-SGD1dev-adm tmp]#

          Check password change with KPASSWD:

          [root@tab-ol5u7-SGD1dev-adm log]# kpasswd jperez@TBSOL.DE
          Password for jperez@TBSOL.DE:
          Enter new password:
          Enter it again:
          Password changed.

          Check password change on AD request

          Mark the user in AD as having to change his password at the next login.

          [root@tab-ol5u7-SGD2dev-adm tmp]# kinit jperez@TBSOL.DE
          Password for jperez@TBSOL.DE:
          Password expired.  You must change it now.
          Enter new password:
          Enter it again:
          [root@tab-ol5u7-SGD2dev-adm tmp]# kinit jperez@TBSOL.DE

          C
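As an added check (not code from the thread, from the poster, or from SGD itself), this Python script encodes the DNS and krb5.conf conditions the reply above lists: it parses a constructed nslookup SRV answer and a constructed krb5.conf modelled on the examples above and reports what would stop a Kerberos login before the SGD service object is even consulted. The hostnames, realm and file contents are assumed sample values.

```python
import re
# Constructed sample inputs modelled on the reply's examples, not real infrastructure.
SRV_ANSWER = "_gc._tcp.tbsol.de       service = 0 100 3268 office-ad.tbsol.de."
KRB5_CONF = """[libdefaults]
  default_realm = TBSOL.DE
[realms]
  TBSOL.DE = {
    kdc = office-ad.tbsol.de
  }
[domain_realm]
  .tbsol.de = TBSOL.DE
  tbsol.de = TBSOL.DE
"""
def parse_gc_srv(line):
    # (target host, port) from an nslookup SRV answer line; None when no record came back
    m = re.search(r"service\s*=\s*\d+\s+\d+\s+(\d+)\s+(\S+?)\.?$", line.strip())
    return (m.group(2).lower(), int(m.group(1))) if m else None

def parse_krb5_conf(text):
    # Minimal krb5.conf reader: {section: {key: value}}, with one level of { } nesting
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":
                block = section[key] = {}
            else:
                (block if block is not None else section)[key] = val
    return conf

def check_sgd_krb_setup(domain, krb5_text, srv_line):
    # Returns the misconfigurations the reply tells you to rule out; an empty list is clean
    problems, realm = [], domain.upper()
    conf = parse_krb5_conf(krb5_text)
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("default_realm is not the uppercase AD domain")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        problems.append("[realms] has no kdc entry for " + realm)
    if any(conf.get("domain_realm", {}).get(k) != realm for k in (domain.lower(), "." + domain.lower())):
        problems.append("[domain_realm] does not map the domain and its hosts to " + realm)
    gc = parse_gc_srv(srv_line)
    if gc is None or gc[1] != 3268:
        problems.append("no _gc._tcp SRV record on port 3268: global catalog not discoverable")
    return problems
```

Feed it the real nslookup output and /etc/krb5.conf of the SGD host; the time-sync and kinit steps from the reply still have to be run by hand.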

          • 2. Re: SGD 4.7 - Cannot enable Active Directory authentication
            russday

            Thanks tbasien,

            The nslookup was successful, as well as kinit and kpasswd.  I should note that the host authenticates to the AD domain (through PAM), so the Kerberos infrastructure was already set up.

            One thing I did not have was a link to krb5.conf in /opt/tarantella/bin/jre/lib/security.  I have added that, and restarted sgd.  Now, when I try to authenticate, I get the following log output:

                 Attempted login for rday@domain
                 using disambiguation attributes {}.

            And then nothing else.  My guess is that there is a kerberos issue, but I can't figure out a way to get that logged...

            Thanks again for the assistance!