<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(51,51,51)">Hello Sumit</div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(51,51,51)"> </div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(51,51,51)">ipa-client-install hasn't set krb5_realm. I did that. </div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(51,51,51)"> </div><div class="gmail_default" style="">We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf in chef. So it overwrote, whatever ipa-client-install put there. And that's how the mistake happened.</div><div class="gmail_default" style=""> </div><div class="gmail_default" style="">I think the ipa-client-install discovered everything right. I'm attaching the log. </div><div class="gmail_default" style=""> </div><div class="gmail_default" style="">Best regards,</div><div class="gmail_default" style="">Alexander</div><div class="gmail_default" style=""> </div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(51,51,51)"> </div><div class="gmail_default" style="font-family:tahoma,sans-serif;color:rgb(51,51,51)"> </div></div><div class="gmail_extra"> <div class="gmail_quote">2015-10-06 15:01 GMT+02:00 Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Oct 06, 2015 at 11:26:42AM +0200, Alexander Skwar wrote: > Hi > > With further debugging, I discovered, that I messed up the > /etc/sssd/sssd.conf file. There, I added: > > … > [domain/customer.company.internal] > > krb5_realm = customer.company.internal > … > > > > Exactly like that. With "krb5_realm = customer.company.internal"; ie. with > the realm in lowercase letters. > > After having changed that to uppercase letters (ie. "krb5_realm = > CUSTOMER.COMPANY.INTERNAL"), it works fine. Thank you for the feedback. Can you check /var/log/ipaclient-install.log to see which realm ipa-client-install has discovered? In general ipa-client-install should be able to determine the right realm. In your case where domain and realm are the same except the case it shouldn't have set krb5_realm at all. bye, Sumit <div class="HOEnZb"><div class="h5"> > > > > Thanks for your time and help ;) > > Cheers, > Alexander > > > > 2015-10-05 14:07 GMT+02:00 Sumit Bose <<a href="mailto:sbose@redhat.com">sbose@redhat.com</a>>: > > > On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote: > > > Hi > > > > > > Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try > > > to login with SSH and enter a password. > > > > Can you try to increase the debug_level to 0xFFF0? > > > > > > > > kinit doesn't work. > > > > > > $ kinit -k > > > kinit: Permission denied while getting initial credentials > > > > > > For this test, I was root and then did a "su - user" and then "kinit -k". > > > Also after the "kinit -k", nothing is in the krb5_child.log. > > > > The 'kinit -k' has to be done as root. It will only check if the client > > can connect to the KDC at all and tries to get a TGT for the host. > > > > It's expected that during this operation nothing is added to the SSSD > > logs because the kinit utility work independent of SSSD. > > > > bye, > > Sumit > > > > > > > > Regards, > > > Alexander > > > > > > > > > 2015-10-02 17:59 GMT+02:00 Jakub Hrozek <<a href="mailto:jhrozek@redhat.com">jhrozek@redhat.com</a>>: > > > > > > > On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote: > > > > > Hello > > > > > > > > > > How do I get password authentication to work with freeipa-client > > > > > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo? > > > > > > > > > > Long version follows :) > > > > > > > > > > We've got an IPA server with the Red Hat Identity Management server > > > > > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured > > > > > users and groups there and would now like to login with SSH. When I > > > > > store a SSH key for the user account, I can login just fine, using > > > > > this SSH key. But I'd like/need to use passwords as well. And sudo > > > > > also doesn't work, when it's asking for passwords - I supposed, > > > > > it's the same root cause. > > > > > > > > > > Let's stick with SSH. > > > > > > > > > > Initially, I installed the FreeIPA client with this command line: > > > > > > > > > > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \ > > > > > --enable-dns-updates --unattended \ > > > > > --principal=admin --password=correctone \ > > > > > --domain=customer.company.internal \ > > > > > --server=auth01.customer.company.internal > > > > > > > > > > I then try to do a SSH login with: > > > > > > > > > > ssh -l ewt@customer.company.internal 192.168.229.143 > > > > > or: > > > > > ssh -l ewt 192.168.229.143 > > > > > > > > > > Password authentication doesn't work. > > > > > > > > > > In the /var/log/syslog on the system where I try to login, I find > > this: > > > > > > > > > > 2015-10-02T15:33:38.771291+02:00 mgmt02 > > [sssd[krb5_child[14154]]]: > > > > > Key table entry not found > > > > > > > > > > After having turned up the debug level of the sssd with "sssd -i -f > > -d > > > > > 0x0770 --debug-timestamps=1", I find the following in the system log > > > > > files: > > > > > > > > > > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]: > > > > > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 > > > > > tty=ssh ruser= rhost=212.71.117.1 user=ewt > > > > > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]: > > > > > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 > > > > > tty=ssh ruser= rhost=212.71.117.1 user=ewt > > > > > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]: > > > > > pam_sss(sshd:auth): received for user ewt: 4 (System error) > > > > > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed > > > > > password for ewt from 212.71.117.1 port 58136 ssh2 > > > > > > > > > > TBH, I don't quite understand it. Anyway, in > > > > > /var/log/sssd/sssd_customer.company.internal.log I noticed: > > > > > > > > > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]] > > > > > [read_pipe_handler] (0x0400): EOF received, client finished > > > > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]] > > > > > [parse_krb5_child_response] (0x0020): message too short. > > > > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]] > > > > > [krb5_auth_done] (0x0040): Could not parse child response [22]: > > > > > Invalid argument > > > > > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]] > > > > > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed. > > > > > > > > > > Well… What am I doing wrong or what might I have forgotten? > > > > > > > > We need to also see the krb5_child.log but please check if the keytab > > is > > > > correct (ie kinit -k works). > > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project > > > > > > > > > > > > > > > > -- > > > > > > > > > Alexander > > > -- > > > => *Google+* => <a href="http://plus.skwar.me" rel="noreferrer" target="_blank">http://plus.skwar.me</a> <== > > > => *Chat* (Jabber/Google Talk) => <a href="mailto:a.skwar@gmail.com">a.skwar@gmail.com</a> <== > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project > > > > > > > -- > > > Alexander > -- > => *Google+* => <a href="http://plus.skwar.me" rel="noreferrer" target="_blank">http://plus.skwar.me</a> <== > => *Chat* (Jabber/Google Talk) => <a href="mailto:a.skwar@gmail.com">a.skwar@gmail.com</a> <== > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </div></div></blockquote></div> <div> </div>-- <div class="gmail_signature"><div dir="ltr"><pre cols="72"> Alexander -- => Google+ => <a href="http://plus.skwar.me/" target="_blank">http://plus.skwar.me</a> <== => Chat (Jabber/Google Talk) => <a href="mailto:a.skwar@gmail.com" target="_blank">a.skwar@gmail.com</a> <== </pre><div> </div></div></div> </div>