Andyve_
Enthusiast

Ubuntu 16.04.3 Realm permit and SSO issues


Hi.

I'm trying to deploy Ubuntu 16.04.3 LTS (Gnome Flashback Metacity) VDIs for the first time in Horizon 7.3.1, in a fully automated desktop pool, using a run-once script to join the domain with SSSD.

In the run-once script I have done the following:

echo 'password' | /usr/sbin/realm join --user=serviceusername my.domain.com --computer-ou=OU=....... info removed.....

/usr/sbin/realm deny -R my.domain.com -a

/usr/sbin/realm permit -R my.domain.com -g "active directory group"

But when the VM is created I must log in with the template user and run this command again for login to work:

/usr/sbin/realm permit -R my.domain.com -g "active directory group"

If I do a realm list command before running this, the AD group is already listed under permitted-groups.

-------------------------------

When it comes to SSO:

I get vmware-sso in the logon screen and then it fails with "Invalid password, please try again"

Any help would be appreciated.


Accepted Solutions
Andyve_
Enthusiast

Problem solved with a 5 sec sleep between commands.

3 Replies
txiong
VMware Employee

Hello Andyve,

Some questions for the issue:

1. If you manually clone a VM from the template VM and manually run your script as root, does domain user authentication work after that?

2. Would you please add some lines in your script to write the execution to a log file so that we can check if the script was executed successfully?

Tiddy

Andyve_
Enthusiast

When I run my script the log says it has run, and I see the results in the sssd.conf file.

But I'm not able to log in with a domain account. I have to log in with the template user and run this command again:

/usr/sbin/realm permit -R my.domain.com -g ADgroupName

Then it works?

This is what the sssd.conf file looks like after deployment (it gets created when I do realm join):

[sssd]
domains = my.domain.com
default_domain_suffix = MY.DOMAIN.COM
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = ADgroupName

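The run-once join script from the first post, rewritten as an added example (this is not the poster's script or anything shipped by VMware or realmd): it keeps the accepted fix of pausing between the realm calls, writes the log file txiong asked for, retries realm permit instead of running it once, reads the join password from a root-only file rather than an echo on the command line, and finishes by checking that the group really landed in simple_allow_groups of /etc/sssd/sssd.conf. The variables REALM, GROUP, COMPUTER_OU (a placeholder OU), SERVICE_USER, PASSWORD_FILE, PAUSE, RETRIES and the RUN_REALM_JOIN guard are assumptions of the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not the poster's script. Run-once domain join with a pause between
# realm calls, a log file, a retry around "realm permit" and a verification step.
# Assumed (not from the thread): every variable below and the RUN_REALM_JOIN guard.
REALM=${REALM:-my.domain.com}
GROUP=${GROUP:-ADgroupName}
COMPUTER_OU=${COMPUTER_OU:-"OU=placeholder,DC=my,DC=domain,DC=com"}   # placeholder OU
SERVICE_USER=${SERVICE_USER:-serviceusername}
PASSWORD_FILE=${PASSWORD_FILE:-/root/.realm-join-password}   # root-only file, not echo 'password'
LOG=${LOG:-/var/log/realm-join.log}
PAUSE=${PAUSE:-5}        # seconds to wait between realm calls (the accepted fix in this thread)
RETRIES=${RETRIES:-5}

log() { printf '%s %s\n' "$(date -u +%FT%TZ)" "$*" >>"$LOG"; }

# Succeed if group "$1" is listed in simple_allow_groups of the sssd.conf read on stdin.
# Groups are comma separated; surrounding whitespace is ignored.
group_permitted_in_conf() {
    grep -E '^[[:space:]]*simple_allow_groups[[:space:]]*=' \
    | tr ',' '\n' \
    | sed 's/^[^=]*=//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -Fxq -- "$1"
}

# Run "$@" up to RETRIES times, sleeping PAUSE seconds after each failure.
retry() {
    _n=0
    while [ "$_n" -lt "$RETRIES" ]; do
        if "$@"; then
            return 0
        fi
        _n=$((_n + 1))
        log "attempt $_n/$RETRIES failed: $*"
        sleep "$PAUSE"
    done
    return 1
}

join_domain() {
    log "joining $REALM as $SERVICE_USER"
    # realm reads the password from stdin when stdin is not a terminal
    if ! /usr/sbin/realm join --user="$SERVICE_USER" --computer-ou="$COMPUTER_OU" "$REALM" <"$PASSWORD_FILE"; then
        log "realm join failed"
        return 1
    fi
    sleep "$PAUSE"       # let realmd/sssd settle before touching the access policy
    /usr/sbin/realm deny -R "$REALM" -a || log "realm deny returned $?"
    sleep "$PAUSE"
    retry /usr/sbin/realm permit -R "$REALM" -g "$GROUP" || { log "realm permit failed"; return 1; }
    if group_permitted_in_conf "$GROUP" </etc/sssd/sssd.conf; then
        log "permit verified in /etc/sssd/sssd.conf"
    else
        log "group $GROUP not found in simple_allow_groups"
        return 1
    fi
}

# Only run the join when explicitly asked, so the functions can be sourced and checked.
if [ "${RUN_REALM_JOIN:-0}" = 1 ]; then
    join_domain
fi
```

Run it from the run-once hook as `RUN_REALM_JOIN=1 PASSWORD_FILE=/root/.realm-join-password sh join.sh` and read the log afterwards; a deployment that still needs a manual realm permit will show the failed attempts and the missing-group line instead of silently passing.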