On Fri, Nov 07, 2014 at 08:44:07AM +0100, crony wrote:
Hi Sumit, I'm starting sshd by "service sshd restart" every time. You can find below logs from "tail -f /var/log/secure /var/log/audit/audit.log" from the moment of trying log in from AD Windows Station with SELinux=1
[root@client1 ~]# tail -f /var/log/secure /var/log/audit/audit.log
==> /var/log/secure <==
Nov 7 08:14:08 client1 sshd[19874]: debug1: session_input_channel_req: session 0 req shell
Nov 7 08:14:08 client1 sshd[19875]: debug1: Setting controlling tty using TIOCSCTTY.
Nov 7 08:14:12 client1 su: pam_unix(su-l:session): session opened for user root by leszek(uid=507)
Nov 7 08:14:59 client1 sshd[17287]: debug1: Got 100/242 for keepalive
Nov 7 08:19:59 client1 sshd[17287]: debug1: Got 100/243 for keepalive
Nov 7 08:21:27 client1 sshd[17876]: Received signal 15; terminating.
Nov 7 08:21:27 client1 sshd[19980]: Set /proc/self/oom_score_adj from 0 to -1000
Nov 7 08:21:27 client1 sshd[19980]: debug1: Bind to port 22 on 0.0.0.0.
Nov 7 08:21:27 client1 sshd[19980]: Server listening on 0.0.0.0 port 22.
Nov 7 08:21:27 client1 sshd[19980]: socket: Address family not supported by protocol

==> /var/log/audit/audit.log <==
type=PATH msg=audit(1415344887.668:20203): item=0 name="/var/lock/subsys/" inode=8204 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT
type=PATH msg=audit(1415344887.668:20203): item=1 name="/var/lock/subsys/sshd" inode=51 dev=fd:03 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0 nametype=DELETE
type=AVC msg=audit(1415344887.708:20204): avc: denied { read } for pid=19977 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
Have you checked if there is an update for the SELinux policy package? If I run the AVC through audit2allow in Fedora 20 I get:

#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t var_t:lnk_file read;
I have GSSApiAuthentication yes in the sshd_config.
Klist from the Windows machine showing no entries from sssd linux client machine.
To eliminate problem with Windows, I created another test: trying to log in by GSSAPI from sssd client client1 to the same client client1.
[leszek@client1 ~]$ ssh client1.acme.example.com -l user1
Password:
Last login: Thu Nov 6 17:17:57 2014
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_vot8Ut
Default principal: USER1@ACME.EXAMPLE.COM

Valid starting     Expires            Service principal
11/07/14 08:34:42  11/07/14 18:34:42  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/14/14 08:34:42
and another "local" connection by GSSAPI:
-sh-4.1$ ssh client1.acme.example.com -l user1 -k -vv gives me this:
debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
So the problem is within client1.
I assume that on the Windows side there are still only service principals with HOST/ instead of host/. Although Windows is typically case-insensitive when it comes to Kerberos, there still might be a mismatch. Can you try to re-join with adcli and use the option '--service-name=host/client1.acme.example.com@ACME.EXAMPLE.COM'
HTH
bye, Sumit
/lm
2014-11-06 21:39 GMT+01:00 Sumit Bose sbose@redhat.com:
On Thu, Nov 06, 2014 at 02:52:19PM +0100, crony wrote:
Thank you Sumit. Right now I see:
Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
Did you, by chance, start sshd directly for debugging purposes and not via 'service sshd start'? In this case sshd will not run with the right SELinux context. Can you send the full AVC message?
SELinux policy blocks it.
Have you seen that before?
After changing the policy to permissive mode, the failure from logs is gone, but I still can't log in by GSSAPI from Windows Station to client1 station:

Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available
Have you set
GSSAPIAuthentication yes
in /etc/ssh/sshd_config?
Can you check on the Windows side if you got a Kerberos service ticket for the client running sssd by calling 'klist' in the Windows cmd shell?
bye, Sumit
2014-11-06 11:33 GMT+01:00 Sumit Bose sbose@redhat.com:
On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
Hi Sumit, I see this message:
Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Kerberos in general is case sensitive. sshd is looking for host/... while the keytab only has HOST/.... The entries are created by adcli so maybe if you join with a newer version of adcli this will get fixed automatically.
As an alternative you can use ktutil to add the needed entries. Make a copy of /etc/krb5.keytab before you start ktutil. Then you can use

rkt /etc/krb5.keytab

to load the keytab.

list -e -k -t

will show you the keys with all needed detail. With

addent -key -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96

you can start adding new entries. Please repeat this with all enc types listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM . ktutil will ask you for a key in hex, please copy the one shown by 'list -e -k -t' from above.

If all is done you can write out the keytab with

wkt /etc/krb5.keytab.new

And then exchange the new one with the old one. Iirc ktutil always appends entries to existing files, so writing directly to /etc/krb5.keytab will blow up the file with duplicated entries.
HTH
bye, Sumit
during every ssh connection with "-k" argument.
# klist -k
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM

After log in with password I see:

user1@client1.acme.example.com's password:
Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Default principal: user1@ACME.EXAMPLE.COM

Valid starting     Expires            Service principal
11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/13/14 09:57:13
Any idea?
/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
Hi All,

I have a properly functioning integration between RHEL 6.6/CentOS 6.6 and Active Directory 2008 using the adcli tool and sssd-ad (http://jhrozek.livejournal.com/3581.html):

# adcli join acme.example.com -U userdomain

# adcli info acme.example.com
[domain]
domain-name = acme.example.com
domain-short = ACME
domain-forest = example.com
domain-controller = dom1.acme.example.com
domain-controller-site = CENTRAL
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = dom1.acme.example.com dom2.acme.example.com
[computer]
computer-site = CENTRAL

The sssd.conf:

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ACME.EXAMPLE.COM
debug_level = 7

[domain/ACME.EXAMPLE.COM]
krb5_use_enterprise_principal = false
krb5_realm = ACME.EXAMPLE.COM
ldap_force_upper_case_realm = true
ldap_account_expire_policy = ad
override_homedir = /home/%d/%u
ldap_id_mapping = true
subdomain_enumerate = true
ldap_schema = ad
ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
ad_enable_gc = false
ldap_access_order = filter, expire
enumerate = false
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = ad
chpass_provider = ad
ad_server = dom1.acme.example.com, dom2.acme.example.com
ad_domain = acme.example.com
ad_hostname = client1.acme.example.com
ad_enable_dns_sites = false
dyndns_update = false
debug_level = 7

/etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = acme.example.com
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = true
ignore_acceptor_hostname = true

[realms]
acme.example.com = {
kdc = acme.example.com
admin_server = acme.example.com
}

[domain_realm]
.acme.example.com = acme.example.com
acme.example.com = acme.example.com
.example.com = acme.example.com
example.com = acme.example.com

[appdefaults]
debug = true

I can log in with user/password from AD to RHEL/CentOS, I can change the password, lock the account from AD, etc. It all works.

The problem is within GSSAPI SSH-SSO Authentication. Simply, it doesn't work. I see in logs:

Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Do you see this message when sshd is starting up or during the connection of a client?
What principal are shown by 'klist -k' ?
bye, Sumit
Any idea what could be the reason? All I want to achieve is to get SSH-SSO working, directly from AD desktop machine to Linux systems without password prompt.

/lm

sssd-users mailing list
sssd-users at lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Regards,
Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
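The keytab case mismatch that runs through this thread (sshd wants host/client1.acme.example.com@ACME.EXAMPLE.COM, adcli only wrote HOST/...) can be checked mechanically before anyone touches the keytab, and the ktutil procedure Sumit describes can be drafted from the same listing. The following is an added example, not code from the thread or from adcli/sssd; it assumes the MIT Kerberos format of ktutil's 'list -e -k -t' output, and the sample listing is constructed to mirror the keytab posted above (keys are fake):

```python
"""Check a keytab listing for a case-only principal mismatch and draft the
ktutil steps that copy HOST/<fqdn> entries to host/<fqdn>.

Added example, not from the sssd-users thread. Assumes MIT ktutil's
'list -e -k -t' layout: slot, kvno, timestamp, principal, (enctype), (0xkey).
"""
import re

# Constructed sample of 'ktutil: list -e -k -t' for the joined host.
# Keys are shortened placeholders, not real key material.
SAMPLE_LISTING = """\
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------
   1    2 11/04/14 16:36:00 CLIENT1$@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00aa)
   2    2 11/04/14 16:36:00 HOST/CLIENT1@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00aa)
   3    2 11/04/14 16:36:00 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00aa)
   4    2 11/04/14 16:36:00 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96)  (0x00bb)
   5    2 11/04/14 16:36:00 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (arcfour-hmac)  (0x00cc)
   6    2 11/04/14 16:36:00 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x00aa)
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<slot>\d+)\s+(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+)"
    r"\s+\((?P<etype>[^)]+)\)\s+\((?P<key>0x[0-9a-fA-F]+)\)\s*$")


def parse_listing(text):
    """Return one dict per keytab entry (slot, kvno, ts, princ, etype, key)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            d = m.groupdict()
            d["slot"], d["kvno"] = int(d["slot"]), int(d["kvno"])
            entries.append(d)
    return entries


def has_exact(entries, principal):
    """Kerberos principal names are case-sensitive; only an exact match counts."""
    return any(e["princ"] == principal for e in entries)


def case_variants(entries, principal):
    """Entries that differ from `principal` only by case: present, but unusable by sshd."""
    return [e for e in entries
            if e["princ"] != principal and e["princ"].lower() == principal.lower()]


def ktutil_plan(entries, fqdn, realm):
    """Draft the ktutil session from the thread: one addent per enctype of HOST/fqdn.

    addent -key prompts for the key in hex; paste the key shown for the
    matching HOST/ slot. Writes to a new file because ktutil appends.
    """
    wanted = f"host/{fqdn}@{realm}"
    if has_exact(entries, wanted):
        return []  # nothing to do, sshd will find its key
    upper = f"HOST/{fqdn}@{realm}"
    cmds = ["rkt /etc/krb5.keytab"]
    for e in entries:
        if e["princ"] == upper:
            cmds.append(f"addent -key -p {wanted} -k {e['kvno']} -e {e['etype']}")
    cmds.append("wkt /etc/krb5.keytab.new")
    return cmds


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    target = "host/client1.acme.example.com@ACME.EXAMPLE.COM"
    print("exact entry present:", has_exact(ents, target))
    for v in case_variants(ents, target):
        print(f"case-only variant in slot {v['slot']}: {v['princ']} ({v['etype']})")
    print("\n".join(ktutil_plan(ents, "client1.acme.example.com", "ACME.EXAMPLE.COM")))
```

On a real host, feed it the output of `ktutil` after `rkt /etc/krb5.keytab` and `list -e -k -t`; an empty plan means the lowercase host/ entry already exists and the GSS failure has another cause.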
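The SELinux side of the thread has two separate questions: what rule audit2allow would derive from the AVC, and whether sshd is even running in the confined sshd_t domain (Sumit's point that an sshd started by hand instead of via 'service sshd start' gets the wrong context). Both can be answered from the audit.log records without guessing. This is an added example, not code from the thread; the first sample record is the AVC posted above, the third is constructed to show a daemon in the wrong domain and is not a real policy denial:

```python
"""Parse SELinux AVC records, derive the audit2allow-style rule, and flag
processes that are not running in the domain you expect.

Added example, not from the sssd-users thread. Only type=AVC records are
parsed; other audit record types are skipped.
"""
import re

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT = [
    # AVC from the thread (the one audit2allow reported as already allowed):
    'type=AVC msg=audit(1415344887.708:20204): avc: denied { read } for pid=19977 comm="sshd" '
    'name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file',
    # PATH record from the thread; not an AVC, must be ignored:
    'type=PATH msg=audit(1415344887.668:20203): item=0 name="/var/lock/subsys/" inode=8204',
    # Constructed: an sshd started from a shell, so it inherited unconfined_t.
    'type=AVC msg=audit(1415344900.100:20210): avc: denied { write } for pid=20011 comm="sshd" '
    'name="host_0" dev=dm-3 ino=4321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file',
]


def split_context(ctx):
    """user:role:type[:level] -> dict; the level may itself contain colons."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else ""}


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "serial": int(m["serial"]),
           "verdict": m["verdict"], "perms": m["perms"].split()}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    rec["source"] = split_context(rec["scontext"])
    rec["target"] = split_context(rec["tcontext"])
    return rec


def parse_audit_log(lines):
    return [r for r in (parse_avc(line) for line in lines) if r]


def to_allow_rule(rec):
    """The rule audit2allow would print for this record (single or braced perms)."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return f"allow {rec['source']['type']} {rec['target']['type']}:{rec['tclass']} {perms};"


def misplaced_daemons(records, comm, expected_type):
    """PIDs of `comm` whose source domain is not the confined type it should run in."""
    return sorted({r["pid"] for r in records
                   if r.get("comm") == comm and r["source"]["type"] != expected_type})


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for r in recs:
        print(f"{r['serial']}: {to_allow_rule(r)}")
    print("sshd pids outside sshd_t:", misplaced_daemons(recs, "sshd", "sshd_t"))
```

A rule that audit2allow marks as already allowed (as in the thread) points at a stale policy package rather than a missing rule, and a non-empty result from misplaced_daemons() says the fix is to restart the daemon through the service script, not to write a local policy module.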