[Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

Sumit Bose sbose at redhat.com
Fri Nov 27 17:38:03 UTC 2015


On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> Yes:
> ------
> # ls -l /var/lib/sss/pubconf/krb5.include.d/
> total 8
> -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> 
> So what could I try to do?

'getent passwd' should return the same entry for the user name you use
at the login prompt and the Kerberos principal (it's the name shown by
klist in the 'Default principal:' line) e.g.:

# getent passwd tu1@ad.devel
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
# getent passwd tu1@AD.DEVEL
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh

From the logs I guess you used the name 'morgan.marodin@mydomain.com' at
the login prompt.

I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
client with klist if you got a service ticket for your linux client
principal which should look like host/linux.client.name@IPA.DOMAIN. On
Windows there is klist for the cmd shell as well.

Additionally if there is a service ticket for the linux host sshd debug
logs from the linux host would be useful. For this please set LogLevel to
DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
confidential keys or passwords).

bye,
Sumit

> Thanks, Morgan
> 
> 2015-11-27 17:47 GMT+01:00 Sumit Bose <sbose at redhat.com>:
> 
> > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > Hi Sumit.
> > >
> > > I don't know why, but now kerberos ticket authentication is working on
> > > 6.7 clients.
> > > On 7.2 clients now password authentication with Active Directory
> > > credentials is working ... but not with kerberos ticket.
> >
> > This is most likely due to some issues while mapping the Kerberos
> > principal to the local user name.
> >
> > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > the beginning of your krb5.conf file? Does
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> >
> > bye,
> > Sumit
> >
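As an added example (not code from the thread or from SSSD/FreeIPA), the checks Sumit describes as a small POSIX shell script: it reads klist output, confirms a service ticket for the client's host/ principal is present, and verifies that the login name and the default principal resolve to the same passwd entry. The LOOKUP variable, the sample klist output and the hostname linux.client.name are constructed for illustration.

```shell
# Added example, not code from the thread: the mapping check Sumit describes.
# LOOKUP fetches a passwd entry; defaults to getent, overridable for offline tests.
LOOKUP=${LOOKUP:-"getent passwd"}

# Constructed klist output in the shape the thread refers to (uid taken
# from Sumit's getent example; the hostname is a placeholder).
KLIST_SAMPLE='Ticket cache: KEYRING:persistent:1367201104:krb_ccache_example
Default principal: tu1@AD.DEVEL

Valid starting       Expires              Service principal
11/27/2015 17:00:00  11/28/2015 03:00:00  krbtgt/AD.DEVEL@AD.DEVEL
11/27/2015 17:01:00  11/28/2015 03:00:00  host/linux.client.name@IPA.DOMAIN'

# Print the value of the "Default principal:" line from klist output on stdin.
default_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Succeed if klist output on stdin lists a service ticket for host/<fqdn>.
has_host_ticket() {
    grep -qF "host/$1@"
}

# Succeed if both names resolve to the identical passwd entry.
same_passwd_entry() {
    e1=$($LOOKUP "$1") || return 1
    e2=$($LOOKUP "$2") || return 1
    [ -n "$e1" ] && [ "$e1" = "$e2" ]
}

# Full check: login name, client FQDN, klist output on stdin.
# Exit codes: 0 ok, 1 no principal, 2 no host ticket, 3 mapping mismatch.
check_login() {
    login=$1; host=$2
    out=$(cat)
    princ=$(printf '%s\n' "$out" | default_principal)
    [ -n "$princ" ] || { echo "no Default principal in klist output"; return 1; }
    if ! printf '%s\n' "$out" | has_host_ticket "$host"; then
        echo "no service ticket for host/$host: GSSAPI login cannot succeed"
        return 2
    fi
    if same_passwd_entry "$login" "$princ"; then
        echo "OK: $login and $princ resolve to the same passwd entry"
    else
        echo "MISMATCH: $login and $princ differ; check includedir/localauth_plugin"
        return 3
    fi
}
```

On a real client run it as `klist | check_login "$USER" "$(hostname -f)"`; a non-zero exit code points at which of the three conditions from the thread is failing.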
