Hi everyone,
I am pretty new to FreeIPA and I like it a lot, but I have one problem which I cannot solve. I am using ipa-server (freeipa-server) on Ubuntu 18.10 and ipa-clients on Debian 9, so I am not using the ipa-client package, only nscd & sssd and configuration. All clients are successfully enrolled and provided with a keytab file. Some clients work fine and it looks like this (in /var/log/auth.log):
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: NEEDED_PREAUTH: host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for ldap/ipa.domain.com@DOMAIN.COM
and some are not provided with the ldap line:
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: NEEDED_PREAUTH: host/some-not-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Nov 26 18:12:51 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543255971, etypes {rep=18 tkt=18 ses=18}, host/some-not-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
(lines with "closing down fd 12" were omitted; also hostnames, IPs and domains were replaced)
I've checked DNS settings, time difference and various logs, but with no success. I've also tried rm -f /var/lib/sss/db/* and reinstalling the client packages. Do you have any idea where and what I should look for regarding this issue?
On 11/26/18 7:38 PM, Jaroslav Shejbal via FreeIPA-users wrote:
Hi everyone,
I am pretty new to FreeIPA and I like it a lot, but I have one problem which I cannot solve. I am using ipa-server (freeipa-server) on Ubuntu 18.10 and ipa-clients on Debian 9, so I am not using the ipa-client package, only nscd & sssd and configuration. All clients are successfully enrolled and provided with a keytab file. Some clients work fine and it looks like this (in /var/log/auth.log):
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: NEEDED_PREAUTH: host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required
Nov 26 17:54:02 ipa krb5kdc[1345]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM
Nov 26 17:54:02 ipa krb5kdc[1345]: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) AA.BB.CC.DD: ISSUE: authtime 1543254842, etypes {rep=18 tkt=18 ses=18}, host/some-working-host.domain.com@DOMAIN.COM for ldap/ipa.domain.com@DOMAIN.COM
and some are not provided with the ldap line:
What exactly is not working? The line with ISSUE ... for ldap/ipa.domain.com@DOMAIN.COM shows that the host is using Kerberos authentication to the LDAP service. To check if that part is working on your client, you can do:
[client]# kinit -kt /etc/krb5.keytab
[client]# ldapsearch -h $MASTER -Y GSSAPI -b "" -s base
HTH, flo
Hi,
The main problem is that getent passwd <user> and getent group <group> give no output (exit code 2).
I've managed to solve the originally posted issue (by installing the libsasl2-modules-gssapi-mit package), but the main problem persists.
Sending the output from the commands provided, but it looks like everything is alright.
[client]# kinit -V -kt /etc/krb5.keytab
Using default cache: /tmp/krb5cc_0
Using principal: host/client.domain.com@DOMAIN.COM
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5

[client]# ldapsearch -h $MASTER -Y GSSAPI -b "" -s base
SASL/GSSAPI authentication started
SASL username: host/client.domain.com@DOMAIN.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=domain,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=domain,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.8.10.5
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 2.16.840.1.113730.3.6.5
supportedExtension: 2.16.840.1.113730.3.6.6
supportedExtension: 2.16.840.1.113730.3.6.7
supportedExtension: 2.16.840.1.113730.3.6.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.8.10.6
supportedControl: 2.16.840.1.113730.3.8.10.7
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.4.0.18 B2018.283.2156
dataversion: 020181123114138020181123114138020181123114138
netscapemdsuffix: cn=ldap://dc=ipa,dc=domain,dc=com:389
lastusn: 5070
changeLog: cn=changelog
firstchangenumber: 0
lastchangenumber: 0
ipatopologypluginversion: 1.0
ipatopologyismanaged: on
ipaDomainLevel: 1

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Do you have any other idea what to check? Thanks.
Jaroslav
Hi,
I've completely solved my issue; the last part that was missing was libnss-sss. I wonder why this package was not a dependency. Anyway, here is the list of packages needed to run a client under the current stable Debian (stretch):
- nscd
- sssd
- sssd-tools
- libsasl2-modules-gssapi-mit
- libgsasl7
- libnss-sss
- libsss-sudo
But be aware that it may be incomplete.
Jaroslav
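As an added example, not code from this thread or from the FreeIPA project: a POSIX sh health check for a hand-configured Debian client (nscd + sssd, no ipa-client package) that ties together flo's two-step kinit/ldapsearch test and the two fixes Jaroslav found (libsasl2-modules-gssapi-mit for the GSSAPI bind, libnss-sss for getent returning exit code 2). It assumes $MASTER holds the IPA server hostname as in flo's reply, that the client uses dpkg, and that the package names in Jaroslav's list are the complete set; the function names and the nsswitch.conf used by the offline demo are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): health check for a
# hand-built FreeIPA client on Debian. Two failure modes from the thread:
#   1. kinit works but the GSSAPI bind to LDAP fails
#      (fix in the thread: libsasl2-modules-gssapi-mit);
#   2. Kerberos and LDAP work but "getent passwd <user>" exits 2
#      (fix in the thread: libnss-sss, plus "sss" in nsswitch.conf).
# $MASTER is assumed to be the IPA server hostname (as in flo's reply).

# Package list from Jaroslav's final message (assumed complete).
REQUIRED_PKGS="nscd sssd sssd-tools libsasl2-modules-gssapi-mit libgsasl7 libnss-sss libsss-sudo"

# Read installed package names (one per line) on stdin and print the
# required ones that are absent. Exit status 1 if anything is missing.
missing_packages() {
    installed=$(cat)
    missing=""
    for pkg in $REQUIRED_PKGS; do
        printf '%s\n' "$installed" | grep -qx "$pkg" || missing="$missing $pkg"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Succeed only if both the passwd and group lines of the nsswitch.conf at $1
# list the sss module; without it getent never asks SSSD, however healthy
# Kerberos and LDAP are.
nsswitch_has_sss() {
    for db in passwd group; do
        grep -Eq "^${db}:"'([^#]*[[:space:]])?sss([[:space:]]|$)' "$1" || return 1
    done
}

# Live checks, run as root on the client; $1 is a user that exists in IPA.
live_checks() {
    user=$1
    echo "== required packages"
    dpkg-query -W -f '${Package}\n' | missing_packages || echo "   missing packages listed above"
    echo "== nsswitch.conf"
    nsswitch_has_sss /etc/nsswitch.conf && echo "   ok" || echo "   passwd/group do not use sss"
    echo "== host keytab (flo's first check)"
    kinit -V -kt /etc/krb5.keytab || return 1
    echo "== GSSAPI bind to LDAP (flo's second check; fails without the SASL GSSAPI module)"
    ldapsearch -h "$MASTER" -Y GSSAPI -b "" -s base >/dev/null || return 1
    echo "== NSS lookup through SSSD"
    getent passwd "$user" >/dev/null
    rc=$?
    [ "$rc" -eq 2 ] && echo "   exit 2: no entry; check libnss-sss, nsswitch.conf and sssd logs"
    return "$rc"
}

# Offline demonstration on constructed data (runs when --live is not given).
demo() {
    tmp=$(mktemp)
    printf 'passwd: files\ngroup: files sss\n' > "$tmp"   # constructed: passwd lacks sss
    nsswitch_has_sss "$tmp" && echo "nsswitch: ok" || echo "nsswitch: passwd/group missing sss"
    rm -f "$tmp"
    # constructed: a client with only the first three packages installed
    if printf 'nscd\nsssd\nsssd-tools\n' | missing_packages; then
        echo "packages: ok"
    else
        echo "packages: missing (listed above)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_checks "${2:-admin}"
else
    demo
fi
```

Run it as `sh ipa-client-check.sh` for the offline demo, or `MASTER=ipa.domain.com sh ipa-client-check.sh --live someuser` on the client. The checks are ordered so that the first failure points at the layer to look at: package list, then NSS wiring, then the host principal, then the LDAP bind, then the lookup itself.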