On Tue, Feb 28, 2017 at 02:31:08AM +0000, Gilbert, Sonia wrote:
Update:
Uninstalled and re-installed all realmd components. Performed a realm join to parent domain. Authentication to parent domain is restored but authentication to subdomain is still not working.
Even though sssd is trying to authenticate to the correct domain controller, it fails. I suspect it is because sssd does not know about the principal in the child domain and the keytab does not have entries for the child domain host.
What do I need to do to point sssd to the master kdc in child domain and authenticate users? Do we need to create a computer object for the server in child domain?
When you kinit to the child domain (a.abc.com) it fails with "Response was not from master KDC"; it does go to the secondary domain controller in the child domain.
The 'Response was not from master KDC' is just an info message, not an error message. Using a secondary domain controller is completely ok during authentication; additionally, AD does not use the 'master KDC' concept at all.
Since there is a trust relationship between parent and subdomain it is sufficient to have a keytab entry for only one domain. And as you can see during the kinit call the keytab isn't used at all. SSSD will use it after the TGT is received to validate the ticket but even here keys from one domain are sufficient.
See output of KRB5_TRACE=/dev/stdout below. Other configs and logs below:
- secure.log
- krb5.log
- Output of realm list
- Output of klist -k
- sssd.conf
- krb5.conf
- Output of pam.d system-auth
[root@server01 log]# KRB5_TRACE=/dev/stdout kinit -V username@a.abc.com
Using default cache: /tmp/krb5cc_0
Using principal: username@a.abc.com
[21234] 1488228264.116970: Getting initial credentials for username@a.abc.com
[21234] 1488228264.117539: Sending request (209 bytes) to a.abc.com
[21234] 1488228264.246215: Resolving hostname sdc01.a.abc.com.
[21234] 1488228264.313399: Sending initial UDP request to dgram x.x.166.251:88
[21234] 1488228264.383772: Received answer (219 bytes) from dgram x.x.166.251:88
[21234] 1488228264.448453: Response was not from master KDC
[21234] 1488228264.448519: Received error from KDC: -1765328359/Additional pre-authentication required
[21234] 1488228264.448584: Processing preauth types: 16, 15, 19, 2
[21234] 1488228264.448622: Selected etype info: etype aes256-cts, salt "a.abc.comusername", params ""
Password for username@a.abc.com:
[21234] 1488228274.851028: AS key obtained for encrypted timestamp: aes256-cts/D574
[21234] 1488228274.851105: Encrypted timestamp (for 1488228256.665529): plain 301AA011180F32303137303232373230343431365AA10502030A27B9, encrypted 6818747034DA70128C9E22CF1A56A1815E14509E91693BB286BB899BBAE65F321141405718086D119447EB82A34498D0E16EA8E2F5FF71CA
[21234] 1488228274.851138: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[21234] 1488228274.851170: Produced preauth for next request: 2
[21234] 1488228274.851208: Sending request (289 bytes) to a.abc.com
[21234] 1488228274.982261: Resolving hostname infsdcpci02.a.abc.com.
[21234] 1488228275.48986: Sending initial UDP request to dgram x.x.166.252:88
[21234] 1488228275.118201: Received answer (186 bytes) from dgram x.x.166.252:88
[21234] 1488228275.182721: Response was not from master KDC
[21234] 1488228275.182772: Received error from KDC: -1765328360/Preauthentication failed
[21234] 1488228275.182830: Preauth tryagain input types: 16, 15, 19, 2
[21234] 1488228275.182862: Retrying AS request with master KDC
[21234] 1488228275.182889: Getting initial credentials for username@a.abc.com
[21234] 1488228275.182963: Sending request (209 bytes) to a.abc.com (master)
kinit: Preauthentication failed while getting initial credentials
The most probable reason for a 'Preauthentication failed' error is a wrong password. Did you change the password for 'username@a.abc.com' recently? Maybe there are replication issues between the AD domain controllers and the password was not updated correctly on some controllers?
A different reason might be different times on the DCs and the client, but I would expect different error codes in this case.
bye, Sumit
#########################################################################
secure.log - because we are using authlite for two-factor authentication, system-auth points to the auth.py script (note that it uses the same script for parent domain and successfully authenticates using two factor)
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: Traceback (most recent call last):
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:   File "/usr/lib64/security/auth.py", line 163, in pam_sm_authenticate
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:     update_password(pamh)
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:   File "/usr/lib64/security/auth.py", line 152, in update_password
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:     pwd.getpwnam(domain + sep + res['OTP'])
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: KeyError: getpwnam(): name not found: a.abc.com \jufgkdildfnkjvceveehvtfnckjleingtneevlgugrdhngrccjuirirnhckltihb
Feb 27 17:45:34 server01 cw[30366]: pam_sss(conwrks:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=username@a.abc.com
Feb 27 17:45:34 server01 cw[30366]: pam_sss(conwrks:auth): received for user username@a.abc.com: 4 (System error)
#####################################################################################
krb5.log (in the krb5.log, sssd authenticates to the parent domain, "Attempting kinit for realm [ABC.COM]", and gets a "KDC policy rejects" error)
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x0400): krb5_child started.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x1000): total buffer size: [145]
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601461] gid [1915601461] validate [true] enterprise principal [true] offline [false] UPN [username@a.abc.com]
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x2000): No old ccache
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1915601461_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [become_user] (0x0200): Trying to become user [1915601461][1915601461].
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x2000): Running as [1915601461][1915601461].
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [k5c_setup] (0x2000): Running as [1915601461][1915601461].
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x0400): Will perform online auth
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [main] (0x0400): krb5_child completed successfully
[root@server01 etc]# realm list -all (shouldn't this output show both realms?)
abc.com
  type: kerberos
  realm-name: ABC.COM
  domain-name: abc.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: Remote Access Users@abc.com, Remote Access Users@a.abc.com
######################################################
[root@PHXRASPCI01 pam.d]# klist -k (keytab only has entries for parent domain)
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/server01.abc.com@ABC.COM
   2 host/server01.abc.com@ABC.COM
   2 host/server01.abc.com@ABC.COM
   2 host/server01.abc.com@ABC.COM
   2 host/server01.abc.com@ABC.COM
   2 host/server01@ABC.COM
   2 host/server01@ABC.COM
   2 host/server01@ABC.COM
   2 host/server01@ABC.COM
   2 host/server01@ABC.COM
   2 SERVER01$@ABC.COM
   2 SERVER01$@ABC.COM
   2 SERVER01$@ABC.COM
   2 SERVER01$@ABC.COM
   2 SERVER01$@ABC.COM
[root@SERVER01 pam.d]#
#############################################################
[root@server01 etc]# more /etc/sssd/sssd.conf
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam

[domain/abc.com]
ad_domain = abc.com
krb5_realm = ABC.COM
ad_server = dc01.abc.com,dc02.abc.com,_srv_
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
debug_level = 8
simple_allow_groups = TDI Remote Access Users@abc.com, TDI Remote Access Users@a.abc.com
########################################################
[root@server01 etc]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
# forwardable = true
 rdns = false
 default_realm = ABC.COM
# default_ccache_name = KEYRING:persistent:%{uid}
# kdc_timesync = 1

[realms]
 ABC.COM = {
  kdc = dc01.abc.com
  kdc = dc02.abc.com
  admin_server = dc01.abc.com
 }

[domain_realm]
 .abc.com = ABC.COM
 abc.com = ABC.COM
################################################## system-auth
[root@server01 pam.d]# more system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        optional      pam_python.so /usr/lib64/security/auth.py
auth        sufficient    pam_sss.so use_first_pass forward_pass
#auth       sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Sonia Gilbert, Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert@HawaiianAir.com
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
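Added example, not code from the thread or from SSSD/MIT krb5: a small Python helper that walks KRB5_TRACE output like the trace above, lists the KDCs contacted and separates the informational "Response was not from master KDC" note from the decisive error, mapping the numeric codes to their MIT krb5 names. The sample trace and its addresses are constructed to mirror the one in the thread.

```python
import re

# Standard MIT krb5 com_err codes for the errors that appear in the trace
# above, plus the clock-skew code; the hint is a defender's reading of each.
KRB5_CODES = {
    -1765328359: ("KRB5KDC_ERR_PREAUTH_REQUIRED", "normal step: KDC asks for preauth"),
    -1765328360: ("KRB5KDC_ERR_PREAUTH_FAILED", "usually a wrong password"),
    -1765328372: ("KRB5KDC_ERR_POLICY", "KDC policy rejects request"),
    -1765328347: ("KRB5KRB_AP_ERR_SKEW", "clock skew between client and KDC"),
}

TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
KDC_RE = re.compile(r"Sending initial (?:UDP|TCP) request to (?:dgram|stream) (\S+)")
ERR_RE = re.compile(r"Received error from KDC: (-\d+)/(.*)")

def summarize_trace(lines):
    """Reduce KRB5_TRACE output to the KDCs contacted and the decisive error."""
    out = {"kdcs": [], "non_master_notes": 0, "errors": [], "fatal": None}
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # shell prompt, password prompt or kinit's own stderr line
        msg = m.group(1)
        k = KDC_RE.search(msg)
        if k:
            out["kdcs"].append(k.group(1))
        if "Response was not from master KDC" in msg:
            out["non_master_notes"] += 1  # informational only, never a failure
        e = ERR_RE.search(msg)
        if e:
            code = int(e.group(1))
            name, hint = KRB5_CODES.get(code, ("UNKNOWN", e.group(2)))
            out["errors"].append((code, name))
            if name != "KRB5KDC_ERR_PREAUTH_REQUIRED":  # that one is expected
                out["fatal"] = (code, name, hint)
    return out

# Constructed sample modelled on the trace above (addresses are placeholders).
SAMPLE = """\
[21234] 1488228264.313399: Sending initial UDP request to dgram x.x.166.251:88
[21234] 1488228264.448453: Response was not from master KDC
[21234] 1488228264.448519: Received error from KDC: -1765328359/Additional pre-authentication required
Password for username@a.abc.com:
[21234] 1488228275.48986: Sending initial UDP request to dgram x.x.166.252:88
[21234] 1488228275.182721: Response was not from master KDC
[21234] 1488228275.182772: Received error from KDC: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials
""".splitlines()

if __name__ == "__main__":
    s = summarize_trace(SAMPLE)
    print("KDCs:", s["kdcs"], "| decisive error:", s["fatal"])
```

Feed it the real trace with `summarize_trace(open("trace.txt"))`; a fatal entry of KRB5KDC_ERR_PREAUTH_FAILED points at the password check, not at which DC answered.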