<div dir="ltr">I removed the stanza, but anyway I found one problem was the DNS. I needed to setup the nameserver in resolv.conf with the ip of the ipa server. I can kinit now but ssh is still failing, connection gets closed instead of letting me in:<div><div><br></div><div>secure.log says:</div><div><br></div><div>Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek</div><div>Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.61.205.107 user=apantano@ad.tweek</div><div>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s: Can't contact LDAP server</div><div>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for apantano@ad.tweek from 10.61.205.107 port 61833 ssh2</div><div>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user apantano@ad.tweek by PAM account configuration [preauth] </div><div class="gmail_extra"><br></div><div class="gmail_extra">That's odd in so many ways, I got both a failure from pam_unix and a success from pam_sss...</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 10, 2015 at 12:50 PM, Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, 10 Jul 2015, Angelo Pantano wrote:<br> </span><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I am using sssd and from ipa clients the authentication is not working<br> (works fine if I ssh on the ipa-server). I thought it could be due to the<br> external groups being empty and not mapping the AD users.<br> <br> Anyway this is the krb5.conf on the ipa client:<br> <br> #File modified by ipa-client-install<br> <br> includedir /var/lib/sss/pubconf/krb5.include.d/<br> <br> [libdefaults]<br> default_realm = IPA.TWEEK<br> dns_lookup_realm = true<br> dns_lookup_kdc = true<br> rdns = false<br> ticket_lifetime = 24h<br> forwardable = yes<br> udp_preference_limit = 0<br> default_ccache_name = KEYRING:persistent:%{uid}<br> <br> [realms]<br> IPA.TWEEK = {<br> kdc = centos.ipa.tweek:88<br> master_kdc = centos.ipa.tweek:88<br> admin_server = centos.ipa.tweek:749<br> default_domain = ipa.tweek<br> pkinit_anchors = FILE:/etc/ipa/ca.crt<br> auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/<br> auth_to_local = DEFAULT<br> }<br> AD.TWEEK = {<br> kdc = centos.ipa.tweek:88<br> pkinit_anchors = FILE:/etc/ipa/ca.crt<br> }<br> </blockquote></div></div> Why did you override AD.TWEEK KDC to point to FreeIPA?<br> <br> Remove AD.TWEEK stanza completely. You have 'dns_lookup_realm' and<br> 'dns_lookup_kdc' to allow automatic discovery via DNS SRV records.<div class="HOEnZb"><div class="h5"><br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br> [domain_realm]<br> .ipa.tweek = IPA.TWEEK<br> ipa.tweek = IPA.TWEEK<br> .ad.tweek = AD.TWEEK<br> ad.tweek = AD.TWEEK<br> <br> <br> and this is the error I see in krb5_child.log<br> <br> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):<br> Will perform online auth<br> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]<br> (0x0400): Attempting kinit for realm [AD.TWEEK]<br> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]<br> (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in<br> Kerberos database]<br> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]<br> (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in<br> Kerberos database]<br> <br> <br> also<br> <br> # kinit freeipa@AD.TWEEK<br> kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial<br> credentials<br> <br> any idea what's the problem? It seems kerberos cannot find users in the AD<br> subdomain<br> <br> <br> this is my sssd.conf<br> <br> [domain/ipa.tweek]<br> debug_level = 6<br> cache_credentials = True<br> krb5_store_password_if_offline = True<br> ipa_domain = ipa.tweek<br> id_provider = ipa<br> auth_provider = ipa<br> ldap_tls_cacert = /etc/ipa/ca.crt<br> ipa_hostname = someaddress_here<br> chpass_provider = ipa<br> ipa_server = _srv_, centos.ipa.tweek<br> dns_discovery_domain = ipa.tweek<br> cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek<br> subdomains_provider = ipa<br> [sssd]<br> services = nss, pam, pac, ssh<br> config_file_version = 2<br> debud_level = 6<br> domains = ipa.tweek<br> <br> On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>><br> wrote:<br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Fri, 10 Jul 2015, Angelo Pantano wrote:<br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I have a freeipa server trusting an active directory domain, if I ssh to<br> the ipa server everything works, but if I try to ssh on an ipa client the<br> authentication fails.<br> <br> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:<br> <br> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND<br> <br> Also in the logs I see:<br> <br> log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name<br> ad.local (sitename NULL)<br> <br> everything else works though, I can getent users and group just fine.<br> <br> Can you please help me?<br> <br> </blockquote> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at<br> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed<br> on those platforms, SSSD is used to resolve users, not winbindd.<br> Winbindd is only used to manage forest topology.<br> <br> <br> <br> --<br> / Alexander Bokovoy<br> <br> </blockquote></blockquote> <br> </div></div><span class="HOEnZb"><font color="#888888"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> -- <br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> </blockquote> <br> <br> -- <br> / Alexander Bokovoy<br> </font></span></blockquote></div><br></div></div></div>