Hi,
I tried replacing KEYRING with a FILE option but same results.
#default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
When I try using kinit -E, it asks for the principal password. But the keytab was created using a "rndpass" option so I am not really sure what to put as a password.
]# kinit -E
Password for host/hostname.x.y.local@X.Y.LOCAL:
Here is the complete krb5.conf file:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = X.Y.LOCAL
 #dns_lookup_realm = true
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = true
 #default_ccache_name = KEYRING:persistent:%{uid}
 default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
 default_keytab_name = /etc/krb5.keytab

[realms]
 X.Y.LOCAL = {
  kdc = RODC.x.y.local:88
  admin_server = RODC.x.y.local:749
  default_domain = x.y.local
 }

[domain_realm]
 .x.y.local = X.Y.LOCAL
 x.y.local = X.Y.LOCAL
Thanks,
~ Abhi
On Tue, Feb 21, 2017 at 2:22 AM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (20/02/17 11:33), Abhijit Tikekar wrote:
Hi Jakub,
ldap_id_mapping was set to "false" on this server. Once I set it to "true", both id and getent started working. But the user authentication via SSH still does not go through.
We see the following in SSSD logs (debug level set to 5):
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17466] finished successfully.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): domain: x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): user: first.last
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): service: sshd
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): tty: ssh
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): ruser:
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): rhost: remote_host.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): priv: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): cli_pid: 17465
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): logon name: not set
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100): Home directory for user [first.last] not known.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17467] finished successfully.
*And the following under /var/log/secure*
Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure for first.last from remote_host.x.y.local
*Under krb5_child.log*
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user] (0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@COMPANY.COM@x.y.local] might not be correct.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
Here is the problem.
sssd failed to initialize krb5 context for some reason.
kerr = krb5_init_context(&kctx);
I can see that it tried to use keyring ccache. "ccname: [KEYRING:persistent:xxxxxxxx]". Does it work with FILE cache? Because IIRC there is KEYRING ccache in rhel6 but it does not support collections ccache as in el7.
Are you able to kinit from command line?
I can also see that it tried to kinit with enterprise principal.
Are you able to kinit with it? "kinit -E"
Could you share your krb5.conf?
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
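Two practitioner notes on the exchange above, followed by an added example that is not code from the thread, from SSSD or from MIT krb5. First, the [13][Permission denied] from create_ccache is logged after krb5_child has already called become_user, so the question is whether the login user's uid can create the cache, not whether root can; on a FILE: cache in /var/tmp that comes down to the directory's mode bits and to any leftover krb5cc_<uid> file that a different uid owns in that sticky directory. Second, a keytab whose entries were generated with a random password is exercised with kinit -k -t /etc/krb5.keytab host/hostname.x.y.local@X.Y.LOCAL, which reads the key from the keytab and prompts for nothing. The Python below is a preflight for the first point: it reads default_ccache_name from a constructed copy of the posted [libdefaults], expands %{uid} and %{username} the way krb5 does, and checks the FILE: target from the point of view of a hypothetical uid 12345 (gid 54321, user first.last). SAMPLE_KRB5_CONF, check_ccache, effective_bits and run_demo are names this example introduces; run_demo uses a throwaway directory in place of /var/tmp so it runs offline.

```python
"""Preflight for the credential cache SSSD's krb5_child will try to create.

Added example, not SSSD or MIT krb5 code. It parses the [libdefaults]
section of a krb5.conf, expands default_ccache_name for %{uid} and
%{username}, and for a FILE: cache checks whether the *target user*
(krb5_child has already dropped privileges) could create the file.
"""
import os
import re
import tempfile

# Constructed sample: the [libdefaults] lines quoted in the thread, trimmed.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = X.Y.LOCAL
 #default_ccache_name = KEYRING:persistent:%{uid}
 default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
 default_keytab_name = /etc/krb5.keytab
"""


def libdefaults(conf_text):
    """Key/value pairs of [libdefaults]; # or ; lines are comments and a
    later assignment overrides an earlier one, as in krb5.conf."""
    vals, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            vals[key] = val
    return vals


def expand_ccache(template, uid, username):
    """Expand %{uid} and %{username}; reject any other parameter so a typo
    in the template shows up here instead of at login time."""
    values = {"uid": str(uid), "username": username}

    def sub(m):
        if m.group(1) not in values:
            raise ValueError("unsupported parameter %%{%s}" % m.group(1))
        return values[m.group(1)]

    return re.sub(r"%\{(\w+)\}", sub, template)


def split_ccache(name):
    """'TYPE:residual'; a bare path means FILE, the krb5 default type."""
    if ":" in name:
        ctype, residual = name.split(":", 1)
        return ctype.upper(), residual
    return "FILE", name


def effective_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits that (uid, gids) gets on an object with these mode bits.
    Root bypasses DAC, so always evaluate with the login user's uid."""
    if uid == 0:
        return 7
    if owner_uid == uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def check_ccache(name, uid, gids, username):
    """Return (expanded name, verdict). FILE verdicts: ok, dir-missing,
    dir-not-writable, file-owned-by-other, file-not-writable. Any other
    type yields the type name: nothing on disk to check, the installed
    libkrb5 simply has to support that ccache type."""
    expanded = expand_ccache(name, uid, username)
    ctype, residual = split_ccache(expanded)
    if ctype != "FILE":
        return expanded, ctype.lower()
    directory = os.path.dirname(residual) or "."
    try:
        dst = os.stat(directory)
    except FileNotFoundError:
        return expanded, "dir-missing"
    # Creating an entry needs write and search (w+x) on the directory.
    if effective_bits(dst.st_mode, dst.st_uid, dst.st_gid, uid, gids) & 3 != 3:
        return expanded, "dir-not-writable"
    if os.path.lexists(residual):
        fst = os.lstat(residual)
        # In a sticky directory such as /var/tmp a leftover cache owned by
        # another uid can be neither unlinked nor replaced by this user.
        if fst.st_uid != uid and uid != 0:
            return expanded, "file-owned-by-other"
        if not effective_bits(fst.st_mode, fst.st_uid, fst.st_gid, uid, gids) & 2:
            return expanded, "file-not-writable"
    return expanded, "ok"


def run_demo():
    """Verdicts for hypothetical uid 12345 against a throwaway directory
    that stands in for /var/tmp, keyed by scenario."""
    template = libdefaults(SAMPLE_KRB5_CONF)["default_ccache_name"]
    uid, gids, user = 12345, {54321}, "first.last"
    tmp = tempfile.mkdtemp()
    template = template.replace("/var/tmp", tmp)
    out = {}
    os.chmod(tmp, 0o755)                      # a /var/tmp that lost 1777
    out["strict"] = check_ccache(template, uid, gids, user)[1]
    os.chmod(tmp, 0o1777)                     # the normal /var/tmp mode
    out["normal"] = check_ccache(template, uid, gids, user)[1]
    leftover = os.path.join(tmp, "krb5cc_%d" % uid)
    open(leftover, "w").close()               # owned by us, not uid 12345
    out["leftover"] = check_ccache(template, uid, gids, user)[1]
    out["keyring"] = check_ccache("KEYRING:persistent:%{uid}", uid, gids, user)
    os.unlink(leftover)
    os.rmdir(tmp)
    return out
```

Against a real host, call check_ccache with the unmodified template from /etc/krb5.conf and the uid and group set that `id first.last` reports; a verdict other than ok names the condition that create_ccache would hit once it has become that user.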