[Freeipa-users] SSH auth failing in IPA trust

Troels Hansen th at casalogic.dk
Thu Aug 4 11:56:42 UTC 2016


Hmm, well, yes, it did:

(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [unpack_buffer] (0x0100): cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [DREXTRHA@DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa02tst.linux.dr.dk@LINUX.DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18122]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [DREXTRHA@DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1349938498] old_ccname: [KEYRING:persistent:1349938498] keytab: [/etc/krb5.keytab]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa02tst.linux.dr.dk@LINUX.DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos database]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [map_krb5_error] (0x0020): 1303: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos database]

and this is actually correct, because the UPN would be DREXTRHA@DR.DK.

I found this:
https://access.redhat.com/solutions/323373

However, setting ldap_user_principal in the domain part to something non-existing doesn't seem to work.


----- On Aug 4, 2016, at 1:22 PM, Jakub Hrozek jhrozek at redhat.com wrote:

> On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
>> Hi, we have set up IPA in an AD trust and are about 90% done, but still have one
>> problem using SSH login.
>> 
>> Kerberos works:
>> # kdestroy
>> # kinit drextrha@NET.DR.DK
>> Password for drextrha@NET.DR.DK:
>> # klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: drextrha@NET.DR.DK
>> 
>> Valid starting       Expires              Service principal
>> 08/04/2016 12:46:17  08/04/2016 22:46:17  krbtgt/NET.DR.DK@NET.DR.DK
>> renew until 08/05/2016 12:46:09
>> 
>> 
>> I can see the user:
>> 
>> # getent passwd drextrha@NET.DR.DK
>> drextrha@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
>> 
>> However, can't log in using SSH:
>> 
>> login as: drextrha@NET.DR.DK
>> drextrha@NET.DR.DK@ipa02tst.linux.dr.dk's password:
>> Access denied
>> 
>> 
>> When I look at the log files it looks correct, until we receive a "
>> be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success
>> (System error)] " error, which I can't quite resolve or even verify if that's
>> what's causing the problem.
>> 
>> 
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Sending result [0][net.dr.dk]
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Sent result [0][net.dr.dk]
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): Got request with the following data
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): domain: net.dr.dk
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): user: DREXTRHA@net.dr.dk
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): service: sshd
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): tty: ssh
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): ruser:
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): rhost: t01042.net.dr.dk
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): authtok type: 1
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): newauthtok type: 0
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): priv: 1
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): cli_pid: 17348
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): logon name: not set
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler] (0x0100): child [17356] finished successfully.
>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]
> 
> Please take a look into krb5_child.log, it should have more hints on why
> the authentication failed.
> 
> (This is documented at
> https://fedorahosted.org/sssd/wiki/Troubleshooting, section
> "Troubleshooting general authentication problems")
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Kind regards

Troels Hansen 

System consultant

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
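A small triage script for the krb5_child.log excerpt in this thread, added here as a worked example; it is not part of the thread, of SSSD or of FreeIPA. It parses constructed log lines modelled on the excerpt (with `@` restored where the archive renders it as ` at `), pulls out the UPN that krb5_child handed to kinit, the `enterprise principal` flag and the libkrb5 error code, and reports when a "Client ... not found in Kerberos database" failure coincides with a UPN suffix (here DR.DK) that differs from the realm in which the same user is known to get a TGT (here NET.DR.DK, from the working kinit). The script does not discover that realm; the operator passes it in. The constant -1765328378 is libkrb5's KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. All function names and the sample lines are constructed for the example.

```python
"""Triage helper for SSSD krb5_child.log (added example, not SSSD code).

Finds, per krb5_child process, the principal used for the AS request, whether
SSSD asked for an enterprise principal, and any libkrb5 error it logged, then
flags a UPN whose realm suffix differs from the realm where the user is known
to authenticate.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# libkrb5 error code logged on the failing line in the thread.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = -1765328378

# Constructed sample, modelled on the krb5_child.log excerpt in the thread.
SAMPLE_LOG = """\
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [DREXTRHA@DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa02tst.linux.dr.dk@LINUX.DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos database]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [map_krb5_error] (0x0020): 1303: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos database]
"""

# One krb5_child line: (timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
UPN_RE = re.compile(r"UPN \[(?P<upn>[^\]]+)\]")
ENT_RE = re.compile(r"enterprise principal \[(?P<ent>true|false)\]")
ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")


@dataclass
class ChildRun:
    """What one krb5_child process (one PAM authentication attempt) reported."""
    pid: str
    upn: Optional[str] = None
    enterprise: Optional[bool] = None
    errors: List[Tuple[int, str]] = field(default_factory=list)


def parse_krb5_child_log(text: str) -> Dict[str, ChildRun]:
    """Group krb5_child.log lines by child PID and extract the fields we need."""
    runs: Dict[str, ChildRun] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a krb5_child line (or a continuation); ignore
        run = runs.setdefault(m["pid"], ChildRun(pid=m["pid"]))
        msg = m["msg"]
        if m["func"] == "unpack_buffer":
            # The request SSSD's backend sent to the child: principal and flags.
            u, e = UPN_RE.search(msg), ENT_RE.search(msg)
            if u:
                run.upn = u["upn"]
            if e:
                run.enterprise = e["ent"] == "true"
        elif m["func"] in ("get_and_save_tgt", "map_krb5_error"):
            # libkrb5 failure reported by the child: [code][text]
            err = ERR_RE.search(msg)
            if err:
                run.errors.append((int(err["code"]), err["text"]))
    return runs


def diagnose(runs: Dict[str, ChildRun], auth_realm: str) -> List[str]:
    """Flag attempts whose UPN suffix is not the realm where the user can kinit.

    auth_realm is supplied by the operator (the realm from a kinit that works,
    NET.DR.DK in the thread); nothing here looks it up.
    """
    findings = []
    for run in runs.values():
        if run.upn is None:
            continue
        user, _, upn_realm = run.upn.rpartition("@")
        unknown_client = any(code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN for code, _ in run.errors)
        if unknown_client and upn_realm.upper() != auth_realm.upper() and not run.enterprise:
            findings.append(
                f"pid {run.pid}: AS request as UPN {run.upn} failed with "
                f"KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; UPN suffix {upn_realm} is not the "
                f"realm {auth_realm} where {user}@{auth_realm} gets a TGT, and the "
                f"request was sent without the enterprise-principal flag"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_krb5_child_log(SAMPLE_LOG), "NET.DR.DK"):
        print(finding)
```

Run it against a real krb5_child.log by reading the file into `parse_krb5_child_log` and passing the realm from a kinit that succeeded; an attempt that fails for some other reason (wrong password, clock skew) carries a different error code and is not reported, so the output points only at the principal-name mismatch this thread is about.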



