[Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

Alexander Skwar alexanders.mailinglists+nospam at gmail.com
Fri Oct 2 14:28:57 UTC 2015


Hello

How do I get password authentication to work with freeipa-client
3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?

Long version follows :)

We've got an IPA server with the Red Hat Identity Management server
on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
users and groups there and would now like to log in with SSH. When I
store an SSH key for the user account, I can log in just fine, using
this SSH key. But I'd like/need to use passwords as well. And sudo
also doesn't work when it's asking for passwords - I suppose
it's the same root cause.

Let's stick with SSH.

Initially, I installed the FreeIPA client with this command line:

    ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
      --enable-dns-updates --unattended \
      --principal=admin --password=correctone \
      --domain=customer.company.internal \
      --server=auth01.customer.company.internal

I then try to do an SSH login with:

    ssh -l ewt@customer.company.internal 192.168.229.143
or:
    ssh -l ewt 192.168.229.143

Password authentication doesn't work.

In the /var/log/syslog on the system where I try to log in, I find this:

    2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]: Key table entry not found

After having turned up the debug level of the sssd with "sssd -i -f -d
0x0770 --debug-timestamps=1", I find the following in the system log
files:

    2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.71.117.1  user=ewt
    2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.71.117.1 user=ewt
    2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]: pam_sss(sshd:auth): received for user ewt: 4 (System error)
    2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed password for ewt from 212.71.117.1 port 58136 ssh2

TBH, I don't quite understand it. Anyway, in
/var/log/sssd/sssd_customer.company.internal.log I noticed:

    (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [read_pipe_handler] (0x0400): EOF received, client finished
    (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [parse_krb5_child_response] (0x0020): message too short.
    (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
    (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.

Well… What am I doing wrong or what might I have forgotten?

Thanks a lot and best regards,

Alexander
-- 
=>        Google+ => http://plus.skwar.me         <==
=> Chat (Jabber/Google Talk) => a.skwar at gmail.com <==



