[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Jakub Hrozek
jhrozek at redhat.com
Wed Dec 7 21:21:39 UTC 2016
On Wed, Dec 07, 2016 at 06:19:06PM +0000, James Harrison wrote:
> Hi all,
>
> I am trying to authenticate an Ubuntu Precise (12.06) fully patched system. It's enrolled into a FreeIPA server. The following trace is the output of syslog auth, sssd/*.log and full debug (-ddd) from the sshd service.
>
> I am getting a PAM error at the end of the procedure. Also I can't seem to authenticate against the public ssh key from the id override user.
>
> I appreciate any help you can send my way.
>
> Best regards,
>
> James Harrison
> Below is more information
>
>
> root at jamesprecise:~# kinit x_james.harrison at AD.DOMAIN.LOCAL
> Password for x_james.harrison at AD.DOMAIN.LOCAL:
>
> root at jamesprecise:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: x_james.harrison at AD.DOMAIN.LOCAL
>
> Valid starting Expires Service principal
> 07/12/16 17:56:30 08/12/16 03:56:30 krbtgt/AD.DOMAIN.LOCAL at AD.DOMAIN.LOCAL
> renew until 08/12/16 17:56:23
>
> root at jamesprecise:~# id x_james.harrison at AD.DOMAIN.LOCAL
> uid=1039812876(x_james.harrison at ad.domain.local) gid=1039812876(x_james.harrison at ad.domain.local) groups=1039812876(x_james.harrison at ad.domain.local)
HBAC denied the login, which is probably related to the supplementary
groups not being resolved. This ancient SSSD version doesn't support
returning supplementary groups unless you log in -- during the login
attempt, the PAC responder should be able to decode the group
memberships from the PAC and store the groups.
So I'd check whether the PAC responder is enabled and running, and see if the
krb5_child resolves the SIDs during password authentication (or if the PAC
responder is contacted during password-less authentication).
> [root at pul-lv-ipa-02 ~]# ipa idoverrideuser-show External_AD_views x_james.harrison at ad.domain.local
> Anchor to override: x_james.harrison at ad.domain.local
> User login: x_james.harrison
> Login shell: /bin/bash
> SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK1pj2U7H9olLs1xKmcmZVEBMWpaHjxF2LttsdfqfQxm810qMru/WsvzHqu0m5Ugu0FYsPxRLQrAEB8WPsPoh5Y0q5qYPgm5aDOZZEXfCPyuRwdQ+XLfQJ3gnGjW4r/XLEiNVpO9eKsFs0ifspNAJ1ndddddddddddddddd7h40rlHlOIqV/z8Omg6XnFBh9dIfiXtpYDOxe+512RpjtHE98s+NfIpUTT7MGNLHB5o/DqFXEJPH7Pp1bKwxWNvfCb5a71vcE695dQ31QYVYwpSwFmFogewgpV/OCb+S4SUdUq1xg0fmkhYr3d4UXFr91MDimyOBWk9Aai7NkOHPszmHJp JamesHarrison
Overrides are not supported with this version.
>
>
> Here are the software versions:
>
> root at jamesprecise:# dpkg -l | grep -i freeipa
> ii freeipa-client 3.3.4-0ubuntu3.1~precise0.1 FreeIPA centralized identity framework -- client
> ii libipa-hbac0 1.11.5-1ubuntu3~precise1 FreeIPA HBAC Evaluator library
> ii python-freeipa 3.3.4-0ubuntu3.1~precise0.1 FreeIPA centralized identity framework -- python modules
> ii python-libipa-hbac 1.11.5-1ubuntu3~precise1 Python bindings for the FreeIPA HBAC Evaluator library
>
> root at jamesprecise:# dpkg -l | grep -i openssh-server
> ii openssh-server 1:5.9p1-5ubuntu1.10 secure shell (SSH) server, for secure access from remote machines
>
>
> root at jamesprecise:/var/log# dpkg -l | grep -i sssd
> ii libsss-idmap0 1.11.5-1ubuntu3~precise1 ID mapping library for SSSD
> ii sssd 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- metapackage
> ii sssd-ad 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- Active Directory back end
> ii sssd-ad-common 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- PAC responder
> ii sssd-common 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- common files
> ii sssd-ipa 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- IPA back end
> ii sssd-krb5 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- Kerberos back end
> ii sssd-krb5-common 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- Kerberos helpers
> ii sssd-ldap 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- LDAP back end
> ii sssd-proxy 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- proxy back end
> ii sudo 1.8.9p5-1ubuntu1.1~sssd1 Provide limited super user privileges to specific users
All in all, I would suggest upgrading to something more recent.
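The first check Jakub recommends, whether the PAC responder is enabled at all, as an added shell example that is not code from this thread, from SSSD or from FreeIPA. It assumes the standard sssd.conf layout, where the responders the SSSD monitor starts are listed in the services key of the [sssd] section (so the PAC responder is on when that list contains pac) and where the responder process is named sssd_pac; the sample configuration, including the domain name ipa.example.test, is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or FreeIPA): check whether the
# SSSD PAC responder is enabled in an sssd.conf, and show the corrected
# [sssd] services line when it is not. Assumes the standard layout where
# "services" in [sssd] lists the responders the monitor starts.

# Return 0 when the "services" list in the [sssd] section contains "pac".
pac_responder_enabled() {
    awk '
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # keep only the value
            sub(/[ \t]+$/, "")              # drop trailing whitespace
            n = split($0, svc, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (svc[i] == "pac") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the [sssd] "services" line with "pac" appended if it is missing,
# so the weak setting can be compared with the corrected one.
services_with_pac() {
    awk '
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            n = split($0, svc, /[ \t]*,[ \t]*/)
            found = 0
            for (i = 1; i <= n; i++) if (svc[i] == "pac") found = 1
            if (!found) $0 = $0 ", pac"
            print "services = " $0
        }
    ' "$1"
}

# Return 0 when a PAC responder process is running (process name sssd_pac,
# an assumption about the installed SSSD); only meaningful on the client.
pac_responder_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x sssd_pac >/dev/null 2>&1
}

# Constructed sample showing the weak setting: nss and pam responders only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
EOF

if pac_responder_enabled "$sample"; then
    echo "PAC responder is enabled in $sample"
else
    echo "PAC responder is NOT enabled; suggested [sssd] line:"
    services_with_pac "$sample"
fi
if pac_responder_running; then
    echo "sssd_pac process is running"
else
    echo "sssd_pac process is not running on this host"
fi
rm -f "$sample"
```

After adding pac to the services list, SSSD has to be restarted for the monitor to start the responder; the running-process check then tells you whether it actually came up, and the sssd_pac log under /var/log/sssd shows whether it was contacted during the login.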