
This is my third question regarding the ongoing problem I'm facing with "Linux to AD SSO". I've been trying to understand what the problem is and I'm still not sure I know the exact cause.

Here are my previous questions:

TargetUserName in Events display ComputerName$ for Linux Clients

How domain joined Linux clients send Security Events to the AD (KDC)

The problem in a nutshell is that I'm implementing an SSO system in our environment. It is integrated with our AD (via Kerberos/SSSD/realmd). We configured an agent (server) which reads the security events from the DC (event IDs: 4624, 4768, 4769, 4770, 4634, 4661, 4623). Then the firewall receives the user status (is the user active, logged on, logged off, etc.) from the SSO. And finally it applies the firewall rules to the user objects.

The issue we are facing is with Linux clients (Debian). The logs sent for the Linux users only show hostnames in them. Don't get me wrong: all of the event IDs mentioned above are generated on the DC (for both Linux and Windows). The only difference between Windows clients and Linux clients is that the Windows machines produce these logs with usernames and hostnames (separate logs, of course). But the Linux ones only produce the respective logs with hostnames (it shows as: machine_name$). There is one exception where Linux machines show the username in their logs, and that exception is event ID 4776. But this event is not one that's picked up by the SSO. The only other exception is the first logon event. That too shows the username once. That's it though. All the other events only show machine names in them.

Since these events do not include the usernames, the SSO can't update the user's status. After a certain number of minutes, the respective user gets dropped due to inactivity. This is because the DC events are all populated with machine names. Since the SSO saw no activity from that particular domain user for some time, it just drops it. We can't catch log off/reboot events either.

A response was given to the last question I posted regarding SSSD:

"One major difference is that in most Linux AD clients, standard communications with the LDAP directory are handled by a single service (SSSD or Winbind) which then always uses machine credentials to retrieve information..."

I suspect that our Linux clients are communicating with the AD with machine creds (via keytab). On the other hand, the user has its ticket cache under /tmp/krb5cc_xxxx_ . Are there any configuration changes I can make so that the domain user's creds (/tmp/krb5cc_xxxx_) are used for communication with the AD? When I say communication, I mean I would like those events generated on the AD side to carry the user's information.

I would like to repeat my question once more for clarification:

"**standard communications** with the LDAP directory are handled by SSSD which uses machine credentials to retrieve information" (modified a bit for clarity)

I want this "standard communication" to be done with user creds too.

If this can be accomplished I believe the SSO will be able to read the user status from the security events.

shafuq

0 Answers
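As an added illustration of the pipeline the question describes (this is example code written for this page, not the poster's agent or any SSO vendor's code), the following Python models an agent that reads DC security events, keeps only the event IDs the question lists, discards AD computer accounts (sAMAccountNames ending in `$`), and times a user out when no event is attributed to them. The event lines are constructed, not captured; the flattened `key=value` format, the host names, the IP addresses and the timestamps are assumptions. Field names `EventID`, `TargetUserName`, `IpAddress` and `Workstation` follow the Windows security event schema. The sample reproduces the symptom from the question: the Windows user keeps generating 4769/4624 events under their own name, while the Linux user appears once in 4768 (and in the ignored 4776) and everything afterwards is attributed to `DEB-01$`.

```python
import re
from collections import defaultdict

# Event IDs the question says the SSO agent consumes; 4776 is the one it ignores.
TRACKED_EVENTS = {4624, 4768, 4769, 4770, 4634, 4661, 4623}
IGNORED_EVENTS = {4776}

# Constructed sample (assumption): a flattened one-event-per-line rendering of a
# DC security log with only the fields this example needs. Not real data.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=alice IpAddress=10.0.0.21 Time=100
EventID=4769 TargetUserName=alice IpAddress=10.0.0.21 Time=101
EventID=4624 TargetUserName=alice Workstation=WIN-PC1 Time=102
EventID=4624 TargetUserName=WIN-PC1$ Workstation=WIN-PC1 Time=103
EventID=4769 TargetUserName=alice IpAddress=10.0.0.21 Time=400
EventID=4768 TargetUserName=bob IpAddress=10.0.0.31 Time=100
EventID=4776 TargetUserName=bob Workstation=DEB-01 Time=100
EventID=4769 TargetUserName=DEB-01$ IpAddress=10.0.0.31 Time=101
EventID=4624 TargetUserName=DEB-01$ Workstation=DEB-01 Time=102
EventID=4769 TargetUserName=DEB-01$ IpAddress=10.0.0.31 Time=400
EventID=4769 TargetUserName=DEB-01$ IpAddress=10.0.0.31 Time=700
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one flattened event line into a dict; EventID and Time become ints."""
    fields = dict(FIELD_RE.findall(line))
    fields["EventID"] = int(fields["EventID"])
    fields["Time"] = int(fields["Time"])
    return fields


def iter_events(log):
    """Yield parsed events, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            yield parse_event(line)


def is_machine_account(name):
    """AD computer accounts have a sAMAccountName of the form HOST$."""
    return name.endswith("$")


def events_by_principal(log):
    """Count tracked events per TargetUserName, machine accounts included.

    This shows what the DC actually attributes to each account: the Linux
    host's activity lands on DEB-01$, not on the user who is logged in there.
    """
    counts = defaultdict(int)
    for ev in iter_events(log):
        if ev["EventID"] in TRACKED_EVENTS:
            counts[ev["TargetUserName"]] += 1
    return dict(counts)


def last_user_activity(log):
    """Latest tracked-event timestamp per human user.

    Machine accounts are dropped because a HOST$ principal cannot be mapped to
    a firewall user object, and 4776 is dropped because the agent does not read it.
    """
    last = {}
    for ev in iter_events(log):
        if ev["EventID"] not in TRACKED_EVENTS:
            continue
        user = ev["TargetUserName"]
        if is_machine_account(user):
            continue
        last[user] = max(last.get(user, 0), ev["Time"])
    return last


def user_status(log, now, idle_timeout):
    """'active' if the user produced a tracked event within idle_timeout of now,
    otherwise 'dropped' (the inactivity expiry the question describes)."""
    return {
        user: ("active" if now - seen <= idle_timeout else "dropped")
        for user, seen in last_user_activity(log).items()
    }


if __name__ == "__main__":
    print(events_by_principal(SAMPLE_LOG))
    print(user_status(SAMPLE_LOG, now=700, idle_timeout=300))
```

Running it with `now=700` and a 300-second idle timeout reports `alice` as active and `bob` as dropped, even though `DEB-01$` (bob's host) has a tracked event at time 700: the activity exists in the log, it is just not attributed to the user. That is the gap the question is asking SSSD to close, and no amount of tuning on the agent side fixes it without a way to tie `DEB-01$` back to `bob`.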