Jump to content
Welcome to our new Citrix community!
  • 0

Sevreral issues with CentOS 7.7


MBi

Question

Hello,

 

I am installing CentOS 7.7 to make it available on VirtualDesktop 1912 Cu4.

The maser is now joined in the domain, sssd is configured, but when I test to authenticate with a user in the domain (I follow the Citrix doc) I get an error :

 

 

ssh localhost -l DOMAIN\\aduser

 

I get "Permission denied, please try again"

 

I also have an issue to enable home folder :

 

authconfig --enablesssd --enablesssdauth --enablemkhomedir –-update

give me : authconfig: unexpected argument

 

The content of /etc/sssd/sssd.conf  :

 

[sssd]

config_file_version = 2
domains = domain.xx.yy
services = nss, pam

[domain/domain.xx.yy]
# Uncomment if you need offline logins
# cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad

# Should be specified as the lower-case version of the long version of the Active Directory domain.
ad_domain = domain.xx.yy

# Kerberos settings
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U

# Uncomment if service discovery is not working
# ad_server = infradc-p01.infra.vs.ch

# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
 

 

Thanks in adavnce for your help.

 

 

Link to comment

7 answers to this question

Recommended Posts

  • 0

When starting sssd service it gives these messages :

 

Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 2
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 1
Nov 29 13:10:23 XD-COS7-M01 sssd_be[4504]: GSSAPI client step 2
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 29 13:10:23 XD-COS7-M01 sssd[4501]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

 

 

xdping -p reports several errors :

 

 

ummary -----------------------------------------------------------------------
  The following tests did not pass:
      Verify XDPing is up-to-date                                     [WARNING]
      Unable to determine whether this is the latest version of XDPing
      because of a failure to query the Citrix Support web service
      containing this information.
      Verify SELinux not enforcing                                    [WARNING]
      Linux VDA supports Security Enhanced Linux (SELinux), but can
      cause problems in some environments depending on what operating
      system and third party packages are in use. If you experience
      problems try setting SELinux to permissive mode.
      Verify hostname and FQDN correlate                                [ERROR]
      The host name of fully-qualified domain name (FQDN) does not
      match the unqualified host name.
      Verify default realm slave KDC configured                       [WARNING]
      Only one KDC server has configured for the default XXXXXX
      realm. For redundancy, it is recommended that at least one
      slave/backup KDC server be configured for each realm. This also
      applies to other cross-domain or cross-forest realms that might
      be used.
      Verify default credential cache cache type                        [ERROR]
      The default credential cache setting is using an unsupported
      credential cache type. Only credential cache files are supported
      by Linux VDA; DIR, MEMORY and KEYRING credential cache types are
      not supported.
      Verify SSSD PAM module in use                                     [ERROR]
      The SSSD PAM module pam_sss.so is not configured for use in any
      known PAM configuration file.
      Verify PAM Kerberos ticket refresh enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is not configured to
      automatically renew Kerberos tickets before expiry. This setting
      is optional for the Linux VDA, but recommended as a convenience
      to users who are accessing other Kerberized network services.
      Verify PAM home directory creation enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is configured with user home
      directory creation disabled. For the Linux VDA it is recommended
      that this feature be enabled.
 

 

 

Link to comment
  • 0

I ran authconfig --update --enablesssd --enablesssdauth and it works a bit better. I can ssh localhot -l DOMAIN\\User but the home folder is not created.

 

xdping gives me these errors

 

Summary -----------------------------------------------------------------------
  The following tests did not pass:
      Verify XDPing is up-to-date                                     [WARNING]
      Unable to determine whether this is the latest version of XDPing
      because of a failure to query the Citrix Support web service
      containing this information.
      Verify SELinux not enforcing                                    [WARNING]
      Linux VDA supports Security Enhanced Linux (SELinux), but can
      cause problems in some environments depending on what operating
      system and third party packages are in use. If you experience
      problems try setting SELinux to permissive mode.
      Verify hostname and FQDN correlate                                [ERROR]
      The host name of fully-qualified domain name (FQDN) does not
      match the unqualified host name.
      Verify default credential cache cache type                        [ERROR]
      The default credential cache setting is using an unsupported
      credential cache type. Only credential cache files are supported
      by Linux VDA; DIR, MEMORY and KEYRING credential cache types are
      not supported.
      Verify PAM Kerberos ticket refresh enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is not configured to
      automatically renew Kerberos tickets before expiry. This setting
      is optional for the Linux VDA, but recommended as a convenience
      to users who are accessing other Kerberized network services.
      Verify PAM home directory creation enabled                      [WARNING]
      The SSSD PAM module pam_sss.so is configured with user home
      directory creation disabled. For the Linux VDA it is recommended
      that this feature be enabled.
 

 

 

Link to comment
  • 0

 

It is almost all working now. Users can access their CentOS VDI from Workspace.

The only thing that is not working is Federaration Service.

I get a gray screen with a authentication error. Citrix doc says that it is because of a certificat error.

I did copy the root CA in folder /etc/pki/CA/certs/ accordinf to the documentation but it is not working.

 

Here is my krb5.conf file. I tested FILE:/ as well as DIR:/

 

 

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

IMYDOMAIN = {
  kdc = mydomain
 auth_to_local = RULE:[1:$1@$0]
 pkinit_kdc_hostname = mydomain
 pkinit_anchors = FILE:/etc/pki/CA/certs/root.pem
 pkinit_pool = FILE:/etc/pki/CA/certs/intermediate.pem
 pkinit_eku_checking = kpServerAuth
 pkinit_cert_match = ||<EKU>msScLogin,<KU>digitalSignature
  kdc = mydc.mydomain
 }

 

 

Note that federation service is working with Windows VDA.

 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...