sssd password update not working, AD behind firewall

mickg

12/5/23, 10:54 PM

I have a centos server in a DMZ joined to my AD with sssd, minimum ports are open in the corporate firewall to allow the authentication but if the password of a user is updated on the AD, the Centos server will no update it's cache and still work with the 1st password.

I tried the cache_credential = False, it did not work, I was not able to authenticate the users anymore.

I have no "deny" in my firewall log so I am trying to find out what needs to be allowed or configured so the centos server "knows" a password has been updated.

A Windows server seems to be able to do it.

Thank you for your time.

154

0 + 5

active-directory

dmz

sssd

Greg Askew

12/6/23, 12:24 PM

I'm trying to think of a reason why a user would be changing their password in a DMZ.

mickg

12/6/23, 2:03 PM

they would not. the server is joined to the AD on the domain, the users log on the server using their domain user but the password is updated every X days on the active directory so this needs to be updated on the server in the DMZ too. I am not sure the reason matter in the question.

Greg Askew

12/6/23, 2:40 PM

Understood. I can't think of a reason that a normal replica would not have the updated information. Even if it doesn't, such as a few minutes after a password change, the normal data flow would be to forward the authentication to the PDC emulator, which always has the up to date password. Maybe this is something specific to SSSD. AD has a truckload of ports (that are well documented), and I'm pretty sure replication <> authentication ports. Also the comment about "no deny", the main job of any firewall is to deny connections unless they are covered in a rule that allows the connection.

mickg

12/6/23, 2:49 PM

I will go over the documented ports again, maybe I skipped some. I thought that I would have a denied log if something is dropped, at least the last "deny all" but I understand. I will look more into SSSD options also. Thank you

mickg

12/6/23, 7:17 PM

Well it was stupid ; I was not pointing on my DNS server so even if the required port was open, it was not configured properly. thanks

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: sssd password update not working, AD behind firewall

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.