[Freeipa-users] Mostly working trust, SSH failure
Erik Mackdanz
erik at infochimps.com
Thu May 19 22:18:43 UTC 2016
Hello,
I've set up a one-way trust to an Active Directory domain. Things seem to roughly work, but something's missing.

Can any kind soul spot a problem with my configuration, or advise on how to further troubleshoot?

Facts:
- An AD user gets 'Access denied' when SSH'ing by password to the FreeIPA host. This is my concern.
- This AD user has not been locked out.
- getent passwd succeeds for the AD user.
- A FreeIPA user can successfully SSH by password to the same FreeIPA host.
- That FreeIPA user can then successfully kinit as the AD user (the same AD user denied above).
- HBAC is set to the default allow_all rule, which is enabled. Running the HBAC Test tool on the AD user confirms that they are authorized for sshd.

This tells me something is awry in sssd.conf or sshd_config or pam.d or HBAC.
Thanks,
Erik
I've got sssd debug to 9. Here's some output:
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158262,Account info lookup failed
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f3bf48f92c0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_dispatch] (0x4000): Dispatching.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_req_set_domain] (0x0400): Changing request domain from [platform.schlitz] to [na.bazzlegroup.com]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): domain: na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): user: MRFUN at na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): service: sshd
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): ruser:
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): rhost: 172.27.246.142
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): priv: 1
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): cli_pid: 9864
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [MRFUN at na.bazzlegroup.com] is empty, running request [0x7f3bf4928fb0] immediately.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_setup] (0x4000): No mapping for: MRFUN at na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf48ff0a0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf498a870
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf48ff0a0 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf498a870 "ltdb_timeout"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf48ff0a0 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_server_status] (0x1000): Status of server 'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_server_status] (0x1000): Status of server 'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_resolve_server_process] (0x0200): Found address for server ipafour.platform.schlitz: [172.30.8.119] TTL 7200
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipafour.platform.schlitz'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_resolve_done] (0x2000): Subdomain na.bazzlegroup.com is inactive, will proceed offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [9892]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [9892]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_sig_handler] (0x1000): Waiting for child [9892].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_sig_handler] (0x0100): child [9892] finished successfully.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING. Called from: src/providers/krb5/krb5_auth.c: krb5_auth_done: 1039
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipafour.platform.schlitz' as 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'ipafour.platform.schlitz' as 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ipafour.platform.infochimps' as 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:456139433] for user [MRFUN at na.bazzlegroup.com].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf498c360
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf498c420
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf498c360 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf498c420 "ltdb_timeout"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf498c360 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf498c130
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf491f660
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf498c130 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf491f660 "ltdb_timeout"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf498c130 "ltdb_callback"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sysdb_cache_auth] (0x4000): Offline credentials expiration is [0] days.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login attempts [0], failed login delay [5].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [check_wait_queue] (0x1000): Wait queue for user [MRFUN at na.bazzlegroup.com] is empty.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f3bf4928fb0] done.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Sending result [6][na.bazzlegroup.com]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Sent result [6][na.bazzlegroup.com]
My sssd.conf:
[domain/platform.schlitz]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = platform.schlitz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipafour.platform.schlitz
chpass_provider = ipa
ipa_server = ipafour.platform.schlitz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2
debug_level = 9
domains = platform.schlitz
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
sshd_config:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPICleanupCredentials no
X11Forwarding yes
UsePrivilegeSeparation sandbox # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
GSSAPIAuthentication yes
/etc/pam.d/sshd
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
/etc/pam.d/password-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
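As an added example (not part of Erik's post or of sssd), here is a small Python checker that walks sssd back-end debug output for the chain the log above shows: AD domain controllers marked 'name not resolved', the trusted subdomain marked offline, Kerberos auth proceeding offline against cached credentials that do not exist, and PAM result 6 (permission denied) handed back to sshd. The sample lines are constructed from the log quoted in the post, re-joined onto single lines; the 'cause' text is an interpretation added here, not an sssd message.

```python
import re

# Constructed sample: key lines from the sssd debug log quoted in the post, re-joined
# onto one line each (the list archive rewrote '@' as ' at '; the real log has '@').
PFX = "(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] "
SAMPLE_LOG = "\n".join(PFX + s for s in [
    "[set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved'",
    "[set_server_common_status] (0x0100): Marking server 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved'",
    "[be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline",
    "[pam_print_data] (0x0100): user: MRFUN@na.bazzlegroup.com",
    "[krb5_auth_resolve_done] (0x2000): Subdomain na.bazzlegroup.com is inactive, will proceed offline",
    "[sysdb_cache_auth] (0x0100): Cached credentials not available.",
    "[be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]",
])

UNRESOLVED = re.compile(r"Marking server '([^']+)' as 'name not resolved'")
OFFLINE = re.compile(r"Marking subdomain (\S+) offline")
FALLBACK = re.compile(r"Subdomain (\S+) is inactive, will proceed offline")
NO_CACHE = re.compile(r"Cached credentials not available")
PAM_USER = re.compile(r"\[pam_print_data\] \(0x0100\): user: (\S+(?:@| at )\S+)")
RESULT = re.compile(r"Backend returned: \(\d+, (\d+), [^)]*\)")
PAM_PERM_DENIED = 6  # Linux-PAM return code sssd hands back to sshd in the post


def diagnose(log_text):
    """Explain a denied trusted-domain password logon from one sssd back-end log.
    'cause' stays None unless the DNS -> offline -> no-cache chain is present."""
    unresolved, offline, fallback, user, pam_rc, no_cache = [], set(), set(), None, None, False
    for line in log_text.splitlines():
        if m := UNRESOLVED.search(line):
            unresolved.append(m.group(1))
        elif m := OFFLINE.search(line):
            offline.add(m.group(1))
        elif m := FALLBACK.search(line):
            fallback.add(m.group(1))
        elif NO_CACHE.search(line):
            no_cache = True
        elif m := PAM_USER.search(line):
            user = m.group(1)
        elif m := RESULT.search(line):
            pam_rc = int(m.group(1))
    # Offline subdomains for which at least one DC failed name resolution.
    dead = {d for d in offline if any(s.endswith("." + d) for s in unresolved)}
    cause = None
    if dead & fallback and no_cache and pam_rc == PAM_PERM_DENIED:
        cause = ("DCs for %s failed DNS resolution; sssd marked the trusted domain offline and "
                 "fell back to cached credentials, of which %s has none. Fix name/SRV resolution "
                 "from the IPA server to AD; HBAC, sshd_config and PAM are not the blocking layer."
                 % (", ".join(sorted(dead)), user))
    return {"user": user, "unresolved_dcs": unresolved, "offline": sorted(offline),
            "no_cached_creds": no_cache, "pam_rc": pam_rc, "cause": cause}
```

A successful getent passwd is consistent with this reading: identity data is served from the sssd cache, while a password logon needs a reachable AD KDC unless the user has previously cached credentials.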