[Freeipa-users] Solaris Clients

Luke Kearney luke at kearney.jp
Fri Mar 15 17:59:13 UTC 2013


On Mar 14, 2013, at 7:08 AM, Luke Kearney wrote:

> 
> On Mar 14, 2013, at 6:38 AM, KodaK wrote:
> 
>> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney <luke at kearney.jp> wrote:
>>> Hello,
>>> 
>>> I have recently been working on integrating our Solaris 10 fleet with FreeIPA. The first 'test' host went relatively smoothly and we recently created a new test host. Only this time it was more challenging to get the system working.
>>> 
>>> On our original test installation every step went almost exactly as per the documentation [ http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html ]
>>> 
>>> On the second install we found that whilst we were able to retrieve user account information via LDAP we could not login via ssh and kerberos for any amount of trying. This was overcome by inserting the following line into pam.conf
>>> 
>>> other         account            sufficient              pam_ldap.so.1
>>> 
>>> Where it had not been needed on test host1.
>>> 
>>> To the extent it works and doesn't break something else this is all fine. I understand why it works, as the information in ldap is needed to open the terminal session; why would one need this stanza but not the other?
>>> 
>> 
>> IIRC, the instructions have you pulling information from Kerberos.
>> This explicitly allows ldap -- I would suspect that Kerberos isn't
>> working correctly on the second host.  Check time first.
>> 
> 
> Thanks for that - NTP reports that both the kerberos master and the solaris client are indeed in sync. In all other respects kerberos seems to be working properly, a user can obtain a ticket and can use that same ticket to ssh to another host. 

There is no doubt this is somehow borked: when I remove pam_ldap from the pam.conf file, kerberos logins fail. On the KDC I see

Mar 16 02:56:19 tamachi.hq.meibin.net krb5kdc[3362](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.12.254: ISSUE: authtime 1363370170, etypes {rep=18 tkt=17 ses=17}, lukek at HQ.MEIBIN.NET for host/oiran.hq.meibin.net at HQ.MEIBIN.NET

pam on the client tells me

Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.info] Connection from 192.168.12.254 port 51616
Mar 16 02:56:19 oiran sshd[526]: [ID 800047 auth.debug] debug1: Forked child 788.
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: match: OpenSSH_5.3 pat OpenSSH*
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-Sun_SSH_1.1
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: kex: client->server aes128-ctr hmac-md5 none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: kex: server->client aes128-ctr hmac-md5 none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, ctos: 
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, stoc: 
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: We proposed langtags, ctos: i-default
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: We proposed langtags, stoc: i-default
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: dh_gen_key: priv key bits set: 127/256
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: bits set: 503/1024
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: bits set: 513/1024
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: newkeys: mode 1
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: newkeys: mode 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: KEX done
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: userauth-request for user lukek service ssh-connection method none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.info] Failed none for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
Mar 16 02:56:19 oiran automountd[502]: [ID 453631 daemon.debug] tid= 1: Adding connection (serverAddr=192.168.12.232)
Mar 16 02:56:19 oiran automountd[502]: [ID 776464 daemon.debug] tid= 1: Initialized sessionPool
Mar 16 02:56:19 oiran automountd[502]: [ID 816976 daemon.debug] tid= 1: Connection added [0]
Mar 16 02:56:19 oiran automountd[502]: [ID 467101 daemon.debug] tid= 1: connectionID=1024
Mar 16 02:56:19 oiran automountd[502]: [ID 805042 daemon.debug] tid= 1: shared=1
Mar 16 02:56:19 oiran automountd[502]: [ID 982078 daemon.debug] tid= 1: usedBit=0
Mar 16 02:56:19 oiran automountd[502]: [ID 727660 daemon.debug] tid= 1: threadID=1
Mar 16 02:56:19 oiran automountd[502]: [ID 577507 daemon.debug] tid= 1: serverAddr=192.168.12.232
Mar 16 02:56:19 oiran automountd[502]: [ID 939703 daemon.debug] tid= 1: AuthType=3
Mar 16 02:56:19 oiran automountd[502]: [ID 142272 daemon.debug] tid= 1: TlsType=1
Mar 16 02:56:19 oiran automountd[502]: [ID 537450 daemon.debug] tid= 1: SaslMech=0
Mar 16 02:56:19 oiran automountd[502]: [ID 625532 daemon.debug] tid= 1: SaslOpt=0
Mar 16 02:56:19 oiran automountd[502]: [ID 339871 daemon.debug] tid= 1: hostCertPath=/var/ldap
Mar 16 02:56:19 oiran automountd[502]: [ID 639905 daemon.debug] tid= 1: userID=cn=proxyagent,ou=profile,dc=hq,dc=meibin,dc=net
Mar 16 02:56:19 oiran automountd[502]: [ID 323218 daemon.debug] tid= 1: unlocking sessionLock
Mar 16 02:56:19 oiran sshd[788]: [ID 845850 auth.debug] PAM[788]: pam_start(sshd-gssapi,lukek,0:80c5578) - debug = 1
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c5578:service)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c5578:user)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c5578:conv)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c5578:rhost)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c5578:tty)
Mar 16 02:56:19 oiran sshd[788]: [ID 681795 auth.debug] PAM[788]: pam_acct_mgmt(80c5578, 0)
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_acct_mgmt
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_acct_mgmt
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_krb5.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_acct_mgmt
Mar 16 02:56:19 oiran sshd[788]: [ID 573691 auth.debug] PAM[788]: pam_acct_mgmt(80c5578, 0): error No account present for user
Mar 16 02:56:19 oiran sshd[788]: [ID 699746 auth.debug] PAM-KRB5 (acct): debug=1, nowarn=0
Mar 16 02:56:19 oiran sshd[788]: [ID 531709 auth.debug] PAM-KRB5 (acct): no module data for KRB5_AUTOMIGRATE_DATA
Mar 16 02:56:19 oiran sshd[788]: [ID 774290 auth.debug] PAM-KRB5 (acct): no module data
Mar 16 02:56:19 oiran sshd[788]: [ID 712902 auth.debug] PAM-KRB5 (acct): end: Ignore module
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c5578:authtok)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.info] Failed gssapi-with-mic for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 0 failures 2 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered gssapi userauth with { 1 3 5 1 5 2 } (unsupported)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.notice] Failed gssapi-with-mic for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered gssapi userauth with { 1 2 840 48018 1 2 2 } (unsupported)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.notice] Failed gssapi-with-mic for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 4 initial attempt 0 failures 4 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered gssapi userauth with { 1 3 6 1 5 2 5 } (unsupported)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.notice] Failed gssapi-with-mic for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: userauth-request for user lukek service ssh-connection method keyboard-interactive
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 5 initial attempt 0 failures 5 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: keyboard-interactive devs 
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c5578:conv)
Mar 16 02:56:19 oiran sshd[788]: [ID 309193 auth.debug] PAM[788]: pam_end(80c5578): status = No account present for user
Mar 16 02:56:19 oiran sshd[788]: [ID 845850 auth.debug] PAM[788]: pam_start(sshd-kbdint,lukek,80ab800:80c6d10) - debug = 1
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c6d10:service)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c6d10:user)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c6d10:conv)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c6d10:rhost)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: pam_set_item(80c6d10:tty)
Mar 16 02:56:19 oiran sshd[788]: [ID 681795 auth.debug] PAM[788]: pam_authenticate(80c6d10, 0)
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 549150 auth.debug] PAM[788]: pam_get_user(80c6d10, 80c6d10, NULL)

None of this, however, gives me any idea as to where to start looking for broken bits. Kerberos, for all intents and purposes, functions, but the linkage with PAM is somehow awry...

Any pointers would be highly appreciated.
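Reading the PAM trace above by hand is tedious, so here is an added example (not code from the thread or from FreeIPA) that groups the Solaris `PAM[pid]` debug lines by PAM handle, records which modules were loaded for each stage and which call returned the error, and flags account stacks that failed without a pam_ldap module, which is the stanza the first message added. The sample log is constructed in the format of the lines quoted above; the handle ids and module paths are taken from that format, not from any other host.

```python
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 16 02:56:19 oiran sshd[788]: [ID 845850 auth.debug] PAM[788]: pam_start(sshd-gssapi,lukek,0:80c5578) - debug = 1
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_krb5.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 573691 auth.debug] PAM[788]: pam_acct_mgmt(80c5578, 0): error No account present for user
Mar 16 02:56:19 oiran sshd[788]: [ID 712902 auth.debug] PAM-KRB5 (acct): end: Ignore module
Mar 16 02:56:19 oiran sshd[788]: [ID 309193 auth.debug] PAM[788]: pam_end(80c5578): status = No account present for user
Mar 16 02:56:19 oiran sshd[788]: [ID 845850 auth.debug] PAM[788]: pam_start(sshd-kbdint,lukek,80ab800:80c6d10) - debug = 1
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
"""  # constructed sample in the format of the Solaris sshd/PAM debug lines quoted in the thread

RE_START = re.compile(r"PAM\[\d+\]: pam_start\(([^,]+),([^,]+),[^:)]*:([0-9a-f]+)\)")
RE_LOAD = re.compile(r"PAM\[\d+\]: load_modules\(([0-9a-f]+), (pam_sm_\w+)\)=(\S+)")
RE_ERR = re.compile(r"PAM\[\d+\]: (pam_\w+)\(([0-9a-f]+), \d+\): error (.+)$")
RE_END = re.compile(r"PAM\[\d+\]: pam_end\(([0-9a-f]+)\): status = (.+)$")
RE_KRB5 = re.compile(r"PAM-KRB5 \((\w+)\): end: (.+)$")

def _new():  # one record per PAM handle (the hex id that appears in every PAM[pid] line)
    return {"service": "?", "user": "?", "stages": {}, "errors": [], "krb5": [], "status": None}

def parse_pam_log(text):
    """Group the PAM debug lines by handle: service, user, modules loaded per stage, errors, end status."""
    handles, current = defaultdict(_new), None
    for line in text.splitlines():
        if m := RE_START.search(line):
            current = m.group(3)
            handles[current].update(service=m.group(1), user=m.group(2))
        elif m := RE_LOAD.search(line):  # keep load order: that is the order the stack is evaluated in
            handles[m.group(1)]["stages"].setdefault(m.group(2), []).append(m.group(3).rsplit("/", 1)[-1])
        elif m := RE_ERR.search(line):
            handles[m.group(2)]["errors"].append((m.group(1), m.group(3)))
        elif m := RE_END.search(line):
            handles[m.group(1)]["status"] = m.group(2)
        elif (m := RE_KRB5.search(line)) and current:  # pam_krb5 lines carry no handle; use the open one
            handles[current]["krb5"].append((m.group(1), m.group(2)))
    return dict(handles)

def failed_account_stacks(handles):
    """(service, modules in the account stack, error, pam_krb5 verdicts) for each failed pam_acct_mgmt."""
    return [(i["service"], i["stages"].get("pam_sm_acct_mgmt", []), err, i["krb5"])
            for i in handles.values() for call, err in i["errors"] if call == "pam_acct_mgmt"]

def stacks_without(handles, module="pam_ldap"):
    """Services whose account stage failed while no module starting with `module` was in that stack."""
    return sorted(svc for svc, mods, _err, _krb in failed_account_stacks(handles)
                  if not any(m.startswith(module) for m in mods))
```

Run against the full trace, `failed_account_stacks` shows that the sshd-gssapi account stage was evaluated by pam_roles, pam_unix_account and pam_krb5 only, with pam_krb5 ignoring the request because no module data was left by a pam_krb5 authentication (GSSAPI already authenticated the user), which is why the result depends entirely on the other account modules.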