[Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

Dmitri Pal dpal at redhat.com
Wed Feb 25 20:58:41 UTC 2015


On 02/25/2015 02:58 PM, nathan at nathanpeters.com wrote:
> I am having trouble logging in with an IPA user on Solaris 10.  The
> machine is able to correctly initialize tickets using kinit.  The issue
> appears to be PAM related.  I am using FreeIPA 4.1.3.
>
> I have tried to follow the instructions here as best I can:
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>
> Here are my kinit and klist tests
> --------------------------------
> $ kinit ipauser1
> Password for ipauser1 at IPADOMAIN.NET:
> [07:45 PM] ipaclient5-sandbox-atdev-van:/var/log$ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ipauser1 at IPADOMAIN.NET
>
> Valid starting                Expires                Service principal
> 02/25/15 19:45:10  02/26/15 19:45:10  krbtgt/IPADOMAIN.NET at IPADOMAIN.NET
>          renew until 03/04/15 19:45:10
>
> Here are the last 2 lines of the output of getent passwd showing my ipa
> admin and user
> -------------------------------------------------------------------------------------
> admin:x:375200000:375200000:Administrator:/home/admin:/bin/bash
> ipauser1:x:375200006:375200006:ipa user1:/home/ipauser1:/bin/bash
>
>
> However, this is what happens when I try to login as 'ipauser1'.  On the
> console I am prompted with 'Password:' I enter the valid password, and
> suddenly Putty pops up a window 'Server unexpectedly closed network
> connection'.  If I try to login as ipauser1 at ipadomain.net it still fails,
> but in a different way.  The putty window stays open and I get an 'Access
> denied' message and am prompted for the password again:
>
> Logs with 'ipauser1'
> --------------------
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.info] Connection from 10.5.5.57 port 57607 on 10.21.19.16 port
> 22
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: Client protocol version 2.0; client software
> version PuTTY_Release_0.63
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: no match: PuTTY_Release_0.63
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: list_hostkey_types:
> ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256
> none [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256
> none [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
> [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: server_input_channel_req: channel 0 request
> winadj at putty.projects.tartarus.org reply 1
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: session_input_channel_req: session 0 req
> winadj at putty.projects.tartarus.org
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
> Feb 25 19:46:41 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: KEX done [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: userauth-request for user ipauser1 service
> ssh-connection method none [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: PAM: initializing for "ipauser1"
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 781331 auth.debug] PAM[761]: pam_start(sshd,ipauser1,811c170:812b8e0) -
> debug = 1
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:service)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:user)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:conv)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: PAM: setting PAM_RHOST to "10.5.5.57"
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:rhost)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: PAM: setting PAM_TTY to "ssh"
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 496445 auth.debug] PAM[761]: pam_set_item(812b8e0:tty)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: userauth-request for user ipauser1 service
> ssh-connection method keyboard-interactive [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: attempt 1 failures 0 [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: keyboard-interactive devs  [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: auth2_challenge: user=ipauser1 devs= [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.debug] debug1: auth2_challenge_start: trying authentication
> method 'pam' [preauth]
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 120752 auth.debug] PAM[763]: pam_set_item(812b8e0:conv)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 690215 auth.debug] PAM[763]: pam_authenticate(812b8e0, 1)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 130555 auth.debug] PAM[763]: load_modules(812b8e0,
> pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 149594 auth.debug] PAM[763]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 130555 auth.debug] PAM[763]: load_modules(812b8e0,
> pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 149594 auth.debug] PAM[763]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 130555 auth.debug] PAM[763]: load_modules(812b8e0,
> pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 149594 auth.debug] PAM[763]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 130555 auth.debug] PAM[763]: load_modules(812b8e0,
> pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 149594 auth.debug] PAM[763]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 130555 auth.debug] PAM[763]: load_modules(812b8e0,
> pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 149594 auth.debug] PAM[763]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 776247 auth.debug] PAM[763]: pam_get_user(812b8e0, 812b8e0, NULL)
> Feb 25 19:46:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[761]: [ID
> 800047 auth.info] Postponed keyboard-interactive for ipauser1 from
> 10.5.5.57 port 57607 ssh2 [preauth]
> Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 120752 auth.debug] PAM[763]: pam_set_item(812b8e0:authtok)
> Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net last message
> repeated 1 time
> Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
> Feb 25 19:46:58 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[763]: [ID
> 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start:
> user='ipauser1'
> Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: server_input_channel_req: channel 0 request
> window-change reply 0
> Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
> Feb 25 19:47:08 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: session_input_channel_req: session 0 req
> window-change
>
> Logs with ipauser1 at ipadomain.net
> ------------------
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.info] Connection from 10.5.5.57 port 57655 on 10.21.19.16 port
> 22
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: Client protocol version 2.0; client software
> version PuTTY_Release_0.63
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: no match: PuTTY_Release_0.63
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: Local version string SSH-2.0-OpenSSH_6.6
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: permanently_set_uid: 100/65534 [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: list_hostkey_types:
> ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: kex: client->server aes256-ctr hmac-sha2-256
> none [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: kex: server->client aes256-ctr hmac-sha2-256
> none [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
> [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received [preauth]
> Feb 25 19:49:44 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: KEX done [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: userauth-request for user
> ipauser1 at ipadomain.net service ssh-connection method none [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: attempt 0 failures 0 [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.info] Invalid user ipauser1 at ipadomain.net from 10.5.5.57
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.info] input_userauth_request: invalid user
> ipauser1 at ipadomain.net [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: PAM: initializing for "ipauser1 at ipadomain.net"
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 781347 auth.debug] PAM[765]:
> pam_start(sshd,ipauser1 at ipadomain.net,811c170:812d610) - debug = 1
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 645040 auth.debug] PAM[765]: pam_set_item(812d610:service)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 645040 auth.debug] PAM[765]: pam_set_item(812d610:user)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 645040 auth.debug] PAM[765]: pam_set_item(812d610:conv)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: PAM: setting PAM_RHOST to "10.5.5.57"
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 645040 auth.debug] PAM[765]: pam_set_item(812d610:rhost)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: PAM: setting PAM_TTY to "ssh"
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 645040 auth.debug] PAM[765]: pam_set_item(812d610:tty)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: userauth-request for user
> ipauser1 at ipadomain.net service ssh-connection method keyboard-interactive
> [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: attempt 1 failures 0 [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: keyboard-interactive devs  [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: auth2_challenge: user=ipauser1 at ipadomain.net
> devs= [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: auth2_challenge_start: trying authentication
> method 'pam' [preauth]
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 269347 auth.debug] PAM[767]: pam_set_item(812d610:conv)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 690217 auth.debug] PAM[767]: pam_authenticate(812d610, 1)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 130556 auth.debug] PAM[767]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 278576 auth.debug] PAM[767]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 130556 auth.debug] PAM[767]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 278576 auth.debug] PAM[767]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 130556 auth.debug] PAM[767]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 278576 auth.debug] PAM[767]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 130556 auth.debug] PAM[767]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 278576 auth.debug] PAM[767]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 130556 auth.debug] PAM[767]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 278576 auth.debug] PAM[767]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 896806 auth.debug] PAM[767]: pam_get_user(812d610, 812d610, NULL)
> Feb 25 19:49:54 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.info] Postponed keyboard-interactive for invalid user
> ipauser1 at ipadomain.net from 10.5.5.57 port 57655 ssh2 [preauth]
> Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: server_input_channel_req: channel 0 request
> winadj at putty.projects.tartarus.org reply 1
> Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: session_by_channel: session 0 channel 0
> Feb 25 19:49:55 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[538]: [ID
> 800047 auth.debug] debug1: session_input_channel_req: session 0 req
> winadj at putty.projects.tartarus.org
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 269347 auth.debug] PAM[767]: pam_set_item(812d610:authtok)
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net last message
> repeated 1 time
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No
> account present for user
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No
> account present for user
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 219349 auth.debug] pam_unix_auth: user ipauser1 at ipadomain.net not found
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 564987 auth.debug] PAM[767]: pam_authenticate(812d610, 1): error No
> account present for user
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[767]: [ID
> 269347 auth.debug] PAM[767]: pam_set_item(812d610:authtok)
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.error] error: PAM: No account present for user for illegal
> user ipauser1 at ipadomain.net from 10.5.5.57
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.info] Failed keyboard-interactive/pam for invalid user
> ipauser1 at ipadomain.net from 10.5.5.57 port 57655 ssh2
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: userauth-request for user
> ipauser1 at ipadomain.net service ssh-connection method keyboard-interactive
> [preauth]
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: attempt 2 failures 1 [preauth]
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: keyboard-interactive devs  [preauth]
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: auth2_challenge: user=ipauser1 at ipadomain.net
> devs= [preauth]
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: kbdint_alloc: devices 'pam' [preauth]
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.debug] debug1: auth2_challenge_start: trying authentication
> method 'pam' [preauth]
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 531491 auth.debug] PAM[768]: pam_set_item(812d610:conv)
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 561236 auth.debug] PAM[768]: pam_authenticate(812d610, 1)
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 195047 auth.debug] PAM[768]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 502849 auth.debug] PAM[768]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 195047 auth.debug] PAM[768]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 502849 auth.debug] PAM[768]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 195047 auth.debug] PAM[768]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 502849 auth.debug] PAM[768]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 195047 auth.debug] PAM[768]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 502849 auth.debug] PAM[768]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 195047 auth.debug] PAM[768]: load_modules(812d610,
> pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 502849 auth.debug] PAM[768]: load_function: successful load of
> pam_sm_authenticate
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[768]: [ID
> 251960 auth.debug] PAM[768]: pam_get_user(812d610, 812d610, NULL)
> Feb 25 19:49:56 ipaclient5-sandbox-atdev-van.ipadomain.net sshd[765]: [ID
> 800047 auth.info] Postponed keyboard-interactive for invalid user
> ipauser1 at ipadomain.net from 10.5.5.57 port 57655 ssh2 [preauth]
>
>
>
> Here is my /etc/krb5.conf file
> ------------------------------
> [libdefaults]
>          default_realm = IPADOMAIN.NET
>          dns_lookup_kdc = true
>
> [realms]
>          IPADOMAIN.NET = {
>          kdc = 10.21.19.20
>          admin_server = 10.21.19.20
>          }
>
> [domain_realm]
>          .ipadomain.net = IPADOMAIN.NET
>          ipadomain.net = IPADOMAIN.NET
>
> [logging]
>          default = FILE:/var/krb5/kdc.log
>          kdc = FILE:/var/krb5/kdc.log
>          kdc_rotate = {
>          period = 1d
>          version = 10
>          }
>
> [appdefaults]
>          kinit = {
>          renewable = true
>          forwardable= true
>          }
>
> Here is my /etc/pam.conf
>
> (please note that some stuff is commented out for troubleshooting.  I have
> tried with everything uncommented and it doesn't work. I have also tried
> following about 10 different ways to configure PAM that I have seen in
> other forum posts where people were having Solaris troubles and have not
> found the magic combination yet.)
> ------------------------
>
> #
> #ident  "@(#)pam.conf   1.31    07/12/07 SMI"
> #
> # Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # PAM configuration
> #
> # Unless explicitly defined, all services use the modules
> # defined in the "other" section.
> #
> # Modules are defined with relative pathnames, i.e., they are
> # relative to /usr/lib/security/$ISA. Absolute path names, as
> # present in this file in previous releases are still acceptable.
> #
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> #login   auth required           pam_unix_cred.so.1
> login   auth sufficient         pam_krb5.so.1 debug
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> #rlogin  auth requisite          pam_authtok_get.so.1
> #rlogin  auth required           pam_dhkeys.so.1
> #rlogin  auth required           pam_unix_cred.so.1
> #rlogin  auth required           pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> #krlogin auth required           pam_unix_cred.so.1
> #krlogin auth required           pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> #rsh     auth required           pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> #krsh    auth required           pam_unix_cred.so.1
> #krsh    auth required           pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> #ktelnet auth required           pam_unix_cred.so.1
> #ktelnet auth required           pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> #ppp     auth requisite          pam_authtok_get.so.1
> #ppp     auth required           pam_dhkeys.so.1
> #ppp     auth required           pam_unix_cred.so.1
> #ppp     auth required           pam_unix_auth.so.1
> #ppp     auth required           pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth requisite          pam_authtok_get.so.1 debug
> other   auth required           pam_dhkeys.so.1 debug
> other   auth required           pam_unix_cred.so.1 debug
> other   auth sufficient         pam_krb5.so.1 debug
> other   auth required           pam_unix_auth.so.1 debug
> #
> # passwd command (explicit because of a different authentication module)
> #
> #passwd  auth required           pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> #cron    account required        pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other   account requisite       pam_roles.so.1 debug
> other   account required        pam_unix_account.so.1 debug
> #other   account sufficient      pam_ldap.so.1
> other   account required        pam_krb5.so.1 debug
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other   session required        pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
> other   session required        pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> #other   password required       pam_dhkeys.so.1
> #other   password requisite      pam_authtok_get.so.1
> other   password requisite      pam_authtok_check.so.1 force_check
> other   password sufficient     pam_krb5.so.1 debug
> other   password required       pam_authtok_store.so.1
>
>
>
>
It does not seem to recognize the user in the second attempt, but the 
first attempt seems to authenticate and then disconnect.
I do not see a trace from the accounting session, but I suspect that your pam 
stack does not authorize the authenticated user.
Try to allow all authenticated users first. This will prove that it is a 
pam stack accounting phase configuration issue.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
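
Added example, not part of the original thread: a small Python resolver for the /etc/pam.conf quoted above. It shows which entries the "sshd" service (the name in the logged pam_start call) uses in each phase, and which account modules must succeed. It relies on the fallback to "other" that the file's own comments describe; the function names are invented for this sketch.

```python
"""Resolve the effective Solaris pam.conf stack for one service."""
from collections import defaultdict

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = {"required", "requisite", "sufficient",
                 "optional", "binding", "include"}
# Flags for which a module failure fails the whole phase.
GATING_FLAGS = {"required", "requisite", "binding"}

# Entries copied from the /etc/pam.conf quoted in the thread; two of its
# commented-out lines are kept to exercise comment handling.
PAM_CONF = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
#login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1 debug
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1 debug
other   auth required           pam_dhkeys.so.1 debug
other   auth required           pam_unix_cred.so.1 debug
other   auth sufficient         pam_krb5.so.1 debug
other   auth required           pam_unix_auth.so.1 debug
other   account requisite       pam_roles.so.1 debug
other   account required        pam_unix_account.so.1 debug
#other   account sufficient      pam_ldap.so.1
other   account required        pam_krb5.so.1 debug
other   session required        pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
other   session required        pam_unix_session.so.1
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1 debug
other   password required       pam_authtok_store.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(flag, module, options), ...]} in file order."""
    table = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need service, type, flag, module")
        service, mtype, flag, module, *options = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {mtype!r}")
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {flag!r}")
        table[(service, mtype)].append((flag, module, options))
    return table


def effective_stack(table, service, mtype):
    """Entries for `service`, or the "other" entries if it has none of this type."""
    entries = table.get((service, mtype))
    if entries:
        return service, entries
    return "other", table.get(("other", mtype), [])


def gating_modules(entries):
    """Modules that must succeed for the phase to succeed."""
    return [module for flag, module, _ in entries if flag in GATING_FLAGS]


def report(table, service):
    """Printable summary of every phase for one service."""
    lines = []
    for mtype in MODULE_TYPES:
        source, entries = effective_stack(table, service, mtype)
        lines.append(f"{service}/{mtype} (taken from '{source}'):")
        for flag, module, options in entries:
            lines.append(f"    {flag:<10} {module} {' '.join(options)}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    conf = parse_pam_conf(PAM_CONF)
    print(report(conf, "sshd"))
    _, account = effective_stack(conf, "sshd", "account")
    print("account modules that must succeed:", gating_modules(account))
```

The resolved auth stack for "sshd" lists the same five modules, in the same order, as the load_modules lines in the quoted logs.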



