[Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

Alexander Skwar alexanders.mailinglists+nospam at gmail.com
Tue Oct 6 09:26:42 UTC 2015


Hi

With further debugging, I discovered that I messed up the
/etc/sssd/sssd.conf file. There, I added:

…
[domain/customer.company.internal]

krb5_realm = customer.company.internal
…



Exactly like that, with "krb5_realm = customer.company.internal", i.e. with
the realm in lowercase letters.

After having changed that to uppercase letters (i.e. "krb5_realm =
CUSTOMER.COMPANY.INTERNAL"), it works fine.



Thanks for your time and help ;)

Cheers,
Alexander



2015-10-05 14:07 GMT+02:00 Sumit Bose <sbose at redhat.com>:

> On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote:
> > Hi
> >
> > Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> > to login with SSH and enter a password.
>
> Can you try to increase the debug_level to 0xFFF0?
>
> >
> > kinit doesn't work.
> >
> > $ kinit -k
> > kinit: Permission denied while getting initial credentials
> >
> > For this test, I was root and then did a "su - user" and then "kinit -k".
> > Also after the "kinit -k", nothing is in the krb5_child.log.
>
> The 'kinit -k' has to be done as root. It will only check if the client
> can connect to the KDC at all and try to get a TGT for the host.
>
> It's expected that during this operation nothing is added to the SSSD
> logs because the kinit utility works independently of SSSD.
>
> bye,
> Sumit
>
> >
> > Regards,
> > Alexander
> >
> >
> > 2015-10-02 17:59 GMT+02:00 Jakub Hrozek <jhrozek at redhat.com>:
> >
> > > On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > > > Hello
> > > >
> > > > How do I get password authentication to work with freeipa-client
> > > > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> > > >
> > > > Long version follows :)
> > > >
> > > > We've got an IPA server with the Red Hat Identity Management server
> > > > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > > > users and groups there and would now like to login with SSH. When I
> > > > store a SSH key for the user account, I can login just fine, using
> > > > this SSH key. But I'd like/need to use passwords as well. And sudo
> > > > also doesn't work when it's asking for passwords - I suppose
> > > > it's the same root cause.
> > > >
> > > > Let's stick with SSH.
> > > >
> > > > Initially, I installed the FreeIPA client with this command line:
> > > >
> > > >     ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> > > >       --enable-dns-updates --unattended \
> > > >       --principal=admin --password=correctone \
> > > >       --domain=customer.company.internal \
> > > >       --server=auth01.customer.company.internal
> > > >
> > > > I then try to do a SSH login with:
> > > >
> > > >     ssh -l ewt@customer.company.internal 192.168.229.143
> > > > or:
> > > >     ssh -l ewt 192.168.229.143
> > > >
> > > > Password authentication doesn't work.
> > > >
> > > > In the /var/log/syslog on the system where I try to login, I find this:
> > > >
> > > >     2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]: Key table entry not found
> > > >
> > > > After having turned up the debug level of the sssd with "sssd -i -f -d
> > > > 0x0770 --debug-timestamps=1", I find the following in the system log
> > > > files:
> > > >
> > > >     2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.71.117.1  user=ewt
> > > >     2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > > >     2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]: pam_sss(sshd:auth): received for user ewt: 4 (System error)
> > > >     2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed password for ewt from 212.71.117.1 port 58136 ssh2
> > > >
> > > > TBH, I don't quite understand it. Anyway, in
> > > > /var/log/sssd/sssd_customer.company.internal.log I noticed:
> > > >
> > > >     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [read_pipe_handler] (0x0400): EOF received, client finished
> > > >     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [parse_krb5_child_response] (0x0020): message too short.
> > > >     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
> > > >     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]] [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> > > >
> > > > Well… What am I doing wrong or what might I have forgotten?
> > >
> > > We need to also see the krb5_child.log but please check if the keytab is
> > > correct (i.e. kinit -k works).
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> > >
> >
> >
> >
> > --
> >
> >
> > Alexander
> > --
> > =>        *Google+* => http://plus.skwar.me         <==
> > => *Chat* (Jabber/Google Talk) => a.skwar at gmail.com <==
>
>
>


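The root cause Alexander found above is a case mismatch: Kerberos realm names are case-sensitive, IPA realms are upper-case, and the host keytab therefore holds `host/<fqdn>@CUSTOMER.COMPANY.INTERNAL`, so a lower-case `krb5_realm` makes krb5_child look up a principal the keytab does not contain ("Key table entry not found"). The following script is an added diagnostic example for this thread, not code from the thread, SSSD or FreeIPA. It cross-checks `krb5_realm` in sssd.conf against the realms of the `host/` principals in `klist -kt` output. The sssd.conf fragment and the klist output are constructed to mirror the thread (hostname `mgmt02`, server `auth01`); the `live_check` helper, which reads the real files on a host, is hypothetical and needs root.

```python
"""Cross-check krb5_realm in sssd.conf against the host principal realm in the keytab.

Added example for the Freeipa-users thread; not SSSD/FreeIPA code.  A lower-case
krb5_realm makes krb5_child search the keytab for host/<fqdn>@customer.company.internal
while ipa-client-install stored host/<fqdn>@CUSTOMER.COMPANY.INTERNAL, producing the
"Key table entry not found" message seen in syslog.
"""
import configparser
import re
import subprocess

# Constructed sssd.conf fragment reproducing the misconfiguration from the thread.
SSSD_CONF_LOWERCASE = """\
[sssd]
domains = customer.company.internal
services = nss, pam, ssh, sudo

[domain/customer.company.internal]
id_provider = ipa
auth_provider = ipa
ipa_domain = customer.company.internal
ipa_server = auth01.customer.company.internal
krb5_realm = customer.company.internal
"""

# The same fragment with the fix applied in the thread (upper-case realm).
SSSD_CONF_FIXED = SSSD_CONF_LOWERCASE.replace(
    "krb5_realm = customer.company.internal",
    "krb5_realm = CUSTOMER.COMPANY.INTERNAL",
)

# Constructed output in the shape MIT `klist -kt /etc/krb5.keytab` prints.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 10/02/15 14:25:43 host/mgmt02.customer.company.internal@CUSTOMER.COMPANY.INTERNAL
   1 10/02/15 14:25:43 host/mgmt02.customer.company.internal@CUSTOMER.COMPANY.INTERNAL
"""

# KVNO, date, time, then principal@REALM (MIT klist -kt layout).
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(?P<princ>\S+@(?P<realm>\S+))\s*$")


def sssd_domain_realms(conf_text):
    """Return {domain: krb5_realm} for every [domain/...] section that sets krb5_realm."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    realms = {}
    for section in cp.sections():
        if section.startswith("domain/") and cp.has_option(section, "krb5_realm"):
            realms[section[len("domain/"):]] = cp.get(section, "krb5_realm").strip()
    return realms


def keytab_realms(klist_text):
    """Return the set of realms found on host/ principals in `klist -kt` output."""
    realms = set()
    for line in klist_text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m and m.group("princ").startswith("host/"):
            realms.add(m.group("realm"))
    return realms


def check_realms(conf_text, klist_text):
    """Return a list of findings; an empty list means sssd.conf and the keytab agree."""
    findings = []
    kt_realms = keytab_realms(klist_text)
    if not kt_realms:
        findings.append("no host/ principal in keytab; re-run ipa-client-install")
        return findings
    for domain, realm in sssd_domain_realms(conf_text).items():
        if realm != realm.upper():
            findings.append(f"[domain/{domain}] krb5_realm={realm!r} is not upper-case")
        if realm not in kt_realms:  # realm comparison is case-sensitive, as in Kerberos
            findings.append(
                f"[domain/{domain}] krb5_realm={realm!r} matches no host/ key in the keytab "
                f"(keytab realms: {sorted(kt_realms)}); expect 'Key table entry not found'"
            )
    return findings


def live_check(conf_path="/etc/sssd/sssd.conf", keytab="/etc/krb5.keytab"):
    """Hypothetical helper: run the check against the real files (needs root)."""
    with open(conf_path) as fh:
        conf_text = fh.read()
    klist = subprocess.run(["klist", "-kt", keytab], capture_output=True, text=True, check=True)
    return check_realms(conf_text, klist.stdout)


if __name__ == "__main__":
    for label, conf in (("lower-case realm", SSSD_CONF_LOWERCASE), ("upper-case realm", SSSD_CONF_FIXED)):
        print(f"== {label} ==")
        for finding in check_realms(conf, KLIST_OUTPUT) or ["OK: krb5_realm matches the keytab"]:
            print(" ", finding)
```

Running the script as-is reports two findings for the lower-case configuration and none for the corrected one; on a joined host, `live_check()` performs the same comparison against `/etc/sssd/sssd.conf` and `/etc/krb5.keytab`, which is a quicker first check than raising `debug_level` and reading krb5_child.log.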