[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

Chris Dagdigian dag at sonsorol.org
Tue Nov 22 15:37:06 UTC 2016


Upfront
  - I know this question is fairly common and I do read the list and 
archives, honest!
  - I'm following the SSSD troubleshooting wiki and running with debug 
settings for PAM and SSH
  - Still not quite sure where my config problem lies

  - I see "Server not found in kerberos database" in /var/log/messages 
so I think I have a simple /etc/krb5.conf error; possibly a very simple 
root cause like my client can't use DNS to autodiscover a KDC. Not 100% 
sure how to confirm that


Setup:

  - We run an IPA server at COMPANY-IDM.ORG with the goal of using it as 
"glue" for multiple Active Directory relationships
  - Successful trusts made with a number of test AD forest and domains, 
including SSH logins all working fine
  - Got the Trust set up to the real COMPANY.ORG forest last night
  - Trust to COMPANY.ORG went in just fine
  - We can fetch trusted domains through COMPANY.ORG and see all the 
children we expect to see (excellent!)

Situation:

  - I can resolve username@NAFTA.COMPANY.ORG on IPA server and bound client
  - I can "kinit username@NAFTA.COMPANY.ORG" on the IPA server and ipa 
managed client
  - From root I can "sudo username@nafta.company.org" on IPA and client 
server and end up as proper user in proper homedir
  - I can login via SSH to IPA server and client machines as 
user@TESTDOMAIN.ORG
  - ping COMPANY.ORG and NAFTA.COMPANY.ORG resolves to the remote AD 
servers so I think DNS forwarding is OK

BUT -- any sort of "ssh username@nafta.company.org" fails, client sees 
variations of "permission denied"; nothing super useful so far in 
security, ssh or sssd logs

So basically password checking is broken for the actual COMPANY.ORG 
trust we set up last night.

When I had this issue with our test AD domains I think the answer was 
that "client could not discover which KDC to contact for password 
checking" so our response was to customize the krb5.conf file to 
explicitly enable DNS lookups..

This feels to me like either I've messed up sssd.conf or perhaps more 
likely I'm missing a config setting in krb5.conf that is specific to 
password checking for COMPANY.ORG and NAFTA.COMPANY.org


We are running in AWS with VPC Flow Logs enabled and there are no 
obvious REJECT logs showing blockage of traffic to KDC or Domain Controllers


Seeking tips and any guidance people can provide!

Without burying people in log and config data, here is what I think the 
relevant info on our side is:

/etc/krb5.conf (IPA client)
---------------------------------

[libdefaults]

   default_realm = COMPANY-IDM.ORG
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes
   udp_preference_limit = 0
   default_ccache_name = KEYRING:persistent:%{uid}

[realms]

   COMPANY-IDM.ORG = {
     kdc = usaeilidmp001.company-idm.org:88
     master_kdc = usaeilidmp001.company-idm.org:88
     admin_server = usaeilidmp001.company-idm.org:749
     default_domain = company-idm.org
     pkinit_anchors = FILE:/etc/ipa/ca.crt

   }

[domain_realm]

ipa-client.company-aws.org = COMPANY-IDM.ORG

[capaths]

COMPANY-AWS.ORG = {

   COMPANY-IDM.ORG = COMPANY-AWS.ORG

}

COMPANY-IDM.ORG = {

   COMPANY-AWS.ORG = COMPANY-AWS.ORG

}



Here is /etc/sssd/sssd.conf from an IPA client:
---------------------------------------------------------

[domain/company-idm.org]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = company-idm.org
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname =  client.company-aws.org
chpass_provider = ipa
ipa_server = _srv_, usaeilidmp001.company-idm.org
dns_discovery_domain = company-idm.org

[sssd]

debug_level = 6
services = nss, sudo, pam, ssh
config_file_version = 2

domains = company-idm.org

[nss]

homedir_substring = /home

[pam]

debug_level = 10

[sudo]

[autofs]

[ssh]

debug_level = 6

[pac]

[ifp]



And finally after turning on debug here is some output from sssd_pam.log 
with debug mode set:
-----------

(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [username@NAFTA.COMPANY.ORG]
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is username@NAFTA.COMPANY.ORG
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [username@nafta.COMPANY.ORG] added to PAM initgroup cache
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: NAFTA.COMPANY.ORG
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): user: username@NAFTA.COMPANY.ORG
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/0
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: root
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 3939
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: username@nafta.COMPANY.ORG
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7f98ae9cd8d0
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f98ac9eb090:3:username@NAFTA.COMPANY.ORG]
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7f98ae9cd8d0
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7f98ae9c6ce0
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][NAFTA.COMPANY.ORG]
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 35
(Tue Nov 22 14:55:07 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f98ae9ccf20][19]
(Tue Nov 22 14:55:12 2016) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [username@nafta.COMPANY.ORG] removed from PAM initgroup cache


pam_sshd has this to say:

Nov 22 15:01:25 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=usaeilvdip001.syngentaaws.org user=username@nafta.company.org
Nov 22 15:01:25 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): received for user username@nafta.company.org: 4 (System error)
Nov 22 15:01:25 usaeilvdip001 sshd[4041]: Failed password for username@nafta.company.org from 10.127.64.12 port 33812 ssh2
Nov 22 15:01:29 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=usaeilvdip001.syngentaaws.org user=username@nafta.company.org
Nov 22 15:01:29 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): received for user username@nafta.company.org: 4 (System error)
Nov 22 15:01:29 usaeilvdip001 sshd[4041]: Failed password for username@nafta.company.org from 10.127.64.12 port 33812 ssh2
Nov 22 15:01:31 usaeilvdip001 sshd[4041]: Connection closed by 10.127.64.12 [preauth]



And this seems pretty clear from /var/log/messages right after I fail 
with SSH as a NAFTA.COMPANY.ORG user:

Nov 22 15:29:43 usaeilvdip001 [sssd[krb5_child[4099]]]: Server not found in Kerberos database
Nov 22 15:29:43 usaeilvdip001 [sssd[krb5_child[4099]]]: Server not found in Kerberos database
Nov 22 15:29:54 usaeilvdip001 [sssd[krb5_child[4102]]]: Server not found in Kerberos database
Nov 22 15:29:54 usaeilvdip001 [sssd[krb5_child[4102]]]: Server not found in Kerberos database


I've played with simple edits to /etc/krb5.conf to explicitly set a 
realm for COMPANY.ORG so I could list kdc entries but it is either not 
working or I've got a syntax misunderstanding.

For instance I've tried to add this to krb5.conf on the client 
underneath the IPA REALM entry:

   COMPANY.ORG = {

     kdc = company.org:88

     master_kdc = company.org:88

     admin_server = company.org

   }


Any tips / help greatly appreciated


Regards,
Chris
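The post's question comes down to three decisions libkrb5 makes from krb5.conf before any KDC is contacted: which realm the client's own host principal belongs to ([domain_realm]), which KDCs serve the AD user's realm (explicit kdc = lines or the _kerberos SRV records when dns_lookup_kdc is on), and which cross-realm route [capaths] allows. The following is an added diagnostic written for this page; it is not code from the poster, FreeIPA or SSSD. It parses a constructed krb5.conf sample that mirrors the one posted above (same host and realm names) and reports those three answers offline, with no network I/O; the function and key names (parse_krb5_conf, host_realm, kdc_candidates, trust_path, diagnose) are my own, and the [domain_realm] search order it implements is the one documented in krb5.conf(5). Run against the posted values it flags that the only [domain_realm] entry is for ipa-client.company-aws.org while sssd.conf sets ipa_hostname = client.company-aws.org, so the host name the client actually presents has no mapping; whether that is the cause here is something to confirm with the trace commands noted after the block.

```python
"""Offline check of the krb5.conf decisions behind a Kerberos password check for a
trusted-AD user on an IPA client (added example, not from the post): realm of the
client host per [domain_realm], KDCs for the user's realm, and the [capaths] route
between the two realms.  No network I/O; the SRV names are what you would hand to dig."""
import re

# Constructed sample mirroring the krb5.conf posted above (same names).
SAMPLE_KRB5_CONF = """
[libdefaults]
   default_realm = COMPANY-IDM.ORG
   dns_lookup_kdc = true
[realms]
   COMPANY-IDM.ORG = {
     kdc = usaeilidmp001.company-idm.org:88
   }
[domain_realm]
ipa-client.company-aws.org = COMPANY-IDM.ORG
[capaths]
COMPANY-AWS.ORG = {
   COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
"""


def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... }; repeated keys (several
    kdc = lines) collect in a list, and a section seen twice is merged."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([A-Za-z0-9_.-]+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif not stack or line == "}":   # '}' closes a block; pre-section text is skipped
            if len(stack) > 1:
                stack.pop()
        else:
            key, sep, value = (s.strip() for s in line.partition("="))
            if not sep:
                continue                 # not a relation line
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf


def host_realm(conf, hostname):
    """Realm that [domain_realm] gives hostname, or None (libkrb5 then falls back
    to DNS / default_realm).  krb5.conf(5) order: the full host name, then each
    parent domain as the dotted key or the bare key that implies it."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    for i in range(1, len(labels)):
        candidates += ["." + ".".join(labels[i:]), ".".join(labels[i:])]
    for key in candidates:
        if key in mapping and isinstance(mapping[key], list):
            return mapping[key][0]
    return None


def kdc_candidates(conf, realm):
    """Explicit kdc = lines; else the SRV names queried when dns_lookup_kdc is on."""
    block = conf.get("realms", {}).get(realm, {})
    explicit = block.get("kdc", []) if isinstance(block, dict) else []
    if explicit:
        return {"source": "krb5.conf", "kdcs": list(explicit)}
    flag = (conf.get("libdefaults", {}).get("dns_lookup_kdc") or ["true"])[0]
    if flag.lower() in ("true", "yes", "1"):     # libkrb5's default is true
        return {"source": "dns_srv",
                "kdcs": [f"_kerberos._{p}.{realm.lower()}" for p in ("udp", "tcp")]}
    return {"source": "none", "kdcs": []}


def trust_path(conf, client_realm, server_realm):
    """[capaths] hops client_realm -> server_realm ([] = direct '.' trust); None if absent."""
    entry = conf.get("capaths", {}).get(client_realm, {})
    hops = entry.get(server_realm) if isinstance(entry, dict) else None
    return None if hops is None else [h for h in hops if h != "."]


def diagnose(conf_text, user_principal, client_host):
    """Run the three lookups for one login attempt and list the gaps found."""
    conf = parse_krb5_conf(conf_text)
    user_realm = user_principal.rsplit("@", 1)[-1]
    client_realm = host_realm(conf, client_host)
    target = client_realm or (conf.get("libdefaults", {}).get("default_realm") or [None])[0]
    kdcs = kdc_candidates(conf, user_realm)
    path = trust_path(conf, user_realm, target) if target else None
    checks = [(client_realm is None, f"[domain_realm] does not cover {client_host}; "
                                     f"host/{client_host} falls back to DNS or {target}"),
              (kdcs["source"] == "none", f"no KDC for {user_realm}: no kdc = line, DNS off"),
              (path is None, f"no [capaths] entry {user_realm} -> {target}")]
    return {"user_realm": user_realm, "client_realm": client_realm, "kdc_lookup": kdcs,
            "trust_path": path, "findings": [msg for bad, msg in checks if bad]}
```

Calling diagnose(SAMPLE_KRB5_CONF, "username@NAFTA.COMPANY.ORG", "client.company-aws.org") returns the two findings described in the lead-in plus the SRV names _kerberos._udp.nafta.company.org and _kerberos._tcp.nafta.company.org, which is what the dns_lookup_kdc path will query; dig -t SRV on those names from the client confirms the AD forwarder answers them. To watch the real library make the same decisions, run KRB5_TRACE=/dev/stderr kinit username@NAFTA.COMPANY.ORG (shows which KDCs it resolves and contacts) and then KRB5_TRACE=/dev/stderr kvno host/client.company-aws.org@COMPANY-IDM.ORG with that ticket cache, which exercises the cross-realm service-ticket request that ticket validation needs and is where a "Server not found in Kerberos database" from the wrong KDC would surface.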
