Hi Sumit, I see this message:
Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
during every ssh connection with "-k" argument.
# klist -k
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
After logging in with a password I see:
user1@client1.acme.example.com's password:
Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Default principal: user1@ACME.EXAMPLE.COM

Valid starting     Expires            Service principal
11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/13/14 09:57:13
Any idea?
/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> Hi All,
> I have a properly functioning integration between RHEL6.6/CentOS6.6 and
> Active Directory 2008 using adcli tool and sssd-ad (
> http://jhrozek.livejournal.com/3581.html):
>
> # adcli join acme.example.com -U userdomain
> # adcli info acme.example.com
> [domain]
> domain-name = acme.example.com
> domain-short = ACME
> domain-forest = example.com
> domain-controller = dom1.acme.example.com
> domain-controller-site = CENTRAL
> domain-controller-flags = gc ldap ds kdc timeserv closest writable
> full-secret ads-web
> domain-controller-usable = yes
> domain-controllers = dom1.acme.example.com dom2.acme.example.com
> [computer]
> computer-site = CENTRAL
>
> The sssd.conf :
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = ACME.EXAMPLE.COM
> debug_level = 7
>
> [domain/ACME.EXAMPLE.COM]
> krb5_use_enterprise_principal = false
> krb5_realm = ACME.EXAMPLE.COM
> ldap_force_upper_case_realm = true
> ldap_account_expire_policy = ad
> override_homedir = /home/%d/%u
> ldap_id_mapping = true
> subdomain_enumerate = true
> ldap_schema = ad
> ad_access_filter =
> memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> ad_enable_gc = false
> ldap_access_order = filter, expire
> enumerate = false
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> subdomains_provider = ad
> chpass_provider = ad
> ad_server = dom1.acme.example.com, dom2.acme.example.com
> ad_domain = acme.example.com
> ad_hostname = client1.acme.example.com
> ad_enable_dns_sites = false
> dyndns_update = false
> debug_level = 7
>
>
> /etc/krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = acme.example.com
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = true
> ignore_acceptor_hostname = true
>
> [realms]
> acme.example.com = {
> kdc = acme.example.com
> admin_server = acme.example.com
> }
>
> [domain_realm]
> .acme.example.com = acme.example.com
> acme.example.com = acme.example.com
> .example.com = acme.example.com
> example.com = acme.example.com
>
> [appdefaults]
> debug = true
>
>
>
> I can log in with user/password from AD to RHEL/CentOS, I can change the
> password, lock the account from AD, etc. It all works.
>
>
> The problem is within GSSAPI SSH-SSO Authentication. Simple, it doesn't
> work. I see in logs:
>
> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.
> Minor code may provide more information\nNo key table entry found matching
> host/client1.acme.example.com@\n

Do you see this message when sshd is starting up or during the connection of a client?

What principals are shown by 'klist -k' ?

bye,
Sumit

> Any idea what could be the reason? All I want to achieve is to get SSH-SSO
> working, directly from AD desktop machine to Linux systems without password
> prompt.
>
>
> /lm
>
> sssd-users mailing list
> sssd-users at lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
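A small diagnostic, added here as an example and not something posted in the thread, that applies the matching rule sshd's GSSAPI acceptor relies on when it looks for its key: MIT Kerberos compares principal components case-sensitively, and the empty realm in the logged name `host/client1.acme.example.com@` means any realm is acceptable. It reads `klist -k` output together with the sshd message and reports whether the key is wholly absent or whether a keytab entry differs only in case, such as `HOST/` versus `host/`. The keytab listing and log line embedded in the script are constructed to mirror the thread's output, not copied from it; all function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `klist -k` output, modelled on the keytab listing in
# the thread (one KVNO column, one principal per line; duplicates per enctype
# are collapsed here). Not the poster's verbatim output.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
"""

# Constructed sshd log line in the same shape as the one quoted in the thread.
# sshd writes the GSS minor status with a literal backslash-n inside the message.
SAMPLE_SSHD_LOG = (
    "Nov  6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. "
    "Minor code may provide more information\\nNo key table entry found "
    "matching host/client1.acme.example.com@\\n"
)


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # e.g. ("host", "client1.acme.example.com")
    realm: str                   # "" means "any realm"


def parse_principal(text: str) -> Principal:
    """Split 'svc/inst@REALM' (or 'name@REALM') into components and realm."""
    name, _, realm = text.partition("@")
    return Principal(tuple(name.split("/")), realm)


def fmt(p: Principal) -> str:
    return "/".join(p.components) + "@" + p.realm


KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S*)\s*$")


def parse_klist_k(output: str) -> List[Principal]:
    """Extract the principal column from `klist -k` output, skipping the header."""
    found = []
    for line in output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            found.append(parse_principal(m.group(2)))
    return found


MISSING_ENTRY = re.compile(r"No key table entry found matching (\S+)")


def wanted_acceptor(log_line: str) -> Optional[Principal]:
    """Pull the principal sshd failed to find out of its GSS error message."""
    m = MISSING_ENTRY.search(log_line)
    if not m:
        return None
    raw = m.group(1)
    if raw.endswith("\\n"):  # drop the literal trailing backslash-n
        raw = raw[:-2]
    return parse_principal(raw)


def matches(want: Principal, have: Principal, *, case_sensitive: bool = True) -> bool:
    """Keytab lookup rule: components must match (case-sensitively in Kerberos);
    an empty realm on the wanted name matches any realm."""
    if len(want.components) != len(have.components):
        return False
    norm = (lambda s: s) if case_sensitive else str.lower
    if any(norm(a) != norm(b) for a, b in zip(want.components, have.components)):
        return False
    return want.realm == "" or norm(want.realm) == norm(have.realm)


def diagnose(klist_output: str, log_line: str) -> str:
    """Classify the sshd failure against the keytab: ok, case-mismatch or missing."""
    want = wanted_acceptor(log_line)
    if want is None:
        return "no 'No key table entry found' message in log line"
    keytab = parse_klist_k(klist_output)
    if any(matches(want, p) for p in keytab):
        return "ok"
    near = sorted({fmt(p) for p in keytab if matches(want, p, case_sensitive=False)})
    if near:
        return "case-mismatch: wanted %s, keytab has %s" % (fmt(want), ", ".join(near))
    return "missing: no keytab entry resembles " + fmt(want)


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST_K, SAMPLE_SSHD_LOG))
```

Against the constructed sample this reports a case mismatch between the wanted `host/client1.acme.example.com@` and the keytab's `HOST/client1.acme.example.com@ACME.EXAMPLE.COM`; on a real host, feed it the output of `klist -k` and the matching line from the sshd log. A "case-mismatch" result means the keytab holds keys for the machine, but none under a service component spelled exactly the way the acceptor asks for it, so GSSAPI authentication fails and clients fall back to password prompts as the thread describes.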