I have a CentOS server in a DMZ joined to my AD with sssd. The minimum ports are open in the corporate firewall to allow the authentication, but if the password of a user is updated in the AD, the CentOS server will not update its cache and still works with the first password.

I tried cache_credential = False; it did not work, I was not able to authenticate the users anymore.

I have no "deny" in my firewall log, so I am trying to find out what needs to be allowed or configured so the CentOS server "knows" a password has been updated.

A Windows server seems to be able to do it.

Thank you for your time.

mickg
  • I'm trying to think of a reason why a user would be changing their password in a DMZ. – Greg Askew Dec 06 '22 at 12:24
  • They would not. The server is joined to the AD on the domain; the users log on to the server using their domain user, but the password is updated every X days on the Active Directory, so this needs to be updated on the server in the DMZ too. I am not sure the reason matters in the question. – mickg Dec 06 '22 at 14:03
  • Understood. I can't think of a reason that a normal replica would not have the updated information. Even if it doesn't, such as a few minutes after a password change, the normal data flow would be to forward the authentication to the PDC emulator, which always has the up to date password. Maybe this is something specific to SSSD. AD has a truckload of ports (that are well documented), and I'm pretty sure replication <> authentication ports. Also the comment about "no deny", the main job of any firewall is to deny connections unless they are covered in a rule that allows the connection. – Greg Askew Dec 06 '22 at 14:40
  • I will go over the documented ports again, maybe I skipped some. I thought that I would have a denied log if something is dropped, at least the last "deny all" but I understand. I will look more into SSSD options also. Thank you – mickg Dec 06 '22 at 14:49
  • Well, it was stupid; I was not pointing at my DNS server, so even if the required port was open, it was not configured properly. Thanks – mickg Dec 06 '22 at 19:17
