[Freeipa-devel] pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser at corp.addomain.com

rajat gupta rajat.linux at gmail.com
Thu Aug 18 07:48:59 UTC 2016


Thanks.

When I am trying to access a user with a password, I am getting the below message
in the logs.

Aug 18 09:38:17 ilt-gif-ipa02 [sssd[krb5_child[8505]]]: Cannot find KDC
for realm "ADDOMAON.COM"

When I connect through SSH, it tries to contact the KDC for the realm
ADDOMAON.COM,

which should be corp.addomain.com.


Do you have any further comments or suggestions that may help us?


/Rajat



On Tue, Aug 16, 2016 at 2:46 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Tue, 16 Aug 2016, rajat gupta wrote:
>
>> Hi,
>>
>>
>> I have done an IPA-AD trust between the IPA and AD server. But the trust is always
>> showing offline. But we are able to get the AD user information and able
>> to
>> grant the KRB ticket.
>>
>>
>>
>> # wbinfo --online-status
>> BUILTIN : online
>> IPA : online
>> CORP : offline
>>
> Don't use wbinfo. Its output is irrelevant starting from FreeIPA 3.3.
>
>
>>
>> #id aduser at CORP.ADDOMAIN.COM
>> uid=1007656917(aduser at corp.addomain.com) gid=1007656917(
>> aduser at corp.addomain.com) groups=1007656917(aduser at corp.addomain.com
>> ),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(
>> da-eeg-intra-read at corp.addomain.com),1007600513(domain
>> users at corp.addomain.com)
>>
>>
>> [root at ilt-gif-ipa01 ~]# kinit  aduser at CORP.ADDOMAIN.COM
>> Password for aduser at CORP.ADDOMAIN.COM:
>> [root at ilt-gif-ipa01 ~]#
>> [root at ilt-gif-ipa01 ~]#
>> [root at ilt-gif-ipa01 ~]# klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: aduser at CORP.ADDOMAIN.COM
>>
>> Valid starting       Expires              Service principal
>> 08/11/2016 13:11:35  08/11/2016 23:11:35  krbtgt/
>> CORP.ADDOMAIN.COM at CORP.ADDOMAIN.COM
>>        renew until 08/12/2016 13:11:29
>> [root at ilt-gif-ipa01 ~]#
>>
> This is irrelevant for the trust case because you are authenticating
> against AD DCs, not IPA KDCs.
>
>
>>
>>
>> From the IPA client server we are able to get all things (KRB ticket/
>> user/groups)
>>
>> [root at ilt-gif-ipa02 ~]# getent passwd aduser at CORP.addomain.COM
>> aduser at corp.addomain.com:*:1007656917:1007656917:USER  NAME:/home/
>> corp.addomain.com/aduser:
>> [root at ilt-gif-ipa02 ~]#
>>
>>
>> [root at ilt-gif-ipa02 ~]# getent group aduser at CORP.addomain.COM
>> aduser at corp.addomain.com:*:1007656917:
>> [root at ilt-gif-ipa02 ~]#
>>
>>
>> [root at ilt-gif-ipa02 ~]# id aduser at CORP.addomain.COM
>> uid=1007656917(aduser at corp.addomain.com) gid=1007656917(
>> aduser at corp.addomain.com) groups=1007656917(aduser at corp.addomain.com
>> ),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(
>> da-eeg-intra-read at corp.addomain.com),1007600513(domain
>> users at corp.addomain.com),1007725088(tfs_users at corp.addomain.com)
>>
>>
>> Also we are able to ssh to the IPA client on the same machine or from some other
>> machine with GSS authentication. But using password authentication it
>> fails to log in.
>>
>> ERROR:- pam_sss(sshd:auth): authentication failure; logname
>>
>>
>>
>> kinit aduser at CORP.ADDOMAIN.COM
>> Password for aduser at CORP.ADDOMAIN.COM:
>>
>>
>>
>> [root at ilt-gif-ipa02 ~]# ssh -vl aduser at corp.addomain.com
>> ilt-gif-ipa02.ipa.preprod.local
>> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 60: Applying options for *
>> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
>> 22 ilt-gif-ipa02.ipa.preprod.local
>> debug1: permanently_set_uid: 0/0
>> debug1: permanently_drop_suid: 0
>> debug1: identity file /root/.ssh/id_rsa type -1
>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>> debug1: identity file /root/.ssh/id_dsa type -1
>> debug1: identity file /root/.ssh/id_dsa-cert type -1
>> debug1: identity file /root/.ssh/id_ecdsa type -1
>> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
>> debug1: identity file /root/.ssh/id_ed25519 type -1
>> debug1: identity file /root/.ssh/id_ed25519-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
>> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none
>> debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none
>> debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16
>> debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16
>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>> debug1: Server host key: ECDSA
>> f0:e6:b2:66:c8:41:06:4e:83:a4:a2:c5:5a:57:24:66
>> debug1: Host 'ilt-gif-ipa02.ipa.preprod.local' is known and matches the
>> ECDSA host key.
>> debug1: Found key in /root/.ssh/known_hosts:3
>> debug1: ssh_ecdsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,password
>> debug1: Next authentication method: gssapi-keyex
>> debug1: No valid Key exchange context
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Authentication succeeded (gssapi-with-mic).
>> Authenticated to ilt-gif-ipa02.ipa.preprod.local (via proxy).
>> debug1: channel 0: new [client-session]
>> debug1: Requesting no-more-sessions at openssh.com
>> debug1: Entering interactive session.
>> debug1: Sending environment.
>> debug1: Sending env LANG = en_US.UTF-8
>> Last login: Thu Aug 11 13:17:05 2016 from ilt-gif-ipa02.ipa.preprod.local
>>
>> RHN kickstart on 2014-10-16
>>
>> -sh-4.2$ pwd
>> /home/corp.addomain.com/aduser
>> -sh-4.2$ who am i
>> aduser at corp.addomain.com pts/3        2016-08-11 13:19
>> (ilt-gif-ipa02.ipa.preprod.local)
>> -sh-4.2$
>>
>>
>>
>> ]# ssh  aduser at corp.addomain.com@ilt-gif-ipa02.ipa.preprod.local
>> e600336 at corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
>> Permission denied, please try again.
>> e600336 at corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
>>
>>
>> Can you please help me? I am not able to log in with AD user
>> password authentication.
>>
> If you cannot login with password but can with Kerberos credentials, you
> need to look into SSSD logs on the ilt-gif-ipa02.ipa.preprod.local host.
> See https://fedorahosted.org/sssd/wiki/Troubleshooting
>
>
> --
> / Alexander Bokovoy
>



-- 

Rajat Gupta
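Alexander's advice above is to read the SSSD logs on the client, and the krb5_child message Rajat quotes is exactly the kind of line worth checking mechanically: the realm the child process tried to reach does not match the trusted AD realm the user principals carry. The script below is an added example, not code from this thread or from the SSSD/FreeIPA projects. It scans constructed sample lines modelled on the ones quoted here, flags a "Cannot find KDC" failure whose realm is not among the realms the host is expected to reach (hinting at the closest configured one), separates that from the case where a configured realm is simply unreachable (a DNS SRV / krb5.conf [realms] problem), and ties the pam_sss failure back to the realm implied by the user name. The expected realm set is an assumption taken from the principals shown in the thread.

```python
"""Triage sssd/krb5_child and pam_sss log lines for KDC discovery failures.

Added example for this thread; not part of the original posts or of SSSD.
"""
import re
from dataclasses import dataclass
from difflib import get_close_matches
from typing import List, Optional, Set

# Constructed sample lines modelled on the messages quoted in the thread.
SAMPLE_LOG = """\
Aug 18 09:38:17 ilt-gif-ipa02 [sssd[krb5_child[8505]]]: Cannot find KDC for realm "ADDOMAON.COM"
Aug 18 09:38:17 ilt-gif-ipa02 sshd[8490]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=aduser@corp.addomain.com
Aug 18 09:40:02 ilt-gif-ipa02 [sssd[krb5_child[8600]]]: Cannot find KDC for realm "CORP.ADDOMAIN.COM"
"""

# Assumption: the only realm an AD user's password should be verified against
# is the trusted AD realm named in the thread.
EXPECTED_REALMS: Set[str] = {"CORP.ADDOMAIN.COM"}

KDC_RE = re.compile(
    r'krb5_child\[(?P<pid>\d+)\]\]\]: Cannot find KDC for realm "(?P<realm>[^"]+)"'
)
# \buser= deliberately skips the "ruser=" field that precedes it in pam_sss lines.
PAM_RE = re.compile(
    r'pam_sss\((?P<service>[^)]+)\): authentication failure;.*?\buser=(?P<user>\S+)'
)


@dataclass
class Finding:
    line_no: int
    kind: str      # "unexpected_realm", "expected_realm_unreachable" or "pam_failure"
    detail: str


def realm_from_user(user: str) -> Optional[str]:
    """'aduser@corp.addomain.com' -> 'CORP.ADDOMAIN.COM'; None if there is no domain part."""
    if "@" not in user:
        return None
    return user.rsplit("@", 1)[1].upper()


def triage(log_text: str, expected_realms: Set[str]) -> List[Finding]:
    """Return one Finding per relevant line, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = KDC_RE.search(line)
        if m:
            realm = m.group("realm").upper()
            if realm in expected_realms:
                # The realm is right but no KDC was found: DNS SRV / krb5.conf problem.
                findings.append(Finding(
                    n, "expected_realm_unreachable",
                    f"KDC lookup failed for configured realm {realm}; "
                    f"check DNS SRV records and the krb5.conf [realms] section"))
            else:
                # The realm itself is wrong: likely a typo or stale mapping somewhere.
                hint = get_close_matches(realm, sorted(expected_realms), n=1, cutoff=0.6)
                suffix = f" (closest configured realm: {hint[0]})" if hint else ""
                findings.append(Finding(
                    n, "unexpected_realm",
                    f"krb5_child tried realm {realm}, which is not a configured "
                    f"trust realm{suffix}"))
            continue
        m = PAM_RE.search(line)
        if m:
            user = m.group("user")
            findings.append(Finding(
                n, "pam_failure",
                f"{m.group('service')} password auth failed for {user} "
                f"(realm implied by user name: {realm_from_user(user)})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_REALMS):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

On the sample input the first finding reports ADDOMAON.COM as an unexpected realm with CORP.ADDOMAIN.COM as the closest configured one, which is the mismatch Rajat describes; the third shows what the same message looks like when the realm is correct but no KDC can be located, so the two causes are not confused during triage.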