On Thu, Nov 06, 2014 at 02:52:19PM +0100, crony wrote:
> Thank you Sumit. Right now I see:
>
> Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
Did you, by chance, start sshd directly for debugging purposes and not via 'service sshd start'? In this case sshd will not run with the right SELinux context. Can you send the full AVC message?
> SELinux policy blocks it.
> Have you seen that before?
>
> -- After changing the policy to permissive mode, the failure from logs is gone, but I still can't log in by GSSAPI from Windows Station to client1 station:
>
> Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available
Have you set
GSSAPIAuthentication yes
in /etc/ssh/sshd_config?
Can you check on the Windows side if you got a Kerberos service ticket for the client running sssd by calling 'klist' in the Windows cmd shell?
bye, Sumit
> 2014-11-06 11:33 GMT+01:00 Sumit Bose sbose@redhat.com:
>> On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
>>> Hi Sumit, I see this message:
>>>
>>> Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor
>>> code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
>> Kerberos in general is case sensitive. sshd is looking for host/... while the keytab only has HOST/.... The entries are created by adcli so maybe if you join with a newer version of adcli this will get fixed automatically.
>>
>> As an alternative you can use ktutil to add the needed entries. Make a copy of /etc/krb5.keytab before you start ktutil. Then you can use
>>
>>     rkt /etc/krb5.keytab
>>
>> to load the keytab.
>>
>>     list -e -k -t
>>
>> will show you the keys with all needed detail. With
>>
>>     addent -key -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
>>
>> you can start adding new entries. Please repeat this with all enc types listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM. ktutil will ask you for a key in hex, please copy the one shown by 'list -e -k -t' from above.
>>
>> If all is done you can write out the keytab with
>>
>>     wkt /etc/krb5.keytab.new
>>
>> and then exchange the new one with the old one. IIRC ktutil always appends entries to existing files, so writing directly to /etc/krb5.keytab will blow up the file with duplicated entries.
>>
>> HTH
>>
>> bye, Sumit
>>> during every ssh connection with "-k" argument.
>>>
>>> # klist -k
>>>    2 CLIENT1$@ACME.EXAMPLE.COM
>>>    2 CLIENT1@ACME.EXAMPLE.COM
>>>    2 CLIENT1$@ACME.EXAMPLE.COM
>>>    2 CLIENT1$@ACME.EXAMPLE.COM
>>>    2 CLIENT1$@ACME.EXAMPLE.COM
>>>    2 CLIENT1$@ACME.EXAMPLE.COM
>>>    2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>>    2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>>    2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>>    2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>>    2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>>    2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>>    2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>>    2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>>
>>> After logging in with password I see:
>>>
>>> user1@client1.acme.example.com's password:
>>> Last login: Thu Nov 6 09:51:49 2014 from
>>> -sh-4.1$ klist
>>> Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
>>> Default principal: user1@ACME.EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
>>>         renew until 11/13/14 09:57:13
>>>
>>> Any idea?
>>>
>>> /lm
>>>> On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
>>>>> Hi All,
>>>>> I have a properly functioning integration between RHEL6.6/CentOS6.6 and
>>>>> Active Directory 2008 using adcli tool and sssd-ad (
>>>>> http://jhrozek.livejournal.com/3581.html):
>>>>>
>>>>> # adcli join acme.example.com -U userdomain
>>>>>
>>>>> # adcli info acme.example.com
>>>>> [domain]
>>>>> domain-name = acme.example.com
>>>>> domain-short = ACME
>>>>> domain-forest = example.com
>>>>> domain-controller = dom1.acme.example.com
>>>>> domain-controller-site = CENTRAL
>>>>> domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
>>>>> domain-controller-usable = yes
>>>>> domain-controllers = dom1.acme.example.com dom2.acme.example.com
>>>>> [computer]
>>>>> computer-site = CENTRAL
>>>>>
>>>>> The sssd.conf :
>>>>>
>>>>> [sssd]
>>>>> services = nss, pam, ssh
>>>>> config_file_version = 2
>>>>> domains = ACME.EXAMPLE.COM
>>>>> debug_level = 7
>>>>>
>>>>> [domain/ACME.EXAMPLE.COM]
>>>>> krb5_use_enterprise_principal = false
>>>>> krb5_realm = ACME.EXAMPLE.COM
>>>>> ldap_force_upper_case_realm = true
>>>>> ldap_account_expire_policy = ad
>>>>> override_homedir = /home/%d/%u
>>>>> ldap_id_mapping = true
>>>>> subdomain_enumerate = true
>>>>> ldap_schema = ad
>>>>> ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
>>>>> ad_enable_gc = false
>>>>> ldap_access_order = filter, expire
>>>>> enumerate = false
>>>>> id_provider = ad
>>>>> auth_provider = ad
>>>>> access_provider = ad
>>>>> subdomains_provider = ad
>>>>> chpass_provider = ad
>>>>> ad_server = dom1.acme.example.com, dom2.acme.example.com
>>>>> ad_domain = acme.example.com
>>>>> ad_hostname = client1.acme.example.com
>>>>> ad_enable_dns_sites = false
>>>>> dyndns_update = false
>>>>> debug_level = 7
>>>>>
>>>>>
>>>>> /etc/krb5.conf:
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = acme.example.com
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> ticket_lifetime = 24h
>>>>> renew_lifetime = 7d
>>>>> forwardable = true
>>>>> rdns = true
>>>>> ignore_acceptor_hostname = true
>>>>>
>>>>> [realms]
>>>>> acme.example.com = {
>>>>> kdc = acme.example.com
>>>>> admin_server = acme.example.com
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .acme.example.com = acme.example.com
>>>>> acme.example.com = acme.example.com
>>>>> .example.com = acme.example.com
>>>>> example.com = acme.example.com
>>>>>
>>>>> [appdefaults]
>>>>> debug = true
>>>>>
>>>>>
>>>>> I can log in with user/password from AD to RHEL/CentOS, I can change the
>>>>> password, lock the account from AD, etc. It all works.
>>>>>
>>>>> The problem is within GSSAPI SSH-SSO Authentication. Simple, it doesn't
>>>>> work. I see in logs:
>>>>>
>>>>> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.
>>>>> Minor code may provide more information\nNo key table entry found
>>>>> matching host/client1.acme.example.com@\n
>>>>
>>>> Do you see this message when sshd is starting up or during the connection of a client?
>>>>
>>>> What principals are shown by 'klist -k'?
>>>>
>>>> bye, Sumit
>>>>
>>>>> Any idea what could be the reason? All I want to achieve is to get SSH-SSO
>>>>> working, directly from AD desktop machine to Linux systems without password
>>>>> prompt.
>>>>>
>>>>> /lm
>>>>>
>>>>> sssd-users mailing list
>>>>> sssd-users at lists.fedorahosted.org
>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> --
> Regards,
> Leszek Miś
> www: http://cronylab.pl
> www: http://emerge.pl
> Nothing is secure, paranoia is your friend.
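Sumit's diagnosis above (sshd asks for host/<fqdn>@REALM while adcli wrote only HOST/... into the keytab) can be checked mechanically before anyone touches ktutil. The script below is an added example, not code from the thread or from sssd/adcli: it parses the output of 'klist -k -t -e' (a constructed sample is embedded so it runs offline; the KVNO, timestamps and enctypes in it are made up), reports whether the exact principal sshd wants is present and, if only a differently cased variant exists, prints the ktutil addent lines needed to copy its keys under the expected name, one per enctype.

```shell
#!/bin/sh
# Added example (not from the sssd-users thread). Detects a case-only
# mismatch between the principal sshd looks up and what the keytab holds,
# and emits the ktutil commands that add the missing entries.

# Constructed sample of 'klist -k -t -e' output; replace via stdin on a
# real host: klist -k -t -e | keytab_fix_commands "host/$(hostname -f)@REALM"
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/05/14 11:20:05 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 11/05/14 11:20:05 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/05/14 11:20:05 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (arcfour-hmac)
   2 11/05/14 11:20:05 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_fix_commands WANTED_PRINCIPAL  < klist_output
# Prints nothing when WANTED_PRINCIPAL is present verbatim (nothing to do).
# Prints one "addent -key -p WANTED -k KVNO -e ENCTYPE" line per key of a
# principal that matches only case-insensitively (the HOST/ vs host/ case).
# Prints NO_MATCH when no variant of the principal exists at all.
keytab_fix_commands() {
    awk -v wanted="$1" '
        # Data lines start with a numeric KVNO; fields are
        # KVNO, date, time, principal, "(enctype)".
        $1 ~ /^[0-9]+$/ {
            kvno = $1; princ = $4; enc = $5
            gsub(/[()]/, "", enc)
            if (princ == wanted) {
                exact = 1
            } else if (tolower(princ) == tolower(wanted)) {
                variant[++n] = kvno " " enc
            }
        }
        END {
            if (exact) exit 0
            if (n == 0) { print "NO_MATCH"; exit 0 }
            for (i = 1; i <= n; i++) {
                split(variant[i], f, " ")
                printf "addent -key -p %s -k %s -e %s\n", wanted, f[1], f[2]
            }
        }'
}

# Stand-alone run against the constructed sample: sshd on client1 wants the
# lowercase service name, so three addent lines (one per enctype) come out.
printf '%s\n' "$SAMPLE_KLIST" \
    | keytab_fix_commands "host/client1.acme.example.com@ACME.EXAMPLE.COM"
```

ktutil still prompts for each key in hex when these lines are entered; copy it from 'list -e -k -t' as described above and write the result with wkt to a new file rather than over /etc/krb5.keytab.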