On 11/06/2014 08:52 AM, crony wrote:
> Thank you Sumit. Right now I see:
>
> Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n

SELinux policy blocks it.
restorecon? It is probably because the labels somehow are messed up.

> Have you seen that before?
>
> -- After changing the policy to permissive mode, the failure from logs is gone, but I still can't log in by GSSAPI from Windows Station to client1 station:
>
> Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available

Does your client support GSSAPI? Is it enabled on Windows side?

> 2014-11-06 11:33 GMT+01:00 Sumit Bose <sbose@redhat.com>:
>
>> On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
>>> Hi Sumit,
>>> I see this message:
>>>
>>> Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
>>
>> Kerberos in general is case sensitive. sshd is looking for host/... while the keytab only has HOST/.... The entries are created by adcli so maybe if you join with a newer version of adcli this will get fixed automatically.
>>
>> As an alternative you can use ktutil to add the needed entries. Make a copy of /etc/krb5.keytab before you start ktutil. Then you can use
>>
>>   rkt /etc/krb5.keytab
>>
>> to load the keytab.
>>
>>   list -e -k -t
>>
>> will show you the keys with all needed detail. With
>>
>>   addent -k -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
>>
>> you can start adding new entries. Please repeat this with all enc types listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM. ktutil will ask you for a key in hex, please copy the one shown by 'list -e -k -t' from above. If all is done you can write out the keytab with
>>
>>   wkt /etc/krb5.keytab.new
>>
>> and then exchange the new one with the old one. Iirc ktutil always appends entries to existing files, so writing directly to /etc/krb5.keytab will blow up the file with duplicated entries.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> during every ssh connection with "-k" argument.
>>>
>>> # klist -k
>>> 2 CLIENT1$@ACME.EXAMPLE.COM
>>> 2 CLIENT1$@ACME.EXAMPLE.COM
>>> 2 CLIENT1$@ACME.EXAMPLE.COM
>>> 2 CLIENT1$@ACME.EXAMPLE.COM
>>> 2 CLIENT1$@ACME.EXAMPLE.COM
>>> 2 CLIENT1$@ACME.EXAMPLE.COM
>>> 2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>> 2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>> 2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>> 2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>> 2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>> 2 HOST/CLIENT1@ACME.EXAMPLE.COM
>>> 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>> 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
>>>
>>> After log in with password I see:
>>>
>>> user1@client1.acme.example.com's password:
>>> Last login: Thu Nov 6 09:51:49 2014 from
>>> -sh-4.1$ klist
>>> Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
>>> Default principal: user1@ACME.EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
>>>         renew until 11/13/14 09:57:13
>>>
>>> Any idea?
>>>
>>> /lm
>>>
>>>> On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
>>>>> Hi All,
>>>>> I have a properly functioning integration between RHEL6.6/CentOS 6.6 and Active Directory 2008 using adcli tool and sssd-ad (http://jhrozek.livejournal.com/3581.html):
>>>>>
>>>>> # adcli join acme.example.com -U userdomain
>>>>>
>>>>> # adcli info acme.example.com
>>>>> [domain]
>>>>> domain-name = acme.example.com
>>>>> domain-short = ACME
>>>>> domain-forest = example.com
>>>>> domain-controller = dom1.acme.example.com
>>>>> domain-controller-site = CENTRAL
>>>>> domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
>>>>> domain-controller-usable = yes
>>>>> domain-controllers = dom1.acme.example.com dom2.acme.example.com
>>>>> [computer]
>>>>> computer-site = CENTRAL
>>>>>
>>>>> The sssd.conf :
>>>>>
>>>>> [sssd]
>>>>> services = nss, pam, ssh
>>>>> config_file_version = 2
>>>>> domains = ACME.EXAMPLE.COM
>>>>> debug_level = 7
>>>>>
>>>>> [domain/ACME.EXAMPLE.COM]
>>>>> krb5_use_enterprise_principal = false
>>>>> krb5_realm = ACME.EXAMPLE.COM
>>>>> ldap_force_upper_case_realm = true
>>>>> ldap_account_expire_policy = ad
>>>>> override_homedir = /home/%d/%u
>>>>> ldap_id_mapping = true
>>>>> subdomain_enumerate = true
>>>>> ldap_schema = ad
>>>>> ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
>>>>> ad_enable_gc = false
>>>>> ldap_access_order = filter, expire
>>>>> enumerate = false
>>>>> id_provider = ad
>>>>> auth_provider = ad
>>>>> access_provider = ad
>>>>> subdomains_provider = ad
>>>>> chpass_provider = ad
>>>>> ad_server = dom1.acme.example.com, dom2.acme.example.com
>>>>> ad_domain = acme.example.com
>>>>> ad_hostname = client1.acme.example.com
>>>>> ad_enable_dns_sites = false
>>>>> dyndns_update = false
>>>>> debug_level = 7
>>>>>
>>>>> /etc/krb5.conf:
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = acme.example.com
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> ticket_lifetime = 24h
>>>>> renew_lifetime = 7d
>>>>> forwardable = true
>>>>> rdns = true
>>>>> ignore_acceptor_hostname = true
>>>>>
>>>>> [realms]
>>>>> acme.example.com = {
>>>>> kdc = acme.example.com
>>>>> admin_server = acme.example.com
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .acme.example.com = acme.example.com
>>>>> acme.example.com = acme.example.com
>>>>> .example.com = acme.example.com
>>>>> example.com = acme.example.com
>>>>>
>>>>> [appdefaults]
>>>>> debug = true
>>>>>
>>>>> I can log in with user/password from AD to RHEL/CentOS, I can change the password, lock the account from AD, etc. It all works.
>>>>>
>>>>> The problem is within GSSAPI SSH-SSO Authentication. Simple, it doesn't work. I see in logs:
>>>>>
>>>>> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
>>>>
>>>> Do you see this message when sshd is starting up or during the connection of a client?
>>>>
>>>> What principals are shown by 'klist -k' ?
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> Any idea what could be the reason? All I want to achieve is to get SSH-SSO working, directly from AD desktop machine to Linux systems without password prompt.
>>>>>
>>>>> /lm
>>>>>
>>>>> _______________________________________________
>>>>> sssd-users mailing list
>>>>> sssd-users@lists.fedorahosted.org
>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>>
>>> --
>>> Pozdrawiam Leszek Miś
>>> www: http://cronylab.pl
>>> www: http://emerge.pl
>>> Nothing is secure, paranoia is your friend.
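The keytab problem Sumit describes above (sshd asks the keytab for host/client1.acme.example.com@ACME.EXAMPLE.COM, adcli wrote the entries as HOST/..., and Kerberos compares principal names byte for byte) is easy to check and to plan a fix for from `klist` output. The script below is an added example for this thread, not code from sssd, adcli or MIT Kerberos. It assumes the MIT `klist -k -t -K -e` line format (kvno, timestamp, principal, "(enctype)", "(0xHEXKEY)"); the sample output and its keys are constructed, and the `addent` line uses the spelled-out `-key` option. It reports whether the exact-case acceptor principal exists, lists entries that differ only in case (the symptom in this thread), and drafts the ktutil input that Sumit's procedure needs: read the old keytab, one `addent` per enctype with the hex key as the answer to ktutil's prompt, and write to a new file rather than back onto the original.

```python
"""Check a host keytab for the exact-case principal sshd's GSSAPI acceptor
needs, and draft the ktutil input that copies existing HOST/ entries to host/.

Added example; not from sssd, adcli or MIT Kerberos. Assumed input format:
MIT `klist -k -t -K -e` (kvno, timestamp, principal, "(enctype)", "(0xkey)").
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `klist -k -t -K -e /etc/krb5.keytab` on a box like
# the one in the thread. Keys are fake and shortened.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 11/05/14 11:55:14 CLIENT1$@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00112233)
   2 11/05/14 11:55:14 HOST/CLIENT1@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x44556677)
   2 11/05/14 11:55:14 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x8899aabb)
   2 11/05/14 11:55:14 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0xccddeeff)
   2 11/05/14 11:55:14 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (arcfour-hmac)  (0x01234567)
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?:\d+/\d+/\d+\s+\d+:\d+:\d+\s+)?"      # timestamp column (-t), optional
    r"(?P<princ>\S+@\S+)"                      # principal, case preserved
    r"(?:\s+\((?P<etype>[^)]+)\))?"            # enctype column (-e), optional
    r"(?:\s+\(0x(?P<key>[0-9a-fA-F]+)\))?"     # raw key column (-K), optional
)


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: Optional[str]
    key_hex: Optional[str]


def parse_klist(output: str) -> List[KeytabEntry]:
    """Parse klist -k output; header and separator lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["princ"], m["etype"], m["key"]))
    return entries


def sshd_principal(fqdn: str, realm: str) -> str:
    """The acceptor name sshd looks up: lowercase service, the host's FQDN, REALM."""
    return f"host/{fqdn}@{realm}"


def check_sshd_principal(entries, fqdn, realm):
    """Return (exact_matches, case_only_matches).

    A HOST/x@R entry never satisfies a lookup for host/x@R; entries in the
    second list are the ones the thread's 'No key table entry found' points at.
    """
    wanted = sshd_principal(fqdn, realm)
    exact = [e for e in entries if e.principal == wanted]
    case_only = [e for e in entries
                 if e.principal != wanted and e.principal.lower() == wanted.lower()]
    return exact, case_only


def ktutil_script(entries, fqdn, realm, keytab="/etc/krb5.keytab"):
    """Draft ktutil input adding host/<fqdn> entries copied from the case-only matches.

    Mirrors the procedure in the thread: rkt the old keytab, one addent per
    enctype (the hex key line answers ktutil's 'Key for ... (hex):' prompt),
    then wkt to a NEW file, since ktutil appends to an existing keytab.
    Returns None when nothing is missing or when keys were not captured (-K).
    """
    exact, case_only = check_sshd_principal(entries, fqdn, realm)
    if exact or not case_only:
        return None
    if any(e.key_hex is None or e.enctype is None for e in case_only):
        return None  # need `klist -k -K -e` output to copy keys
    lines = [f"rkt {keytab}"]
    for e in case_only:
        lines.append(f"addent -key -p {sshd_principal(fqdn, realm)} -k {e.kvno} -e {e.enctype}")
        lines.append(e.key_hex)
    lines.append(f"wkt {keytab}.new")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fqdn, realm = "client1.acme.example.com", "ACME.EXAMPLE.COM"
    ents = parse_klist(SAMPLE_KLIST)
    exact, case_only = check_sshd_principal(ents, fqdn, realm)
    print(f"exact matches for {sshd_principal(fqdn, realm)}: {len(exact)}, "
          f"case-only matches: {len(case_only)}")
    plan = ktutil_script(ents, fqdn, realm)
    if plan:
        print("ktutil input to review before use:\n" + plan)
```

Run it against real output with `klist -k -t -K -e /etc/krb5.keytab | python3 check_keytab.py` after swapping `SAMPLE_KLIST` for `sys.stdin.read()`; the generated plan is meant to be reviewed and entered into ktutil, with each hex line answering the key prompt, and the resulting `/etc/krb5.keytab.new` compared with `klist -k` before it replaces the original.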