I'm running a server with CentOS 7.4.1708 and all patches applied. sssd is version 1.15.2.

I have a working sssd setup which enables me to sign in using SSH public keys stored in Active Directory.

The config

The instance is successfully joined and this is my /etc/sssd/sssd.conf:

[sssd]
domains = EXAMPLE.COM
default_domain_suffix = EXAMPLE.COM
config_file_version = 2
debug_level = 7
services = nss, pam, ssh

[domain/EXAMPLE.COM]
ad_domain = EXAMPLE.COM
debug_level = 7
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ldap_user_ssh_public_key = sshPublicKey
ad_access_filter = DOM:EXAMPLE.COM:(memberOf:1.2.840.113556.1.4.1941:=CN=ACL_DEV_APAC_developers,OU=ACL,OU=Group,OU=EXAMPLE,DC=EXAMPLE,DC=COM)

[ssh]
debug_level = 7

[nss]
debug_level = 7

My /etc/ssh/sshd_config includes

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

The problem

User are able to log in only once during cache lifetime (by default 90 minutes), otherwise they are denied access. See the log at https://pastebin.com/Jqc52MWH. For logs with debug_level = 9 see https://pastebin.com/0uQ8MCuS

Running sss_ssh_authorizedkeys myadmin works perfectly when run with a clean/timed-out cache (even multiple times in a row). When I log in via ssh and try to run it directly after then nothing is returned for the user logged in but I can query a (new/fresh) user right away.

The workaround

adding entry_cache_user_timeout = 5 to [domain/EXAMPLE.COM] in /etc/sssd/sssd.conf enables a login every 5 seconds. Faster logins are not possible. A lower timeout lengthens the login time.

Solution

Anyone a solution to this problem?

I started to expriement with smart card based login. So far I can logon to my local PC using my smart card.

What doesn't work is using sso when connecting via RDP to another server. I get the error message "Der Anmeldeversuch ist fehlgeschlagen" (translates to: "The logon attempt failed"). The security eventlog of the server does not show anything related.

When using my password for logon sso works.

Am I missing somenthing for sso to work with a smartcard based logon? If I understood correctly, I should be able to use sso in combination with a smart card.

Environment is Exchange 2010 SP3 running on Sever 2008 R2 with the latest rollup 4 installed. Exchange 2003 is gone.

The Problem

When mail-disabling a public folder the public folder object is not deleted below CN=Microsoft Exchange System Objects,DC=Domain (MESO). This means the email address is still in use and cannot be bound to another public folder. When re-mail-enabling the public folder a second object is created below MESO pointing to the same public folder.

Creating a new folder, mail-enabling it changing permissions for the public folder below MESO so that "Domain\Exchange Servers" have full-control and mail-disabling it again works. The public folder below MESO disappears and the email address is available again.

Checked so far

In the permissions tab for MESO "Domain\Exchange Servers" have a deny delete tree. According to this Technet article in the prepare Domain section that is perfectly fine... What I don't get is, why is the Group denied to delete the tree and in the next line is allowed to delete the tree.

What needs to be done, that Exchange 2010 properly mail-disables a public folder i.e. deleting it below MESO?

Update

I opened a call with MS. Will update here, when we have a solution.

I'm using Windows 7 and the Servers are Windows 2008 R2. So far there are at least 4 Servers that show this behavior.

Sometimes I get a warning when trying to connect via RDP stating the certificate name is wrong. When I reboot the server this warning disappears. After a reboot or maybe 2 or 3 the warning shows again. I always connect using the hostname only.

When the warning is shown, single sign-on does not work anymore. The certificate might be self signed or from our internal pki. The only difference is an additional "publisher not trusted" warning when the cert is self signed.

When I use the fqdn, I pass the certificate check but Kerberos SSO does still not work.

What is wrong? How can I fix this? How do I debug this to get more information? What changes after a reboot, so it works again?

We are running an enterprise CA on Windows 2008R2. I just did an update to windows 7 on my workstation. Now every time I connect to a remote server using rdp I get a warning stating that the servername is wrong. This is because I use just the hostname for connecting and the cert is created using the fqdn.

The certificates on the servers have been created using autoenrollment with a template based on the computer template.

Is there a way to automatically include the hostname as a subject alternate name (san) and still use autoenrollment? I would like the autoenrolled certificates to have server and server.domain.local as a valid name.

We have a openssl offline root CA with a Windows 2008 R2 AD-integrated SubCA.

The Openssl Root CA was published to ldap CN=ROOTCANAME,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN using certutil -dspublish -f root.cer RootCA

Everything works ok, except for one thing. So far two clients (both XP) showed up which did not import the Root CA Cert to the trusted enterprise root certificate authorities store.

On my working workstation, I get the following output:

C:\>certutil -store -enterprise root
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
================ Certificate 0 ================
Serial Number: f818516373f917e8
Issuer: E=hostmaster@DOMAIN, CN=ROOTCA, O=Organisation, L=Location, S=State, C=DE
Subject: E=hostmaster@DOMAIN, CN=ROOTCA, O=Organisation, L=Location, S=State, C=DE
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): a6 ed 80 59 04 80 c7 1f 4e cb aa e1 8d e7 77 4a 2a 98 43 97
No key provider information
No stored keyset property
CertUtil: -store command completed successfully.

On a workstation which does not import the root CA cert. The output is:

C:\>certutil -store -enterprise root
CertUtil: -store command completed successfully.

Even after importing the certificate manually. This particular machine was even rejoined to the domain. To no avail.

Questions now are:

• where to look for errors or debugging information?
• how to identify machines with this problem?
• how to manually trigger the import of ldap certificates?
• Is this the right approach to distribute the root ca cert? I prefer to not use a group policy for simple distribution but on the other side can not find much information regarding the ldap distribution process.

last Saturday we promoted a new virtual 2008R2 server as dc and transferred all FSMO roles to it. Today we spend all day chasing down a problem with the domain browser function.

First some background:

• We have a WAN with about 30 sites/subnets. Most sites have a DC running either 2000 or 2003. On the main site we had two 2000 (ntads01, ntads02) and one 2003 (ntads03) DCs before installing the 2008R2 (ntads04).
• A 2003 Server was never owner of the FSMO roles. The Roles were transferred from ntads01 to ntads04 directly.
• The IP of the old primary DC (ntads01) was changed and ntads04 got assigned to it. All DCs are still up and running.
• WINS was installed on all three DCs on the main site. The two 2000 DCs were listed as WINS servers in DHCP.

Problem information

Problem this morning was, that net send between xp machines quit working. We started to investigate.

In the event-log on ntads04 we have the messages, that the DCs on the other site get detected as master browsers and the local master browser is shutdown or an election is forced. (Message is in German sorry). The event-log xml is as follows.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="bowser" /> 
    <EventID Qualifiers="49152">8003</EventID> 
    <Level>2</Level> 
    <Task>0</Task> 
    <Keywords>0x80000000000000</Keywords> 
    <TimeCreated SystemTime="2011-12-06T16:46:16.873033800Z" /> 
    <EventRecordID>19226</EventRecordID> 
    <Channel>System</Channel> 
    <Computer>ntads04.domain.local</Computer> 
    <Security /> 
  </System>
  <EventData>
    <Data>\Device\LanmanDatagramReceiver</Data> 
    <Data>NTFIL_BIET03</Data> 
    <Data>NetBT_Tcpip_{53FF57AE-2EC4-44D7-B96F-0A9F89AD9909}</Data> 
    <Binary>000000000300320000000000431F00C00000000000000000B1010000000000000000000000000000</Binary> 
  </EventData>
</Event>

This morning we had some 8021 browser events on ntads01, ntads02 and ntads03 stating that the server list could not be retrieved from ntads04. After browser eventid 8032 they disappeared even so I restarted the computer browser service on ntads01 and ntads03.

WINS on the for DCs on the main site does have a different number of entries per server. On ntads04 we have WINS eventids (all translated):

• 4342 WINS could not read Cachesizeparamter "minimum". Standard is used
• 4325 WINS could not get the Initial-Challenge-Retry-Intervall from registry
• 4326 WINS could not get the maximal Count of Challenge-Retries from the registry

Steps taken so far:

• Activated Computer Browser on ntads04 (solved only some sites in network neighborhood)
• Disabled WINS on ntads01 and ntads02, re-installed on ntads04 and after first sync cleared database on ntads03 which seemed to solve some replication problems
• Analyzed old event-logs of ntads01. It had the MRxSmb 8003 once a day per site, we now have it every 12 minutes.

• Ran Wireshark on ntads04 (lots of browser elections and no domain master announcement)

  .... .... .... .... .... .... .... ...1 = Workstation: This is a Workstation
  .... .... .... .... .... .... .... ..1. = Server: This is a Server
  .... .... .... .... .... .... .... .0.. = SQL: This is NOT an SQL server
  .... .... .... .... .... .... .... 1... = Domain Controller: This is a Domain Controller
  .... .... .... .... .... .... ...0 .... = Backup Controller: This is NOT a Backup Controller
  .... .... .... .... .... .... ..1. .... = Time Source: This is a Time Source
  .... .... .... .... .... .... .0.. .... = Apple: This is NOT an Apple host
  .... .... .... .... .... .... 0... .... = Novell: This is NOT a Novell server
  .... .... .... .... .... ...0 .... .... = Member: This is NOT a Domain Member server
  .... .... .... .... .... ..0. .... .... = Print: This is NOT a Print Queue server
  .... .... .... .... .... .0.. .... .... = Dialin: This is NOT a Dialin server
  .... .... .... .... .... 0... .... .... = Xenix: This is NOT a Xenix server
  .... .... .... .... ...1 .... .... .... = NT Workstation: This is an NT Workstation
  .... .... .... .... ..0. .... .... .... = WfW: This is NOT a WfW host
  .... .... .... .... 0... .... .... .... = NT Server: This is NOT an NT Server
  .... .... .... ...0 .... .... .... .... = Potential Browser: This is NOT a Potential Browser
  .... .... .... ..0. .... .... .... .... = Backup Browser: This is NOT a Backup Browser
  .... .... .... .1.. .... .... .... .... = Master Browser: This is a Master Browser
  .... .... .... 0... .... .... .... .... = Domain Master Browser: This is NOT a Domain Master Browser
  .... .... ...0 .... .... .... .... .... = OSF: This is NOT an OSF host
  .... .... ..0. .... .... .... .... .... = VMS: This is NOT a VMS host
  .... .... .0.. .... .... .... .... .... = Windows 95+: This is NOT a Windows 95 or above host
  .... .... 1... .... .... .... .... .... = DFS: This is a DFS server
  .0.. .... .... .... .... .... .... .... = Local: This is NOT a local list only request
  0... .... .... .... .... .... .... .... = Domain Enum: This is NOT a Domain Enum request
  

• Set the IsDomainMaster key on ntads04 and restarted computer browser (no change)

• checked with browstat who is master browser (seems to be ok, nothing strange seen), but not sure about browstat sta:

  C:\temp>browstat sta
  
  Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{08C65950-9A5B-4E16-8CD8-F2890F7E81C7}
      Browsing is active on domain.
      Master browser name is: NTADS04
          Master browser is running build 7601
      3 backup servers retrieved from master NTADS04
          \\NTADS03
          \\NTADS01
          \\NTADS04
      Unable to retrieve server list from NTADS04: 64
  

Questions open

• Why is the interval of the master browser events so much higher than before? Can we get rid of this event completely? And is it true that ntads04 does not promote itself as Domain Master Browser? (See Edit 2)
• Why did net send stop working? (See Edit 1)
• Is WINS all right? I.e. is it normal that of two wins server one has about 200 extra entries (total 4000) even after a couple of hours? (They have the same intervals setup)

Thanks for helping, I hope all the relevant information is included.

Edit 1:

The net send problem is solved. During the update gpos were cleaned up, which involved deleting all service configurations from the domain default gpo. This in turn made the Messenger service revert to its default (deactivated). Made a new gpo which made it autostart again. fixed

Edit 2:

The problem with the interval of the master browser events is fixed to. We got rid of them alltogether. Problem was the DHCP helper of the cisco routers. The did not only forward dhcp and bootp but also a lot of other protocolls in the default config. See http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1108053 for details.