[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Bobby Prins bobby.prins at proxy.nl
Fri Jun 12 15:28:23 UTC 2015


On Jun 11, 2015, at 15:37, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> On Thu, 11 Jun 2015, Bobby Prins wrote:
>> On Apr 7, 2015, at 13:41, Bobby Prins <bobby.prins at proxy.nl> wrote:
>>> 
>>> 
>>>> On Apr 3, 2015, at 14:40, Bobby Prins <bobby.prins at proxy.nl> wrote:
>>>> 
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>>> To: "Bobby Prins" <bobby.prins at proxy.nl>
>>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>>> Sent: Friday 3 April 2015 14:26:17
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>> 
>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>> ----- Original message -----
>>>>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>>>>> To: "Bobby Prins" <bobby.prins at proxy.nl>
>>>>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>>>>> Sent: Friday 3 April 2015 12:45:07
>>>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>>> 
>>>>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>>>>> access:
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>>>>> Above there are two lookups:
>>>>>>> 
>>>>>>> - successful lookup for user bprins at example.com
>>>>>>> - unsuccessful lookup for user bprins
>>>>>>> 
>>>>>>> What is causing a lookup without @example.com to be performed? The compat tree
>>>>>>> presents AD users fully qualified; that is the only way it knows to
>>>>>>> trigger a lookup via SSSD on the IPA master for these users (because non-fully
>>>>>>> qualified users are in the IPA LDAP tree already and copied to the compat tree
>>>>>>> automatically).
>>>>>> This seems to be (standard?) behaviour of the AIX LDAP client. I did some
>>>>>> more tests with different accounts and always see the two lookups. I
>>>>>> doubt that I can influence that.
>>>>> No, this is not standard -- I haven't seen such behavior when testing
>>>>> FreeIPA with AIX last autumn.
>>>>> --
>>>>> / Alexander Bokovoy
>>>> OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well. What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.
>>> Did some tests with AIX5.3 and then I don’t run into any issues. There is no lookup to be seen after entering my username on AIX5.3 (as there was on AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later on.
>> 
>> AIX6.1 also worked without any problems. In the end my methods.cfg was causing the problems on AIX7.1. After deleting these lines authentication worked:
>> 
>> KRB5:
>>      program = /usr/lib/security/KRB5
>>      program_64 = /usr/lib/security/KRB5_64
>>      options = authonly,kadmind=no
>> 
>> KRB5LDAP:
>>      options = auth=KRB5,db=LDAP
>> 
>> So my methods.cfg now looks like this:
>> 
>> LDAP:
>>      program = /usr/lib/security/LDAP
>>      program_64 = /usr/lib/security/LDAP64
>> 
>> NIS:
>>      program = /usr/lib/security/NIS
>>      program_64 = /usr/lib/security/NIS_64
>> 
>> DCE:
>>      program = /usr/lib/security/DCE
>> 
>> I was not expecting this since I was not using KRB5 or KRB5LDAP in /etc/security/user. Well, I’m glad I got this sorted out now :)
> Great. Could you please write your configurations up somewhere so that
> we can have an article on freeipa.org detailing the configs for future
> users?

Yes, I will do that Alexander. Hope to have some time for that next week.

> -- 
> / Alexander Bokovoy
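As an added diagnostic (example code written here, not from the thread or the FreeIPA project), the following Python script parses 389-ds access-log lines like the ones quoted above and flags the double lookup Alexander points out: a fully qualified lookup that resolves through the compat tree, followed on the same connection by an unqualified lookup for the same short name that returns no entry. The sample lines are constructed after the quoted ones; the list archive shows "@" as " at ", while the script assumes the literal "@" a real log would contain.

```python
import re

# Constructed sample in 389-ds access-log format, modelled on the lines quoted
# in the thread (the archive rewrites "@" as " at "; the literal "@" is used here).
SAMPLE_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)".*?filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+).*?nentries=(\d+)')
UID_RE = re.compile(r'\(uid=([^)]+)\)', re.IGNORECASE)


def parse_compat_lookups(log_text):
    """Pair each SRCH under the compat tree with its RESULT line (matched by
    conn/op) and return the looked-up uid plus the number of entries found."""
    pending, lookups = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, filt = m.groups()
            uid = UID_RE.search(filt)
            if uid and "cn=compat" in base:
                pending[(conn, int(op))] = uid.group(1)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in pending:
            conn, op = m.group(1), int(m.group(2))
            lookups.append({"conn": conn, "op": op, "uid": pending.pop((conn, op)),
                            "err": int(m.group(3)), "nentries": int(m.group(4))})
    return lookups


def unqualified_misses(log_text):
    """Flag the pattern from the thread: on one connection user@REALM resolves via
    the compat tree, but the bare short name returns nothing.  Returns a list of
    (conn, op, short_name) tuples, one per unqualified miss."""
    lookups = parse_compat_lookups(log_text)
    resolved = {(l["conn"], l["uid"].split("@", 1)[0])
                for l in lookups if "@" in l["uid"] and l["nentries"] > 0}
    return [(l["conn"], l["op"], l["uid"]) for l in lookups
            if "@" not in l["uid"] and l["nentries"] == 0
            and (l["conn"], l["uid"]) in resolved]
```

Running `unqualified_misses` over a real access log narrows a "Preauthentication failed" report down to the client that issues the second, unqualified search, which is what distinguished the AIX7.1 setup from the AIX5.3 and AIX6.1 tests above.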
