I have a problem with getting a krb-ticket when logging in to my CentOS 6.6 server. Any idea on how to troubleshoot?
After login with AD credentials:
[ola@galaxy ~]$ klist
klist: No credentials cache found while retrieving principal name
[ola@galaxy ~]$ sssd --version
1.11.6
Kerberos looks like it works, and the same config works on CentOS 7.1.
sssd -i -d9 log filtered with krb: http://pastebin.com/XywvGEmR
[ola@galaxy ~]$ kinit
Password for ola@ENSKEDE.LOCAL:
[ola@galaxy ~]$ klist
Ticket cache: KEYRING:persistent:11103
Default principal: ola@ENSKEDE.LOCAL

Valid starting     Expires            Service principal
04/14/15 19:11:12  04/15/15 05:11:15  krbtgt/ENSKEDE.LOCAL@ENSKEDE.LOCAL
        renew until 04/21/15 19:11:12
My sssd.conf:
[ola@galaxy ~]$ sudo cat /etc/sssd/sssd.conf
[sudo] password for ola:
[sssd]
domains = ENSKEDE.LOCAL
services = nss, pam, pac
config_file_version = 2

[domain/ENSKEDE.LOCAL]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
ldap_id_mapping = False
ldap_referrals = false
krb5_use_kdcinfo = false
krb5_store_password_if_offline = true
[ola@galaxy ~]$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ENSKEDE.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
Any idea on how to troubleshoot?
On Tue, Apr 14, 2015 at 07:14:11PM +0200, Ola Nystrom wrote:
This document might be a good start: https://fedorahosted.org/sssd/wiki/Troubleshooting along with describing how exactly you logged in (su from root would be expected to not yield any ccache)
I login via ssh to the server with SecureCRT and openssh from another server. No difference in the result.
On Tue, Apr 14, 2015 at 7:50 PM, Jakub Hrozek jhrozek@redhat.com wrote:
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
No reason more than troubleshooting last night. I should revert to the very basic setup I was starting with.
New sssd.conf:
[root@galaxy sssd]# cat /etc/sssd/sssd.conf
[sssd]
domains = ENSKEDE.LOCAL
services = nss, pam, pac
config_file_version = 2

[domain/ENSKEDE.LOCAL]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
ldap_id_mapping = False
enumerate=false
Same problem. New debug log (sssd -d9 -i 2>&1 | grep kb): http://pastebin.com/CWPiZkwP
On Tue, Apr 14, 2015 at 7:51 PM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Apr 14, 2015 at 07:14:11PM +0200, Ola Nystrom wrote:
ldap_referrals = false
referrals are already disabled by default with the ad provider btw
krb5_use_kdcinfo = false
Any particular reason to disable kdcinfo files?
krb5_store_password_if_offline = true
On (14/04/15 20:09), Ola Nystrom wrote:
Are you sure it is a log file from CentOS 6.6?
[sssd[be[ENSKEDE.LOCAL]]] [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:11103] for user [ola].
Because CentOS 6.6 does not have a KEYRING ccache. You need to use either DIR or FILE.
LS
On (14/04/15 19:14), Ola Nystrom wrote:
I will reply to this mail as well. It should work if you remove default_ccache_name from krb5.conf. CentOS 6.6 has an older version of krb5. KEYRING ccache can only work on CentOS 7.
LS
I was a bit unsure of the KEYRING support myself. But I have CentOS 6.6 and use KEYRING.
[ola@galaxy ~]$ kinit
Password for ola@ENSKEDE.LOCAL:
[ola@galaxy ~]$ klist
*Ticket cache: KEYRING:persistent:11103*
Default principal: ola@ENSKEDE.LOCAL

Valid starting     Expires            Service principal
04/14/15 22:27:09  04/15/15 08:27:13  krbtgt/ENSKEDE.LOCAL@ENSKEDE.LOCAL
        renew until 04/21/15 22:27:09
[ola@galaxy ~]$ cat /etc/redhat-release
CentOS release 6.6 (Final)
On Tue, Apr 14, 2015 at 10:08 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (14/04/15 22:27), Ola Nystrom wrote:
Interesting :-)
I thought the problem was with the keyring ccache due to the following lines in the log:
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:11103]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal ola@ENSKEDE.LOCAL in cache collection]
but there is also the line:
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:11103] for user [ola]
Do you have the environment variable KRB5CCNAME set?
Could you try to export KRB5CCNAME=KEYRING:persistent:11103 after login? It would help us to find out whether the ticket was created. Please check the time of creation.
LS
Sure, I have that environment variable defined.
[ola@galaxy ~]$ export | grep KRB5CCNAME
declare -x KRB5CCNAME="KEYRING:persistent:11103"
[ola@galaxy ~]$ klist
klist: No credentials cache found while retrieving principal name
[ola@galaxy ~]$ kinit
Password for ola@ENSKEDE.LOCAL:
[ola@galaxy ~]$ klist
Ticket cache: KEYRING:persistent:11103
Default principal: ola@ENSKEDE.LOCAL

Valid starting     Expires            Service principal
04/14/15 23:08:55  04/15/15 09:08:58  krbtgt/ENSKEDE.LOCAL@ENSKEDE.LOCAL
        renew until 04/21/15 23:08:55
[ola@galaxy ~]$ grep ola /etc/passwd
[ola@galaxy ~]$ getent passwd ola
ola:*:11103:11116:Ola Nystrom:/home/ola:/bin/bash
On Tue, Apr 14, 2015 at 11:02 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (14/04/15 23:09), Ola Nystrom wrote:
That's strange.
Could you test without "default_ccache_name" in krb5.conf? I'm curious whether it will work or not.
LS
Removed the line from krb5.conf and restarted sssd.
Still the same issue:
[ola@galaxy ~]$ klist
klist: No credentials cache found while retrieving principal name
[ola@galaxy ~]$ kinit
Password for ola@ENSKEDE.LOCAL:
[ola@galaxy ~]$ klist
Ticket cache: KEYRING:persistent:11103
Default principal: ola@ENSKEDE.LOCAL

Valid starting     Expires            Service principal
04/14/15 23:36:33  04/15/15 09:36:36  krbtgt/ENSKEDE.LOCAL@ENSKEDE.LOCAL
        renew until 04/21/15 23:36:33
[ola@galaxy ~]$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ENSKEDE.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
[ola@galaxy ~]$
On Tue, Apr 14, 2015 at 11:20 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On Tue, Apr 14, 2015 at 11:36:46PM +0200, Ola Nystrom wrote:
This is really strange. What I think Lukas was getting at was "try FILE" ccache.
Can you also remove the SSSD cache to start clean, I wonder if SSSD is trying to reuse the old ccache (yes, we should revive Simo's patches to stop saving ccache to sysdb unless really needed).
On (14/04/15 23:36), Ola Nystrom wrote:
Please try to find out in the sssd log file whether the ccache was created (FILE). You should see the full path to this ccache file in the log file. If the file with the ticket exists and is valid (test with exporting KRB5CCNAME), then we need to figure out why the environment variable KRB5CCNAME was not set after logging in.
BTW, how did you configure the pam stack? You might find some useful tips on the wiki: https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
On Wed, Apr 15, 2015 at 08:21:08AM +0200, Lukas Slebodnik wrote:
The cache should be cleared, otherwise the KEYRING ccname might be reused.
Ok, so I have to really remove all files. Not just use sss_cache as I do when I am lazy.
It works now.
[root@galaxy ~]# rm -f /var/lib/sss/mc/*
[root@galaxy ~]# rm -f /var/lib/sss/db/*
Then sssd uses the config.
sss_cache -E did not do the trick.
The question now is: if kerberos supports KEYRING and sssd supports KEYRING, why does it not work when sssd saved my ticket to the KEYRING on CentOS 6.6?
On Wed, Apr 15, 2015 at 8:51 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Wed, Apr 15, 2015 at 10:40:48AM +0200, Ola Nystrom wrote:
Ok, so I have to really remove all files. Not just use sss_cache as I do when I am lazy.
It works now.
[root@galaxy ~]# rm -f /var/lib/sss/mc/*
[root@galaxy ~]# rm -f /var/lib/sss/db/*
Then sssd uses the config.
sss_cache -E did not do the trick.
Yes, sss_cache doesn't remove any entries, just invalidates existing entries so that they are available should you go offline.
Good.
The question now is: if kerberos supports KEYRING and sssd supports KEYRING, why does it not work when sssd saved my ticket to the KEYRING on CentOS 6.6?
I'm not sure if the 6.6 support for KEYRING, especially on the kernel side and maybe on the libkrb5 side as well is complete. We only tested the feature on 7.0 and newer.
On Wed, 2015-04-15 at 11:18 +0200, Jakub Hrozek wrote:
6.6 does support the KEYRING ccache type, but it is not a Cache Collection enabled type. Most importantly, there is no user keyring available in that kernel, so the keyring is tied to the session creating it. Basically, as soon as it is created it will get orphaned and be visible only to SSSD.
Please do not use the KEYRING type with CentOS/RHEL 6; it won't work the way you expect.
Simo.
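The two checks this thread converges on, as an added shell example written by the editor and not code from any of the posters: flag a KEYRING default ccache on an EL6 host, and detect a ccname still held in sssd's sysdb after default_ccache_name was removed from krb5.conf (the reason sss_cache -E was not enough). The krb5.conf fragments, the log line and the release strings are constructed from the ones quoted above; the "EL7 and newer" threshold is taken from Simo's and Jakub's statements.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Encodes two findings above:
# a KEYRING default ccache is not usable on EL6, and a ccname sssd saved in its
# sysdb outlives a krb5.conf change until /var/lib/sss/db is cleared.
# All inputs are constructed; nothing here touches the live system.

# Print default_ccache_name from the [libdefaults] section, or nothing if unset.
krb5conf_default_ccache() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_lib && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }'
}

# Ccache type from a ccache name: "KEYRING:persistent:11103" -> KEYRING,
# "/tmp/krb5cc_11103" -> FILE. An empty name means libkrb5's built-in
# default, which is a FILE ccache (FILE:/tmp/krb5cc_<uid>).
ccache_type() {
    case "$1" in
        '')  echo FILE ;;
        *:*) echo "${1%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# Major EL release from /etc/redhat-release text: "CentOS release 6.6 (Final)" -> 6
el_major() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# Verdict on a ccache name for a given release string. Assumption (from the
# thread): KEYRING is a usable collection type only on EL7 and newer.
check_ccache_for_os() {
    type=$(ccache_type "$1")
    major=$(el_major "$2")
    case "$type" in
        KEYRING)
            if [ "${major:-0}" -ge 7 ]; then
                echo "ok: KEYRING ccache on EL$major"
            else
                echo "warn: KEYRING ccache on EL$major; use FILE or DIR"
            fi ;;
        FILE|DIR) echo "ok: $type ccache on EL$major" ;;
        *)        echo "warn: unknown ccache type '$type'" ;;
    esac
}

# Last ccname sssd recorded for a user in a -d9 log ("Save ccname [...] for user [...]").
sssd_saved_ccname() {
    printf '%s\n' "$1" \
      | sed -n "s/.*\[krb5_mod_ccname\].*Save ccname \[\([^]]*\)\] for user \[$2\].*/\1/p" \
      | tail -n 1
}

# Compare what sssd saved with what krb5.conf now yields. A type mismatch means
# the sysdb entry is stale: sss_cache -E only invalidates entries, it does not
# remove them, so the db and mc files have to go (as the thread did).
check_stale_ccname() {
    saved=$(ccache_type "$1")
    conf=$(ccache_type "$2")
    if [ -n "$1" ] && [ "$saved" != "$conf" ]; then
        echo "stale: sssd sysdb holds a $saved ccname but krb5.conf now yields $conf; stop sssd, remove /var/lib/sss/db/* and /var/lib/sss/mc/*, start sssd"
    else
        echo "consistent: $conf"
    fi
}

# Constructed inputs, modelled on the krb5.conf, log line and release strings quoted above.
KRB5_CONF_KEYRING='[libdefaults]
 default_realm = ENSKEDE.LOCAL
 dns_lookup_kdc = true
 default_ccache_name = KEYRING:persistent:%{uid}'
KRB5_CONF_FIXED='[libdefaults]
 default_realm = ENSKEDE.LOCAL
 dns_lookup_kdc = true'
SSSD_LOG='[sssd[be[ENSKEDE.LOCAL]]] [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:11103] for user [ola].'
EL6_RELEASE='CentOS release 6.6 (Final)'
EL7_RELEASE='CentOS Linux release 7.1.1503 (Core)'

main() {
    cc=$(krb5conf_default_ccache "$KRB5_CONF_KEYRING")
    check_ccache_for_os "$cc" "$EL6_RELEASE"   # warn: KEYRING on EL6
    check_ccache_for_os "$cc" "$EL7_RELEASE"   # ok on EL7
    # default_ccache_name removed, but the old KEYRING ccname is still in sysdb:
    check_stale_ccname "$(sssd_saved_ccname "$SSSD_LOG" ola)" \
                       "$(krb5conf_default_ccache "$KRB5_CONF_FIXED")"
}
main
```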
On (15/04/15 10:40), Ola Nystrom wrote:
I'm sure what kind of system you use. I was not able to kinit on el6.6 with an exported KEYRING ccache, and sssd returned a pam system error (I was not able to authenticate).

krb5_child.log
--------------
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:1239005441]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal lg-user1201-077648@SSSDAD.COM in cache collection]
[create_ccache] (0x4000): Initializing ccache of type [KEYRING]
[get_and_save_tgt] (0x0020): 1029: [-1765328187][Error writing to credentials cache]
[map_krb5_error] (0x0020): 1069: [-1765328187][Error writing to credentials cache]
[k5c_send_data] (0x0200): Received error code 1432158209
[pack_response_packet] (0x2000): response packet size: [20]

sssd_sssdad.com.log
--------------
[read_pipe_handler] (0x0400): EOF received, client finished
[parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
[check_wait_queue] (0x1000): Wait queue for user [lg-user1201-077648] is empty.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com]
[be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com]

secure.log
--------------
Apr 15 04:11:32 hp-dl380pgen8-02-vm-6 su: pam_unix(su:session): session opened for user test by root(uid=0)
Apr 15 04:11:40 hp-dl380pgen8-02-vm-6 su: pam_unix(su:auth): authentication failure; logname=root uid=500 euid=0 tty=pts/6 ruser=test rhost=  user=lg-user1201-077648@sssdad.com
Apr 15 04:11:42 hp-dl380pgen8-02-vm-6 su: pam_sss(su:auth): authentication failure; logname=root uid=500 euid=0 tty=pts/6 ruser=test rhost=  user=lg-user1201-077648@sssdad.com
Apr 15 04:11:42 hp-dl380pgen8-02-vm-6 su: pam_sss(su:auth): received for user lg-user1201-077648@sssdad.com: 4 (System error)

shell with manually exported KRB5CCNAME=KEYRING:persistent:1239005441
--------------
[lg-user1201-077648@sssdad.com@test ~]$ getent passwd lg-user1201-077648@sssdad.com
lg-user1201-077648@sssdad.com:*:1239005441:1239000513:lg-user1201-077648:/home/sssdad.com/lg-user1201-077648:/bin/bash
[lg-user1201-077648@sssdad.com@test ~]$ env | grep KRB
KRB5CCNAME=KEYRING:persistent:1239005441
[lg-user1201-077648@sssdad.com@test ad_large_dataset]$ klist
klist: Key has been revoked while getting default ccache
Do you have default krb5 on CentOS6? Is it a bare-metal machine, VM, or container?
LS
This is a VM running CentOS 6.6. I have EPEL enabled, but it doesn't look like any krb5 is from EPEL.
[root@galaxy ~]# yum info krb5-workstation sssd-krb5 sssd-krb5-common krb5-libs | egrep 'Name|Version|Release|From repo'
Name        : krb5-libs
Version     : 1.10.3
Release     : 37.el6_6
From repo   : updates
Name        : krb5-workstation
Version     : 1.10.3
Release     : 37.el6_6
From repo   : updates
Name        : sssd-krb5
Version     : 1.11.6
Release     : 30.el6_6.4
From repo   : updates
Name        : sssd-krb5-common
Version     : 1.11.6
Release     : 30.el6_6.4
From repo   : updates
Name        : krb5-libs
Version     : 1.10.3
Release     : 37.el6_6
On Wed, Apr 15, 2015 at 1:27 PM, Lukas Slebodnik lslebodn@redhat.com wrote: