Hi all,
I am configuring AD authentication by using SSSD+kerberos on our CentOS 6.7 cluster. The solution works fine so far except that we could not use ldap_access_filter.
Whenever I enable ldap_access_filter (adding filter to ldap_access_order), all SSH logins are denied, and the error messages are:
==> /var/log/sssd/ldap_child.log <==
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
But I believe the entry is in the keytab file already:
[root@nerv-geofront ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (arcfour-hmac)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (arcfour-hmac)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
The error messages above appear only when I enable ldap_access_filter, so I think this is related to the kerberos keytab.
I am testing on sssd 1.12.4, samba 3.6.23.
Any idea will be appreciated.
Cheers, Derrick
On (19/09/16 05:38), klin938@gmail.com wrote:
Hi all,
I am configuring AD authentication by using SSSD+kerberos on our CentOS 6.7 cluster. The solution works fine so far except that we could not use ldap_access_filter.
Whenever I enable ldap_access_filter (adding filter to ldap_access_order), all SSH logins are denied, and the error messages are:
==> /var/log/sssd/ldap_child.log <==
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
But I believe the entry is in the keytab file already:
[root@nerv-geofront ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (arcfour-hmac)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (arcfour-hmac)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
The error messages above appear only when I enable ldap_access_filter, so I think this is related to the kerberos keytab.
I am testing on sssd 1.12.4, samba 3.6.23.
Can you reproduce on CentOS 6.8? There is sssd 1.13.x.
BTW, is there a reason for using ldap_access_filter? Try looking into the simple access provider (man sssd-simple).
LS
On Mon, Sep 19, 2016 at 05:38:05AM -0000, klin938@gmail.com wrote:
Hi all,
I am configuring AD authentication by using SSSD+kerberos on our CentOS 6.7 cluster. The solution works fine so far except that we could not use ldap_access_filter.
Whenever I enable ldap_access_filter (adding filter to ldap_access_order), all SSH logins are denied, and the error messages are:
==> /var/log/sssd/ldap_child.log <==
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/nerv-geofront.local@AD.EXAMPLE.EDU.AU' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
But I believe the entry is in the keytab file already:
The message is coming from the KDC and since you are using AD 'NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' would be the right principal to use because AD makes a difference between user-principal-names which can be used for kinit and service-principal-names which can be only used for services.
Do you have 'ldap_sasl_authid = NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' set in the domain section of your sssd.conf? If not please try if it works after adding it.
[root@nerv-geofront ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (arcfour-hmac)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (arcfour-hmac)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
The error messages above appear only when I enable ldap_access_filter, so I think this is related to the kerberos keytab.
The ldap_access_filter based check is evaluated by the access_provider in SSSD which can be configured independently of e.g. the id_provider. If e.g. you use the ad id_provider, it will figure out the right principal automatically. The ldap access_provider must be configured explicitly to use it because it will pick the first entry from the keytab which matches the realm.
HTH
bye, Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
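As an added illustration of Sumit's explanation (this is not code from the thread or from SSSD itself), the script below parses a constructed klist -ke listing modelled on Derrick's, shows that taking the first keytab entry for the realm yields a host/ service principal, and selects the machine-account principal that belongs in ldap_sasl_authid. The first-matching-entry selection is a simplified model of the behaviour Sumit describes for the ldap access_provider, not SSSD's actual code.

```python
import re

REALM = "AD.EXAMPLE.EDU.AU"

# Constructed sample of `klist -ke` output, modelled on the listing in the thread
# (one enctype per principal is enough to show the selection problem).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/nerv-geofront.local@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
"""

# Matches one entry line: "<kvno> <name>@<realm> (<enctype>)"; header lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Return [(kvno, name, realm, enctype)] in keytab order."""
    return [
        (int(m.group(1)), m.group(2), m.group(3), m.group(4))
        for m in (ENTRY_RE.match(line) for line in text.splitlines())
        if m
    ]


def first_principal_for_realm(entries, realm):
    """Simplified model of the default: first keytab entry whose realm matches."""
    for _, name, r, _ in entries:
        if r == realm:
            return f"{name}@{r}"
    return None


def is_ad_machine_account(principal):
    """AD computer accounts look like SAMACCOUNTNAME$@REALM (a UPN-style name that
    can obtain a TGT); host/... entries are SPNs, usable only for services."""
    name = principal.split("@", 1)[0]
    return "/" not in name and name.endswith("$")


def recommended_sasl_authid(entries, realm):
    """Principal to put in ldap_sasl_authid, or None if no machine account is present."""
    for _, name, r, _ in entries:
        if r == realm and is_ad_machine_account(f"{name}@{r}"):
            return f"{name}@{r}"
    return None


def sssd_domain_fix(entries, realm):
    """Render the sssd.conf [domain/...] line Sumit asks to add."""
    p = recommended_sasl_authid(entries, realm)
    return f"ldap_sasl_authid = {p}" if p else None
```

Run against the sample, first_principal_for_realm() returns the host/nerv-geofront.local SPN that the KDC rejected in the log, while sssd_domain_fix() returns the line to add to the domain section.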