Dmitri Pal wrote 2015-08-27 01:25:
On 08/26/2015 01:13 PM, l@avc.su wrote:
Dmitri Pal wrote 2015-08-26 19:39:
On 08/26/2015 10:00 AM, l@avc.su wrote:
Hi all. I've enrolled a Linux machine into the domain using this tutorial: http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux machine or a Windows machine. But I can't log in using a password anymore. Although I can obtain user info, can request a TGT, and operate on this server normally, I can't log in to it with a pwd. I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir --update', so all auth should be done in SSSD. I haven't configured winbind with sssd. I've managed to work around it by adding this line to /etc/pam.d/system-auth: auth sufficient pam_krb5.so
But this seems like wrong way to do it. Very wrong and dirty way. Or maybe I'm wrong? I want to use SSSD as a service for id and auth, with AD as backend.
Here's what debug4 says: ... [[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
This seems to be a problem. Because it leads to access denied, this is why you can't log in. The PAC responder process is either not running or SELinux blocks the socket or something along those lines. Monitor logs should show whether it exists. ...
As I can see in man sssd.conf, PAC is a service, but I haven't enabled it in sssd.conf: [sssd] services = nss,pam,ssh
Should I set it, or PAC runs anyway?
I think it should be running anyways but this stretches the limits of my knowledge. Looking at the man pages it seems like it needs to be added explicitly. Please try adding it. I think the [pac] section needs to be added too later in the file even if it is empty.
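As an added illustration of the suggestion above (not code from the thread or from the SSSD project), the check below inspects an sssd.conf for the two things Dmitri asks for: `pac` in the `[sssd]` `services` list and a `[pac]` section, empty or not. The keys `services`, `domains`, `id_provider` and `config_file_version` are real sssd.conf(5) options; the domain name, the BEFORE/AFTER texts and the function names are constructed for the example, and `fix_config` assumes the `services` line is the one under `[sssd]`.

```python
import configparser
import re

# Constructed "before": the [sssd] services line quoted in the thread, with no PAC responder.
BEFORE = """\
[sssd]
config_file_version = 2
domains = domain.local
services = nss,pam,ssh

[domain/domain.local]
id_provider = ad
"""

# Constructed "after": pac added to services and an (empty) [pac] section at the end.
AFTER = """\
[sssd]
config_file_version = 2
domains = domain.local
services = nss,pam,ssh,pac

[domain/domain.local]
id_provider = ad

[pac]
"""


def pac_findings(text):
    """Return a list of what is missing for the PAC responder; empty list means both are present."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    raw = cp.get("sssd", "services", fallback="")
    services = [s.strip() for s in raw.split(",") if s.strip()]
    if "pac" not in services:
        findings.append("'pac' missing from [sssd] services")
    if not cp.has_section("pac"):
        findings.append("[pac] section missing")
    return findings


def fix_config(text):
    """Return the config text with pac appended to services and a [pac] section added (hypothetical helper)."""
    findings = pac_findings(text)
    if "'pac' missing from [sssd] services" in findings:
        # Assumes the first 'services =' line is the one in [sssd].
        text = re.sub(
            r"(?m)^(\s*services\s*=\s*)(.*?)\s*$",
            lambda m: m.group(1) + (m.group(2) + ",pac" if m.group(2) else "pac"),
            text,
            count=1,
        )
    if "[pac] section missing" in findings:
        text = text.rstrip("\n") + "\n\n[pac]\n"
    return text


if __name__ == "__main__":
    print("before:", pac_findings(BEFORE))
    print("after: ", pac_findings(AFTER))
    print(fix_config(BEFORE))
```

Run it against a copy of the real file (`pac_findings(open("/etc/sssd/sssd.conf").read())`) rather than editing in place; SSSD must be restarted for a changed `services` list to take effect.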
Thanks.
I've added PAC to the list of services, but still can't log in.
Here's the debug5 log:
[sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
[sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
[sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
[sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9196
[sssd[pam]] [pam_print_data] (0x0100): logon name: username
[sssd[be[domain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=username]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
[sssd[be[domain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc.domain.local: [192.168.0.10] TTL 1200
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc.domain.local: [192.168.0.10] TTL 1200
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc.domain.local'
[[sssd[ldap_child[9198]]]] [unpack_buffer] (0x0200): Will run as [0][0].
[[sssd[ldap_child[9198]]]] [become_user] (0x0200): Trying to become user [0][0].
[[sssd[ldap_child[9198]]]] [become_user] (0x0200): Already user [0].
[[sssd[ldap_child[9198]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host$@domain.LOCAL]
[[sssd[ldap_child[9198]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab] (service pings)
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [9198] finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'dc.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking server 'dc.domain.local' as 'working'
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [username@domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9196
[sssd[pam]] [pam_print_data] (0x0100): logon name: username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 9196
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for user [username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc.domain.local: [172.20.192.10] TTL 1200
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc.domain.local'
[[sssd[krb5_child[9199]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [username@OUTERNDOMAIN.COM]
[[sssd[krb5_child[9199]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[9199]]]] [check_use_fast] (0x0100): Not using FAST.
[sssd[pac]] [sss_cmd_get_version] (0x0200): Received client version [1].
[sssd[pac]] [sss_cmd_get_version] (0x0200): Offered version [1].
[[sssd[krb5_child[9199]]]] [become_user] (0x0200): Trying to become user [704417315][704400513].
[[sssd[krb5_child[9199]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[9199]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[9199]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [pac_lookup_sids_done] (0x0040): No domain found for SID [S-1-18-1].
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [pac_save_memberships_next] (0x0080): responder_get_domain_by_id failed, will try next group
[[sssd[krb5_child[9199]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
[[sssd[krb5_child[9199]]]] [get_and_save_tgt] (0x0020): 1029: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[9199]]]] [map_krb5_error] (0x0020): 1069: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[9199]]]] [k5c_send_data] (0x0200): Received error code 1432158209
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [9199] finished successfully.
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
[sssd[pam]] [pam_reply] (0x0200): blen: 28
[sssd[pac]] [client_recv] (0x0200): Client disconnected!
I can see that it can't resolve domain id S-1-18-1. I haven't found much about it -- only a couple of pages that describe the SID as a Win2012 security entity. Could this be an error:
[[sssd[krb5_child[9199]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [username@OUTERNDOMAIN.COM]
The UPN is from 'outerdomain'.
Or this?
[[sssd[krb5_child[9199]]]] [k5c_send_data] (0x0200): Received error code 1432158209
I've looked into the pam.d configs, but there's nothing suspicious. I can attach them as well.
Thank you.
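Reading a debug log like the one above is easier when the failure-level entries are pulled out of the function-data noise. The parser below is an added example, not part of this thread or of SSSD: it splits a log that has been run together on one line (as it appears in the quoted message) or given one entry per line, classifies each entry by the SSSD debug_level bit in parentheses (0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor, per sssd.conf(5)), and decodes the final `pam_reply` result with the Linux-PAM return codes. The sample entries are copied from the log quoted in the thread; the function names and the `FAILURE_MASK` constant are constructed for this example.

```python
import re

# SSSD debug_level bits (sssd.conf(5)); 0x0010..0x0080 are the failure levels.
LEVEL_NAMES = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
               0x0080: "minor", 0x0100: "config", 0x0200: "function data"}
FAILURE_MASK = 0x00F0  # constructed: any of the four failure bits set

# Linux-PAM return codes the pam responder reports in "pam_reply called with result [N]".
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# Constructed sample: entries copied from the debug log quoted in this thread.
SAMPLE_LOG = """\
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[sssd[pac]] [pac_lookup_sids_done] (0x0040): No domain found for SID [S-1-18-1].
[[sssd[krb5_child[9199]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
[[sssd[krb5_child[9199]]]] [get_and_save_tgt] (0x0020): 1029: [1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
"""

# One entry: "[sssd[pam]] [func] (0xNNNN): message" or "[[sssd[krb5_child[9199]]]] [func] (0xNNNN): message"
ENTRY = re.compile(
    r"^(?P<proc>\[+sssd\[.*?\]+)\s+\[(?P<func>[A-Za-z0-9_]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$",
    re.S,
)


def split_entries(text):
    """Split a log into entries whether they are newline-separated or run together on one line."""
    return [c for c in re.split(r"\s+(?=\[+sssd\[)", text.strip()) if c]


def parse(text):
    """Parse every entry into a dict with proc, func, level (int), level_name and msg."""
    entries = []
    for chunk in split_entries(text):
        m = ENTRY.match(chunk)
        if not m:
            continue  # not an SSSD entry (e.g. a line of e-mail prose); skip it
        proc = m.group("proc")
        depth = len(proc) - len(proc.lstrip("["))  # child processes are wrapped in an extra [ ]
        level = int(m.group("level"), 16)
        entries.append({
            "proc": proc[depth:-depth] if depth else proc,
            "func": m.group("func"),
            "level": level,
            "level_name": LEVEL_NAMES.get(level, "other"),
            "msg": m.group("msg").strip(),
        })
    return entries


def failures(text):
    """Only the entries logged at a failure level (fatal/critical/serious/minor)."""
    return [e for e in parse(text) if e["level"] & FAILURE_MASK]


def pam_result(text):
    """(code, name) from the last 'pam_reply called with result [N]' entry, or None."""
    result = None
    for e in parse(text):
        if e["func"] == "pam_reply":
            m = re.search(r"result \[(\d+)\]", e["msg"])
            if m:
                code = int(m.group(1))
                result = (code, PAM_CODES.get(code, "unknown"))
    return result


if __name__ == "__main__":
    for e in failures(SAMPLE_LOG):
        print(f"{e['level_name']:9} {e['proc']:28} {e['func']}: {e['msg']}")
    print("PAM result:", pam_result(SAMPLE_LOG))
```

On the quoted log this lists the PAC responder socket failure, the unresolved S-1-18-1 SID, and the `create_ccache` Permission denied error that precedes the 1432158209 error code, and reports the final PAM result 4 as PAM_SYSTEM_ERR; pointing `parse()` at `/var/log/sssd/sssd_domain.local.log` and the responder logs gives the same view of a live system.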