[Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
Chris Dagdigian
dag at sonsorol.org
Wed Oct 5 18:46:21 UTC 2016
Hello again,
Following up on an earlier query about configuring IPA clients that are in
different DNS domains than the IPA server domain & realm.
This is our setup:
AD Servers & IPA:
------------------------
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server : company-ipa.org
I don't really need Kerberos or Kerberized SSO -- I really just want to
get SSH logins via passwords working before moving on to SSH keys - my
understanding of the way I'm configuring things basically breaks
Kerberos but should allow other user and authentication services to work.
Client Machine:
------------------
Hostname: client.company-aws.org
I was able to configure a client in the domain 'company-aws.org' by
abusing the ipa-client-install command:
$ client.company-aws.org> # ipa-client-install --server ipa.company-ipa.org --domain company-ipa.com
Barring the usual warnings about losing autodiscover based failover the
above command actually worked and took me pretty far. I can launch an
AWS host and give it the standard "company-aws.org" hostname but still
bind it explicitly to an IPA server running in a different DNS domain
and realm.
The nice thing is that it appears that everything but SSH w/ passwords
is working on the client machine with the different DNS domain name
# id user at company-test.org works
# id user at company-aws.org works
# id <local IPA user> works
# getent passwd user at company-test.org works
# getent passwd user at company-aws.org works
# getent passwd <local IPA user> works
# su - user at company-test.org works
# su - user at company-aws.org works
# su - <local IPA user> works
What fails are things like:
$ ssh localhost -l user at company-aws.org
The client sees a standard "Permission Denied, please try again" error
On the client host I mainly see this in /var/log/messages:
client.company-aws.org: [sssd[krb5_child[2311]]]: Cannot find KDC for
realm "COMPANY-AWS.ORG"
I'm hesitant to make significant changes for fear of breaking the fact
that my client can actually resolve users and passwords! I'm incredibly
happy to even have the basic identities being recognized.
The problem with configuring SSH for password logins seems like it could
be somewhere in krb5.conf, ssh_config, sshd_config, sssd.conf or even
down in the PAM configuration, and I'm not really sure where to start
troubleshooting "just SSH" when everything else seems to be working OK.
Any tips, tricks or URLs for configuring the local SSH client on IPA
clients would be appreciated. I suspect I'm a victim of either a dumb
mistake or something that needs a manual tweak after doing an IPA client
install where the client hostname is different from the IPA domain and
realm.
Can provide config files and logs but did not want to spam a huge
message in case there was a simple set of things I should be looking at.
-Chris
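The "Cannot find KDC for realm" message from sssd's krb5_child means libkrb5 had neither an explicit `kdc =` entry for that realm nor a usable DNS SRV answer. The script below is an added example, not part of Chris's post and not FreeIPA or sssd code: it parses a krb5.conf in the shape ipa-client-install writes and, for each realm, reports which KDC source the library would use and which SRV names must therefore resolve from the client. The realm and host names are taken from the post; the file contents and the `SAMPLE_KRB5_CONF` constant are constructed for the example.

```python
"""Work out where libkrb5 on an IPA client would look for a realm's KDC.

Added example (not from the original post or from FreeIPA/sssd).  The
krb5.conf below is constructed to resemble what ipa-client-install writes
for a client enrolled with --server ipa.company-ipa.org.
"""
import re

# Constructed sample configuration; realm/host names follow the post.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = COMPANY-IPA.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false

[realms]
  COMPANY-IPA.ORG = {
    kdc = ipa.company-ipa.org:88
    master_kdc = ipa.company-ipa.org:88
    admin_server = ipa.company-ipa.org:749
    default_domain = company-ipa.org
  }

[domain_realm]
  .company-ipa.org = COMPANY-IPA.ORG
  company-ipa.org = COMPANY-IPA.ORG
  client.company-aws.org = COMPANY-IPA.ORG
"""

_SECTION = re.compile(r"^\[(\S+)\]$")
_BLOCK_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_ASSIGN = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; `NAME = { }` nests a dict.

    Repeated keys (several `kdc =` lines) accumulate into a list.  include and
    includedir directives are recorded under "_includes", not followed, since
    the included files are outside the sample.
    """
    conf = {"_includes": []}
    section = None
    block = None  # dict for the `NAME = { ... }` block currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("includedir ", "include ")):
            conf["_includes"].append(line.split(None, 1)[1])
            continue
        m = _SECTION.match(line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("key outside of any section: %r" % line)
        if line == "}":
            block = None
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        target = block if block is not None else section
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def _flag(conf, key, default):
    vals = conf.get("libdefaults", {}).get(key)
    return default if not vals else vals[-1].lower() in ("true", "yes", "1")


def kdc_sources(conf, realm):
    """Report how libkrb5 would locate a KDC for `realm` under this config.

    Documented order: explicit `kdc` entries in [realms] first; otherwise the
    SRV records _kerberos._udp.<realm> / _kerberos._tcp.<realm> when
    dns_lookup_kdc is on (MIT's default).  Neither applying is exactly the
    "Cannot find KDC for realm" condition.
    """
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    srv_names = []
    if not explicit and _flag(conf, "dns_lookup_kdc", True):
        srv_names = ["_kerberos._udp.%s" % realm.lower(),
                     "_kerberos._tcp.%s" % realm.lower()]
    return {"realm": realm, "explicit_kdcs": explicit,
            "dns_srv_names": srv_names, "needs_dns": bool(srv_names)}


def realm_for_host(conf, hostname):
    """Apply [domain_realm]: exact host first, then the longest parent domain.

    Without an entry (and dns_lookup_realm off) MIT krb5 falls back to the
    upper-cased parent domain, which is what an unmapped company-aws.org host
    would get.
    """
    mapping = {k: v[-1] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "domain_realm"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], "domain_realm"
    return ".".join(labels[1:]).upper(), "fallback"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ("COMPANY-IPA.ORG", "COMPANY-AWS.ORG", "COMPANY-TEST.ORG"):
        plan = kdc_sources(conf, realm)
        print(realm, "kdc:", plan["explicit_kdcs"] or "none", "srv:", plan["dns_srv_names"])
    print(realm_for_host(conf, "client.company-aws.org"))
    print(realm_for_host(conf, "other.company-aws.org"))
```

Run against the real /etc/krb5.conf, the output tells you which SRV names the trusted AD realms depend on; those are the records to query from the client's own resolver (`dig SRV _kerberos._udp.company-aws.org`), since an AWS resolver that does not forward to the AD DNS would produce exactly the symptom above. sssd also publishes the KDCs it discovered in /var/lib/sss/pubconf/kdcinfo.<REALM>, which the includedir line above pulls into libkrb5's view, so an absent file for COMPANY-AWS.ORG is worth checking, and `KRB5_TRACE=/dev/stderr kinit user@COMPANY-AWS.ORG` on the client shows the lookup step by step.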