<div dir="ltr">Tickets on the FreeIPA host after connecting (with a password):<div><br></div><div><div>[adm.tiemen@clients.rdmedia.com@neodymium ~]$ klist</div><div>Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1</div><div>Default principal: <a href="mailto:adm.tiemen@CLIENTS.RDMEDIA.COM">adm.tiemen@CLIENTS.RDMEDIA.COM</a></div><div><br></div><div>Valid starting Expires Service principal</div><div>05/03/2017 11:26:03 05/03/2017 21:26:03 krbtgt/<a href="mailto:CLIENTS.RDMEDIA.COM@CLIENTS.RDMEDIA.COM">CLIENTS.RDMEDIA.COM@CLIENTS.RDMEDIA.COM</a></div><div> renew until 05/04/2017 11:26:03</div><div><br></div><div><br></div><div><div><br></div><div>Tickets on the AD laptop after a connection attempt:</div><div><br></div><div><div>C:\Users\adm.tiemen.CLIENTS>klist</div><div><br></div><div>Current LogonId is 0:0x587aa</div><div><br></div><div>Cached Tickets: (2)</div><div><br></div><div>#0> Client: adm.tiemen @ <a href="http://CLIENTS.RDMEDIA.COM">CLIENTS.RDMEDIA.COM</a></div><div> Server: krbtgt/<a href="http://CLIENTS.RDMEDIA.COM">CLIENTS.RDMEDIA.COM</a> @ <a href="http://CLIENTS.RDMEDIA.COM">CLIENTS.RDMEDIA.COM</a></div><div> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96</div><div> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize</div><div> Start Time: 5/3/2017 11:12:46 (local)</div><div> End Time: 5/3/2017 21:12:46 (local)</div><div> Renew Time: 5/10/2017 11:12:46 (local)</div><div> Session Key Type: AES-256-CTS-HMAC-SHA1-96</div><div> Cache Flags: 0x1 -> PRIMARY</div><div> Kdc Called: <a href="http://vm-win-01.clients.rdmedia.com">vm-win-01.clients.rdmedia.com</a></div><div><br></div><div>#1> Client: adm.tiemen @ <a href="http://CLIENTS.RDMEDIA.COM">CLIENTS.RDMEDIA.COM</a></div><div> Server: LDAP/<a href="http://vm-win-01.clients.rdmedia.com/clients.rdmedia.com">vm-win-01.clients.rdmedia.com/clients.rdmedia.com</a> @ <a href="http://CLIENTS.RDMEDIA.COM">CLIENTS.RDMEDIA.COM</a></div><div> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96</div><div> Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize</div><div> Start Time: 5/3/2017 11:12:46 (local)</div><div> End Time: 5/3/2017 21:12:46 (local)</div><div> Renew Time: 5/10/2017 11:12:46 (local)</div><div> Session Key Type: AES-256-CTS-HMAC-SHA1-96</div><div> Cache Flags: 0</div><div> Kdc Called: <a href="http://vm-win-01.clients.rdmedia.com">vm-win-01.clients.rdmedia.com</a></div></div><div><br></div><div><br></div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 May 2017 at 19:45, Tiemen Ruiten <span dir="ltr"><<a href="mailto:t.ruiten@rdmedia.com" target="_blank">t.ruiten@rdmedia.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need for mapping. However on the AD host:<div><br></div><div><div>Microsoft Windows [Version 6.3.9600] </div><div>(c) 2013 Microsoft Corporation. All rights reserved. </div><div><br></div><div>adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>klist </div><div><br></div><div>Current LogonId is 0:0x603b58 </div><div><br></div><div>Cached Tickets: (0) </div><div><br></div><div>adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen> </div><div><br></div><div>Note that this is the domain controller and I'm logged in using the experimental Win32-OpenSSH server. Not sure if that makes a difference. I am not currently in the office, so unfortunately can't turn on the only joined laptop in this domain.</div><div><br></div><div>How can I ensure a proper ticket is generated?</div><div><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 2 May 2017 at 18:25, Sumit Bose <span dir="ltr"><<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="m_2501825138433591387m_5709593643489192265gmail-">On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:<br> > I think I just realised that my expectation may be wrong: GSSAPI login with<br> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it<br> > correct to also expect passwordless login with an AD user to a FreeIPA host?<br> <br> </span>The AD user case should work as well.<br> <br> First please send the SSSD version you use on the IPA client,<br> alternatively you can check if<br> /var/lib/sss/pubconf/krb5.incl<wbr>ude.d/localauth_plugin exists or not. This<br> would tell if SSSD can map the user name to the Kerberos principal of if<br> additional configuration is needed.<br> <br> On the AD host please check after trying to connect with ssh if there is<br> a proper service ticket for the IPA client by calling 'klist' in cmd.exe<br> or PowerShell.<br> <br> bye,<br> Sumit<br> <div><div class="m_2501825138433591387m_5709593643489192265gmail-h5"><br> ><br> > On 2 May 2017 at 17:40, Jason B. Nance <<a href="mailto:jason@tresgeek.net" target="_blank">jason@tresgeek.net</a>> wrote:<br> ><br> > > Hi Tiemen,<br> > ><br> > > To be clear, what I'm trying to do: log in from an AD account<br> > > (adm.tiemen), from an AD host (<a href="http://leon.clients.rdmedia.com" rel="noreferrer" target="_blank">leon.clients.rdmedia.com</a>) to a FreeIPA<br> > > host (<a href="http://neodymium.test.ams.i.rdmedia.com" rel="noreferrer" target="_blank">neodymium.test.ams.i.rdmedia.<wbr>com</a>) with the same AD account. I<br> > > expect to be logged in through GSSAPI, instead I get a password prompt.<br> > ><br> > > I'm assuming that you are coming from a Windows client that is domain<br> > > joined and logged into that Windows client with the same domain credentials<br> > > that you are using to connect to the IPA-joined host. Do you also have<br> > > your SSH client configured to attempt GSSAPI? It appears that you do from<br> > > the logs you provided but I'm just double-checking.<br> > ><br> > > In my setup I've found that this feature does not work all of the time.<br> > > I've not yet been able to track it down and I'm assuming it has something<br> > > to do with connections to domain controllers timing out, but at this point<br> > > that is speculation.<br> > ><br> > > So to answer your question, yes, that should work. Sorry I don't have<br> > > more information for you, I guess I'm basically "me too"ing your post.<br> > ><br> > > Regards,<br> > ><br> > > j<br> > ><br> > > Is this supposed to work? Did I miss something?<br> > ><br> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:<br> > ><br> > > May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK<br> > > May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.<br> > > May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd<br> > > = 8 config len 922<br> > > May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0<br> > > May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore<br> > > May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5<br> > > newsock 5 pipe 7 sock 8<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:<br> > > 3, 3<br> > > May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port<br> > > 53106 on 192.168.50.63 port 22<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;<br> > > client software version PuTTY_KiTTY<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode<br> > > for protocol 2.0<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: Local version string<br> > > SSH-2.0-OpenSSH_6.6.1<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing<br> > > rlimit sandbox<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:<br> > > ssh-rsa,ecdsa-sha2-nistp256,ss<wbr>h-ed25519 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 42 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 43 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 42<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 43<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> > > gss-gex-sha1-toWM5Slw5Ew8Mqkay<wbr>+al2g==,gss-group1-sha1-toWM5S<wbr>lw5Ew8Mqkay+<br> > > al2g==,gss-group14-sha1-toWM5S<wbr>lw5Ew8Mqkay+al2g==,curve<br> > > <a href="mailto:25519-sha256@libssh.org" target="_blank">25519-sha256@libssh.org</a>,ecdh-s<wbr>ha2-nistp256,ecdh-sha2-<br> > > nistp384,ecdh-sha2-nistp521,di<wbr>ffie-hellman-group-exchange-<br> > > sha256,diffie-hellman-group-ex<wbr>change-sha1,diffie-hellman-<br> > > group14-sha1,diffie-hellman-gr<wbr>oup1-sha1 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> > > ssh-rsa,ecdsa-sha2-nistp256,ss<wbr>h-ed25519 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> > > aes128-ctr,aes192-ctr,aes256-c<wbr>tr,arcfour256,arcfour128,aes1<br> > > <a href="mailto:28-gcm@openssh.com" target="_blank">28-gcm@openssh.com</a>,<a href="mailto:aes256-gcm@openssh.com" target="_blank">aes256-gcm@<wbr>openssh.com</a>,<a href="mailto:chacha20-poly1305@openssh.com" target="_blank">chacha20-poly1305@<wbr>openssh.com</a><br> > > ,aes128-cbc,3des-cbc,blowfish-<wbr>cbc,cast128-cbc,<br> </div></div>> > aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc@lysator.liu.se" target="_blank"><wbr>rijndael-cbc@lysator.liu.se</a> [preauth]<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > aes128-ctr,aes192-ctr,aes256-c<wbr>tr,arcfour256,arcfour128,aes1<br> > > <a href="mailto:28-gcm@openssh.com" target="_blank">28-gcm@openssh.com</a>,<a href="mailto:aes256-gcm@openssh.com" target="_blank">aes256-gcm@<wbr>openssh.com</a>,<a href="mailto:chacha20-poly1305@openssh.com" target="_blank">chacha20-poly1305@<wbr>openssh.com</a><br> > > ,aes128-cbc,3des-cbc,blowfish-<wbr>cbc,cast128-cbc,<br> > > aes192-cbc,aes256-cbc,arcfour,<a href="mailto:rijndael-cbc@lysator.liu.se" target="_blank"><wbr>rijndael-cbc@lysator.liu.se</a> [preauth]<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > <a href="mailto:hmac-md5-etm@openssh.com" target="_blank">hmac-md5-etm@openssh.com</a>,<a href="mailto:hmac-sha1-etm@openssh.com" target="_blank">hmac-<wbr>sha1-etm@openssh.com</a>,<a href="mailto:umac-64-etm@openssh.com" target="_blank">umac-64-e<wbr>tm@openssh.com</a><br> > > ,<a href="mailto:umac-128-etm@openssh.com" target="_blank">umac-128-etm@openssh.com</a>,<a href="mailto:hmac-sha2-256-etm@openssh.com" target="_blank">hmac<wbr>-sha2-256-etm@openssh.com</a>,hmac<wbr>-sha2-512-etm@<br> > > <a href="http://openssh.com" rel="noreferrer" target="_blank">openssh.com</a>,<a href="mailto:hmac-ripemd160-etm@openssh.com" target="_blank">hmac-ripemd160-etm<wbr>@openssh.com</a>,<a href="mailto:hmac-sha1-96-etm@openssh.com" target="_blank">hmac-sha1-96-etm@<wbr>openssh.com</a>,<br> > > <a href="mailto:hmac-md5-96-etm@openssh.com" target="_blank">hmac-md5-96-etm@openssh.com</a>,hm<wbr>ac-md5,hmac-sha1,<a href="mailto:umac-64@openssh.com" target="_blank">umac-64@opens<wbr>sh.com</a>,umac-<br> > > <a href="mailto:128@openssh.com" target="_blank">128@openssh.com</a>,hmac-sha2-256,<wbr>hmac-sha2-512,hmac-ripemd160,h<br> > > <a href="mailto:mac-ripemd160@openssh.com" target="_blank">mac-ripemd160@openssh.com</a>,hmac<wbr>-sha1-96,hmac-md5-96 [preauth]<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > <a href="mailto:hmac-md5-etm@openssh.com" target="_blank">hmac-md5-etm@openssh.com</a>,<a href="mailto:hmac-sha1-etm@openssh.com" target="_blank">hmac-<wbr>sha1-etm@openssh.com</a>,<a href="mailto:umac-64-etm@openssh.com" target="_blank">umac-64-e<wbr>tm@openssh.com</a><br> > > ,<a href="mailto:umac-128-etm@openssh.com" target="_blank">umac-128-etm@openssh.com</a>,<a href="mailto:hmac-sha2-256-etm@openssh.com" target="_blank">hmac<wbr>-sha2-256-etm@openssh.com</a>,hmac<wbr>-sha2-512-etm@<br> > > <a href="http://openssh.com" rel="noreferrer" target="_blank">openssh.com</a>,<a href="mailto:hmac-ripemd160-etm@openssh.com" target="_blank">hmac-ripemd160-etm<wbr>@openssh.com</a>,<a href="mailto:hmac-sha1-96-etm@openssh.com" target="_blank">hmac-sha1-96-etm@<wbr>openssh.com</a>,<br> > > <a href="mailto:hmac-md5-96-etm@openssh.com" target="_blank">hmac-md5-96-etm@openssh.com</a>,hm<wbr>ac-md5,hmac-sha1,<a href="mailto:umac-64@openssh.com" target="_blank">umac-64@opens<wbr>sh.com</a>,umac-<br> > > <a href="mailto:128@openssh.com" target="_blank">128@openssh.com</a>,hmac-sha2-256,<wbr>hmac-sha2-512,hmac-ripemd160,h<br> > > <a href="mailto:mac-ripemd160@openssh.com" target="_blank">mac-ripemd160@openssh.com</a>,hmac<wbr>-sha1-96,hmac-md5-96 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,<br> > > <a href="mailto:zlib@openssh.com" target="_blank">zlib@openssh.com</a> [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > <a href="mailto:zlib@openssh.com" target="_blank">zlib@openssh.com</a> [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> > > first_kex_follows 0 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> > > <a href="mailto:curve25519-sha256@libssh.org" target="_blank">curve25519-sha256@libssh.org</a>,e<wbr>cdh-sha2-nistp256,ecdh-sha2-<br> > > nistp384,ecdh-sha2-nistp521,di<wbr>ffie-hellman-group-exchange-<br> > > sha256,diffie-hellman-group-ex<wbr>change-sha1,diffie-hellman-<br> > > group14-sha1,rsa2048-sha256,rs<wbr>a1024-sha1,diffie-hellman-grou<wbr>p1-sha1<br> </span><span class="m_2501825138433591387m_5709593643489192265gmail-">> > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > ssh-ed25519,ecdsa-sha2-nistp25<wbr>6,ecdsa-sha2-nistp384,<br> > > ecdsa-sha2-nistp521,ssh-rsa,ss<wbr>h-dss [preauth]<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > aes256-ctr,aes256-cbc,<a href="mailto:rijndael-cbc@lysator.liu.se" target="_blank">rijndael<wbr>-cbc@lysator.liu.se</a>,aes192-<br> > > ctr,aes192-cbc,aes128-ctr,aes1<wbr>28-cbc,<a href="mailto:chacha20-poly1305@openssh.com" target="_blank">chacha20-poly1305@opens<wbr>sh.com</a><br> > > ,blowfish-ctr,blowfish-cbc,3de<wbr>s-ctr,3des-cbc,arcfour256,arcf<wbr>our128<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > aes256-ctr,aes256-cbc,<a href="mailto:rijndael-cbc@lysator.liu.se" target="_blank">rijndael<wbr>-cbc@lysator.liu.se</a>,aes192-<br> > > ctr,aes192-cbc,aes128-ctr,aes1<wbr>28-cbc,<a href="mailto:chacha20-poly1305@openssh.com" target="_blank">chacha20-poly1305@opens<wbr>sh.com</a><br> > > ,blowfish-ctr,blowfish-cbc,3de<wbr>s-ctr,3des-cbc,arcfour256,arcf<wbr>our128<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > hmac-sha2-256,hmac-sha1,hmac-s<wbr>ha1-96,hmac-md5,hmac-sha2-<br> > > <a href="mailto:256-etm@openssh.com" target="_blank">256-etm@openssh.com</a>,<a href="mailto:hmac-sha1-etm@openssh.com" target="_blank">hmac-sha1-<wbr>etm@openssh.com</a>,<a href="mailto:hmac-sha1-96-etm@openssh.com" target="_blank">hmac-sha1-96-e<wbr>tm@openssh.com</a><br> > > ,<a href="mailto:hmac-md5-etm@openssh.com" target="_blank">hmac-md5-etm@openssh.com</a> [preauth]<br> <span class="m_2501825138433591387m_5709593643489192265gmail-">> > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> </span>> > hmac-sha2-256,hmac-sha1,hmac-s<wbr>ha1-96,hmac-md5,hmac-sha2-<br> > > <a href="mailto:256-etm@openssh.com" target="_blank">256-etm@openssh.com</a>,<a href="mailto:hmac-sha1-etm@openssh.com" target="_blank">hmac-sha1-<wbr>etm@openssh.com</a>,<a href="mailto:hmac-sha1-96-etm@openssh.com" target="_blank">hmac-sha1-96-e<wbr>tm@openssh.com</a><br> <div class="m_2501825138433591387m_5709593643489192265gmail-HOEnZb"><div class="m_2501825138433591387m_5709593643489192265gmail-h5">> > ,<a href="mailto:hmac-md5-etm@openssh.com" target="_blank">hmac-md5-etm@openssh.com</a> [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:<br> > > first_kex_follows 0 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup<br> > > hmac-sha2-256 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server<br> > > aes256-ctr hmac-sha2-256 none [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup<br> > > hmac-sha2-256 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client<br> > > aes256-ctr hmac-sha2-256 none [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex:<br> > > <a href="mailto:curve25519-sha256@libssh.org" target="_blank">curve25519-sha256@libssh.org</a> need=32 dh_need=32 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 120 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 121 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 120<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 121<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex:<br> > > <a href="mailto:curve25519-sha256@libssh.org" target="_blank">curve25519-sha256@libssh.org</a> need=32 dh_need=32 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 120 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 121 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 120<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 121<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: expecting<br> > > SSH2_MSG_KEX_ECDH_INIT [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 6 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for<br> > > MONITOR_ANS_SIGN [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 7 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 6<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature<br> > > 0x7f7ea34ed250(83)<br> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 7<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once,<br> > > disabling now<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent<br> > > [preauth]<br> > > May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS<br> > > [preauth]<br> > > May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth]<br> > > May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received<br> > > [preauth]<br> > > May 2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user<br> > > <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a> service ssh-connection method none<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 8 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for<br> > > MONITOR_ANS_PWNAM [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 9 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 8<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address<br> > > 192.168.10.155.<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config<br> > > reprocess config len 922<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending<br> > > MONITOR_ANS_PWNAM: 1<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 9<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once,<br> > > disabling now<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:<br> > > setting up authctxt for <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a> [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 100 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 4 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 80 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try<br> > > method none [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure<br> > > partial=0 next methods="publickey,gssapi-keye<wbr>x,gssapi-with-mic,password,key<wbr>board-interactive"<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 100<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for "<br> > > <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a><wbr>"<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to<br> > > "192.168.10.155"<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh"<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once,<br> > > disabling now<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user<br> > > <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a> service ssh-connection method<br> > > gssapi-with-mic [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try<br> > > method gssapi-with-mic [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 42 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 43 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 4<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv:<br> > > service=ssh-connection, style=<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once,<br> > > disabling now<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 80<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role=<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once,<br> > > disabling now<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 42<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 43<br> > > May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for<br> > > <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a> from 192.168.10.155 port 53106 ssh2<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user<br> > > <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a> service ssh-connection method<br> > > keyboard-interactive [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try<br> > > method keyboard-interactive [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user=<br> > > <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a> devs= [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam'<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start:<br> > > devices pam [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices<br> > > <empty> [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying<br> > > authentication method 'pam' [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 104 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting<br> > > for MONITOR_ANS_PAM_INIT_CTX [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 105 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 104<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 105<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 106 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for<br> > > MONITOR_ANS_PAM_QUERY [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect<br> > > entering: type 107 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking<br> > > request 106<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering<br> > > May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv<br> > > entering, 1 messages<br> > > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1<br> > > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:<br> > > type 107<br> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query<br> > > returned 0 [preauth]<br> > > May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for<br> > > <a href="mailto:adm.tiemen@clients.rdmedia.com" target="_blank">adm.tiemen@clients.rdmedia.com</a> from 192.168.10.155 port 53106 ssh2<br> > > [preauth]<br> > ><br> > ><br> > ><br> > ><br> > ><br> > ><br> > ><br> > ><br> > > --<br> > > Tiemen Ruiten<br> > > Systems Engineer<br> > > R&D Media<br> > ><br> > > --<br> > > Manage your subscription for the Freeipa-users mailing list:<br> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman<wbr>/listinfo/freeipa-users</a><br> > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> > ><br> > ><br> > ><br> ><br> ><br> > --<br> > Tiemen Ruiten<br> > Systems Engineer<br> > R&D Media<br> <br> > --<br> > Manage your subscription for the Freeipa-users mailing list:<br> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman<wbr>/listinfo/freeipa-users</a><br> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> <br> --<br> Manage your subscription for the Freeipa-users mailing list:<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman<wbr>/listinfo/freeipa-users</a><br> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> </div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_2501825138433591387m_5709593643489192265gmail_signature"><div dir="ltr">Tiemen Ruiten<br>Systems Engineer<br>R&D Media<br></div></div> </div></div></div></div></div> </blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Tiemen Ruiten<br>Systems Engineer<br>R&D Media<br></div></div> </div>