[Freeipa-users] SSH auth failing in IPA trust

Troels Hansen th at casalogic.dk
Thu Aug 4 13:39:26 UTC 2016


Hmm, was too fast.

ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal

Works, but ONLY from the IPA server.

If I do the same from a client, I still get:

(Thu Aug  4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'DREXTRHA at DR.DK' not found in Kerberos database]
(Thu Aug  4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [map_krb5_error] (0x0020): 1303: [-1765328378][Client 'DREXTRHA at DR.DK' not found in Kerberos database]
(Thu Aug  4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [k5c_send_data] (0x0200): Received error code 1432158209

Any reason for this not working on a normal client?


----- On Aug 4, 2016, at 2:31 PM, Troels Hansen th at casalogic.dk wrote:

> Solved it myself...
> 
> http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
> 
> Apparently it's well known, and will be solved in 7.3
> 
> ----- On Aug 4, 2016, at 1:56 PM, Troels Hansen th at casalogic.dk wrote:
> 
>> Hmm, well, yes, it did:
>> 
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [unpack_buffer] (0x0100):
>> cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise
>> principal [false] offline [false] UPN [DREXTRHA at DR.DK]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [k5c_setup_fast]
>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>> [host/ipa02tst.linux.dr.dk at LINUX.DR.DK]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18122]]]] [set_canonicalize_option]
>> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_lifetime_options]
>> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_lifetime_options]
>> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [set_canonicalize_option]
>> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100):
>> cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise
>> principal [false] offline [false] UPN [DREXTRHA at DR.DK]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [unpack_buffer] (0x0100):
>> ccname: [KEYRING:persistent:1349938498] old_ccname:
>> [KEYRING:persistent:1349938498] keytab: [/etc/krb5.keytab]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [k5c_setup_fast]
>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
>> [host/ipa02tst.linux.dr.dk at LINUX.DR.DK]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_lifetime_options]
>> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_lifetime_options]
>> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [set_canonicalize_option]
>> (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [get_and_save_tgt]
>> (0x0020): 1234: [-1765328378][Client 'DREXTRHA at DR.DK' not found in Kerberos
>> database]
>> (Thu Aug  4 13:46:58 2016) [[sssd[krb5_child[18124]]]] [map_krb5_error]
>> (0x0020): 1303: [-1765328378][Client 'DREXTRHA at DR.DK' not found in Kerberos
>> database]
>> 
>> and this is actually correct, because the UPN would be DREXTRHA at DR.DK.
>> 
>> I found this:
>> https://access.redhat.com/solutions/323373
>> 
>> However, setting ldap_user_principal in the domain part to something
>> non-existing doesn't seem to work.
>> 
>> 
>> ----- On Aug 4, 2016, at 1:22 PM, Jakub Hrozek jhrozek at redhat.com wrote:
>> 
>>> On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
>>>> Hi, we have set up IPA in an AD trust and are about 90% done, but still have one
>>>> problem using SSH login.
>>>> 
>>>> Kerberos works:
>>>> # kdestroy
>>>> # kinit drextrha at NET.DR.DK
>>>> Password for drextrha at NET.DR.DK:
>>>> # klist
>>>> Ticket cache: KEYRING:persistent:0:0
>>>> Default principal: drextrha at NET.DR.DK
>>>> 
>>>> Valid starting Expires Service principal
>>>> 08/04/2016 12:46:17 08/04/2016 22:46:17 krbtgt/NET.DR.DK at NET.DR.DK
>>>> renew until 08/05/2016 12:46:09
>>>> 
>>>> 
>>>> I can see the user:
>>>> 
>>>> # getent passwd drextrha at NET.DR.DK
>>>> drextrha at net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:
>>>> 
>>>> However, can't log in using SSH:
>>>> 
>>>> login as: drextrha at NET.DR.DK
>>>> drextrha at NET.DR.DK@ipa02tst.linux.dr.dk's password:
>>>> Access denied
>>>> 
>>>> 
>>>> When I look at the log files it looks correct, until we receive a "
>>>> be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success
>>>> (System error)] " error, which I can't quite resolve or even verify if that's
>>>> what's causing the problem.
>>>> 
>>>> 
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds]
>>>> (0x0010): unsupported PAM command [249].
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds]
>>>> (0x0010): password not available, offline auth may not work.
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>>> (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>>> (0x0100): Sending result [0][net.dr.dk]
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>>> (0x0100): Sent result [0][net.dr.dk]
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): Got
>>>> request with the following data
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> command: PAM_AUTHENTICATE
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> domain: net.dr.dk
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> user: DREXTRHA at net.dr.dk
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> service: sshd
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> tty: ssh
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> ruser:
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> rhost: t01042.net.dr.dk
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> authtok type: 1
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> newauthtok type: 0
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> priv: 1
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> cli_pid: 17348
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100):
>>>> logon name: not set
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send]
>>>> (0x0100): Trying to resolve service 'IPA'
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler] (0x0100):
>>>> child [17356] finished successfully.
>>>> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback]
>>>> (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]
>>> 
>>> Please take a look into krb5_child.log, it should have more hints on why
>>> the authentication failed.
>>> 
>>> (This is documented at
>>> https://fedorahosted.org/sssd/wiki/Troubleshooting, section
>>> "Troubleshooting general authentication problems")
>>> 
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>> 
>> --
>> Kind regards
>> 
>> Troels Hansen
>> 
>> System consultant
>> 
>> Casalogic A/S
>> 
>> 
>> T (+45) 70 20 10 63
>> 
>> M (+45) 22 43 71 57
>> 
>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
>> much more.
>> 

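As an added example (not code from this thread or from SSSD itself), a small Python parser for krb5_child.log lines of the shape quoted above: it records the UPN each krb5_child process tried, maps the krb5 error code to its com_err name, and flags the situation the thread describes, where the UPN realm (DR.DK) is not the trusted realm that kinit actually succeeds against (NET.DR.DK). The sample log lines are constructed from the thread, with '@' written out instead of the list archive's " at ".

```python
import re

# Constructed sample, modelled on the krb5_child.log lines quoted in the thread.
SAMPLE_LOG = """\
(Thu Aug  4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [unpack_buffer] (0x0100): cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [DREXTRHA@DR.DK]
(Thu Aug  4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos database]
(Thu Aug  4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [map_krb5_error] (0x0020): 1303: [-1765328378][Client 'DREXTRHA@DR.DK' not found in Kerberos database]
"""

# com_err numbering: the krb5 error table starts at -1765328384, and code 6 in
# that table is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, i.e. -1765328378 as seen above.
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"}

LINE_RE = re.compile(
    r"\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
UPN_RE = re.compile(r"UPN \[(?P<upn>[^\]]+)\]")
ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")


def parse_krb5_child_log(text):
    """Return one dict per krb5_child pid: the UPN it used and any krb5 errors."""
    children = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = children.setdefault(m["pid"], {"upn": None, "errors": []})
        u = UPN_RE.search(m["msg"])
        if u:
            rec["upn"] = u["upn"]
        e = ERR_RE.search(m["msg"])
        if e and m["func"] in ("get_and_save_tgt", "map_krb5_error"):
            code = int(e["code"])
            name = KRB5_ERROR_NAMES.get(code - KRB5_ERROR_BASE, "unknown")
            rec["errors"].append((m["func"], code, name, e["text"]))
    return children


def diagnose(children, trusted_realm):
    """Flag children whose TGT request failed with an unknown principal while
    their UPN realm differs from the realm the KDC actually issues TGTs for."""
    findings = []
    for pid, rec in children.items():
        realm = rec["upn"].rsplit("@", 1)[-1] if rec["upn"] else None
        unknown = any(n == "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" for _, _, n, _ in rec["errors"])
        if unknown and realm and realm.upper() != trusted_realm.upper():
            findings.append((pid, rec["upn"], trusted_realm))
    return findings
```

A finding here points at the UPN-versus-realm mismatch the thread works around with ldap_user_principal, rather than at a wrong password.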