[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

Sumit Bose sbose at redhat.com
Tue Nov 22 15:49:30 UTC 2016 

On Tue, Nov 22, 2016 at 10:37:06AM -0500, Chris Dagdigian wrote:
> Upfront
>  - I know this question is fairly common and I do read the list and
> archives, honest!
>  - I'm following the SSSD troubleshooting wiki and running with debug
> settings for PAM and SSH
>  - Still not quite sure where my config problem lies
> 
>  - I see "Server not found in kerberos database" in /var/log/messages so I
> think I have a simple /etc/krb5.conf error; possibly a very simple root
> cause like my client can't use DNS to autodiscover a KDC. Not 100% sure how
> to confirm that

Please send the full krb5_child.log with debug_level=10 in the
[domain/...] section of sssd.conf. My current guess is the ticket
validation fails. Which version of SSSD are you using?

bye,
Sumit

> 
> 
> Setup:
> 
>  - We run an IPA server at COMPANY-IDM.ORG with the goal of using it as
> "glue" for multiple Active Directory relationships
>  - Successful trusts made with a number of test AD forest and domains,
> including SSH logins all working fine
>  - Got the Trust set up to the real COMPANY.ORG forest last night
>  - Trust to COMPANY.ORG went in just fine
>  - We can fetch trusted domains through COMPANY.ORG and see all the children
> we expect to see (excellent!)
> 
> Situation:
> 
>  - I can resolve username at NAFTA.COMPANY.ORG on IPA server and bound client
>  - I can "kinit username at NAFTA.COMPANY.ORG" on the IPA server and ipa
> managed client
>  - From root I can "sudo username at nafta.company.org" on IPA and client
> server and end up as proper user in proper homedir
>  - I can login via SSH to IPA server and client machines as
> user at TESTDOMAIN.ORG
>  - ping COMPANY.ORG and NAFTA.COMPANY.ORG resolves to the remote AD servers
> so I think DNS forwarding is OK
> 
> BUT -- any sort of "ssh username at nafta.company.org" fails, client sees
> variations of "permission denied"; nothing super useful so far in security,
> ssh or sssd logs
> 
> So basically password checking is broken for the actual COMPANY.ORG trust we
> set up last night.
> 
> When I had this issue with our test AD domains I think the answer was that
> "client could not discover which KDC to contact for password checking" so
> our response was to customize the krb5.conf file to explicitly enable DNS
> lookups..
> 
> This feels to me like either I've messed up sssd.conf or perhaps more likely
> I'm missing a config setting in krb5.conf that is specific to password
> checking for COMPANY.ORG and NAFTA.COMPANY.org
> 
> 
> We are running in AWS with VPC Flow Logs enabled and there are no obvious
> REJECT logs showing blockage of traffic to KDC or Domain Controllers
> 
> 
> Seeking tips and any guidance people can provide!
> 
> Without burying people in log and config data, here is what I think the
> relevant info on our side is:
> 
> /etc/krb5.conf (IPA client)
> ---------------------------------
> 
> [libdefaults]
> 
>   default_realm = COMPANY-IDM.ORG
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
> 
>   COMPANY-IDM.ORG = {
>     kdc = usaeilidmp001.company-idm.org:88
>     master_kdc = usaeilidmp001.company-idm.org:88
>     admin_server = usaeilidmp001.company-idm.org:749
>     default_domain = company-idm.org
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
> 
>   }
> 
> [domain_realm]
> 
> ipa-client.company-aws.org = COMPANY-IDM.ORG
> 
> [capaths]
> 
> COMPANY-AWS.ORG = {
> 
>   COMPANY-IDM.ORG = COMPANY-AWS.ORG
> 
> }
> 
> COMPANY-IDM.ORG = {
> 
>   COMPANY-AWS.ORG = COMPANY-AWS.ORG
> 
> }
> 
> 
> 
> Here is /etc/sssd/sssd.conf from an IPA client:
> ---------------------------------------------------------
> 
> [domain/company-idm.org]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = company-idm.org
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname =  client.company-aws.org
> chpass_provider = ipa
> ipa_server = _srv_, usaeilidmp001.company-idm.org
> dns_discovery_domain = company-idm.org
> 
> [sssd]
> 
> debug_level = 6
> services = nss, sudo, pam, ssh
> config_file_version = 2
> 
> domains = company-idm.org
> 
> [nss]
> 
> homedir_substring = /home
> 
> [pam]
> 
> debug_level = 10
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> debug_level = 6
> 
> [pac]
> 
> [ifp]
> 
> 
> 
> And finally after turning on debug here is some output from sssd_pam.log
> with debug mode set:
> -----------
> 
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_check_user_search] (0x0400):
> Returning info for user [username at NAFTA.COMPANY.ORG]
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pd_set_primary_name] (0x0400):
> User's primary name is username at NAFTA.COMPANY.ORG (Tue Nov 22 14:55:07 2016)
> [sssd[pam]] [pam_initgr_cache_set] (0x2000): [username at nafta.COMPANY.ORG]
> added to PAM initgroup cache
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> request with the following data:
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): command:
> PAM_OPEN_SESSION
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): domain:
> NAFTA.COMPANY.ORG (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data]
> (0x0100): user: username at NAFTA.COMPANY.ORG (Tue Nov 22 14:55:07 2016)
> [sssd[pam]] [pam_print_data] (0x0100): service: su-l
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/0
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> root
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not
> set
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
> type: 0
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> 3939
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: username at nafta.COMPANY.ORG
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_add_timeout] (0x2000):
> 0x7f98ae9cd8d0
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
> Deleting request: [0x7f98ac9eb090:3:username at NAFTA.COMPANY.ORG]
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000):
> 0x7f98ae9cd8d0
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
> 0x7f98ae9c6ce0
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> received: [0 (Success)][NAFTA.COMPANY.ORG]
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0]: Success.
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 35
>  (Tue Nov 22 14:55:07 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0x7f98ae9ccf20][19]
> (Tue Nov 22 14:55:12 2016) [sssd[pam]] [pam_initgr_cache_remove] (0x2000):
> [username at nafta.COMPANY.ORG] removed from PAM initgroup cache
> 
> 
> pam_sshd has this to say:<mailto:dag at syngentaaws.org>
> 
> Nov 22 15:01:25 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=usaeilvdip001.syngentaaws.org user=username at nafta.company.org
> <mailto:t859531 at nafta.syngenta.org>
> Nov 22 15:01:25 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): received for
> user username at nafta.company.org <mailto:t859531 at nafta.syngenta.org>: 4
> (System error)
> Nov 22 15:01:25 usaeilvdip001 sshd[4041]: Failed password for
> username at nafta.company.org <mailto:t859531 at nafta.syngenta.org> from
> 10.127.64.12 port 33812 ssh2
> Nov 22 15:01:29 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=usaeilvdip001.syngentaaws.org user=username at nafta.company.org
> <mailto:t859531 at nafta.syngenta.org>
> Nov 22 15:01:29 usaeilvdip001 sshd[4041]: pam_sss(sshd:auth): received for
> user username at nafta.company.org <mailto:t859531 at nafta.syngenta.org>: 4
> (System error)
> Nov 22 15:01:29 usaeilvdip001 sshd[4041]: Failed password for
> username at nafta.company.org <mailto:t859531 at nafta.syngenta.org> from
> 10.127.64.12 port 33812 ssh2
> Nov 22 15:01:31 usaeilvdip001 sshd[4041]: Connection closed by 10.127.64.12
> [preauth]
> 
> 
> 
> And this seems pretty clear from /var/log/messages right after I fail with
> SSH as a NAFTA.COMPANY.ORG user:
> 
> Nov 22 15:29:43 usaeilvdip001 [sssd[krb5_child[4099]]]: Server not found in
> Kerberos database
> Nov 22 15:29:43 usaeilvdip001 [sssd[krb5_child[4099]]]: Server not found in
> Kerberos database
> Nov 22 15:29:54 usaeilvdip001 [sssd[krb5_child[4102]]]: Server not found in
> Kerberos database
> Nov 22 15:29:54 usaeilvdip001 [sssd[krb5_child[4102]]]: Server not found in
> Kerberos database
> 
> 
> I've played with simple edits to /etc/krb5.conf to explicitly set a realm
> for COMPANY.ORG so I could list kdc entries but it is either not working or
> I've got a syntax misunderstanding.
> 
> For instance I've tried to add this to krb5.conf on the client underneath
> the IPA REALM entry:
> 
>   COMPANY.ORG = {
> 
>     kdc = company.org:88
> 
>     master_kdc = company.org:88
> 
>     admin_server = company.org
> 
>   }
> 
> 
> Any tips / help greatly appreciated
> 
> 
> Regards,
> Chris
> 
> 
> 
> 
> 
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list