Joining Proxmox VE host to domain using realm join

apfaffman

Member
Jan 23, 2020
I have joined one of my Proxmox cluster nodes to my Active Directory domain, with the intention of allowing a particular group of users in Active Directory to have sudo privileges in Proxmox.

I was able to join the host to the domain and can id users:

Code:
root@prox01-node01:~# id pfaffmanadm
uid=1118231140(pfaffmanadm) gid=1118200513(domain users) groups=1118200513(domain users),1118200512(domain admins),1118232637(sudoers),1118232625(sslvpn),1118229844(squid),1118210067(linuxadmin),1118224818(kiosk)

realm list looks groovy:

Code:
root@prox01-node01:~# realm list
domain.ad
  type: kerberos
  realm-name: DOMAIN.AD
  domain-name: domain.ad
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

However, when I try to switch to my domain user from root,

Code:
root@prox01-node01:~# su pfaffmanadm
su: System error

Similarly, any attempt to SSH into the host as a domain user is rejected:

Code:
PS C:\Users\pfaffmanadm> ssh pfaffmanadm@192.168.221.1
pfaffmanadm@192.168.221.1's password:
Connection closed by 192.168.221.1 port 22

sshd_config is pretty standard and hasn't been modified. I wonder if I should also be looking at /etc/pam.d/sshd and /etc/nsswitch.conf?
 
Check the journal for error messages when trying to `su` or `ssh` - googling them usually helps in hunting down issues like that.

I hope this helps!
 
Hi, Stoiko. Thanks for chiming in!

That's the thing, nothing comes up if I tail system logs or view journalctl if I su or SSH into the host as a domain user.
 
sshd and su should log something in case of an error - that's odd
you could try running `strace -f su pfaffmanadm`
that might point to where it fails
 
Very strange output, but I think there are some clues. The output of strace -f su pfaffmanadm is too long to include here, so I have attached it.

Clues look like /etc/passwd and /etc/login.defs are set to read-only, perhaps blocking the service trying to create a new login for my AD user. Could that be it?
 

I'm not totally sure what the default setting with realmd is but on my hosts I usually issue those commands right after joining:
Bash:
realm deny --all
realm permit -g 'group1' 'group2'
After that logins (both remote and non-remote) are possible.

Why didn't you just use the ldap-plugin?
 
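The `realm deny --all` / `realm permit -g` advice above changes realmd's login policy from "every domain account may log in" to "only listed groups may log in". The script below is an added example (not code from this thread or from realmd): it parses `realm list` and `id` output and decides whether a given user passes the policy, and flags a realm that is still wide open. All command outputs in it are constructed samples modelled on the ones posted in the thread, the group names are assumed, and the comma-separated `permitted-groups:` line is an assumption about how `realm list` prints that field.

```shell
#!/bin/sh
# Added example, not from the thread or from realmd.
# Decide from `realm list` and `id` output whether realmd's login policy
# would let a domain user in, and flag a realm that still admits everyone.

# Constructed `realm list` output: the realmd default right after joining.
REALM_OUT_BEFORE='domain.ad
  type: kerberos
  realm-name: DOMAIN.AD
  configured: kerberos-member
  client-software: sssd
  login-formats: %U
  login-policy: allow-realm-logins'

# Constructed output after `realm deny --all` alone: nobody may log in.
REALM_OUT_DENIED='domain.ad
  login-policy: deny-any-login'

# Constructed output after `realm deny --all` followed by
# `realm permit -g linuxadmin sudoers` (group names and the comma
# separated list format are assumptions).
REALM_OUT_AFTER='domain.ad
  login-policy: allow-permitted-logins
  permitted-groups: linuxadmin, sudoers'

# Same policy, but permitting a group the sample user is not in.
REALM_OUT_OTHER='domain.ad
  login-policy: allow-permitted-logins
  permitted-groups: kiosk'

# Constructed `id` output for the sample domain user.
ID_OUT='uid=1118231140(pfaffmanadm) gid=1118200513(domain users) groups=1118200513(domain users),1118200512(domain admins),1118232637(sudoers),1118210067(linuxadmin)'

# realm_field <realm-list-output> <key>: print the value of one "key: value" line.
realm_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# realm_list_values <realm-list-output> <key>: the value split on commas, one per line.
realm_list_values() {
    realm_field "$1" "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | sed '/^$/d'
}

# id_user <id-output>: the user name from the uid=NNN(name) part.
id_user() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# id_groups <id-output>: group names from the groups= part, one per line
# (names containing spaces, such as "domain users", are kept intact).
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# realm_is_wide_open <realm-list-output>: exit 0 when every domain account
# may log in, i.e. the default policy that `realm deny --all` removes.
realm_is_wide_open() {
    [ "$(realm_field "$1" login-policy)" = "allow-realm-logins" ]
}

# login_allowed <realm-list-output> <id-output>: exit 0 if the policy
# admits the user, 1 otherwise. Unknown policies fail closed.
login_allowed() {
    policy=$(realm_field "$1" login-policy)
    case "$policy" in
        allow-realm-logins) return 0 ;;
        deny-any-login) return 1 ;;
        allow-permitted-logins)
            user=$(id_user "$2")
            groups=$(id_groups "$2")
            # Explicitly permitted user?
            realm_list_values "$1" permitted-logins | grep -qxF -- "$user" && return 0
            # Member of any permitted group? (here-doc keeps the loop in this shell
            # so that `return` works)
            while read -r pg; do
                [ -n "$pg" ] && printf '%s\n' "$groups" | grep -qxF -- "$pg" && return 0
            done <<EOF
$(realm_list_values "$1" permitted-groups)
EOF
            return 1 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo over the constructed samples.
for sample in BEFORE DENIED AFTER OTHER; do
    eval "out=\$REALM_OUT_$sample"
    if login_allowed "$out" "$ID_OUT"; then verdict=allowed; else verdict=denied; fi
    printf '%-7s policy=%-23s %s\n' "$sample" "$(realm_field "$out" login-policy)" "$verdict"
done
realm_is_wide_open "$REALM_OUT_BEFORE" && printf 'BEFORE: every domain account can log in; run realm deny --all, then realm permit -g <groups>\n'
```

Run it against the real host by substituting `$(realm list)` and `$(id someuser)` for the constructed strings; if the policy is `allow-permitted-logins` and the user is in none of the permitted groups, the SSH or `su` failure is policy, not a PAM or NSS problem.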
I'm late to the party, but please check the contents of /var/log/secure or /var/log/auth.log for logs on attempted logins, etc.
 