Hi folks,
Any help here would be appreciated, I don't seem to see what the issue is. I can log in using kinit just fine, but sssd fails when using ssh. It seems like it has something to do with the files in /var/lib/sss/pubconf going missing, which causes sssd-krb5 to fail with: Cannot find KDC for requested realm.
This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
e.g. kinit login works:

[testuser@test01 ~]$ kinit
Password for testuser@MYREALM.COM:
Warning: Your password will expire in 41 days on Sun Mar 10 19:01:44 2013
[testuser@test01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: testuser@MYREALM.COM

Valid starting     Expires            Service principal
01/27/13 22:13:00  01/28/13 08:13:00  krbtgt/MYREALM.COM@MYREALM.COM
        renew until 02/03/13 22:12:53
[testuser@test01 ~]$
But over ssh:
/var/log/secure:

Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39 user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot find KDC for requested realm]
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39 user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from 10.74.34.39 port 55143 ssh2
Jan 27 21:57:11 test1 sshd[2883]: Connection closed by 10.74.34.39
sssd -i -d9 + SSSD_KRB5_LOCATOR_DEBUG=1 output:

(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x4175f0:3:testuser@MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x248b180], connected[1], ops[(nil)], ldap[0x248b360]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_dispatch] (0x4000): dbus conn: 2485210
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_dispatch] (0x4000): Dispatching.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): domain: MYREALM.COM
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): user: testuser
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): service: sshd
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): tty: ssh
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): ruser:
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): rhost: 10.74.34.39
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): authtok type: 1
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): authtok size: 12
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): newauthtok size: 0
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): priv: 1
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data] (0x0100): cli_pid: 2882
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_pam_handler] (0x1000): Wait queue of user [testuser] is empty, running request immediately.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x2537a00
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x2539b50
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Destroying timer event 0x2539b50 "ltdb_timeout"
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent: Ending timer event 0x2537a00 "ltdb_callback"
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_auth_send] (0x0100): No ccache file for user [testuser] found.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [get_server_status] (0x1000): Status of server 'auth01.myrealm.com' is 'working'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [get_port_status] (0x1000): Port status of port 88 for server 'auth01.MYREALM.COM' is 'neutral'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [get_server_status] (0x1000): Status of server 'auth01.myrealm.com' is 'working'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done] (0x1000): Saving the first resolved server
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done] (0x0200): Found address for server auth01.MYREALM.COM: [192.168.246.37] TTL 300
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_find_ccache_step] (0x4000): Recreating ccache file.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [create_ccache_dir] (0x4000): Ccache directory name [/tmp/krb5cc_501_XXXXXX] does not contain illegal patterns.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2884]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [become_user] (0x4000): Trying to become user [501][501].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [2884]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Sun Jan 27 21:57:03 2013) [sssd] [main] (0x1000): krb5_child started.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup] (0x4000): Not using FAST.
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [get_and_save_tgt] (0x0020): 660: [-1765328230][Cannot find KDC for requested realm]
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [tgt_req_child] (0x0020): 919: [-1765328230][Cannot find KDC for requested realm]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_child_done] (0x4000): child response [4][1][36].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [check_wait_queue] (0x1000): Wait queue for user [testuser] is empty.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler_callback] (0x0100): Sending result [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler_callback] (0x0100): Sent result [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x751c90
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 754800
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_reply] (0x0100): pam_reply get called.
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 79
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_sig_handler] (0x1000): Waiting for child [2884].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_sig_handler] (0x0100): child [2884] finished successfully.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYREALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MYREALM.COM = {
  kdc = auth01.myrealm.com:88
  admin_server = auth01.myrealm.com
  default_domain = myrealm.com
 }

[domain_realm]
 .myrealm.com = MYREALM.COM
 myrealm.com = MYREALM.COM
/etc/sssd/sssd.conf:

[sssd]
debug_level = 0xFFF0
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = MYREALM.COM

[nss]
debug_level = 0xFFF0
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
debug_level = 0xFFF0

[domain/MYREALM.COM]
debug_level = 0xFFF0
min_id = 1
max_id = 0
ldap_page_size = 1000
enumerate = true
cache_credentials = true
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldaps://auth01.myrealm.com:3269
ldap_search_base = dc=myrealm,dc=com
ldap_user_search_base = dc=myrealm,dc=com
ldap_group_search_base = dc=myrealm,dc=com
ldap_schema = rfc2307bis
ldap_default_bind_dn = Administrator@MYREALM.COM
ldap_default_authtok = p@$$word
ldap_default_authtok_type = password
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_group_object_class = group
ldap_user_principal = userPrincipalName
ldap_user_shadow_last_change = pwdLastSet
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false
auth_provider = krb5
krb5_server = auth01.myrealm.com:88
krb5_realm = MYREALM.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
/etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel
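An added triage helper, not part of the original post or of SSSD itself: it correlates the three signals in a debug log like the one above (the backend resolving a KDC, the sssd_krb5_locator plugin failing to open its file, and krb5_child returning "Cannot find KDC for requested realm") and names the pubconf file to inspect. It assumes the locator plugin looks for kdcinfo.<REALM> under /var/lib/sss/pubconf, the file name documented for sssd_krb5_locator_plugin, and the embedded log lines are constructed from the kind of output shown above.

```python
import re

# Constructed sample modelled on the sssd -i -d9 / SSSD_KRB5_LOCATOR_DEBUG=1 output
# quoted in the post (not a verbatim copy).
SAMPLE_LOG = """\
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done] (0x0200): Found address for server auth01.MYREALM.COM: [192.168.246.37] TTL 300
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [get_and_save_tgt] (0x0020): 660: [-1765328230][Cannot find KDC for requested realm]
"""

KRB5_REALM_UNKNOWN = -1765328230  # libkrb5 code behind "Cannot find KDC for requested realm"
RESOLVED_RE = re.compile(r"\[sssd\[be\[(?P<realm>[^\]]+)\]\]\].*Found address for server "
                         r"(?P<host>\S+): \[(?P<ip>[^\]]+)\]")
LOCATOR_FAIL_RE = re.compile(r"\[sssd_krb5_locator\] open failed \[\d+\]")
KRB5_ERR_RE = re.compile(r"krb5_child\[\d+\].*\[(?P<code>-?\d+)\]\[[^\]]+\]")

def triage(log_text, pubconf_dir="/var/lib/sss/pubconf"):
    """Correlate backend KDC resolution, locator-plugin opens and the krb5_child result."""
    t = {"realm": None, "resolved_kdc": None, "locator_open_failures": 0,
         "krb5_error": None, "expected_pubconf": None}
    for line in log_text.splitlines():
        m = RESOLVED_RE.search(line)
        if m:
            t["realm"] = m.group("realm")
            t["resolved_kdc"] = "%s (%s)" % (m.group("host"), m.group("ip"))
        elif LOCATOR_FAIL_RE.search(line):
            t["locator_open_failures"] += 1
        else:
            m = KRB5_ERR_RE.search(line)
            if m and t["krb5_error"] is None:
                t["krb5_error"] = int(m.group("code"))
    if t["realm"]:
        # Assumed file name: the locator plugin reads kdcinfo.<REALM> under pubconf.
        t["expected_pubconf"] = "%s/kdcinfo.%s" % (pubconf_dir, t["realm"])
    return t

def verdict(t):
    """One-line reading of the correlated evidence, for the person doing the triage."""
    if t["locator_open_failures"] and t["krb5_error"] == KRB5_REALM_UNKNOWN:
        return ("backend resolved the KDC %s but the locator plugin failed to open its pubconf "
                "file %d time(s); check that %s exists and is readable by krb5_child"
                % (t["resolved_kdc"], t["locator_open_failures"], t["expected_pubconf"]))
    if t["krb5_error"] == KRB5_REALM_UNKNOWN:
        return "KDC lookup failed without locator open errors; check [realms] in krb5.conf"
    return "no KDC lookup failure found in this log"
```

Feed it the real debug output (for example the stderr of sssd -i -d9 captured to a file) instead of SAMPLE_LOG; the krb5_child runs as the authenticating user, so the file's ownership and mode matter as much as its presence.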