Joining Proxmox VE host to domain using realm join

apfaffman

New Member
Jan 23, 2020
I have joined one of my Proxmox cluster nodes to my Active Directory domain, with the intention of allowing a particular group of users in Active Directory to have sudo privileges in Proxmox.

I was able to join the host to the domain and can id users:

Code:
root@prox01-node01:~# id pfaffmanadm
uid=1118231140(pfaffmanadm) gid=1118200513(domain users) groups=1118200513(domain users),1118200512(domain admins),1118232637(sudoers),1118232625(sslvpn),1118229844(squid),1118210067(linuxadmin),1118224818(kiosk)
realm list looks groovy:

Code:
root@prox01-node01:~# realm list
domain.ad
  type: kerberos
  realm-name: DOMAIN.AD
  domain-name: domain.ad
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
However, when I try to switch to my domain user from root,

Code:
root@prox01-node01:~# su pfaffmanadm
su: System error
Similarly, any attempt to ssh into the host as a domain user is rejected:

Code:
PS C:\Users\pfaffmanadm> ssh pfaffmanadm@192.168.221.1
pfaffmanadm@192.168.221.1's password:
Connection closed by 192.168.221.1 port 22
sshd_config is pretty standard and hasn't been modified. I wonder if I should also be looking at /etc/pam.d/sshd and /etc/nsswitch.conf?
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Check the journal for error messages when trying to `su` or `ssh`; googling them usually helps in hunting down issues like that.

I hope this helps!
 

apfaffman

New Member
Jan 23, 2020
Hi, Stoiko. Thanks for chiming in!

That's the thing: nothing comes up if I tail the system logs or view journalctl when I su or SSH into the host as a domain user.
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
sshd and su should log something in case of an error; that's odd.
You could try running `strace -f su pfaffmanadm`.
That might point to where it fails.
 

apfaffman

New Member
Jan 23, 2020
Very strange output, but I think there are some clues. The output of strace -f su pfaffmanadm is too long to include here, so I have attached it.

Clues look like /etc/passwd and /etc/login.defs are set to read-only, perhaps blocking the service trying to create a new login for my AD user. Could that be it?
 

Attachments

ph0x

Member
Jul 5, 2020
I'm not totally sure what the default setting with realmd is, but on my hosts I usually issue these commands right after joining:
Bash:
realm deny --all
realm permit -g 'group1' 'group2'
After that, logins (both remote and non-remote) are possible.

Why didn't you just use the ldap-plugin?
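The `realm deny --all` / `realm permit -g` pair above moves the domain from realmd's usual join default (`access_provider = ad`, which the OP's `realm list` output reports as `login-policy: allow-realm-logins`) to sssd's "simple" access provider with an allow list of groups. The script below is an added example, not code from this thread, from realmd or from sssd: it reads a constructed sssd.conf fragment and applies the rules documented in sssd-simple(5) (all lists empty means access granted; an allow list denies everyone it does not name; deny lists are evaluated after allow lists and win on a match), so you can see which accounts would pass the PAM account check before trying `su` or `ssh` on a live host. The user and group names, both config fragments and the helper names (`conf_get`, `in_list`, `simple_access`, `report`) are hypothetical; the exact lines realmd writes for `realm deny --all` are not reproduced.

```shell
#!/bin/sh
# Added example (not from the thread, realmd or sssd): decide whether an
# account would pass sssd's "simple" access provider, following sssd-simple(5).

# Constructed sssd.conf fragment resembling what realmd leaves behind after
# `realm permit -g linuxadmin sudoers`; the user/group names are made up.
SSSD_CONF="$(mktemp)"
# Constructed fragment for the state right after `realm join`, before any
# `realm permit`: realmd's usual AD default, access_provider = ad.
SSSD_CONF_JOIN="$(mktemp)"
trap 'rm -f "$SSSD_CONF" "$SSSD_CONF_JOIN"' EXIT

cat >"$SSSD_CONF" <<'EOF'
[sssd]
domains = domain.ad
config_file_version = 2
services = nss, pam

[domain/domain.ad]
id_provider = ad
ad_domain = domain.ad
krb5_realm = DOMAIN.AD
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = linuxadmin, sudoers
simple_deny_users = svc-kiosk
EOF

cat >"$SSSD_CONF_JOIN" <<'EOF'
[domain/domain.ad]
id_provider = ad
access_provider = ad
EOF

# conf_get FILE SECTION KEY: print the trimmed value of KEY inside [SECTION]
conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { insect = ($0 ~ ("^[ \t]*\\[" sect "\\][ \t]*$")); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# in_list "a, b" NAME...: succeed if any NAME appears in the comma-separated list
in_list() {
    list="$1"; shift
    [ -n "$list" ] || return 1          # an empty list never matches
    for name in "$@"; do
        printf '%s\n' "$list" | tr ',' '\n' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
            | grep -qxF -- "$name" && return 0
    done
    return 1
}

# simple_access CONF DOMAIN USER GROUP...: 0 = permitted, 1 = denied,
# 2 = not decided by the simple provider (e.g. access_provider = ad, where
# AD account state and GPO decide instead)
simple_access() {
    conf="$1"; domain="$2"; user="$3"; shift 3
    sect="domain/$domain"
    [ "$(conf_get "$conf" "$sect" access_provider)" = "simple" ] || return 2
    allow_users="$(conf_get "$conf" "$sect" simple_allow_users)"
    allow_groups="$(conf_get "$conf" "$sect" simple_allow_groups)"
    deny_users="$(conf_get "$conf" "$sect" simple_deny_users)"
    deny_groups="$(conf_get "$conf" "$sect" simple_deny_groups)"

    # An allow list, once present, denies everyone it does not name.
    if [ -n "$allow_users$allow_groups" ]; then
        in_list "$allow_users" "$user" || in_list "$allow_groups" "$@" || return 1
    fi
    # Deny lists are evaluated last and override any allow match.
    in_list "$deny_users" "$user" && return 1
    in_list "$deny_groups" "$@" && return 1
    return 0
}

# report USER GROUP...: print the decision for one account under $SSSD_CONF
report() {
    user="$1"; shift
    rc=0; simple_access "$SSSD_CONF" domain.ad "$user" "$@" || rc=$?
    case $rc in
        0) echo "$user: permitted" ;;
        1) echo "$user: denied" ;;
        *) echo "$user: not decided by the simple provider" ;;
    esac
}

# Stand-alone demo: the thread's admin (member of linuxadmin and sudoers),
# a plain "domain users" member, and a user who sits on the deny list.
report pfaffmanadm "domain users" linuxadmin sudoers
report jdoe "domain users"
report svc-kiosk linuxadmin
```

On a real host the values to compare are the `[domain/...]` section of /etc/sssd/sssd.conf and the permitted-groups line of `realm list`; access-provider decisions are recorded in sssd's own logs under /var/log/sssd once `debug_level` is raised, not by su or sshd themselves.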
 
