[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

Sumit Bose sbose at redhat.com
Thu Dec 8 16:33:26 UTC 2016


On Thu, Dec 08, 2016 at 09:29:34AM -0500, Chris Dagdigian wrote:
> 
> Sumit Bose wrote:
> > > >  Am I being stupid (again?)  Obviously the krb5_validate=false setting needs
> > > >  to be fixed. Just not sure if I should work on a fix within 4.2 or move to
> > > >  4.4 and see if it gets resolved as part of other changes.
> > 
> > The validation issue might have different reasons. One might be
> > https://fedorahosted.org/sssd/ticket/3103  where SSSD creates a wrong
> > Kerberos configuration snippet. Fixes are available for sssd-1.13 and
> > later. But there might be other reasons as well.
> > 
> > If you don't mind please send the krb5_child.log with debug_level=10
> > covering an authentication attempt with 'krb5_validate = true' and the
> > content of /var/lib/sss/pubconf/krb5.include.d/domain_realm_your_domain.
> 
> Thanks Sumit,
> 
> Info you requested is attached. These logs are from a client machine. I
> confirmed that I could not authenticate with krb5_validate = True and that I
> could authenticate when I switched krb5_validate=false.  I set the value to
> "True", turned up debug logging to 10 and then stopped SSSD service after my
> 3 login tries to try to constrain the log volume.
> 
> Still ended up with 1200+ lines in krb5_child.log though
> 
> Here is the info you requested (sanitized)
> 
> URL to krb5_child.log since it is pretty lengthy:
> -------------------------------------------------------------
> http://chrisdag.me/krb5_child.log.txt
> 
> 
> And we actually had 2 domain_realm* files which is I think due to our
> difference in DNS for client hostnames vs DNS for the IPA server:
> Our CAPATH info does look like that SSSD issue you mentioned (ticket 3103)
> ...
> 
> 
> This is domain_realm_companyaws_org:
> ------------------------------------------------------
> [domain_realm]
> .COMPANY.ORG = COMPANY.ORG
> COMPANY.ORG = COMPANY.ORG
> .EAME.COMPANY.ORG = EAME.COMPANY.ORG
> EAME.COMPANY.ORG = EAME.COMPANY.ORG
> .APAC.COMPANY.ORG = APAC.COMPANY.ORG
> APAC.COMPANY.ORG = APAC.COMPANY.ORG
> .LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> .NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> [capaths]
> COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   COMPANY.ORG = COMPANY.ORG
> }
> EAME.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   EAME.COMPANY.ORG = COMPANY.ORG
> }
> APAC.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   APAC.COMPANY.ORG = COMPANY.ORG
> }
> LATAM.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   LATAM.COMPANY.ORG = COMPANY.ORG
> }
> NAFTA.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   NAFTA.COMPANY.ORG = COMPANY.ORG
> }
> 
> 
> 
> 
> And this is domain_realm_companyidm_org:
> ------------------------------------------------------------
> [domain_realm]
> .COMPANY.ORG = COMPANY.ORG
> COMPANY.ORG = COMPANY.ORG
> .EAME.COMPANY.ORG = EAME.COMPANY.ORG
> EAME.COMPANY.ORG = EAME.COMPANY.ORG
> .APAC.COMPANY.ORG = APAC.COMPANY.ORG
> APAC.COMPANY.ORG = APAC.COMPANY.ORG
> .LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> .NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> [capaths]
> COMPANYAWS.ORG = {
>   COMPANYIDM.ORG = COMPANYAWS.ORG
> }
> COMPANYIDM.ORG = {
>   COMPANYAWS.ORG = COMPANYAWS.ORG
> }
> COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   COMPANY.ORG = COMPANY.ORG
> }
> EAME.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   EAME.COMPANY.ORG = COMPANY.ORG
> }
> APAC.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   APAC.COMPANY.ORG = COMPANY.ORG
> }
> LATAM.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   LATAM.COMPANY.ORG = COMPANY.ORG
> }
> NAFTA.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   NAFTA.COMPANY.ORG = COMPANY.ORG
> }


Yes, you are right, the capaths are wrong.


Adding:

[capaths]
COMPANYAWS.ORG = {
  COMPANYIDM.ORG = COMPANYAWS.ORG
}
COMPANYIDM.ORG = {
  COMPANYAWS.ORG = COMPANYAWS.ORG
  COMPANY.ORG = COMPANY.ORG
  EAME.COMPANY.ORG = COMPANY.ORG
  APAC.COMPANY.ORG = COMPANY.ORG
  LATAM.COMPANY.ORG = COMPANY.ORG
  NAFTA.COMPANY.ORG = COMPANY.ORG
}
COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}

at the very beginning of /etc/krb5.conf before any include or includedir
directives should fix it. With the broken configuration libkrb5 thinks
that there is a direct trust between NAFTA.COMPANY.ORG and COMPANYIDM.ORG,
which is not the case; everything has to go via COMPANY.ORG because
that's the domain which trusts COMPANYIDM.ORG.

Updating SSSD to a version with the fix might help as well.

HTH

bye,
Sumit
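As an added example for this thread (not code from the thread, from SSSD or from MIT krb5), the Python below parses a [capaths] fragment in the syntax quoted above, flags client realms that are opened as more than one block (the symptom of SSSD ticket 3103), and resolves the transit path between two realms the way the krb5.conf documentation describes it: an explicit capaths entry lists the intermediate realms in order ("." meaning a direct trust), and without an entry libkrb5 falls back to the realm-name hierarchy. The two configuration strings are constructed, abbreviated copies of the fixed and broken fragments; the `merge=False` mode of `build_table` is an assumed what-if that shows what a consumer honouring only the first block per realm would lose, not a description of how libkrb5's profile parser actually behaves.

```python
# Added example for this thread, not SSSD or MIT krb5 code.
import re

# Constructed, abbreviated copy of the corrected [capaths] block from the reply:
# each client realm is opened once; paths to COMPANYIDM.ORG go via COMPANY.ORG.
FIXED_CAPATHS = """\
[capaths]
COMPANYIDM.ORG = {
  COMPANYAWS.ORG = COMPANYAWS.ORG
  COMPANY.ORG = COMPANY.ORG
  NAFTA.COMPANY.ORG = COMPANY.ORG
}
COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
"""

# Constructed, abbreviated copy of the SSSD-generated fragment quoted in the
# post: COMPANYIDM.ORG is opened as a fresh block for every peer realm.
BROKEN_CAPATHS = """\
[capaths]
COMPANYIDM.ORG = {
  COMPANYAWS.ORG = COMPANYAWS.ORG
}
COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
  NAFTA.COMPANY.ORG = COMPANY.ORG
}
"""

BLOCK_RE = re.compile(r"^([^\s=]+)\s*=\s*\{$")
ENTRY_RE = re.compile(r"^([^\s=]+)\s*=\s*(\S+)$")

def parse_capaths(text):
    """[capaths] as an ordered list of (client_realm, {server: [hops]}) blocks."""
    blocks, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("["):  # section header
            in_section = line == "[capaths]"
            continue
        if not in_section:
            continue
        block, entry = BLOCK_RE.match(line), ENTRY_RE.match(line)
        if block:  # new client-realm block; kept separate so repeats stay visible
            current = (block.group(1), {})
            blocks.append(current)
        elif line == "}":
            current = None
        elif entry and current is not None:  # repeated key = multi-hop chain
            current[1].setdefault(entry.group(1), []).append(entry.group(2))
        else:
            raise ValueError(f"unparsed capaths line: {raw!r}")
    return blocks

def duplicate_client_realms(blocks):
    """Client realms heading more than one block; a clean config gives []."""
    counts = {}
    for realm, _ in blocks:
        counts[realm] = counts.get(realm, 0) + 1
    return sorted(r for r, n in counts.items() if n > 1)

def build_table(blocks, merge=True):
    """{client: {server: [hops]}}.  merge=False keeps only the first block per
    client realm: an assumed failure mode to show what a non-merging consumer
    would lose, not a statement about how libkrb5's profile parser behaves."""
    table = {}
    for realm, entries in blocks:
        if realm in table and not merge:
            continue
        dst = table.setdefault(realm, {})
        for server, hops in entries.items():
            dst.setdefault(server, []).extend(hops)
    return table

def hierarchical_path(client, server):
    """libkrb5's documented default without a capaths entry: up the realm-name
    hierarchy to the longest common suffix, then down.  None if no common suffix."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return None
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    return [r for r in up + down if r not in (client, server)]

def resolve_path(table, client, server):
    """(source, intermediates): explicit capaths entry ('.' = direct) or fallback."""
    entry = table.get(client, {}).get(server)
    if entry is not None:
        return ("capaths", [] if entry == ["."] else list(entry))
    return ("hierarchical", hierarchical_path(client, server))
```

Run on the fixed fragment, `resolve_path` returns `("capaths", ["COMPANY.ORG"])` in both directions between NAFTA.COMPANY.ORG and COMPANYIDM.ORG. On the broken fragment, `duplicate_client_realms` reports `["COMPANYIDM.ORG"]`, and if only the first COMPANYIDM.ORG block were honoured the lookup for NAFTA.COMPANY.ORG would have no entry and fall back to the name hierarchy, `["ORG", "COMPANY.ORG"]`, routing through a realm "ORG" that does not exist. That is the general reason an explicit, single merged capaths block is needed whenever realm names do not mirror the actual trust topology.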



