[Freeipa-users] Troubleshooting SSO

Sumit Bose sbose at redhat.com
Mon Mar 30 14:58:18 UTC 2015


On Mon, Mar 30, 2015 at 10:09:00AM -0400, Gould, Joshua wrote:
> I configured the .k5login per the RH docs.
> 
> $ cat .k5login
> adm-faru03@TEST.OSUWMC
> TEST.OSUWMC\adm-faru03

The second line is not needed. Please note that .k5login must only be
read-writable for the owner.

Can you check by calling klist in a Windows Command window if you got
a proper host/... ticket for the IPA host?

What version of IPA and SSSD are you using?

Can you check if the following works on an IPA host:

kinit adm-faru03@TEST.OSUWMC
kvno host/name.of.the.ipa-client.to.login@IPA.REALM
ssh -v -l adm-faru03@test.osuwmc name.of.the.ipa-client.to.login

The error messages returned by the ssh -v output might help to see why
GSSAPI auth failed.

bye,
Sumit

> $
> 
> 
> I upped the debugging to DEBUG3 but I can't make sense of the error. Can
> you help? I'm getting better but I can't get this one yet.
> 
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection from 10.80.5.239 port
> 50824 on 10.127.26.73 port 22
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Client protocol version
> 2.0; client software version PuTTY_Release_0.64
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: no match:
> PuTTY_Release_0.64
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Enabling compatibility
> mode for protocol 2.0
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Local version string
> SSH-2.0-OpenSSH_6.6.1
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: fd 3 setting O_NONBLOCK
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: ssh_sandbox_init:
> preparing rlimit sandbox
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: Network child is on pid
> 12794
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: preauth child monitor
> started
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SELinux support enabled
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
> ssh_selinux_change_context: setting context from
> 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to
> 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: privsep user:group 74:74
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: permanently_set_uid:
> 74/74 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: list_hostkey_types:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT sent
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT
> received [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha
> 2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchan
> ge-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.c
> om,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc
> ,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysato
> r.liu.se [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.c
> om,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc
> ,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysato
> r.liu.se [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,
> umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at op
> enssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-
> md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at open
> ssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.c
> om,hmac-sha1-96,hmac-md5-96 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,
> umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at op
> enssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-
> md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at open
> ssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.c
> om,hmac-sha1-96,hmac-md5-96 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> none,zlib at openssh.com [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> none,zlib at openssh.com [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> first_kex_follows 0  [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> reserved 0  [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,dif
> fie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024-
> sha1 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> ssh-rsa,ssh-dss [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes
> 128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,a
> rcfour128 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-ctr,aes192-cbc,aes
> 128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,a
> rcfour128 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> none,zlib [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> none,zlib [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> first_kex_follows 0  [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit:
> reserved 0  [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: mac_setup: setup
> hmac-sha2-256 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex: client->server
> aes256-ctr hmac-sha2-256 none [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: mac_setup: setup
> hmac-sha2-256 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex: server->client
> aes256-ctr hmac-sha2-256 none [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex:
> diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 120 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
> mm_request_receive_expect entering: type 121 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 120
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 121
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex:
> diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 120 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
> mm_request_receive_expect entering: type 121 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 120
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 121
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1:
> SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 0 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_choose_dh: waiting
> for MONITOR_ANS_MODULI [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
> mm_request_receive_expect entering: type 1 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 0
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_moduli: got
> parameters: 1024 4096 8192
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 1
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 0 used
> once, disabling now
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_choose_dh: remaining
> 0 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1:
> SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: bits set: 2077/4096
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: expecting
> SSH2_MSG_KEX_DH_GEX_INIT [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: bits set: 2021/4096
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_key_sign entering
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 6 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_key_sign: waiting for
> MONITOR_ANS_SIGN [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
> mm_request_receive_expect entering: type 7 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 6
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_sign
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_sign:
> signature 0x7f4788d8c440(271)
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 7
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 6 used
> once, disabling now
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1:
> SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_derive_keys [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: set_newkeys: mode 1
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_NEWKEYS sent
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: expecting
> SSH2_MSG_NEWKEYS [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: set_newkeys: mode 0
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_NEWKEYS
> received [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: KEX done [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for
> user adm-faru03 at test.osuwmc service ssh-connection method none [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: attempt 0 failures 0
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_getpwnamallow
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 8 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_getpwnamallow:
> waiting for MONITOR_ANS_PWNAM [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
> mm_request_receive_expect entering: type 9 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 8
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_pwnamallow
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: Trying to reverse map
> address 10.80.5.239.
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: parse_server_config:
> config reprocess config len 899
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_pwnamallow:
> sending MONITOR_ANS_PWNAM: 1
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 9
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 8 used
> once, disabling now
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request:
> setting up authctxt for adm-faru03 at test.osuwmc [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_start_pam entering
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 100 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_inform_authserv
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 4 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_inform_authrole
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 80 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request:
> try method none [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: userauth_finish: failure
> partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password"
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 100
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: PAM: initializing for
> "adm-faru03 at test.osuwmc"
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: PAM: setting PAM_RHOST
> to "svr-addc-vt01.test.osuwmc"
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: PAM: setting PAM_TTY to
> "ssh"
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 100 used
> once, disabling now
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for
> user adm-faru03 at test.osuwmc service ssh-connection method gssapi-with-mic
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: attempt 1 failures 0
> [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request:
> try method gssapi-with-mic [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 42 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3:
> mm_request_receive_expect entering: type 43 [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering [preauth]
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 4
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_authserv:
> service=ssh-connection, style=
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 4 used
> once, disabling now
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 80
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_authrole: role=
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 80 used
> once, disabling now
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 42
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 43
> Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Postponed gssapi-with-mic for
> adm-faru03 at test.osuwmc from 10.80.5.239 port 50824 ssh2 [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for
> user adm-faru03 at test.osuwmc service ssh-connection method password
> [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug1: attempt 2 failures 0
> [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request:
> try method password [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_auth_password
> entering [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send
> entering: type 12 [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_auth_password:
> waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3:
> mm_request_receive_expect entering: type 13 [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering [preauth]
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive
> entering
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking
> request 12
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: PAM: sshpam_passwd_conv
> called with 1 messages
> Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=svr-addc-vt01.test.osuwmc  user=adm-faru03 at test.osuwmc
> Mar 30 09:57:25 mid-ipa-vp01 sshd[12793]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=svr-addc-vt01.test.osuwmc user=adm-faru03 at test.osuwmc
> Mar 30 09:57:25 mid-ipa-vp01 sshd[12793]: debug1: PAM: password
> authentication accepted for adm-faru03 at test.osuwmc
> 
> 
> 
> On 3/30/15, 9:35 AM, "Sumit Bose" <sbose at redhat.com> wrote:
> 
> >assuming you have a valid Kerberos ticket the most probable reason is
> >that libkrb5 cannot properly relate the Kerberos principal from the
> >ticket to the local user name you use at the login prompt. With DEBUG3
> >you should see some messages containing '*userok*'. If you see failures
> >related to these messages it most probably is this case.
> >
> >Recent versions of SSSD will configure a plugin for libkrb5 which can
> >handle this. But for older versions you either have to create a .k5login
> >file in the user's home directory containing the Kerberos principal or
> >use auth_to_local directives in /etc/krb5.conf as described in
> >http://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf
> >
> >HTH
> >
> >bye,
> >Sumit
> 
> 
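
Added example (not part of the original thread): a small Python summarizer for sshd DEBUG output like the log quoted above, reporting per connection which auth methods were requested, which were postponed, which one was accepted, and whether any of the '*userok*' messages mentioned in the earlier reply were logged. The sample lines are constructed from the quoted log, unwrapped and with the archive's " at " restored to "@"; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: lines shaped like the DEBUG3 output quoted in the thread,
# unwrapped and with "@" restored in the user name.
SAMPLE_LOG = """\
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method none [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method gssapi-with-mic [preauth]
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Postponed gssapi-with-mic for adm-faru03@test.osuwmc from 10.80.5.239 port 50824 ssh2 [preauth]
Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method password [preauth]
Mar 30 09:57:25 mid-ipa-vp01 sshd[12793]: debug1: PAM: password authentication accepted for adm-faru03@test.osuwmc
"""

PID = re.compile(r"sshd\[(\d+)\]: (.*)")
REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
POSTPONED = re.compile(r"Postponed (\S+) for ")
ACCEPTED = re.compile(r"Accepted (\S+) for |PAM: (\S+) authentication accepted")


def summarize(log_text):
    """Return {pid: summary} describing each connection's auth attempts."""
    sessions = defaultdict(lambda: {"user": None, "methods": [], "postponed": [],
                                    "accepted": None, "userok_lines": []})
    for line in log_text.splitlines():
        m = PID.search(line)
        if not m:
            continue  # not an sshd line (or a wrapped continuation line)
        s, msg = sessions[m.group(1)], m.group(2)
        if (r := REQUEST.search(msg)):
            s["user"] = r.group(1)
            s["methods"].append(r.group(2))
        elif (p := POSTPONED.search(msg)):
            s["postponed"].append(p.group(1))
        elif (a := ACCEPTED.search(msg)):
            s["accepted"] = a.group(1) or a.group(2)
        if "userok" in msg.lower():
            s["userok_lines"].append(msg)
    return dict(sessions)


def gssapi_finding(s):
    """Classify how far GSSAPI got in one session summary."""
    if "gssapi-with-mic" not in s["methods"]:
        return "client never requested gssapi-with-mic"
    if s["accepted"] == "gssapi-with-mic":
        return "gssapi-with-mic succeeded"
    if s["userok_lines"]:
        return "principal-to-user mapping was evaluated; inspect the userok lines"
    return "gssapi-with-mic was started but no userok check was logged"


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s["user"], s["methods"], "accepted:", s["accepted"])
        print("  ->", gssapi_finding(s))
```

Mail-wrapped log lines need to be rejoined before parsing, since continuation lines carry no sshd[pid] prefix and are skipped.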



