I’ve been struggling to get SSH to work with an AD user for over 3 weeks now. I've scraped the bowels of the internet for answers, still no dice.
The issue is pretty simple in itself: I can’t SSH to a FreeIPA-joined CentOS 7.3 client with an AD user. However, kinit with any AD user, as well as su, works just fine. I’m running two 4.4.0 IPA servers.
I made sure the entire setup is resolving DNS properly and that NTP (external to FreeIPA) is in sync. I’m using FQDNs for hostnames.
Here’s the output from journalctl -f:
Jul 27 04:37:10 centos.ipa.ad.com sshd[2633]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: (to admin@ad.com) root on pts/1
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session opened for user admin@ad.com by root(uid=0)
Jul 27 04:37:42 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session closed for user admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): received for user admin@ad.com: 6 (Permission denied)
Jul 27 04:38:35 centos.ipa.ad.com sshd[2674]: error: PAM: Authentication failure for admin@ad.com from localhost
Jul 27 04:38:38 centos.ipa.ad.com sshd[2674]: Connection closed by ::1 [preauth]
Config files:
/etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IP.AD.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
IP.AD.COM = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}
/etc/sssd/sssd.conf
[domain/ipa.ad.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.ad.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = centos.ipa.ad.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipaserver02.ipa.ad.com
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.ad.com

[nss]
homedir_substring = /home

[pam]
debug_level = 9

[sudo]

[autofs]

[ssh]
debug_level = 9

[pac]

[ifp]
/etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
GSSAPICleanupCredentials no
X11Forwarding yes
# Default for new installations.
UsePrivilegeSeparation sandbox
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody
I uploaded krb5_child.log and ldap_child.log to https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD
I managed to get AD user SSH login working on both my FreeIPA servers. I had to modify the following files; the changed lines are marked below.
/etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IPA.AD.COM
# changed
dns_lookup_realm = true
# changed
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
IPA.AD.COM = {
  kdc = ipaserver01.ipa.ad.com:88
  master_kdc = ipaserver01.ipa.ad.com:88
  admin_server = ipaserver01.ipa.ad.com:749
  default_domain = ipa.ad.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  # changed
  auth_to_local = RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/
  # changed
  auth_to_local = DEFAULT
}

[domain_realm]
.ipa.ad.com = IPA.AD.COM
ipa.ad.com = IPA.AD.COM
ipaserver02.ipa.ad.com = IPA.AD.COM

[dbmodules]
IPA.AD.COM = {
  db_library = ipadb.so
}

/etc/resolv.conf
search ipa.ad.com ad.com
nameserver 127.0.0.1
# changed: secondary IPA server
nameserver 192.168.1.2
In /etc/named.conf, I disabled dnssec-validation (dnssec-validation no;).
Not sure those settings were at all necessary.
Adding the following lines under [realms] in krb5.conf on my CentOS client machine did not make a difference.
auth_to_local = RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/
auth_to_local = DEFAULT
IPv6 has been disabled in /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
If anyone has an idea what may be the issue or where to look, please reply.
Thanks,
Alex
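The auth_to_local lines in the post decide which local user name a Kerberos principal is translated to, so it helps to see what the rule `RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/` followed by `DEFAULT` actually produces for a trusted-AD principal, a principal in the IPA realm, a service principal and a principal from an unrelated realm. The following is an added example, not code from the post and not MIT krb5's own implementation: it is a simplified Python model of the documented RULE and DEFAULT semantics (the selector is applied with Python's `re` rather than POSIX regex, nested parentheses in the selector are handled by depth counting, and principal names are assumed not to contain escaped `/` or `@`).

```python
"""Simplified model of MIT krb5 auth_to_local rules: RULE:[n:fmt](regex)s/a/b/g and DEFAULT.

Added example; it is not the code of MIT krb5 or of the post, only a reading of the
documented semantics: a RULE applies to principals with exactly n components, expands
$0 (realm) and $1..$n (components) into fmt, skips the rule when the selector regex
does not match, and then applies the sed-style substitutions in order.
"""
import re
from typing import List, Optional, Tuple

# s/pattern/replacement/ with optional g flag; slashes inside may be backslash-escaped
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def _parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm). No escape handling (assumption)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a realm-qualified principal: {principal!r}")
    return name.split("/"), realm


def _parse_rule(rule: str):
    """Parse 'RULE:[n:fmt](regex)s/a/b/g ...' into (n, fmt, regex or None, substitutions)."""
    body = rule[len("RULE:"):]
    if not body.startswith("[") or "]" not in body:
        raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    close = body.index("]")
    n_str, _, fmt = body[1:close].partition(":")
    rest = body[close + 1:]
    regex = None
    if rest.startswith("("):
        depth = 0
        end = -1
        for i, ch in enumerate(rest):          # find the matching ')' (depth counting, assumption)
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                end = i
                break
        if end < 0:
            raise ValueError(f"unbalanced selector in rule: {rule!r}")
        regex = rest[1:end]
        rest = rest[end + 1:]
    substs = [(pat, repl, bool(flag)) for pat, repl, flag in _SUBST_RE.findall(rest)]
    return int(n_str), fmt, regex, substs


def _expand(fmt: str, comps: List[str], realm: str) -> str:
    """Replace $0 with the realm and $1..$n with the principal's components."""
    return re.sub(r"\$(\d+)",
                  lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
                  fmt)


def _apply_rule(rule: str, comps: List[str], realm: str) -> Optional[str]:
    """Return the mapped name, or None when this RULE does not apply."""
    n, fmt, regex, substs = _parse_rule(rule)
    if len(comps) != n:                  # rule is only for principals with exactly n components
        return None
    name = _expand(fmt, comps, realm)
    if regex is not None and re.search(regex, name) is None:
        return None                      # selector did not match: rule is skipped
    for pat, repl, is_global in substs:
        name = re.sub(pat, repl, name, count=0 if is_global else 1)
    return name or None


def map_principal(principal: str, rules: List[str], default_realm: str) -> Optional[str]:
    """Local name for principal under the first applicable rule; None means no translation."""
    comps, realm = _parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        if rule.startswith("RULE:"):
            result = _apply_rule(rule, comps, realm)
            if result is not None:
                return result
            continue
        raise ValueError(f"unsupported auth_to_local entry: {rule!r}")
    return None


# The two entries exactly as they appear in the post, with the post's IPA realm.
RULES = [
    "RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/",
    "DEFAULT",
]
DEFAULT_REALM = "IPA.AD.COM"

if __name__ == "__main__":
    for p in ("admin@AD.COM", "alice@IPA.AD.COM",
              "host/centos.ipa.ad.com@IPA.AD.COM", "bob@OTHER.COM"):
        print(f"{p:40} -> {map_principal(p, RULES, DEFAULT_REALM)}")
```

Running it shows why the rule is shaped the way it is: `admin@AD.COM` becomes `admin@ad.com`, the fully qualified form SSSD uses for users from a trusted AD domain, while an IPA-realm user falls through to `DEFAULT` and keeps its bare name. A two-component service principal and a principal from an unrelated realm get no translation at all, which is the outcome to look for when a login fails at the name-mapping step rather than at password verification.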