On 08/26/2015 10:00 AM, l@avc.su wrote:
Hi all. I've enrolled a Linux machine into the domain using this tutorial: http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux machine or a Windows machine. But I can't log in using a password anymore. Although I can obtain user info, can request a TGT, and operate on this server normally, I can't log in to it with a password. I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir --update', so all auth should be done in SSSD. I haven't configured winbind with sssd. I've managed to work around it by adding this line to /etc/pam.d/system-auth: auth sufficient pam_krb5.so
But this seems like the wrong way to do it. A very wrong and dirty way. Or maybe I'm wrong? I want to use SSSD as a service for id and auth, with AD as the backend.
Here's what debug4 says:
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local] (service pings)
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local'
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [hostname$@domain.LOCAL]
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: hostname$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [7973] finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: ssh-username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for user [ssh-username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local'
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [ssh-username@DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_704417315_9XJZwx] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[7974]]]] [check_use_fast] (0x0100): Not using FAST.
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
This seems to be a problem. Because it leads to access denied, this is why you can't log in. The PAC responder process is either not running, or SELinux blocks the socket, or something along those lines. Monitor logs should show if it exists. Cores will be there if it crashes. What distro is it? What version? Do you see any AVCs if you are using SELinux?
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
[[sssd[krb5_child[7974]]]] [get_and_save_tgt] (0x0020): 1029: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[7974]]]] [map_krb5_error] (0x0020): 1069: [1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[be[ssh-username.local]]] [child_sig_handler] (0x0100): child [7974] finished successfully.
Here's sssd.conf:
[domain/domain.local]
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
case_sensitive = false
cache_credentials = false
krb5_auth_timeout = 30
ad_domain = domain.local
ad_hostname = hostname.domain.local
ad_server = ad.domain.local, _srv_, ad2.domain.local
ad_backup_server = 192.168.0.13
ad_gpo_access_control = disabled
ldap_user_ssh_public_key = altSecurityIdentities

[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh
config_file_version = 2

[nss]
filter_users = root
filter_groups = root
default_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 2

[pam]
debug_level = 2
offline_credentials_expiration = 7 # days
offline_failed_login_attempts = 6
offline_failed_login_delay = 5 # minutes
pam_pwd_expiration_warning = 5

[ssh]
debug_level=2
Here's nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Here's krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DOMAIN.LOCAL = {
# using dns lookup, nothing to write here
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
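Added example (not code from the thread or from the SSSD project): a small bash triage for the failure pattern quoted above. The trace shows krb5_child logging "Cannot open the PAC responder socket" with validate [true], then create_ccache failing with [13][Permission denied] on FILE:/tmp/krb5cc_704417315_XXXXXX, and the quoted sssd.conf has services = nss,pam,ssh with no pac responder listed. The script checks an sssd.conf for the pac service, flags those log signatures and names the cache path that could not be written, and tests whether the pac socket exists. The log lines and config fragment below are constructed from the thread's quoted text; /var/lib/sss/pipes/pac is SSSD's default pipe location and is only a default parameter, and the ausearch command is suggested in the output, not executed.

```shell
#!/bin/bash
# Triage helpers for the krb5_child failure quoted in the thread above.
# Added example, not code from the thread or the SSSD project. The sample
# log and sssd.conf written by write_samples are constructed from the
# quoted text; the pac socket path is SSSD's default pipe location and is
# a parameter so the check can be pointed at a test directory.

# Does the [sssd] section's services list contain the given responder?
# usage: sssd_has_service /etc/sssd/sssd.conf pac   (exit 0 if present)
sssd_has_service() {
    local conf=$1 svc=$2
    awk -v svc="$svc" '
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == svc) found = 1
        }
        END { exit found ? 0 : 1 }' "$conf"
}

# Is the pac responder socket present? Default is the SSSD pipe directory.
pac_socket_present() {
    [ -S "${1:-/var/lib/sss/pipes/pac}" ]
}

# Scan a krb5_child debug log and print one finding per failure signature.
# usage: krb5_child_triage /var/log/sssd/sssd_domain.local.log
krb5_child_triage() {
    local log=$1 cc
    if grep -q 'Cannot open the PAC responder socket' "$log"; then
        echo "PAC: krb5_child could not connect to the pac responder; check that 'pac' is listed in [sssd] services and that the pac socket exists"
    fi
    if grep -q 'validate \[true\]' "$log" && grep -q 'sss_send_pac failed' "$log"; then
        echo "VALIDATE: TGT validation is on (krb5_validate) but the PAC was not delivered; group membership may be incomplete until the pac responder is reachable"
    fi
    if grep -q 'create_ccache.*Permission denied' "$log"; then
        # the first " ccname: [...]" field names the cache krb5_child tried to write
        cc=$(sed -n 's/.* ccname: \[\([^]]*\)\].*/\1/p' "$log" | head -n 1)
        echo "CCACHE: writing ${cc:-the credential cache} failed with EACCES; check the directory mode and look for AVCs with: ausearch -m avc -c krb5_child"
    fi
}

# Constructed sample inputs modelled on the thread (not real captures).
write_samples() {
    local dir=$1
    cat > "$dir/sssd.conf" <<'EOF'
[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh
config_file_version = 2

[pam]
debug_level = 2
EOF
    cat > "$dir/sssd_domain.log" <<'EOF'
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [ssh-username@DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_704417315_9XJZwx] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if ! sssd_has_service "$demo_dir/sssd.conf" pac; then
    echo "CONF: [sssd] services does not list 'pac'"
fi
krb5_child_triage "$demo_dir/sssd_domain.log"
rm -rf "$demo_dir"
```

Against a real host, run it as root with the live paths: sssd_has_service /etc/sssd/sssd.conf pac, krb5_child_triage /var/log/sssd/sssd_domain.local.log and pac_socket_present with no argument. A missing pac entry points at the config; a socket that is present together with EACCES on the ccache points at the cache directory's mode or an SELinux denial instead, which is where the ausearch query comes in.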