Greetings,
I would like to enable users from multiple AD domains (inside the same forest) to login into SAS Enterprise Guide without needin to join multiple domains via realmd or adcli on RedHat 7 Linux Server. I have managed to join the Linux Server to two domains(domain1.test.net and domain2.test.net) and was able to ssh two users from both domains and also to login them vie Enteprise Guide (also defined inside Metadata Server).
When I configure inside krb5.conf both realms with the IPs of the AD KDCs I can do kinit -U user01.domain1.test.net and get a ticket (I see it with klist) without needing to join the domain. I am also using the sasauth module inside PAM. When I login via a user from the domain1.test.net (which is joined - one domain can be joined) it works, bu when I try with a user domain2.test.net (which is not joined but listed inside krb5.conf and kinit works) I cannot login into Enteprise Guide , I get access denied from enteprise guide.
Is there a way to configure a Metadata Server / Enterprise Guide to initiate a kerberos ticket and authentificate the user against the domain without domain joining (maybe only with kinit)?
Thanks in advance.
@ultimo ,
bu when I try with a user domain2.test.net (which is not joined but listed inside krb5.conf and kinit works) I cannot login into Enteprise Guide , I get access denied from enteprise guide.
First of all, I'm wondering to see what is in your /etc/pam.d/sasauth file. Also, I would like to see the output from a command shown below:
sudo grep sasauth /var/log/secure | grep -i USERNAME_FROM_SECOND_DOMAIN
Hi,
Thanks for the fast reply.
It is not much to see inside /var/log/secure. The user from the second domain(that is not joined) gets the user unknown.
When I join both of the domains via adcli and both users can login via ssh , than it works. But I do not want to join many domains. I would like to use the tickets and only the config (KDC IPs are inside) krb5.conf
sasauth: pam_sss(sasauth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=testuserdomain01
sasauth: pam_sss(sasauth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=testuserdomain01
sasauth: pam_sss(sasauth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=testuserdomain01
sasauth: pam_unix(sasauth:auth): check pass; user unknown
sasauth: pam_unix(sasauth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Is it possible to use the logins as I want it, without Domain join and only with a ticket?
Here are the examples from my pam.de and sasauth
/etc/pam.d/sasauth#
%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
And also the SAS Config FIle.
cat /opt/sas/rrm61/prog/SASFoundation/9.4/utilities/bin/sasauth.conf | grep methods
# Name: methods Authentication used.
methods=pam pw
# methods.
Thanks in advance.
@ultimo ,
The user from the second domain(that is not joined) gets the user unknown.
That error was thrown by pam_unix module, which means the user doesn't exist in /etc/passwd, which is normal. Have you seen any entries for that user from pam_sss module?
Is it possible to use the logins as I want it, without Domain join and only with a ticket?
Most likely not.
methods=pam pw
pw is not required there as you already have pam_unix module in /etc/pam.d/sasauth file
Hi Alexal,
Thanks for your fast reply.
1. In the sssd_pam.log I can see from before many sss_domain_get_state where all of my domains are listed that are trusted. I can also see some older entries in the log where the user from the domain2.test.net was searched with [cache_req_search_cache] in many domains and found inside the right one, but this was when I had two domain joins, and the user was found and the login was found.
In the latest logs I see no entries of the user with only one domain join.
Ist there some way to tell SAS Enterprise Guide to init a ticket and to authentificate it against the Kerberos KDCs listed inside krb5.conf config file. Because I can get a ticket with kinit for both of the users from both domains , that are defined inside krb5.conf
I do not have the pam_sss module config file inside /etc/pam.d , I have only the sasauth. And the logs inside /var/log/sssd/pam_sssd.log are coming from the [pam] -- debug =5 config inside sssd.conf file.
Thanks for your help. I think this should be possible. I have seen that some people have tried.
https://serverfault.com/questions/943669/sssd-authenticate-against-parent-domain
Thanks in advance.
@ultimo ,
Ist there some way to tell SAS Enterprise Guide to init a ticket and to authentificate it against the Kerberos KDCs listed inside krb5.conf config file.
If PAM_SETCREDENTIALS=TRUE isn't commented in sasauth.conf file, sasauth module will invoke a system function called pam_setcred which is responsible for Kerberos ticket generation. The important part here that before invoking pam_setcred the user account has to be found by pam_sss module (as specified in your configuration).
Hi,
Thanks for the fast reply.
I think I have changed the pam_setcredentials but it was commented at my setup. No I commented it out and restarted the sas.service (will take some time).
When you tell me that the pam_sss needs to find the user , can this module do it? Can I configure it somewhere more inside SAS config? Because the use-case that I am now trying is to use only Kerberos and tickets and no Domain Join.
I think it cannot be found, I could find the user in the log, but this was when I used domain join, or I need to use the FQDN at the login screen of the Enteprise? Can pam_sss Module find the user based only of the KDCs inside krb5.conf?
Thanks for your great help btw.
Hi Alexal,
Is it maybe possible to make tell the Enterprise Guide to use Kerberos only (krb5.conf) without sssd and domain join and also the PAM module?
Thanks in advance.
@ultimo ,
Is it maybe possible to make tell the Enterprise Guide to use Kerberos only (krb5.conf) without sssd and domain join and also the PAM module?
No.
Hi Alexal,
Sorry, but maybe I did not phrased myself good.
Is there some way to tell Enterprise Guide and Metadata Server (9.4) to use native Kerberos without needing to join multiple domains and only using krb5.conf
I have tried the login screen with IWA and Kerberos but it did not work, maybe I need some more configuration (PAM was still in my config sasauth.conf file).
I have found also this article: https://communities.sas.com/t5/Administration-and-Deployment/Kerberos-Authentication-via-SAS-EG/td-p...
Was also written from you. Can I use this way on the article, without SSSD and domain join and only native Kerberos. Could you maybe tell some more about this?
Kind regards.
@ultimo ,
Is there some way to tell Enterprise Guide and Metadata Server (9.4) to use native Kerberos without needing to join multiple domains and only using krb5.conf
You can try to configure pam_krb5 module instead of pam_sss in /etc/pam.d/sasauth, but I have doubts it will work. Anyway, your system has to be able to authenticate users from both domains, also "getent passwd USER" should return information for users from both domains.
I have tried the login screen with IWA and Kerberos but it did not work, maybe I need some more configuration
Yes, a lot more. You have to create a keytab file with correct SPN and add a few more options to the SAS configuration files.
Hi Alexal,
Thanks for your fast reply.
As for pam_krb5 did you mean that I try to use:
1. ktadd host/kbclient.example.com and then
2. authconfig --enablekrb5 --update
I have tried the kadmin but I get 'MYUSER/admin@DOMAIN1.TEST.NET' not found in kerberos database , although I can login via ssh with my domain account. Do you have some steps here for me to make the small test?
And as for the creation of a keytab file with correct SPN, I have tried this also but did not have any luck with kadmin.
Could you clarify some more steps here for me?
Thanks in advance.
The SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment.
SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.
Find more tutorials on the SAS Users YouTube channel.