[Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

Morgan Marodin morgan at marodin.it
Mon Nov 30 09:00:13 UTC 2015


I've found the problem, using DEBUG3 into SSH service:
---------------------------------------------------------------------------------
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure. Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type 45
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 30 08:52:47 myserver sshd[9639]: debug1: Received SSH2_MSG_UNIMPLEMENTED for 7 [preauth]

My client was 4 minutes ahead of the IPA server. After syncing time via
ntpdate, Kerberos ticket authentication works correctly.

Thanks for your support, bye.
Morgan

2015-11-27 18:38 GMT+01:00 Sumit Bose <sbose at redhat.com>:

> On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> > Yes:
> > ------
> > # ls -l /var/lib/sss/pubconf/krb5.include.d/
> > total 8
> > -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> > -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> >
> > So what could I try to do?
>
> 'getent passwd' should return the same entry for the user name you use
> at the login prompt and the Kerberos principal (it's the name shown by
> klist in the 'Default principal:' line), e.g.:
>
> # getent passwd tu1 at ad.devel
> tu1 at ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
> # getent passwd tu1 at AD.DEVEL
> tu1 at ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
>
> From the logs I guess you used the name 'morgan.marodin at mydomain.com' at
> the login prompt.
>
> I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
> client with klist if you got a service ticket for your linux client
> principal which should look like host/linux.client.name at IPA.DOMAIN. On
> Windows there is klist for the cmd shell as well.
>
> Additionally if there is a service ticket for the linux host sshd debug
> logs from the linux host would be useful. For this please set LogLevel to
> DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
> confidential keys or passwords).
>
> bye,
> Sumit
>
> > Thanks, Morgan
> >
> > 2015-11-27 17:47 GMT+01:00 Sumit Bose <sbose at redhat.com>:
> >
> > > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > > Hi Sumit.
> > > >
> > > > I don't know why, but now kerberos ticket authentication is working on
> > > > 6.7 clients.
> > > > On 7.2 clients password authentication with Active Directory
> > > > credentials is now working ... but not with kerberos ticket.
> > >
> > > This is most likely due to some issues while mapping the Kerberos
> > > principal to the local user name.
> > >
> > > Do you have an 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > > the beginning of your krb5.conf file? Does
> > > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> > >
> > > bye,
> > > Sumit
> > >
>
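The sshd DEBUG3 output above is what finally pointed at the clock skew. As an added example (not code from the thread or from FreeIPA/SSSD), the script below parses such sshd GSSAPI log lines, re-joins lines that a mail client wrapped, and maps the known minor-status texts to the first check a defender should run; the hints are this example's own assumptions drawn from the thread.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample: the sshd DEBUG3 lines quoted in this thread, with the
# wrapping introduced by the mail client kept on purpose.
SAMPLE_LOG = r"""
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure.
Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type
45
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure
partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password"
[preauth]
"""

# syslog header: "Mon DD HH:MM:SS host sshd[pid]: message"
HEADER = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Minor-status texts sshd reports from GSSAPI/Kerberos, mapped to the first
# thing to check (hints are assumptions based on this thread, not sshd output).
HINTS = {
    "Clock skew too great": "client and KDC clocks differ: sync time (NTP) and retry",
    "Got no client credentials": "client sent no GSSAPI credential: run klist on the client "
                                 "and look for a host/<client-fqdn>@REALM service ticket",
}

def parse_sshd_lines(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (pid, message) pairs, re-joining lines that were wrapped in transit."""
    records: list[tuple[str, str]] = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            records.append((m["pid"], m["msg"]))
        elif records and line.strip():          # continuation of the previous entry
            pid, msg = records[-1]
            records[-1] = (pid, msg + " " + line.strip())
    return records

def triage(lines: Iterable[str]) -> list[dict]:
    """List every known GSSAPI failure reason found, with its pid and a hint."""
    findings = []
    for pid, msg in parse_sshd_lines(lines):
        # sshd joins the GSS major and minor status strings with a literal "\n".
        for part in msg.replace("\\n", "\n").split("\n"):
            for key, hint in HINTS.items():
                if key in part:
                    findings.append({"pid": pid, "reason": key, "hint": hint})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"sshd[{f['pid']}]: {f['reason']} -> {f['hint']}")
```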