MBi, posted November 29, 2021

Hello,
I am installing CentOS 7.7 to make it available on VirtualDesktop 1912 CU4.
The master is now joined in the domain, sssd is configured, but when I test to authenticate with a user in the domain (I follow the Citrix doc) I get an error:
ssh localhost -l DOMAIN\\aduser
I get "Permission denied, please try again"
I also have an issue to enable home folder:
authconfig --enablesssd --enablesssdauth --enablemkhomedir –-update
gives me: authconfig: unexpected argument
The content of /etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
domains = domain.xx.yy
services = nss, pam
[domain/domain.xx.yy]
# Uncomment if you need offline logins
# cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
# Should be specified as the lower-case version of the long version of the Active Directory domain.
ad_domain = domain.xx.yy
# Kerberos settings
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U
# Uncomment if service discovery is not working
# ad_server = infradc-p01.infra.vs.ch
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
Thanks in advance for your help.
Boby John1709155536, posted November 29, 2021

I would start by testing winbind and see if that works. Also, how did you verify that the domain join is OK?
MBi (author), posted November 29, 2021

Hello, I'm using sssd, not winbind. The object is created in AD and I can see the Kerberos ticket with klist -k.
MBi (author), posted November 29, 2021

When starting the sssd service it gives these messages:
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 2
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 2
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.

xdping -p reports several errors:
Summary
-----------------------------------------------------------------------
The following tests did not pass:
Verify XDPing is up-to-date [WARNING]
Unable to determine whether this is the latest version of XDPing because of a failure to query the Citrix Support web service containing this information.
Verify SELinux not enforcing [WARNING]
Linux VDA supports Security Enhanced Linux (SELinux), but can cause problems in some environments depending on what operating system and third party packages are in use. If you experience problems try setting SELinux to permissive mode.
Verify hostname and FQDN correlate [ERROR]
The host name of fully-qualified domain name (FQDN) does not match the unqualified host name.
Verify default realm slave KDC configured [WARNING]
Only one KDC server has configured for the default XXXXXX realm. For redundancy, it is recommended that at least one slave/backup KDC server be configured for each realm. This also applies to other cross-domain or cross-forest realms that might be used.
Verify default credential cache cache type [ERROR]
The default credential cache setting is using an unsupported credential cache type. Only credential cache files are supported by Linux VDA; DIR, MEMORY and KEYRING credential cache types are not supported.
Verify SSSD PAM module in use [ERROR]
The SSSD PAM module pam_sss.so is not configured for use in any known PAM configuration file.
Verify PAM Kerberos ticket refresh enabled [WARNING]
The SSSD PAM module pam_sss.so is not configured to automatically renew Kerberos tickets before expiry. This setting is optional for the Linux VDA, but recommended as a convenience to users who are accessing other Kerberized network services.
Verify PAM home directory creation enabled [WARNING]
The SSSD PAM module pam_sss.so is configured with user home directory creation disabled. For the Linux VDA it is recommended that this feature be enabled.
MBi (author), posted November 29, 2021

I ran authconfig --update --enablesssd --enablesssdauth and it works a bit better. I can ssh localhost -l DOMAIN\\User but the home folder is not created.
xdping gives me these errors:
Summary
-----------------------------------------------------------------------
The following tests did not pass:
Verify XDPing is up-to-date [WARNING]
Unable to determine whether this is the latest version of XDPing because of a failure to query the Citrix Support web service containing this information.
Verify SELinux not enforcing [WARNING]
Linux VDA supports Security Enhanced Linux (SELinux), but can cause problems in some environments depending on what operating system and third party packages are in use. If you experience problems try setting SELinux to permissive mode.
Verify hostname and FQDN correlate [ERROR]
The host name of fully-qualified domain name (FQDN) does not match the unqualified host name.
Verify default credential cache cache type [ERROR]
The default credential cache setting is using an unsupported credential cache type. Only credential cache files are supported by Linux VDA; DIR, MEMORY and KEYRING credential cache types are not supported.
Verify PAM Kerberos ticket refresh enabled [WARNING]
The SSSD PAM module pam_sss.so is not configured to automatically renew Kerberos tickets before expiry. This setting is optional for the Linux VDA, but recommended as a convenience to users who are accessing other Kerberized network services.
Verify PAM home directory creation enabled [WARNING]
The SSSD PAM module pam_sss.so is configured with user home directory creation disabled. For the Linux VDA it is recommended that this feature be enabled.
MBi (author), posted November 29, 2021

authconfig --enablemkhomedir –update is now working.
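The four xdping checks that failed in the posts above (hostname/FQDN correlation, credential cache type, pam_sss.so in the PAM stack, home-directory creation) are easy to reproduce without xdping, which helps when the VDA has no network path to Citrix support services. The script below is an added example, not part of the thread and not Citrix code: each check is a plain shell function that can be pointed at a live CentOS 7 host (hostname, hostname -f, /etc/krb5.conf, /etc/pam.d) or, as here, at constructed sample files. The host name xd-cos7-m01 is taken from the sssd log above; the "bad" krb5.conf reproduces the stock CentOS 7 setting default_ccache_name = KEYRING:persistent:%{uid}, which is what the "unsupported credential cache type" error refers to; everything else in the sample files is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): the four xdping checks that
# failed above, re-implemented as shell functions so they can be run against a
# live CentOS 7 VDA or, as here, against constructed sample files.
# Assumed live paths are the CentOS 7 defaults: /etc/krb5.conf and /etc/pam.d/.

# "Verify hostname and FQDN correlate": the short name must be the first label
# of the FQDN, and the FQDN must actually be qualified (hostname -f returning the
# bare short name, e.g. from a bad /etc/hosts entry, is the usual failure).
check_hostname() {
    short=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $fqdn in
        *.*) [ "${short%%.*}" = "${fqdn%%.*}" ] ;;
        *)   return 1 ;;
    esac
}

# "Verify default credential cache type": Linux VDA only supports FILE: caches.
# The stock CentOS 7 krb5.conf ships default_ccache_name = KEYRING:persistent:%{uid},
# which trips this check; an unset value means the FILE: built-in default.
check_ccache() {
    cc=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case $cc in
        ''|FILE:*) return 0 ;;
        *)         return 1 ;;
    esac
}

# "Verify SSSD PAM module in use": an uncommented pam_sss.so line in some file
# under the PAM directory (authconfig --enablesssd --enablesssdauth adds it).
check_pam_sss() {
    grep -Eqs '^[[:space:]]*[^#[:space:]].*pam_sss\.so' "$1"/*
}

# "Verify PAM home directory creation enabled": pam_mkhomedir.so or the oddjob
# variant that authconfig --enablemkhomedir configures on CentOS 7.
check_mkhomedir() {
    grep -Eqs '^[[:space:]]*[^#[:space:]].*pam_(oddjob_)?mkhomedir\.so' "$1"/*
}

# Run all four, print one line per check, return the number of failures.
run_checks() {
    short=$1 fqdn=$2 krb5conf=$3 pamdir=$4 fails=0
    for c in "check_hostname $short $fqdn" "check_ccache $krb5conf" \
             "check_pam_sss $pamdir" "check_mkhomedir $pamdir"; do
        if $c; then echo "PASS ${c%% *}"; else echo "FAIL ${c%% *}"; fails=$((fails + 1)); fi
    done
    return $fails
}

# --- constructed sample files (stand-ins for a real host) -------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bad/pam.d" "$WORK/good/pam.d"

# "bad": CentOS 7 default krb5.conf plus a system-auth that never got pam_sss.
cat > "$WORK/bad/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.XX.YY
 default_ccache_name = KEYRING:persistent:%{uid}
EOF
cat > "$WORK/bad/pam.d/system-auth" <<'EOF'
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
#auth    sufficient pam_sss.so use_first_pass
session  required   pam_unix.so
EOF

# "good": FILE: cache and the stack that
# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update produces.
cat > "$WORK/good/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.XX.YY
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
EOF
cat > "$WORK/good/pam.d/system-auth" <<'EOF'
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
session  optional   pam_oddjob_mkhomedir.so umask=0077
session  required   pam_unix.so
EOF

run_checks xd-cos7-m01 XD-COS7-M01 "$WORK/bad/krb5.conf" "$WORK/bad/pam.d" || true
run_checks xd-cos7-m01 xd-cos7-m01.domain.xx.yy "$WORK/good/krb5.conf" "$WORK/good/pam.d"
```

On a real VDA replace the sample arguments with "$(hostname)" "$(hostname -f)" /etc/krb5.conf /etc/pam.d. The checks only read configuration; a passing result means the stack is wired the way xdping expects, not that the domain join itself works, which is what the replies about winbind and the join are asking about.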
Boby John1709155536, posted November 29, 2021

Most of the xdping checks throw an error; I am not confident that the domain join is done right. Can you confirm if you used the Easy Install method to install the LVDA?
MBi (author), posted November 30, 2021

It is almost all working now. Users can access their CentOS VDI from Workspace. The only thing that is not working is Federation Service. I get a gray screen with an authentication error. Citrix doc says that it is because of a certificate error. I did copy the root CA into the folder /etc/pki/CA/certs/ according to the documentation but it is not working.
Here is my krb5.conf file. I tested FILE:/ as well as DIR:/
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
IMYDOMAIN = {
 kdc = mydomain
 auth_to_local = RULE:[1:$1@$0]
 pkinit_kdc_hostname = mydomain
 pkinit_anchors = FILE:/etc/pki/CA/certs/root.pem
 pkinit_pool = FILE:/etc/pki/CA/certs/intermediate.pem
 pkinit_eku_checking = kpServerAuth
 pkinit_cert_match = ||<EKU>msScLogin,<KU>digitalSignature
 kdc = mydc.mydomain
}
Note that federation service is working with Windows VDA.
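With a krb5.conf like the one above, the things worth verifying before blaming FAS itself are mechanical: the realm stanza is keyed exactly as the KDC realm (upper case), pkinit_anchors and pkinit_pool point at files that exist, and those files are PEM, since MIT krb5 reads FILE: anchors as PEM and a root CA exported from a Windows CA with the wizard defaults is DER. The script below is an added example, not part of the thread and not Citrix or MIT code: it pulls the PKINIT options for one realm out of a krb5.conf with awk and checks the referenced certificate specs. The realm names MYDOMAIN and DERDOMAIN, the temporary paths and the certificate files (a header-only PEM placeholder and a few DER-style bytes) are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread or Citrix docs): extract a realm's
# PKINIT settings from krb5.conf and sanity-check the certificate files they
# reference. Realm names, paths and certificate contents below are constructed.

# realm_option CONF REALM KEY: value of KEY inside "REALM = { ... }" in CONF,
# empty if the realm or key is absent.
realm_option() {
    awk -v realm="$2" -v key="$3" '
        $1 == realm && $2 == "=" && $3 == "{" { inr = 1; next }
        inr && $1 == "}"                     { inr = 0 }
        inr && $1 == key && $2 == "="        { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# check_certspec SPEC: SPEC is what krb5 accepts for pkinit_anchors/pkinit_pool,
# FILE:/path (PEM) or DIR:/path. A DER .cer exported from a Windows CA looks
# like a file but is not accepted, so the FILE: case insists on a PEM header.
check_certspec() {
    case $1 in
        FILE:*) f=${1#FILE:}
                [ -f "$f" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ;;
        DIR:*)  [ -d "${1#DIR:}" ] ;;
        *)      return 1 ;;
    esac
}

# check_pkinit CONF REALM: print one line per finding, return the number of
# problems (0 means the stanza is at least internally consistent).
check_pkinit() {
    conf=$1 realm=$2 problems=0
    case $realm in
        *[a-z]*) echo "realm '$realm' is not upper-case"; problems=$((problems + 1)) ;;
    esac
    [ -n "$(realm_option "$conf" "$realm" kdc)" ] || {
        echo "no kdc for $realm"; problems=$((problems + 1)); }
    anchors=$(realm_option "$conf" "$realm" pkinit_anchors)
    if [ -z "$anchors" ]; then
        echo "pkinit_anchors missing for $realm"; problems=$((problems + 1))
    elif ! check_certspec "$anchors"; then
        echo "pkinit_anchors unusable: $anchors"; problems=$((problems + 1))
    fi
    pool=$(realm_option "$conf" "$realm" pkinit_pool)
    if [ -n "$pool" ] && ! check_certspec "$pool"; then
        echo "pkinit_pool unusable: $pool"; problems=$((problems + 1))
    fi
    return $problems
}

# --- constructed sample files -------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Header-only PEM placeholders (a real file carries the base64 body).
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n' > "$WORK/root.pem"
cp "$WORK/root.pem" "$WORK/intermediate.pem"
# DER-style bytes: what the Windows export wizard writes when its default is kept.
printf '\060\202\003\011' > "$WORK/root.cer"
cat > "$WORK/krb5.conf" <<EOF
[libdefaults]
 default_realm = MYDOMAIN
[realms]
 MYDOMAIN = {
  kdc = mydc.mydomain
  pkinit_kdc_hostname = mydomain
  pkinit_anchors = FILE:$WORK/root.pem
  pkinit_pool = FILE:$WORK/intermediate.pem
  pkinit_eku_checking = kpServerAuth
 }
 DERDOMAIN = {
  kdc = mydc.mydomain
  pkinit_anchors = FILE:$WORK/root.cer
 }
EOF

check_pkinit "$WORK/krb5.conf" MYDOMAIN  || true   # consistent: 0 problems
check_pkinit "$WORK/krb5.conf" DERDOMAIN || true   # anchor is DER: 1 problem
```

Run it against the real file with check_pkinit /etc/krb5.conf REALM. If the anchor fails the PEM test, openssl x509 -inform DER -in root.cer -out root.pem converts it, and openssl x509 -in root.pem -noout -subject confirms the result parses. A clean run only shows the stanza is self-consistent; whether the domain controller's certificate actually chains to that anchor needs the DC certificate itself (openssl verify -CAfile root.pem -untrusted intermediate.pem dc.pem).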