
Several issues with CentOS 7.7


MBi

Question

Hello,

I am installing CentOS 7.7 to make it available on VirtualDesktop 1912 CU4.

The master is now joined to the domain and sssd is configured, but when I test authentication with a user in the domain (I follow the Citrix doc) I get an error:

ssh localhost -l DOMAIN\\aduser

I get "Permission denied, please try again".

I also have an issue enabling the home folder:

authconfig --enablesssd --enablesssdauth --enablemkhomedir –-update

gives me: authconfig: unexpected argument

 

The content of /etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
domains = domain.xx.yy
services = nss, pam

[domain/domain.xx.yy]
# Uncomment if you need offline logins
# cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad

# Should be specified as the lower-case version of the long version of the Active Directory domain.
ad_domain = domain.xx.yy

# Kerberos settings
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U

# Uncomment if service discovery is not working
# ad_server = infradc-p01.infra.vs.ch

# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM

Thanks in advance for your help.

7 answers to this question


When starting the sssd service it gives these messages:

Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 2
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 2
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

xdping -p reports several errors:

Summary -----------------------------------------------------------------------
  The following tests did not pass:
      Verify XDPing is up-to-date                                     [WARNING]
      Unable to determine whether this is the latest version of XDPing
      because of a failure to query the Citrix Support web service
      containing this information.
      Verify SELinux not enforcing                                    [WARNING]
      Linux VDA supports Security Enhanced Linux (SELinux), but can
      cause problems in some environments depending on what operating
      system and third party packages are in use. If you experience
      problems try setting SELinux to permissive mode.
      Verify hostname and FQDN correlate                                [ERROR]
      The host name of fully-qualified domain name (FQDN) does not
      match the unqualified host name.
      Verify default realm slave KDC configured                       [WARNING]
      Only one KDC server has configured for the default XXXXXX
      realm. For redundancy, it is recommended that at least one
      slave/backup KDC server be configured for each realm. This also
      applies to other cross-domain or cross-forest realms that might
      be used.
      Verify default credential cache cache type                        [ERROR]
      The default credential cache setting is using an unsupported
      credential cache type. Only credential cache files are supported
      by Linux VDA; DIR, MEMORY and KEYRING credential cache types are
      not supported.
      Verify SSSD PAM module in use                                     [ERROR]
      The SSSD PAM module pam_sss.so is not configured for use in any
      known PAM configuration file.
      Verify PAM Kerberos ticket refresh enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is not configured to
      automatically renew Kerberos tickets before expiry. This setting
      is optional for the Linux VDA, but recommended as a convenience
      to users who are accessing other Kerberized network services.
      Verify PAM home directory creation enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is configured with user home
      directory creation disabled. For the Linux VDA it is recommended
      that this feature be enabled.

I ran authconfig --update --enablesssd --enablesssdauth and it works a bit better. I can ssh localhost -l DOMAIN\\User but the home folder is not created.

xdping gives me these errors:

Summary -----------------------------------------------------------------------
  The following tests did not pass:
      Verify XDPing is up-to-date                                     [WARNING]
      Unable to determine whether this is the latest version of XDPing
      because of a failure to query the Citrix Support web service
      containing this information.
      Verify SELinux not enforcing                                    [WARNING]
      Linux VDA supports Security Enhanced Linux (SELinux), but can
      cause problems in some environments depending on what operating
      system and third party packages are in use. If you experience
      problems try setting SELinux to permissive mode.
      Verify hostname and FQDN correlate                                [ERROR]
      The host name of fully-qualified domain name (FQDN) does not
      match the unqualified host name.
      Verify default credential cache cache type                        [ERROR]
      The default credential cache setting is using an unsupported
      credential cache type. Only credential cache files are supported
      by Linux VDA; DIR, MEMORY and KEYRING credential cache types are
      not supported.
      Verify PAM Kerberos ticket refresh enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is not configured to
      automatically renew Kerberos tickets before expiry. This setting
      is optional for the Linux VDA, but recommended as a convenience
      to users who are accessing other Kerberized network services.
      Verify PAM home directory creation enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is configured with user home
      directory creation disabled. For the Linux VDA it is recommended
      that this feature be enabled.
It is almost all working now. Users can access their CentOS VDI from Workspace.

The only thing that is not working is Federation Service.

I get a gray screen with an authentication error. The Citrix doc says that it is because of a certificate error.

I did copy the root CA into the folder /etc/pki/CA/certs/ according to the documentation, but it is not working.

Here is my krb5.conf file. I tested FILE:/ as well as DIR:/

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

IMYDOMAIN = {
  kdc = mydomain
  auth_to_local = RULE:[1:$1@$0]
  pkinit_kdc_hostname = mydomain
  pkinit_anchors = FILE:/etc/pki/CA/certs/root.pem
  pkinit_pool = FILE:/etc/pki/CA/certs/intermediate.pem
  pkinit_eku_checking = kpServerAuth
  pkinit_cert_match = ||<EKU>msScLogin,<KU>digitalSignature
  kdc = mydc.mydomain
}

Note that Federation Service is working with the Windows VDA.
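The xdping failures reported in the first two answers (unsupported credential cache type, pam_sss.so not in any PAM file, home directory creation disabled, hostname and FQDN not correlating) and the pkinit_anchors line of the krb5.conf in the last post can all be checked offline with plain shell before running xdping again. The script below is an added example written for this page; it is not xdping, not Citrix code and not from anyone in the thread. It reproduces the same checks against constructed sample files: the file names under a temporary directory, the sample hostname xd-cos7-m01.example.com, the realm EXAMPLE.COM and the PAM stack contents are all made up for the demonstration, and the placeholder root.pem is not a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread or from Citrix): offline re-creation of
# the checks xdping flagged above, run against constructed sample files.
set -e

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# --- constructed sample inputs -------------------------------------------
# Default-style krb5.conf: KEYRING cache (not supported by the Linux VDA)
# and a pkinit_anchors value without the FILE:/DIR: prefix.
cat > "$TMP/krb5-bad.conf" <<EOF
[libdefaults]
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
  pkinit_anchors = $TMP/root.pem
 }
EOF

# Corrected variant: FILE cache and a FILE: anchor that exists on disk.
printf 'constructed placeholder, not a real CA certificate\n' > "$TMP/root.pem"
cat > "$TMP/krb5-good.conf" <<EOF
[libdefaults]
 default_realm = EXAMPLE.COM
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
  pkinit_anchors = FILE:$TMP/root.pem
 }
EOF

# PAM stacks: one with pam_sss and mkhomedir active, one with pam_sss
# commented out (what authconfig without --enablesssdauth leaves behind).
mkdir -p "$TMP/pam-good" "$TMP/pam-bad"
cat > "$TMP/pam-good/system-auth" <<'EOF'
auth     sufficient pam_sss.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
session  optional   pam_oddjob_mkhomedir.so umask=0077
session  optional   pam_sss.so
EOF
cat > "$TMP/pam-bad/system-auth" <<'EOF'
auth     sufficient pam_unix.so nullok try_first_pass
#auth    sufficient pam_sss.so use_first_pass
session  required   pam_unix.so
EOF

# --- checks ---------------------------------------------------------------
# First uncommented "key = value" line in a krb5.conf-style file.
krb5_get() {  # $1 = file, $2 = key
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Only FILE caches are supported by the Linux VDA. An unset value falls
# back to MIT's built-in FILE:/tmp/krb5cc_%{uid}, which is also fine.
ccache_type_ok() {  # $1 = krb5.conf
  case "$(krb5_get "$1" default_ccache_name)" in
    ""|FILE:*) return 0 ;;
    *)         return 1 ;;
  esac
}

# pam_sss.so must be on an active (uncommented) line in some PAM file.
pam_sss_in_use() {  # $1 = directory of PAM config files
  grep -qs '^[[:space:]]*[^#].*pam_sss\.so' "$1"/*
}

# Home directory creation: pam_mkhomedir.so or pam_oddjob_mkhomedir.so on
# a session line (this is what --enablemkhomedir switches on).
pam_mkhomedir_enabled() {  # $1 = directory of PAM config files
  grep -qs '^[[:space:]]*session.*mkhomedir\.so' "$1"/*
}

# The short hostname must be the first label of a genuinely qualified FQDN.
hostname_matches_fqdn() {  # $1 = hostname, $2 = FQDN
  [ "$1" = "${2%%.*}" ] && [ "$1" != "$2" ]
}

# pkinit_anchors must use the FILE: or DIR: form MIT krb5 accepts and the
# target must be readable; a bare path is not a valid anchor reference.
pkinit_anchors_ok() {  # $1 = krb5.conf
  v=$(krb5_get "$1" pkinit_anchors)
  case "$v" in
    FILE:*) [ -r "${v#FILE:}" ] ;;
    DIR:*)  [ -d "${v#DIR:}" ] ;;
    *)      return 1 ;;
  esac
}

report() {  # $1 = label, rest = check command and its arguments
  label=$1; shift
  if "$@"; then echo "[ OK ] $label"; else echo "[FAIL] $label"; fi
}

report "ccache type, default-style krb5.conf" ccache_type_ok "$TMP/krb5-bad.conf"
report "ccache type, corrected krb5.conf"     ccache_type_ok "$TMP/krb5-good.conf"
report "pam_sss in use, bad stack"            pam_sss_in_use "$TMP/pam-bad"
report "mkhomedir enabled, good stack"        pam_mkhomedir_enabled "$TMP/pam-good"
report "hostname vs FQDN"                     hostname_matches_fqdn xd-cos7-m01 xd-cos7-m01.example.com
report "pkinit_anchors, corrected krb5.conf"  pkinit_anchors_ok "$TMP/krb5-good.conf"
```

To run the same checks against a real VDA, point the functions at /etc/krb5.conf, /etc/pam.d and the output of `hostname` and `hostname -f` instead of the constructed files; the KEYRING cache in the "bad" sample is the CentOS 7 default that xdping's "credential cache type" error refers to, and the PAM "bad" sample shows why a commented-out pam_sss.so line does not count as configured.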