Hi,
I've run into a dead end debugging a case of passwordless authentication between two IPA'd hosts. Running `sshd -p 5000 -d` on the receiving host (let's call it HOST_B), I see this:
``` Postponed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 [preauth] debug1: Received some client credentials debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/USER/.k5login Failed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 ```
The client then gets an interactive password prompt. Here are some facts and things I've tried:
* If I put the user into `.k5login` on the receiving host and it works. * The receiving host is correctly enrolled into IPA. I can ssh from it to other hosts using GSSAPI. * I can issue `kvno host/HOST_B` on the connecting host and I get a service ticket. * It looks like all this happens before any pam stuff kicks in (?). So I'm ruling PAM issues out. * No errors in the logs of the KDCs. * The ticket from the connecting host is not expired. * The sssd version is 1.16.0. * Turning up the debugging in sssd with `debug_level = 7` for the domain section doesn't reveal anything obvious.
What else could I check?
Thanks for any ideas, SG
On Sat, Nov 17, 2018 at 03:24:29AM -0000, Sergei Gerasenko wrote:
Hi,
I've run into a dead end debugging a case of passwordless authentication between two IPA'd hosts. Running `sshd -p 5000 -d` on the receiving host (let's call it HOST_B), I see this:
Postponed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 [preauth] debug1: Received some client credentials debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/USER/.k5login Failed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2
The client then gets an interactive password prompt. Here are some facts and things I've tried:
- If I put the user into `.k5login` on the receiving host and it works.
Does .k5login for the user on the receiving host contain other entries as well? In this case you might want to set 'k5login_authoritative= false' in krb5.conf (see man krb5.conf) for details.
If typically .k5login does not exist there might be an issue mapping the Kerberos principal to the local user name. SSSD should create /var/lib/sss/pubconf/krb5.include.d/localauth_plugin which configures SSSD's localauth plugin. To be able to read this libkrb5 needs and entry like 'includedir /var/lib/sss/pubconf/krb5.include.d/' in /etc/krb5.conf.
HTH
bye, Sumit
- The receiving host is correctly enrolled into IPA. I can ssh from it to other hosts using GSSAPI.
- I can issue `kvno host/HOST_B` on the connecting host and I get a service ticket.
- It looks like all this happens before any pam stuff kicks in (?). So I'm ruling PAM issues out.
- No errors in the logs of the KDCs.
- The ticket from the connecting host is not expired.
- The sssd version is 1.16.0.
- Turning up the debugging in sssd with `debug_level = 7` for the domain section doesn't reveal anything obvious.
What else could I check?
Thanks for any ideas, SG _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
sssd-users@lists.fedorahosted.org