Thank you Sumit. Right now I see:

  Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n

SELinux policy blocks it.
Have you seen that before?

-- After changing the policy to permissive mode, the failure from the logs is gone, but I still can't log in by GSSAPI from the Windows station to the client1 station:

  Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available
2014-11-06 11:33 GMT+01:00 Sumit Bose sbose@redhat.com:
On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
Hi Sumit, I see this message:

  Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Kerberos in general is case sensitive. sshd is looking for host/... while the keytab only has HOST/.... The entries are created by adcli, so maybe if you join with a newer version of adcli this will get fixed automatically.

As an alternative you can use ktutil to add the needed entries. Make a copy of /etc/krb5.keytab before you start ktutil. Then you can use

  rkt /etc/krb5.keytab

to load the keytab.

  list -e -k -t

will show you the keys with all needed detail. With

  addent -key -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96

you can start adding new entries. Please repeat this with all enc types listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM . ktutil will ask you for a key in hex, please copy the one shown by 'list -e -k -t' from above.

If all is done you can write out the keytab with

  wkt /etc/krb5.keytab.new

and then exchange the new one with the old one. Iirc ktutil always appends entries to existing files, so writing directly to /etc/krb5.keytab will blow up the file with duplicated entries.

HTH

bye, Sumit
During every ssh connection with the "-k" argument.

  # klist -k
  KVNO Principal
  ---- ------------------------------------------------------------
     2 CLIENT1$@ACME.EXAMPLE.COM
     2 CLIENT1$@ACME.EXAMPLE.COM
     2 CLIENT1$@ACME.EXAMPLE.COM
     2 CLIENT1$@ACME.EXAMPLE.COM
     2 CLIENT1$@ACME.EXAMPLE.COM
     2 CLIENT1$@ACME.EXAMPLE.COM
     2 HOST/CLIENT1@ACME.EXAMPLE.COM
     2 HOST/CLIENT1@ACME.EXAMPLE.COM
     2 HOST/CLIENT1@ACME.EXAMPLE.COM
     2 HOST/CLIENT1@ACME.EXAMPLE.COM
     2 HOST/CLIENT1@ACME.EXAMPLE.COM
     2 HOST/CLIENT1@ACME.EXAMPLE.COM
     2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
     2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
     2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
     2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
     2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
     2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
     2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM

After logging in with a password I see:

  user1@client1.acme.example.com's password:
  Last login: Thu Nov  6 09:51:49 2014 from
  -sh-4.1$ klist
  Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
  Default principal: user1@ACME.EXAMPLE.COM

  Valid starting     Expires            Service principal
  11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
          renew until 11/13/14 09:57:13

Any idea?

/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> Hi All,
>
> I have a properly functioning integration between RHEL6.6/CentOS6.6 and
> Active Directory 2008 using adcli tool and sssd-ad
> (http://jhrozek.livejournal.com/3581.html):
>
> # adcli join acme.example.com -U userdomain
>
> # adcli info acme.example.com
> [domain]
> domain-name = acme.example.com
> domain-short = ACME
> domain-forest = example.com
> domain-controller = dom1.acme.example.com
> domain-controller-site = CENTRAL
> domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> domain-controller-usable = yes
> domain-controllers = dom1.acme.example.com dom2.acme.example.com
> [computer]
> computer-site = CENTRAL
>
> The sssd.conf :
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = ACME.EXAMPLE.COM
> debug_level = 7
>
> [domain/ACME.EXAMPLE.COM]
> krb5_use_enterprise_principal = false
> krb5_realm = ACME.EXAMPLE.COM
> ldap_force_upper_case_realm = true
> ldap_account_expire_policy = ad
> override_homedir = /home/%d/%u
> ldap_id_mapping = true
> subdomain_enumerate = true
> ldap_schema = ad
> ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> ad_enable_gc = false
> ldap_access_order = filter, expire
> enumerate = false
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> subdomains_provider = ad
> chpass_provider = ad
> ad_server = dom1.acme.example.com, dom2.acme.example.com
> ad_domain = acme.example.com
> ad_hostname = client1.acme.example.com
> ad_enable_dns_sites = false
> dyndns_update = false
> debug_level = 7
>
>
> /etc/krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = acme.example.com
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = true
> ignore_acceptor_hostname = true
>
> [realms]
> acme.example.com = {
> kdc = acme.example.com
> admin_server = acme.example.com
> }
>
> [domain_realm]
> .acme.example.com = acme.example.com
> acme.example.com = acme.example.com
> .example.com = acme.example.com
> example.com = acme.example.com
>
> [appdefaults]
> debug = true
>
>
> I can log in with user/password from AD to RHEL/Centos, I can change the
> password, lock the account from AD, etc. It all works.
>
> The problem is within GSSAPI SSH-SSO Authentication. Simple, it doesn't
> work. I see in logs:
>
> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Do you see this message when sshd is starting up or during the connection of a client?

What principals are shown by 'klist -k'?

bye, Sumit
> Any idea what could be the reason? All I want to achieve is to get SSH-SSO
> working, directly from AD desktop machine to Linux systems without password
> prompt.
>
> /lm
>
> sssd-users mailing list
> sssd-users at lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Regards,
Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
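A way to confirm the case mismatch Sumit diagnoses without eyeballing 'klist -k' output, added here as an example that is not part of the thread: it parses an MIT format 0x0502 keytab directly and reports which entries match the host/<fqdn>@REALM principal sshd asks for only case-insensitively, together with their kvno and enctypes (the ones that would need replicating with ktutil's addent). The keytab bytes are constructed inline with dummy zero keys to mirror this thread; on a real host you would pass the contents of /etc/krb5.keytab instead.

```python
import struct

def build_keytab(entries):  # (principal, kvno, enctype, key) tuples -> keytab bytes (constructed demo data)
    cstr = lambda s: struct.pack(">H", len(s.encode())) + s.encode()   # uint16 length-prefixed string
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + cstr(realm) + b"".join(map(cstr, name.split("/")))
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key   # 1 = KRB5_NT_PRINCIPAL
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) per 0x0502 entry: int32 size | uint16 ncomp | realm | comp[ncomp]
    | uint32 name_type | uint32 timestamp | uint8 kvno | uint16 enctype | uint16 keylen | key [| uint32 kvno32]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos = 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                                      # negative size marks a deleted entry (hole)
            ncomp = struct.unpack_from(">H", data, pos)[0]
            pos, strings = pos + 2, []                    # realm comes first, then the name components
            for _ in range(ncomp + 1):
                n = struct.unpack_from(">H", data, pos)[0]
                strings.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen
            if end - pos >= 4:                            # optional 32-bit kvno overrides the 8-bit one
                kvno = struct.unpack_from(">I", data, pos)[0]
            yield "/".join(strings[1:]) + "@" + strings[0], kvno, etype
        pos = end

def check_sshd_principal(data: bytes, fqdn: str, realm: str):
    """Return (enctypes present for sshd's host/<fqdn>@REALM, entries that match only case-insensitively)."""
    want = f"host/{fqdn}@{realm}"
    exact, case_only = [], []
    for princ, kvno, etype in parse_keytab(data):
        if princ == want:
            exact.append(etype)
        elif princ.lower() == want.lower():               # adcli's HOST/... vs the host/... sshd asks for
            case_only.append((princ, kvno, etype))
    return exact, case_only

DEMO = build_keytab([  # constructed keytab mirroring the thread: adcli wrote HOST/..., kvno 2, dummy zero keys
    ("HOST/client1.acme.example.com@ACME.EXAMPLE.COM", 2, 18, bytes(32)),   # 18 = aes256-cts-hmac-sha1-96
    ("HOST/client1.acme.example.com@ACME.EXAMPLE.COM", 2, 17, bytes(16)),   # 17 = aes128-cts-hmac-sha1-96
    ("RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM", 2, 18, bytes(32))])
```

Calling check_sshd_principal(DEMO, "client1.acme.example.com", "ACME.EXAMPLE.COM") returns no exact enctypes and two case-only HOST/ entries, which is exactly the state the "No key table entry found matching host/..." message describes; once host/ entries exist for every enctype of the HOST/ ones, the first list is non-empty.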