Hi all. I've enrolled a Linux machine into the domain using this tutorial: http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux machine or a Windows machine. But I can't log in using a password anymore. Although I can obtain user info, request a TGT, and operate on this server normally, I can't log in to it with a password. I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir --update', so all auth should be done in SSSD. I haven't configured winbind with sssd. I've managed to work around it by adding this line to /etc/pam.d/system-auth: auth sufficient pam_krb5.so
But this seems like the wrong way to do it. A very wrong and dirty way. Or maybe I'm wrong? I want to use SSSD as the service for id and auth, with AD as the backend.
Here's what debug4 says:
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
(service pings)
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local'
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [hostname$@domain.LOCAL]
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: hostname$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [7973] finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: ssh-username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for user [ssh-username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local'
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [ssh-username@DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_704417315_9XJZwx] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[7974]]]] [check_use_fast] (0x0100): Not using FAST.
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
[[sssd[krb5_child[7974]]]] [get_and_save_tgt] (0x0020): 1029: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[7974]]]] [map_krb5_error] (0x0020): 1069: [1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[be[ssh-username.local]]] [child_sig_handler] (0x0100): child [7974] finished successfully.
Here's sssd.conf:
[domain/domain.local]
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
case_sensitive = false
cache_credentials = false
krb5_auth_timeout = 30
ad_domain = domain.local
ad_hostname = hostname.domain.local
ad_server = ad.domain.local, _srv_, ad2.domain.local
ad_backup_server = 192.168.0.13
ad_gpo_access_control = disabled
ldap_user_ssh_public_key = altSecurityIdentities

[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh
config_file_version = 2

[nss]
filter_users = root
filter_groups = root
default_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 2

[pam]
debug_level = 2
offline_credentials_expiration = 7 # days
offline_failed_login_attempts = 6
offline_failed_login_delay = 5 # minutes
pam_pwd_expiration_warning = 5

[ssh]
debug_level=2
Here's nsswitch.conf:
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
Here's krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.LOCAL = {
  # using dns lookup, nothing to write here
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
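As an added example (not part of the original post, and not SSSD's own tooling), here is a small Python triage script for SSSD debug output in the format pasted above. It parses each line into component, function, debug-level mask and message, picks out the entries logged at SSSD's fatal, critical and serious levels, decodes the "NNN: [code][text]" form that krb5_child uses for its errors, and translates the numeric status that the backend hands back to the PAM responder ("Backend returned: (0, 4, <NULL>)") into its Linux-PAM name. The level names are the bits of SSSD's debug_level bitmask from sssd.conf(5) and the status names are Linux-PAM return codes; the sample input is a constructed subset of the log lines in this post.

```python
"""Triage helper for SSSD debug logs (added example; not from the original post).

Parses lines of the form
    [sssd[be[domain.local]]] [be_pam_handler] (0x0100): message
    [[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
and reports which child process failed and which PAM status the backend
returned to the PAM responder.
"""
import re

# Layout of one SSSD debug line: one or more '[', 'sssd[', a component that may
# carry its own bracketed argument (domain name or child PID), closing brackets,
# the function name, the debug-level mask and the message.
_LINE_RE = re.compile(
    r"^\[+sssd\[(?P<comp>.+?)\]+ \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Bits of SSSD's debug_level bitmask (sssd.conf(5)).
LEVEL_NAMES = {
    0x0010: "fatal",
    0x0020: "critical",
    0x0040: "serious",
    0x0080: "minor",
    0x0100: "config",
    0x0200: "function data",
    0x0400: "trace",
}
FAILURE_LEVELS = {0x0010, 0x0020, 0x0040}

# Linux-PAM return codes that SSSD's backend hands to the PAM responder.
PAM_STATUS = {
    0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 2: "PAM_SYMBOL_ERR", 3: "PAM_SERVICE_ERR",
    4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
    8: "PAM_CRED_INSUFFICIENT", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}
_BACKEND_RE = re.compile(r"Backend returned: \((?P<dp>\d+), (?P<pam>\d+), (?P<msg>[^)]*)\)")
# krb5_child failure messages look like "590: [13][Permission denied]":
# source line, errno or krb5 code, and its string form.
_KRB_ERR_RE = re.compile(r"^(?P<srcline>\d+): \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")


def parse_line(line):
    """Return a dict for one SSSD debug line, or None if it is not one."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    comp, _, arg = m.group("comp").partition("[")
    level = int(m.group("level"), 16)
    return {
        "component": comp,
        "arg": arg or None,      # domain name for 'be', PID for *_child
        "function": m.group("func"),
        "level": level,
        "level_name": LEVEL_NAMES.get(level, hex(level)),
        "message": m.group("msg"),
    }


def triage(lines):
    """Collect failure-level entries and the PAM status the backend returned."""
    failures, pam_status = [], None
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["level"] in FAILURE_LEVELS:
            err = _KRB_ERR_RE.match(entry["message"])
            entry["code"] = int(err.group("code")) if err else None
            entry["code_text"] = err.group("text") if err else None
            failures.append(entry)
        m = _BACKEND_RE.search(entry["message"])
        if m:
            pam_status = int(m.group("pam"))
    name = PAM_STATUS.get(pam_status, "unknown") if pam_status is not None else None
    return {"failures": failures, "pam_status": pam_status, "pam_status_name": name}


# Constructed sample: a subset of the lines from the post above.
SAMPLE_LOG = """\
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for user [ssh-username] not known.
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
[[sssd[krb5_child[7974]]]] [get_and_save_tgt] (0x0020): 1029: [1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for f in report["failures"]:
        print(f"{f['level_name']:9} {f['component']}[{f['arg']}] {f['function']}: {f['message']}")
    print("backend PAM status:", report["pam_status"], report["pam_status_name"])
```

Run over the post's log, the script isolates the two facts that matter for the symptom: krb5_child 7974 failed in create_ccache with errno 13 (EACCES) while writing the FILE: credential cache under /tmp, and the backend consequently returned status 4, PAM_SYSTEM_ERR, to the PAM responder, so pam_sss reports a system error rather than a wrong password. To use it on a live box, feed it /var/log/sssd/krb5_child.log and the domain log instead of SAMPLE_LOG.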