[Freeipa-users] SSH auth failing in IPA trust
Jakub Hrozek
jhrozek at redhat.com
Thu Aug 4 11:22:29 UTC 2016
On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
> Hi, we have set up IPA in an AD trust and are about 90% done, but still have one problem using SSH login.
>
> Kerberos works:
> # kdestroy
> # kinit drextrha at NET.DR.DK
> Password for drextrha at NET.DR.DK:
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: drextrha at NET.DR.DK
>
> Valid starting Expires Service principal
> 08/04/2016 12:46:17 08/04/2016 22:46:17 krbtgt/NET.DR.DK at NET.DR.DK
> renew until 08/05/2016 12:46:09
>
>
> I can see the user:
>
> # getent passwd drextrha at NET.DR.DK
> drextrha at net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
>
> However, can't log in using SSH:
>
> login as: drextrha at NET.DR.DK
> drextrha at NET.DR.DK@ipa02tst.linux.dr.dk's password:
> Access denied
>
>
> When I look at the log files it looks correct, until we receive a " be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)] " error, which I can't quite resolve or even verify if that's what's causing the problem.
>
>
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Sending result [0][net.dr.dk]
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Sent result [0][net.dr.dk]
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): Got request with the following data
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): domain: net.dr.dk
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): user: DREXTRHA at net.dr.dk
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): service: sshd
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): tty: ssh
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): ruser:
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): rhost: t01042.net.dr.dk
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): authtok type: 1
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): priv: 1
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): cli_pid: 17348
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): logon name: not set
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler] (0x0100): child [17356] finished successfully.
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]
Please take a look into krb5_child.log, it should have more hints on why
the authentication failed.
(This is documented at
https://fedorahosted.org/sssd/wiki/Troubleshooting, section
"Troubleshooting general authentication problems")
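As an added example (not from the thread or the SSSD project), a small Python parser for the sssd_<domain>.log lines quoted above: it pairs each PAM request printed by pam_print_data with the "Backend returned" tuple that closes it and names the PAM status, so a (0, 4, <NULL>) result is reported as PAM_SYSTEM_ERR for the user, service and rhost it belongs to. The sample log lines are constructed to mirror the quoted ones (with "@" restored in the user name); the PAM code names are the standard Linux-PAM values.

```python
import re

# Standard Linux-PAM return codes; sssd logs only the number, this names it.
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
              7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# One sssd debug line: "(<timestamp>) [sssd[be[<domain>]]] [<function>] (<level>): <message>"
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] "
                     r"\(0x[0-9a-f]+\): (?P<msg>.*)$")
# "Backend returned: (0, 4, <NULL>)" is (data-provider error, PAM status, message).
RESULT_RE = re.compile(r"Backend returned: \((\d+), (\d+), (.*?)\)")

# Constructed sample in the format quoted in the thread: one request that succeeded,
# then the failing one for the trusted-domain user.
SAMPLE_LOG = """\
(Thu Aug  4 12:51:09 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug  4 12:51:09 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug  4 12:51:09 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): user: DREXTRHA@net.dr.dk
(Thu Aug  4 12:51:09 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): rhost: t01042.net.dr.dk
(Thu Aug  4 12:51:09 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
(Thu Aug  4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug  4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug  4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): user: DREXTRHA@net.dr.dk
(Thu Aug  4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): service: sshd
(Thu Aug  4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): rhost: t01042.net.dr.dk
(Thu Aug  4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]
"""

def parse_pam_results(text):
    """Pair each 'Got request' block with the 'Backend returned' result that closes it."""
    records, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "be_pam_handler" and msg.startswith("Got request"):
            current = {"timestamp": m.group("ts")}   # a new PAM request begins
        elif func == "pam_print_data" and current:
            key, _, value = msg.partition(":")        # e.g. "user: DREXTRHA@net.dr.dk"
            current[key.strip()] = value.strip()
        elif func == "be_pam_handler_callback" and current:
            r = RESULT_RE.search(msg)
            if r:                                     # "Sending/Sent result" lines do not match
                status = int(r.group(2))
                current.update(dp_error=int(r.group(1)), pam_status=status,
                               pam_status_name=PAM_STATUS.get(status, f"PAM_STATUS_{status}"))
                records.append(current)
                current = {}  # a result with no pending request (cut-off log) is ignored
    return records

def failed_auths(records):
    """Requests that did not end in PAM_SUCCESS: the ones to chase in krb5_child.log."""
    return [r for r in records if r["pam_status"] != 0]
```

Run against the real sssd_<domain>.log at debug_level 0x0100 or higher; the failing record gives the timestamp to look for in krb5_child.log.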