[Freeipa-devel] pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser at corp.addomain.com

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 16 12:46:14 UTC 2016


On Tue, 16 Aug 2016, rajat gupta wrote:
>Hi,
>
>
>I have set up an IPA-AD trust between the IPA and AD servers, but the trust
>is always showing offline. We are still able to get the AD user information
>and to obtain a KRB ticket.
>
>
>
># wbinfo --online-status
>BUILTIN : online
>IPA : online
>*CORP : offline*
Don't use wbinfo. Its output is irrelevant starting from FreeIPA 3.3.

>
>
>#id aduser at CORP.ADDOMAIN.COM
>uid=1007656917(aduser at corp.addomain.com) gid=1007656917(
>aduser at corp.addomain.com) groups=1007656917(aduser at corp.addomain.com
>),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(
>da-eeg-intra-read at corp.addomain.com),1007600513(domain
>users at corp.addomain.com)
>
>
>[root at ilt-gif-ipa01 ~]# kinit  aduser at CORP.ADDOMAIN.COM
>Password for aduser at CORP.ADDOMAIN.COM:
>[root at ilt-gif-ipa01 ~]#
>[root at ilt-gif-ipa01 ~]#
>[root at ilt-gif-ipa01 ~]# klist
>Ticket cache: KEYRING:persistent:0:0
>Default principal: aduser at CORP.ADDOMAIN.COM
>
>Valid starting       Expires              Service principal
>08/11/2016 13:11:35  08/11/2016 23:11:35  krbtgt/
>CORP.ADDOMAIN.COM at CORP.ADDOMAIN.COM
>        renew until 08/12/2016 13:11:29
>[root at ilt-gif-ipa01 ~]#
This is irrelevant for the trust case because you are authenticating
against AD DCs, not IPA KDCs.

>
>
>
>From the IPA client server we are able to get everything (KRB ticket/
>user/groups).
>
>[root at ilt-gif-ipa02 ~]# getent passwd aduser at CORP.addomain.COM
>aduser at corp.addomain.com:*:1007656917:1007656917:USER  NAME:/home/
>corp.addomain.com/aduser:
>[root at ilt-gif-ipa02 ~]#
>
>
>[root at ilt-gif-ipa02 ~]# getent group aduser at CORP.addomain.COM
>aduser at corp.addomain.com:*:1007656917:
>[root at ilt-gif-ipa02 ~]#
>
>
>[root at ilt-gif-ipa02 ~]# id aduser at CORP.addomain.COM
>uid=1007656917(aduser at corp.addomain.com) gid=1007656917(
>aduser at corp.addomain.com) groups=1007656917(aduser at corp.addomain.com
>),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(
>da-eeg-intra-read at corp.addomain.com),1007600513(domain
>users at corp.addomain.com),1007725088(tfs_users at corp.addomain.com)
>
>
>Also we are able to ssh to the IPA client on the same machine or from some
>other machine with GSS authentication. But using password authentication it
>fails to log in.
>
>*ERROR:- pam_sss(sshd:auth): authentication failure; logname*
>
>
>kinit aduser at CORP.ADDOMAIN.COM
>Password for aduser at CORP.ADDOMAIN.COM:
>
>
>
>[root at ilt-gif-ipa02 ~]# ssh -vl aduser at corp.addomain.com
>ilt-gif-ipa02.ipa.preprod.local
>OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: /etc/ssh/ssh_config line 60: Applying options for *
>debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
>22 ilt-gif-ipa02.ipa.preprod.local
>debug1: permanently_set_uid: 0/0
>debug1: permanently_drop_suid: 0
>debug1: identity file /root/.ssh/id_rsa type -1
>debug1: identity file /root/.ssh/id_rsa-cert type -1
>debug1: identity file /root/.ssh/id_dsa type -1
>debug1: identity file /root/.ssh/id_dsa-cert type -1
>debug1: identity file /root/.ssh/id_ecdsa type -1
>debug1: identity file /root/.ssh/id_ecdsa-cert type -1
>debug1: identity file /root/.ssh/id_ed25519 type -1
>debug1: identity file /root/.ssh/id_ed25519-cert type -1
>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
>debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none
>debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none
>debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16
>debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16
>debug1: sending SSH2_MSG_KEX_ECDH_INIT
>debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>debug1: Server host key: ECDSA
>f0:e6:b2:66:c8:41:06:4e:83:a4:a2:c5:5a:57:24:66
>debug1: Host 'ilt-gif-ipa02.ipa.preprod.local' is known and matches the
>ECDSA host key.
>debug1: Found key in /root/.ssh/known_hosts:3
>debug1: ssh_ecdsa_verify: signature correct
>debug1: SSH2_MSG_NEWKEYS sent
>debug1: expecting SSH2_MSG_NEWKEYS
>debug1: SSH2_MSG_NEWKEYS received
>debug1: SSH2_MSG_SERVICE_REQUEST sent
>debug1: SSH2_MSG_SERVICE_ACCEPT received
>debug1: Authentications that can continue:
>publickey,gssapi-keyex,gssapi-with-mic,password
>debug1: Next authentication method: gssapi-keyex
>debug1: No valid Key exchange context
>debug1: Next authentication method: gssapi-with-mic
>*debug1: Authentication succeeded (gssapi-with-mic).*
>Authenticated to ilt-gif-ipa02.ipa.preprod.local (via proxy).
>debug1: channel 0: new [client-session]
>debug1: Requesting no-more-sessions at openssh.com
>debug1: Entering interactive session.
>debug1: Sending environment.
>debug1: Sending env LANG = en_US.UTF-8
>Last login: Thu Aug 11 13:17:05 2016 from ilt-gif-ipa02.ipa.preprod.local
>
>RHN kickstart on 2014-10-16
>
>-sh-4.2$ pwd
>/home/corp.addomain.com/aduser
>-sh-4.2$ who am i
>aduser at corp.addomain.com pts/3        2016-08-11 13:19
>(ilt-gif-ipa02.ipa.preprod.local)
>-sh-4.2$
>
>
>
>]# ssh  aduser at corp.addomain.com@ilt-gif-ipa02.ipa.preprod.local
>e600336 at corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
>Permission denied, please try again.
>e600336 at corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
>
>
>Can you please help me? I am not able to log in with AD user
>password authentication.
If you cannot login with password but can with Kerberos credentials, you
need to look into SSSD logs on the ilt-gif-ipa02.ipa.preprod.local host.
See https://fedorahosted.org/sssd/wiki/Troubleshooting


-- 
/ Alexander Bokovoy
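The reply points at the distinguishing symptom: the same trusted-domain user logs in fine with GSSAPI but every password attempt is refused by pam_sss. The following is an added example, not code from either poster or from the FreeIPA/SSSD projects, that parses the standard `pam_sss(...:auth): authentication failure; key=value ...` lines and sshd `Accepted` lines from a system log, aggregates them per user, and flags exactly that pattern (Kerberos succeeds, password fails, user carries a trusted-domain suffix) so the problem can be routed to the SSSD password-auth path rather than treated as a bad password or a locked account. The log lines embedded below are constructed for the example; the host and user names are the ones quoted in the thread, the timestamps and addresses are invented.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, in the shape sshd and pam_sss write to /var/log/secure.
# One GSSAPI success and two password failures for the AD user, plus one
# unrelated failure for a local account, so the report has something to separate.
SAMPLE_LOG = """\
Aug 11 13:19:02 ilt-gif-ipa02 sshd[2301]: Accepted gssapi-with-mic for aduser@corp.addomain.com from 10.0.0.12 port 50122 ssh2
Aug 11 13:21:40 ilt-gif-ipa02 sshd[2344]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser@corp.addomain.com
Aug 11 13:21:40 ilt-gif-ipa02 sshd[2344]: pam_sss(sshd:auth): received for user aduser@corp.addomain.com: 7 (Authentication failure)
Aug 11 13:21:46 ilt-gif-ipa02 sshd[2344]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser@corp.addomain.com
Aug 11 13:25:01 ilt-gif-ipa02 sshd[2390]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.99 user=localadmin
"""

# pam_sss reports auth failures through pam_syslog in the usual PAM format:
# "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=... user=..."
# Values may be empty (logname=, ruser=), so the field pattern allows an empty value.
PAM_FAIL_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):auth\): authentication failure; (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# sshd's success line. GSSAPI logins never pass through the PAM auth stack,
# which is why they can succeed while pam_sss keeps failing for the same user.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+)"
)


@dataclass(frozen=True)
class PamFailure:
    service: str
    user: str
    rhost: str
    domain: Optional[str]  # suffix after '@' for trusted-domain users, None otherwise


def _domain_of(user: str) -> Optional[str]:
    """Trusted-domain users resolve as user@domain; local and IPA users have no suffix."""
    return user.split("@", 1)[1].lower() if "@" in user else None


def parse_pam_failure(line: str) -> Optional[PamFailure]:
    """Return the parsed failure record for a pam_sss auth-failure line, else None."""
    m = PAM_FAIL_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    user = fields.get("user", "")
    return PamFailure(m.group("service"), user, fields.get("rhost", ""), _domain_of(user))


def triage(log_text: str) -> dict:
    """Aggregate per user: password/keyboard-interactive failures (via pam_sss),
    GSSAPI successes (via sshd), the remote hosts involved, and the domain suffix."""
    report: dict = {}

    def entry(user: str) -> dict:
        return report.setdefault(
            user,
            {"password_failures": 0, "gssapi_ok": 0, "rhosts": set(), "domain": _domain_of(user)},
        )

    for line in log_text.splitlines():
        failure = parse_pam_failure(line)
        if failure:
            e = entry(failure.user)
            e["password_failures"] += 1
            e["rhosts"].add(failure.rhost)
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group("method").startswith("gssapi"):
            entry(m.group("user"))["gssapi_ok"] += 1
    return report


def trust_auth_suspects(report: dict) -> list:
    """Trusted-domain users whose Kerberos logins succeed while password logins fail.
    That combination is the thread's symptom and points at SSSD's password path to the
    AD DCs (the next thing to read is the SSSD logs on the target host), not at the
    account, its groups, or the IPA KDC."""
    return sorted(
        user
        for user, e in report.items()
        if e["domain"] and e["gssapi_ok"] > 0 and e["password_failures"] > 0
    )


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for user, e in rep.items():
        print(f"{user}: {e['password_failures']} password failures, "
              f"{e['gssapi_ok']} gssapi ok, from {sorted(e['rhosts'])}")
    print("trust-auth suspects:", trust_auth_suspects(rep))
```

Run against the real `/var/log/secure` (or `journalctl -u sshd` output) on the host named in the pam_sss line, the report separates "AD user, Kerberos fine, password refused" from ordinary bad-password noise; for the flagged users the follow-up is the SSSD side of the same host, conventionally `/var/log/sssd/sssd_pam.log` and `/var/log/sssd/sssd_<ipa-domain>.log` with `debug_level` raised in `sssd.conf`, since trusted-domain users are handled inside the IPA domain's provider.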