[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

Jakub Hrozek jhrozek at redhat.com
Wed Dec 7 21:21:39 UTC 2016


On Wed, Dec 07, 2016 at 06:19:06PM +0000, James Harrison wrote:
> Hi all,
> 
> I am trying to authenticate an ubuntu Precise (12.06) fully patched system. It's enrolled into a FreeIPA server. The following trace is the output of syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
> 
> I am getting a PAM error at the end of the procedure. Also I can't seem to authenticate against the public ssh key from the id override user.
> 
> I appreciate any help you can send my way.
> 
> Best regards,
> 
> James Harrison
> Below is more information
> 
> 
> root at jamesprecise:~# kinit x_james.harrison at AD.DOMAIN.LOCAL
> Password for x_james.harrison at AD.DOMAIN.LOCAL:
> 
> root at jamesprecise:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: x_james.harrison at AD.DOMAIN.LOCAL
> 
> Valid starting     Expires            Service principal
> 07/12/16 17:56:30  08/12/16 03:56:30  krbtgt/AD.DOMAIN.LOCAL at AD.DOMAIN.LOCAL
>     renew until 08/12/16 17:56:23
> 
> root at jamesprecise:~# id x_james.harrison at AD.DOMAIN.LOCAL
> uid=1039812876(x_james.harrison at ad.domain.local) gid=1039812876(x_james.harrison at ad.domain.local) groups=1039812876(x_james.harrison at ad.domain.local)

HBAC denied the login, which is probably related to the supplementary
groups not being resolved. This ancient SSSD version doesn't support
returning supplementary groups unless you log in -- during the login
attempt, the PAC responder should be able to decode the group
memberships from the PAC and store the groups.

So I'd look if the PAC responder is enabled and running and see if the
krb5_child resolves the SIDs during password authentication (or if PAC
responder is contacted during password-less authentication).

> root at pul-lv-ipa-02 ~]# ipa  idoverrideuser-show External_AD_views x_james.harrison at ad.domain.local
>   Anchor to override: x_james.harrison at ad.domain.local
>   User login: x_james.harrison
>   Login shell: /bin/bash
>   SSH public key: ssh-rsa
>                   AAAAB3NzaC1yc2EAAAADAQABAAABAQDK1pj2U7H9olLs1xKmcmZVEBMWpaHjxF2LttsdfqfQxm810qMru/WsvzHqu0m5Ugu0FYsPxRLQrAEB8WPsPoh5Y0q5qYPgm5aDOZZEXfCPyuRwdQ+XLfQJ3gnGjW4r/XLEiNVpO9eKsFs0ifspNAJ1ndddddddddddddddd7h40rlHlOIqV/z8Omg6XnFBh9dIfiXtpYDOxe+512RpjtHE98s+NfIpUTT7MGNLHB5o/DqFXEJPH7Pp1bKwxWNvfCb5a71vcE695dQ31QYVYwpSwFmFogewgpV/OCb+S4SUdUq1xg0fmkhYr3d4UXFr91MDimyOBWk9Aai7NkOHPszmHJp
>                   JamesHarrison

Overrides are not supported with this version.

> 
> 
> Here are the software versions:
> 
> root at jamesprecise:# dpkg -l | grep -i freeipa
> ii  freeipa-client                             3.3.4-0ubuntu3.1~precise0.1        FreeIPA centralized identity framework -- client
> ii  libipa-hbac0                               1.11.5-1ubuntu3~precise1           FreeIPA HBAC Evaluator library
> ii  python-freeipa                             3.3.4-0ubuntu3.1~precise0.1        FreeIPA centralized identity framework -- python modules
> ii  python-libipa-hbac                         1.11.5-1ubuntu3~precise1           Python bindings for the FreeIPA HBAC Evaluator library
> 
> root at jamesprecise:# dpkg -l | grep -i openssh-server
> ii  openssh-server                             1:5.9p1-5ubuntu1.10                secure shell (SSH) server, for secure access from remote machines
> 
> 
> root at jamesprecise:/var/log# dpkg -l | grep -i sssd
> ii  libsss-idmap0                              1.11.5-1ubuntu3~precise1           ID mapping library for SSSD
> ii  sssd                                       1.11.5-1ubuntu3~precise1           System Security Services Daemon -- metapackage
> ii  sssd-ad                                    1.11.5-1ubuntu3~precise1           System Security Services Daemon -- Active Directory back end
> ii  sssd-ad-common                             1.11.5-1ubuntu3~precise1           System Security Services Daemon -- PAC responder
> ii  sssd-common                                1.11.5-1ubuntu3~precise1           System Security Services Daemon -- common files
> ii  sssd-ipa                                   1.11.5-1ubuntu3~precise1           System Security Services Daemon -- IPA back end
> ii  sssd-krb5                                  1.11.5-1ubuntu3~precise1           System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common                           1.11.5-1ubuntu3~precise1           System Security Services Daemon -- Kerberos helpers
> ii  sssd-ldap                                  1.11.5-1ubuntu3~precise1           System Security Services Daemon -- LDAP back end
> ii  sssd-proxy                                 1.11.5-1ubuntu3~precise1           System Security Services Daemon -- proxy back end
> ii  sudo                                       1.8.9p5-1ubuntu1.1~sssd1           Provide limited super user privileges to specific users

All in all, I would suggest to upgrade to something more recent.
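A small triage script for the two things the reply points at (is the PAC responder package present, and is `pac` enabled in the `[sssd]` services line), added here as an example and not part of the thread. The sssd.conf layout and the dpkg excerpt below are constructed; only the package names and versions are taken from the post.

```python
import configparser

# Constructed sssd.conf (not from the original post), laid out the way
# ipa-client-install typically writes it; the PAC responder is enabled
# by listing "pac" in the [sssd] services line.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
"""

# Constructed 'dpkg -l' excerpt; sssd-ad-common ships the PAC responder.
SAMPLE_DPKG = """\
ii  sssd-ad-common   1.11.5-1ubuntu3~precise1   System Security Services Daemon -- PAC responder
ii  sssd-ipa         1.11.5-1ubuntu3~precise1   System Security Services Daemon -- IPA back end
"""

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def enabled_services(cp):
    """Services the sssd monitor will start, from the [sssd] services key."""
    raw = cp.get("sssd", "services", fallback="")
    return {s.strip() for s in raw.split(",") if s.strip()}

def installed_packages(dpkg_output):
    """Map package name -> version for lines dpkg marks 'ii' (installed)."""
    pkgs = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            pkgs[parts[1]] = parts[2]
    return pkgs

def check_pac_responder(conf_text, dpkg_output):
    """List reasons the PAC-based group lookup may not work on this client."""
    findings = []
    if "sssd-ad-common" not in installed_packages(dpkg_output):
        findings.append("sssd-ad-common (PAC responder) is not installed")
    cp = parse_sssd_conf(conf_text)
    if "pac" not in enabled_services(cp):
        findings.append("pac is not listed in [sssd] services")
    for section in cp.sections():
        if section.startswith("domain/") and cp.get(section, "id_provider", fallback="") != "ipa":
            findings.append(f"{section}: id_provider is not ipa")
    return findings
```

On a real client, feed it the contents of /etc/sssd/sssd.conf and the output of `dpkg -l`; an empty findings list means the static prerequisites are in place and the next stop is the sssd_pac and krb5_child logs.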
