[Freeipa-devel] pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser at corp.addomain.com

rajat gupta rajat.linux at gmail.com
Tue Aug 16 12:28:50 UTC 2016


Hi,


I have set up an IPA-AD trust between the IPA and AD servers, but the trust is always showing
offline. We are still able to get the AD user information and to
get a KRB ticket.



# wbinfo --online-status
BUILTIN : online
IPA : online
*CORP : offline*


# id aduser@CORP.ADDOMAIN.COM
uid=1007656917(aduser@corp.addomain.com) gid=1007656917(aduser@corp.addomain.com) groups=1007656917(aduser@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-read@corp.addomain.com),1007600513(domain users@corp.addomain.com)


[root@ilt-gif-ipa01 ~]# kinit aduser@CORP.ADDOMAIN.COM
Password for aduser@CORP.ADDOMAIN.COM:
[root@ilt-gif-ipa01 ~]#
[root@ilt-gif-ipa01 ~]#
[root@ilt-gif-ipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: aduser@CORP.ADDOMAIN.COM

Valid starting       Expires              Service principal
08/11/2016 13:11:35  08/11/2016 23:11:35  krbtgt/CORP.ADDOMAIN.COM@CORP.ADDOMAIN.COM
        renew until 08/12/2016 13:11:29
[root@ilt-gif-ipa01 ~]#



From the IPA client server we are able to get everything (KRB ticket/
user/groups):

[root@ilt-gif-ipa02 ~]# getent passwd aduser@CORP.addomain.COM
aduser@corp.addomain.com:*:1007656917:1007656917:USER  NAME:/home/corp.addomain.com/aduser:
[root@ilt-gif-ipa02 ~]#


[root@ilt-gif-ipa02 ~]# getent group aduser@CORP.addomain.COM
aduser@corp.addomain.com:*:1007656917:
[root@ilt-gif-ipa02 ~]#


[root@ilt-gif-ipa02 ~]# id aduser@CORP.addomain.COM
uid=1007656917(aduser@corp.addomain.com) gid=1007656917(aduser@corp.addomain.com) groups=1007656917(aduser@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-read@corp.addomain.com),1007600513(domain users@corp.addomain.com),1007725088(tfs_users@corp.addomain.com)


Also we are able to ssh to the IPA client on the same machine or from some other
machine with GSS authentication, but using password authentication the
login fails.

*ERROR: pam_sss(sshd:auth): authentication failure; logname*


kinit aduser@CORP.ADDOMAIN.COM
Password for aduser@CORP.ADDOMAIN.COM:



[root@ilt-gif-ipa02 ~]# ssh -vl aduser@corp.addomain.com ilt-gif-ipa02.ipa.preprod.local
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ilt-gif-ipa02.ipa.preprod.local
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA f0:e6:b2:66:c8:41:06:4e:83:a4:a2:c5:5a:57:24:66
debug1: Host 'ilt-gif-ipa02.ipa.preprod.local' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
*debug1: Authentication succeeded (gssapi-with-mic).*
Authenticated to ilt-gif-ipa02.ipa.preprod.local (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Aug 11 13:17:05 2016 from ilt-gif-ipa02.ipa.preprod.local

RHN kickstart on 2014-10-16

-sh-4.2$ pwd
/home/corp.addomain.com/aduser
-sh-4.2$ who am i
aduser@corp.addomain.com pts/3        2016-08-11 13:19 (ilt-gif-ipa02.ipa.preprod.local)
-sh-4.2$



]# ssh aduser@corp.addomain.com@ilt-gif-ipa02.ipa.preprod.local
e600336@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
Permission denied, please try again.
e600336@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:


Can you please help me? I am not able to log in with AD user
password authentication.



/Rajat Gupta
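The `pam_sss(sshd:auth): authentication failure` line in the subject says only that the password path was rejected, not why, and the post shows that GSSAPI login for the same user works. As an added example that is not part of the original post and not code from FreeIPA or SSSD, the Python script below triages this situation offline from two constructed inputs: a copy of the `wbinfo --online-status` text shown above, and a few /var/log/secure-style lines in the formats sshd and pam_sss use. The timestamps, PIDs, IP addresses and the `received for user ...: 4 (System error)` line are assumptions; the post does not show them. The script separates users for whom GSSAPI succeeded but the password path failed (the post's case) from ordinary credential failures, and decodes the PAM return code pam_sss reported.

```python
"""Triage pam_sss(sshd:auth) failures for AD-trust users on an IPA host.

Added example, not code from the original post or from FreeIPA/SSSD.
Runs offline on two constructed inputs: the `wbinfo --online-status`
text from the post and a few /var/log/secure-style lines.
"""
import re
from collections import defaultdict

# Constructed: mirrors the wbinfo output in the post.
WBINFO_OUTPUT = """\
BUILTIN : online
IPA : online
CORP : offline
"""

# Constructed /var/log/secure excerpt.  Host names follow the post; the
# timestamps, PIDs, IPs and the "received for user ...: 4" line are
# assumptions, the post does not show them.
SECURE_LOG = """\
Aug 11 13:19:01 ilt-gif-ipa02 sshd[4101]: Accepted gssapi-with-mic for aduser@corp.addomain.com from 10.10.1.12 port 50112 ssh2
Aug 11 13:21:44 ilt-gif-ipa02 sshd[4130]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser@corp.addomain.com
Aug 11 13:21:44 ilt-gif-ipa02 sshd[4130]: pam_sss(sshd:auth): received for user aduser@corp.addomain.com: 4 (System error)
Aug 11 13:21:46 ilt-gif-ipa02 sshd[4130]: Failed password for aduser@corp.addomain.com from 10.10.1.11 port 50120 ssh2
Aug 11 13:30:02 ilt-gif-ipa02 sshd[4177]: Accepted password for admin from 10.10.1.20 port 50200 ssh2
"""

# PAM return codes pam_sss reports in its "received for user" line
# (numeric values from Linux-PAM's <security/_pam_types.h>).
PAM_CODES = {
    4: "PAM_SYSTEM_ERR: SSSD/backend error, not a rejected password",
    7: "PAM_AUTH_ERR: credentials rejected",
    9: "PAM_AUTHINFO_UNAVAIL: SSSD could not reach its auth backend",
    10: "PAM_USER_UNKNOWN: user not resolvable",
}

FAIL_RE = re.compile(
    r"pam_sss\(sshd:auth\): authentication failure;.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
CODE_RE = re.compile(
    r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+)")
ACCEPT_RE = re.compile(r"Accepted (?P<method>[\w-]+) for (?P<user>\S+) from ")


def parse_online_status(text):
    """Map each winbind domain name to 'online' or 'offline'."""
    status = {}
    for line in text.splitlines():
        if " : " in line:
            name, state = line.split(" : ", 1)
            status[name.strip()] = state.strip().lower()
    return status


def domain_of(user):
    """'aduser@corp.addomain.com' -> 'CORP'.  Assumes the NetBIOS name is
    the first DNS label upper-cased, which holds for the post's domain."""
    if "@" not in user:
        return None
    return user.split("@", 1)[1].split(".")[0].upper()


def triage(secure_log, wbinfo_text):
    """Per user: failure count, pam codes, accepted methods, rhosts, verdict."""
    status = parse_online_status(wbinfo_text)
    users = defaultdict(lambda: {"failures": 0, "pam_codes": [],
                                 "accepted": set(), "rhosts": set()})
    for line in secure_log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            users[m["user"]]["failures"] += 1
            users[m["user"]]["rhosts"].add(m["rhost"])
            continue
        m = CODE_RE.search(line)
        if m:
            users[m["user"]]["pam_codes"].append(int(m["code"]))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            users[m["user"]]["accepted"].add(m["method"])

    for user, info in users.items():
        dom = domain_of(user)
        info["domain"] = dom
        info["domain_online"] = status.get(dom) if dom else None
        if info["failures"] and "gssapi-with-mic" in info["accepted"]:
            # The post's situation: the user already obtained a TGT with the
            # same password, so the PAM password path (SSSD's auth backend)
            # is what is broken, not the credentials.
            info["verdict"] = "password path broken, GSSAPI works"
        elif info["failures"]:
            info["verdict"] = "only failures logged"
        else:
            info["verdict"] = "no pam_sss failures"
        info["accepted"] = sorted(info["accepted"])
        info["rhosts"] = sorted(info["rhosts"])
    return dict(users)


if __name__ == "__main__":
    for user, info in triage(SECURE_LOG, WBINFO_OUTPUT).items():
        where = f"; winbind: {info['domain']} {info['domain_online']}" if info["domain"] else ""
        print(f"{user}: {info['verdict']}{where}")
        for code in info["pam_codes"]:
            print(f"  pam_sss returned {code}: {PAM_CODES.get(code, 'unknown')}")
```

On a real host, replace the two constants with the live `wbinfo --online-status` output and a grep of /var/log/secure for `pam_sss`. A PAM_SYSTEM_ERR or PAM_AUTHINFO_UNAVAIL code points at the SSSD backend rather than at the password; raising `debug_level` in sssd.conf and reading the domain log under /var/log/sssd/ is the next step.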

