[Freeipa-devel] pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser@corp.addomain.com

Jakub Hrozek jhrozek at redhat.com
Tue Aug 16 12:44:01 UTC 2016


On Tue, Aug 16, 2016 at 02:28:50PM +0200, rajat gupta wrote:
> Hi,
> 
> 
> I have done IPA AD trust between IPA and AD server. But trust is showing
> offline always. But we are able to get the AD user information. And able to
> grant the  KRB ticket.
> 
> 
> 
> # wbinfo --online-status
> BUILTIN : online
> IPA : online
> *CORP : offline*
> 
> 
> #id aduser@CORP.ADDOMAIN.COM
> uid=1007656917(aduser@corp.addomain.com) gid=1007656917(aduser@corp.addomain.com) groups=1007656917(aduser@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-read@corp.addomain.com),1007600513(domain users@corp.addomain.com)
> 
> 
> [root@ilt-gif-ipa01 ~]# kinit  aduser@CORP.ADDOMAIN.COM
> Password for aduser@CORP.ADDOMAIN.COM:
> [root@ilt-gif-ipa01 ~]#
> [root@ilt-gif-ipa01 ~]#
> [root@ilt-gif-ipa01 ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: aduser@CORP.ADDOMAIN.COM
> 
> Valid starting       Expires              Service principal
> 08/11/2016 13:11:35  08/11/2016 23:11:35  krbtgt/CORP.ADDOMAIN.COM@CORP.ADDOMAIN.COM
>         renew until 08/12/2016 13:11:29
> [root@ilt-gif-ipa01 ~]#
> 
> 
> 
> From the IPA client server we are able to get all the things (KRB ticket/
> user/groups)
> 
> [root@ilt-gif-ipa02 ~]# getent passwd aduser@CORP.addomain.COM
> aduser@corp.addomain.com:*:1007656917:1007656917:USER  NAME:/home/corp.addomain.com/aduser:
> [root@ilt-gif-ipa02 ~]#
> 
> 
> [root@ilt-gif-ipa02 ~]# getent group aduser@CORP.addomain.COM
> aduser@corp.addomain.com:*:1007656917:
> [root@ilt-gif-ipa02 ~]#
> 
> 
> [root@ilt-gif-ipa02 ~]# id aduser@CORP.addomain.COM
> uid=1007656917(aduser@corp.addomain.com) gid=1007656917(aduser@corp.addomain.com) groups=1007656917(aduser@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-read@corp.addomain.com),1007600513(domain users@corp.addomain.com),1007725088(tfs_users@corp.addomain.com)
> 
> 
> Also we are able to ssh to the IPA client on the same machine or from some other
> machine with GSS authentication. But using password authentication it
> fails to log in.
> 
> *ERROR:- pam_sss(sshd:auth): authentication failure; logname*
> 
> 
> kinit aduser@CORP.ADDOMAIN.COM
> Password for aduser@CORP.ADDOMAIN.COM:
> 
> 
> 
> [root@ilt-gif-ipa02 ~]# ssh -vl aduser@corp.addomain.com ilt-gif-ipa02.ipa.preprod.local
> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 60: Applying options for *
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
> 22 ilt-gif-ipa02.ipa.preprod.local
> debug1: permanently_set_uid: 0/0
> debug1: permanently_drop_suid: 0
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
> debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
> debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
> debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA
> f0:e6:b2:66:c8:41:06:4e:83:a4:a2:c5:5a:57:24:66
> debug1: Host 'ilt-gif-ipa02.ipa.preprod.local' is known and matches the
> ECDSA host key.
> debug1: Found key in /root/.ssh/known_hosts:3
> debug1: ssh_ecdsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> *debug1: Authentication succeeded (gssapi-with-mic).*
> Authenticated to ilt-gif-ipa02.ipa.preprod.local (via proxy).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessions@openssh.com
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Thu Aug 11 13:17:05 2016 from ilt-gif-ipa02.ipa.preprod.local
> 
> RHN kickstart on 2014-10-16
> 
> -sh-4.2$ pwd
> /home/corp.addomain.com/aduser
> -sh-4.2$ who am i
> aduser@corp.addomain.com pts/3        2016-08-11 13:19 (ilt-gif-ipa02.ipa.preprod.local)
> -sh-4.2$
> 
> 
> 
> ]# ssh  aduser@corp.addomain.com@ilt-gif-ipa02.ipa.preprod.local
> e600336@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
> Permission denied, please try again.
> e600336@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
> 
> 
> Can you please help me? I am not able to log in with AD user
> password authentication.

This is the devel list, you're probably looking for the freeipa-users
list:
    http://www.redhat.com/mailman/listinfo/freeipa-users
and the best place to start debugging is:
    https://fedorahosted.org/sssd/wiki/Troubleshooting
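As an added illustration (not part of the thread, and not SSSD or FreeIPA code), the snippet below shows how a monitoring script could pair the quoted pam_sss failure line with the quoted `wbinfo --online-status` output, so that password failures for users of a trusted domain are flagged together with that domain's trust state. The mapping from the Kerberos realm to the winbind NetBIOS name is an assumption constructed from the thread's values; the sample lines are constructed copies of the quoted ones.

```python
import re

# Constructed sample input modelled on the lines quoted in the thread.
PAM_SSS_LINE = ("pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 "
                "tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local "
                "user=aduser@corp.addomain.com")
WBINFO_OUTPUT = "BUILTIN : online\nIPA : online\nCORP : offline\n"

# Assumed realm -> NetBIOS mapping; in a real deployment derive it from
# `ipa trust-show` or sssd.conf rather than hard-coding it.
DOMAIN_TO_NETBIOS = {"corp.addomain.com": "CORP"}

PAM_RE = re.compile(r"pam_sss\((?P<service>[^:]+):(?P<type>\w+)\): "
                    r"(?P<result>authentication failure)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_pam_sss(line):
    """Return the fields of a pam_sss auth-failure line as a dict, else None."""
    m = PAM_RE.search(line)
    if not m:
        return None
    fields = dict(m.groupdict())
    # The trailing "key=value" pairs; empty values (logname=, ruser=) are kept.
    fields.update(KV_RE.findall(line[m.end():]))
    return fields


def parse_wbinfo_status(text):
    """Map each domain in `wbinfo --online-status` output to its state."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            dom, state = (p.strip() for p in line.split(":", 1))
            status[dom] = state
    return status


def trust_state_for_failure(pam_line, wbinfo_text, domain_map=DOMAIN_TO_NETBIOS):
    """For a pam_sss failure of a trusted-domain user, return (netbios, state)."""
    fields = parse_pam_sss(pam_line)
    if not fields or "@" not in fields.get("user", ""):
        return None  # not a pam_sss failure, or a local/IPA user
    realm = fields["user"].split("@", 1)[1].lower()
    netbios = domain_map.get(realm)
    if netbios is None:
        return None
    return netbios, parse_wbinfo_status(wbinfo_text).get(netbios, "unknown")


if __name__ == "__main__":
    print(trust_state_for_failure(PAM_SSS_LINE, WBINFO_OUTPUT))
```

A result such as `('CORP', 'offline')` tells the operator the failing password logins coincide with the trust being offline, which narrows the search suggested by the troubleshooting page above.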
