
sssd password update not working, AD behind firewall


I have a CentOS server in a DMZ joined to my AD with sssd. The minimum ports are open in the corporate firewall to allow the authentication, but if the password of a user is updated in the AD, the CentOS server will not update its cache and still works with the first password.

I tried cache_credential = False; it did not work, I was not able to authenticate the users anymore.

I have no "deny" in my firewall log, so I am trying to find out what needs to be allowed or configured so the CentOS server "knows" a password has been updated.

A Windows server seems to be able to do it.

Thank you for your time.

I'm trying to think of a reason why a user would be changing their password in a DMZ.
They would not. The server is joined to the AD domain; the users log on to the server using their domain user, but the password is updated every X days in the Active Directory, so this needs to be updated on the server in the DMZ too. I am not sure the reason matters in the question.
Understood. I can't think of a reason that a normal replica would not have the updated information. Even if it doesn't, such as a few minutes after a password change, the normal data flow would be to forward the authentication to the PDC emulator, which always has the up to date password. Maybe this is something specific to SSSD. AD has a truckload of ports (that are well documented), and I'm pretty sure replication <> authentication ports. Also the comment about "no deny", the main job of any firewall is to deny connections unless they are covered in a rule that allows the connection.
I will go over the documented ports again, maybe I skipped some. I thought that I would have a denied log entry if something is dropped, at least from the last "deny all", but I understand. I will look more into SSSD options also. Thank you.

Well, it was stupid; I was not pointing at my DNS server, so even if the required port was open, it was not configured properly. Thanks.
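An added example, not part of the original thread: a small Python audit of an sssd.conf that reports the settings deciding how long a password changed in AD can still be accepted from the local cache, and whether DC discovery depends on DNS (the resolver misconfiguration that turned out to be the cause above). The option names are real sssd options; the sample config and the domain example.test are constructed.

```python
import configparser
from typing import Dict, List

# Constructed sample sssd.conf for the demonstration; not taken from the thread.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.test
services = nss, pam

[pam]
offline_credentials_expiration = 0

[domain/example.test]
id_provider = ad
auth_provider = ad
ad_domain = example.test
cache_credentials = True
cached_auth_timeout = 3600
"""


def audit_sssd_conf(text: str) -> Dict[str, List[str]]:
    """Parse an sssd.conf and list, per domain, the settings that decide how long
    a password changed in AD can still be accepted from the local cache."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        notes: List[str] = []
        if dom.getboolean("cache_credentials", fallback=False):
            notes.append("cache_credentials: last password that authenticated online "
                         "keeps working while the DC is unreachable")
            # Default 0 means: ask the DC on every login while online.
            timeout = dom.getint("cached_auth_timeout", fallback=0)
            if timeout > 0:
                notes.append(f"cached_auth_timeout={timeout}: old password accepted "
                             f"for up to {timeout}s even while the DC is reachable")
        if "ad_server" not in dom:
            notes.append("ad_server unset: DCs are found through DNS SRV lookups, so "
                         "the host must use the AD DNS servers")
        findings[section] = notes
    # Days until cached credentials expire while offline; 0 means never.
    if cp.has_section("pam") and cp["pam"].getint("offline_credentials_expiration", fallback=0) == 0:
        findings["pam"] = ["offline_credentials_expiration=0: cached passwords never expire"]
    return findings


if __name__ == "__main__":
    for section, notes in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        for note in notes:
            print(f"{section}: {note}")
```

Run it against /etc/sssd/sssd.conf on the DMZ host to see at a glance whether a stale password can survive a DC outage and whether DC lookup relies on the host's resolver.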