[Freeipa-users] SSH auth failing in IPA trust

Troels Hansen th at casalogic.dk
Thu Aug 4 12:31:46 UTC 2016


Solved it myself.....

http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html

Apparently it's well known, and will be solved in 7.3

----- On Aug 4, 2016, at 1:56 PM, Troels Hansen th at casalogic.dk wrote:

> Hmm, well, yes, it did:
> 
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [unpack_buffer] (0x0100):
> cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise
> principal [false] offline [false] UPN [DREXTRHA@DR.DK]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/ipa02tst.linux.dr.dk@LINUX.DR.DK]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18122]]]] [set_canonicalize_option]
> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_canonicalize_option]
> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100):
> cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise
> principal [false] offline [false] UPN [DREXTRHA@DR.DK]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100):
> ccname: [KEYRING:persistent:1349938498] old_ccname:
> [KEYRING:persistent:1349938498] keytab: [/etc/krb5.keytab]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/ipa02tst.linux.dr.dk@LINUX.DR.DK]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_canonicalize_option]
> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [get_and_save_tgt]
> (0x0020): 1234: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos
> database]
> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [map_krb5_error]
> (0x0020): 1303: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos
> database]
> 
> and this is actually correct, because the UPN would be DREXTRHA@DR.DK.
> 
> I found this:
> https://access.redhat.com/solutions/323373
> 
> However, setting ldap_user_principal in the domain part to something
> non-existing doesn't seem to work.
> 
> 
> ----- On Aug 4, 2016, at 1:22 PM, Jakub Hrozek jhrozek at redhat.com wrote:
> 
>> On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
>>> Hi, we have set up IPA in an AD trust and are about 90% done, but still have one
>>> problem using SSH login.
>>> 
>>> Kerberos works:
>>> # kdestroy
>>> # kinit drextrha@NET.DR.DK
>>> Password for drextrha@NET.DR.DK:
>>> # klist
>>> Ticket cache: KEYRING:persistent:0:0
>>> Default principal: drextrha@NET.DR.DK
>>> 
>>> Valid starting       Expires              Service principal
>>> 08/04/2016 12:46:17  08/04/2016 22:46:17  krbtgt/NET.DR.DK@NET.DR.DK
>>> 	renew until 08/05/2016 12:46:09
>>> 
>>> 
>>> I can see the user:
>>> 
>>> # getent passwd drextrha@NET.DR.DK
>>> drextrha@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
>>> 
>>> However, can't log in using SSH:
>>> 
>>> login as: drextrha@NET.DR.DK
>>> drextrha@NET.DR.DK@ipa02tst.linux.dr.dk's password:
>>> Access denied
>>> 
>>> 
>>> When I look at the log files it looks correct, until we receive a
>>> "be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success
>>> (System error)]" error, which I can't quite resolve or even verify if that's
>>> what's causing the problem.
>>> 
>>> 
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds]
>>> (0x0010): unsupported PAM command [249].
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds]
>>> (0x0010): password not available, offline auth may not work.
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>> (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>> (0x0100): Sending result [0][net.dr.dk]
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>> (0x0100): Sent result [0][net.dr.dk]
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): Got
>>> request with the following data
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> command: PAM_AUTHENTICATE
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> domain: net.dr.dk
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> user: DREXTRHA@net.dr.dk
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> service: sshd
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> tty: ssh
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> ruser:
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> rhost: t01042.net.dr.dk
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> authtok type: 1
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> newauthtok type: 0
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> priv: 1
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> cli_pid: 17348
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>> logon name: not set
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send]
>>> (0x0100): Trying to resolve service 'IPA'
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler] (0x0100):
>>> child [17356] finished successfully.
>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>> (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]
>> 
>> Please take a look into krb5_child.log, it should have more hints on why
>> the authentication failed.
>> 
>> (This is documented at
>> https://fedorahosted.org/sssd/wiki/Troubleshooting, section
>> "Troubleshooting general authentication problems")
>> 
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
> 

-- 
Best regards

Troels Hansen

System consultant

Casalogic A/S


T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
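The thread's diagnosis rests on two things in krb5_child.log: the UPN that krb5_child was handed (DREXTRHA@DR.DK, taken from the AD account) and the KDC's reply `[-1765328378][Client ... not found in Kerberos database]`, which is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. As an added example (editor's code, not part of the thread and not SSSD's own tooling), the checker below groups krb5_child.log records by child pid, finds every TGT request that failed with that code, and reports whether the realm of the principal used differs from the realm the operator expected to authenticate against (the `expected_realm` argument is an assumption: you pass the trusted domain's realm, NET.DR.DK here). The sample log lines are constructed to mirror the ones quoted above, including one wrapped line as the mail archive wraps them; real log files are not wrapped, and the helper handles both.

```python
import re
from collections import defaultdict

# KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN as libkrb5 reports it: the [-1765328378]
# code that appears on the quoted get_and_save_tgt line.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = -1765328378

# One record: "(timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)
UPN_RE = re.compile(r"UPN \[([^\]]+)\]")
ERR_RE = re.compile(r"\[(-?\d+)\]\[([^\]]*)\]")
CLIENT_RE = re.compile(r"Client '([^']+)'")


def split_principal(principal):
    """Return (name, REALM) for 'user@REALM'; also accepts the
    archive-mangled 'user at REALM' form seen in the quoted mails."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    elif " at " in principal:
        name, realm = principal.rsplit(" at ", 1)
    else:
        return principal, None
    return name, realm.upper()


def join_wrapped(lines):
    """Re-join records wrapped onto continuation lines (a mail-archive artifact)."""
    joined = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if line.startswith("(") or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line.strip()
    return joined


def parse_krb5_child_log(lines):
    """Group parsed records by krb5_child pid: one child is one auth attempt."""
    by_pid = defaultdict(list)
    for line in join_wrapped(lines):
        m = LINE_RE.match(line)
        if m:
            by_pid[m.group("pid")].append(m.groupdict())
    return by_pid


def analyze(lines, expected_realm):
    """List every child whose TGT request failed with C_PRINCIPAL_UNKNOWN and
    flag it when the principal's realm is not the expected (trusted) realm."""
    expected_realm = expected_realm.upper()
    findings = []
    for pid, recs in parse_krb5_child_log(lines).items():
        upn = None
        for r in recs:  # the UPN is logged by unpack_buffer before the KDC exchange
            mu = UPN_RE.search(r["msg"])
            if mu:
                upn = mu.group(1)
        for r in recs:
            if r["func"] != "get_and_save_tgt":
                continue
            me = ERR_RE.search(r["msg"])
            if not me or int(me.group(1)) != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
                continue
            mc = CLIENT_RE.search(me.group(2))
            client = mc.group(1) if mc else upn
            _, realm = split_principal(client) if client else (None, None)
            findings.append({
                "pid": pid, "upn": upn, "client": client, "realm": realm,
                "expected_realm": expected_realm,
                "realm_mismatch": realm is not None and realm != expected_realm,
            })
    return findings


# Constructed sample modelled on the thread's log excerpt; child 18201 is a
# constructed successful attempt for contrast.
SAMPLE = """\
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [DREXTRHA@DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa02tst.linux.dr.dk@LINUX.DR.DK]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos
database]
(Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [map_krb5_error] (0x0020): 1303: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos database]
(Thu Aug  4 13:50:01 2016) [[sssd[krb5_child[18201]]]] [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [drextrha@NET.DR.DK]
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE.splitlines(), "NET.DR.DK"):
        print(f"krb5_child[{f['pid']}]: KDC does not know {f['client']}; "
              f"realm {f['realm']} vs expected {f['expected_realm']} "
              f"(mismatch={f['realm_mismatch']})")
```

Run it against a real file with `analyze(open('/var/log/sssd/krb5_child.log').readlines(), 'NET.DR.DK')`. A `realm_mismatch` of True is the signature of the situation in this thread: the account's userPrincipalName points at a realm the KDC being asked is not authoritative for, so the failure is in principal selection, not in the password or the PAM stack that the original `be_pam_handler_callback` "System error" line made it look like.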



