Joining Proxmox VE host to domain using realm join

apfaffman
Jan 23, 2020
I have joined one of my Proxmox cluster nodes to my Active Directory domain, with the intention of allowing a particular group of users in Active Directory to have sudo privileges in Proxmox.

I was able to join the host to the domain and can id users:

Code:
root@prox01-node01:~# id pfaffmanadm
uid=1118231140(pfaffmanadm) gid=1118200513(domain users) groups=1118200513(domain users),1118200512(domain admins),1118232637(sudoers),1118232625(sslvpn),1118229844(squid),1118210067(linuxadmin),1118224818(kiosk)

realm list looks groovy:

Code:
root@prox01-node01:~# realm list
domain.ad
  type: kerberos
  realm-name: DOMAIN.AD
  domain-name: domain.ad
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

However, when I try to switch to my domain user from root,

Code:
root@prox01-node01:~# su pfaffmanadm
su: System error

Similarly, any attempt to ssh into the host as a domain user is rejected:

Code:
PS C:\Users\pfaffmanadm> ssh pfaffmanadm@192.168.221.1
pfaffmanadm@192.168.221.1's password:
Connection closed by 192.168.221.1 port 22

sshd_config is pretty standard and hasn't been modified. I wonder if I should also be looking at /etc/pam.d/sshd and /etc/nsswitch.conf?
 
Check the journal for error messages when trying to `su` or `ssh` - googling them usually helps in hunting down issues like that.

I hope this helps!
 
Hi, Stoiko. Thanks for chiming in!

That's the thing, nothing comes up if I tail system logs or view journalctl if I su or SSH into the host as a domain user.
 
sshd and su should log something in case of an error - that's odd.
You could try running `strace -f su pfaffmanadm`;
that might point to where it fails.
 
Very strange output, but I think there are some clues. The output of `strace -f su pfaffmanadm` is too long to include here, so I have attached it.

Clues look like /etc/passwd and /etc/login.defs are set to read-only, perhaps blocking the service trying to create a new login for my AD user. Could that be it?
 

Attachments: strace.txt (49.6 KB)
I'm not totally sure what the default setting with realmd is, but on my hosts I usually issue these commands right after joining:
Bash:
realm deny --all
realm permit -g 'group1' 'group2'
After that logins (both remote and non-remote) are possible.

Why didn't you just use the ldap-plugin?
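The `realm deny --all` / `realm permit -g` pair above ends up as the sssd "simple" access provider in sssd.conf. The script below is an added example, not anything from this thread or from realmd itself: it parses a constructed sssd.conf sample and answers whether a given AD group is allowed to log in, treating a missing `simple_allow_groups` under `access_provider = simple` as deny-all. The sample config and group names are assumptions for illustration.

```shell
#!/bin/sh
# Audit the login policy that realm deny/permit leave in sssd.conf.
# SAMPLE_CONF is a constructed sssd.conf, not the poster's real file.
SAMPLE_CONF=$(cat <<'EOF'
[sssd]
domains = domain.ad
config_file_version = 2
services = nss, pam

[domain/domain.ad]
ad_domain = domain.ad
krb5_realm = DOMAIN.AD
id_provider = ad
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = linuxadmin, sudoers
EOF
)

# sssd_value CONF DOMAIN KEY -> prints KEY's value from the [domain/DOMAIN] section
sssd_value() {
    printf '%s\n' "$1" | awk -v sect="[domain/$2]" -v key="$3" '
        /^\[/ { insect = ($0 == sect); next }
        insect {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, n + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# allowed_by_sssd CONF DOMAIN GROUP -> exit 0 if members of GROUP may log in
allowed_by_sssd() {
    prov=$(sssd_value "$1" "$2" access_provider)
    case "$prov" in
        simple) ;;
        permit|"") return 0 ;;   # no access control at all: every domain user gets in
        *) return 1 ;;           # ad/ldap filter rules are outside this simple check
    esac
    allow=$(sssd_value "$1" "$2" simple_allow_groups)
    [ -z "$allow" ] && return 1  # realm deny --all: no groups listed means nobody logs in
    printf '%s\n' "$allow" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "$3"
}
```

Run it against the real file with `allowed_by_sssd "$(cat /etc/sssd/sssd.conf)" domain.ad linuxadmin` to confirm that only the intended admin groups can log in.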
 
I'm late to the party, but please check the contents of /var/log/secure or /var/log/auth.log for logs on attempted logins, etc.
 