Hi all. I've enrolled a Linux machine into the domain using this tutorial: http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux machine or a Windows machine. But I can't log in using a password anymore. Although I can obtain user info, request a TGT, and operate on this server normally, I can't log in to it with a password. I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir --update', so all auth should be done in SSSD. I haven't configured winbind with SSSD. I've managed to work around it by adding this line to /etc/pam.d/system-auth: auth sufficient pam_krb5.so
But this seems like the wrong way to do it. A very wrong and dirty way. Or maybe I'm wrong? I want to use SSSD as a service for id and auth, with AD as the backend.
Here's what debug4 says:

[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
(service pings)
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local'
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [hostname$@domain.LOCAL]
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: hostname$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [7973] finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [ssh-username@domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: ssh-username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for user [ssh-username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD.domain.local'
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [ssh-username@DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_704417315_9XJZwx] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[7974]]]] [check_use_fast] (0x0100): Not using FAST.
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
[[sssd[krb5_child[7974]]]] [get_and_save_tgt] (0x0020): 1029: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[7974]]]] [map_krb5_error] (0x0020): 1069: [1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[be[ssh-username.local]]] [child_sig_handler] (0x0100): child [7974] finished successfully.
Here's sssd.conf:

[domain/domain.local]
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
case_sensitive = false
cache_credentials = false
krb5_auth_timeout = 30
ad_domain = domain.local
ad_hostname = hostname.domain.local
ad_server = ad.domain.local, _srv_, ad2.domain.local
ad_backup_server = 192.168.0.13
ad_gpo_access_control = disabled
ldap_user_ssh_public_key = altSecurityIdentities

[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh
config_file_version = 2

[nss]
filter_users = root
filter_groups = root
default_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 2

[pam]
debug_level = 2
offline_credentials_expiration = 7 # days
offline_failed_login_attempts = 6
offline_failed_login_delay = 5 # minutes
pam_pwd_expiration_warning = 5

[ssh]
debug_level = 2
Here's nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
Here's krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.LOCAL = {
  # using dns lookup, nothing to write here
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
On 08/26/2015 10:00 AM, l@avc.su wrote:
...
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
This seems to be a problem. Because it leads to access denied, this is why you can't log in. The PAC responder process is either not running, or SELinux blocks the socket, or something along those lines. Monitor logs should show if it exists. Cores will be there if it crashes. What distro is it? What version? Do you see any AVCs if you are using SELinux?
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Dmitri Pal wrote 2015-08-26 19:39:
... What distro is it? What version? Do you see any AVCs if you are using SELinux?
Hi Dmitri. Thank you for the reply. I'm using CentOS 6.7 with SSSD v. 1.12.4. SELinux is disabled on this machine, since this is a testing environment.
As I can see in man sssd.conf, PAC is a service, but I haven't enabled it in sssd.conf:

[sssd]
services = nss,pam,ssh

Should I set it, or does PAC run anyway?
Thanks.
On 08/26/2015 01:13 PM, l@avc.su wrote:
... Should I set it, or does PAC run anyway?
I think it should be running anyway, but this stretches the limits of my knowledge. Looking at the man pages, it seems like it needs to be added explicitly. Please try adding it. I think the [pac] section needs to be added too, later in the file, even if it is empty.
Dmitri Pal wrote 2015-08-27 01:25:
... Please try adding it. I think the [pac] section needs to be added too, later in the file, even if it is empty.
I've added PAC to the list of services, but I still can't log in.
Here's the debug5 log:

[sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
[sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [username@domain.local]
[sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
[sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
[sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'username' matched without domain, user is username
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9196
[sssd[pam]] [pam_print_data] (0x0100): logon name: username
[sssd[be[domain.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=username]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
[sssd[be[domain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc.domain.local: [192.168.0.10] TTL 1200
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc.domain.local: [192.168.0.10] TTL 1200
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc.domain.local'
[[sssd[ldap_child[9198]]]] [unpack_buffer] (0x0200): Will run as [0][0].
[[sssd[ldap_child[9198]]]] [become_user] (0x0200): Trying to become user [0][0].
[[sssd[ldap_child[9198]]]] [become_user] (0x0200): Already user [0].
[[sssd[ldap_child[9198]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host$@domain.LOCAL]
[[sssd[ldap_child[9198]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(service pings)
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [9198] finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'dc.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking server 'dc.domain.local' as 'working'
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [username@domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9196
[sssd[pam]] [pam_print_data] (0x0100): logon name: username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 9196
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for user [username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
[sssd[be[domain.local]]] [be_resolve_server_process] (0x0200): Found address for server dc.domain.local: [172.20.192.10] TTL 1200
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc.domain.local'
[[sssd[krb5_child[9199]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [username@OUTERNDOMAIN.COM]
[[sssd[krb5_child[9199]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[9199]]]] [check_use_fast] (0x0100): Not using FAST.
[sssd[pac]] [sss_cmd_get_version] (0x0200): Received client version [1].
[sssd[pac]] [sss_cmd_get_version] (0x0200): Offered version [1].
[[sssd[krb5_child[9199]]]] [become_user] (0x0200): Trying to become user [704417315][704400513].
[[sssd[krb5_child[9199]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[9199]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[9199]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [pac_lookup_sids_done] (0x0040): No domain found for SID [S-1-18-1].
[sssd[pac]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-18-1], checking for possible subdomains!
[sssd[pac]] [pac_save_memberships_next] (0x0080): responder_get_domain_by_id failed, will try next group
[[sssd[krb5_child[9199]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
[[sssd[krb5_child[9199]]]] [get_and_save_tgt] (0x0020): 1029: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[9199]]]] [map_krb5_error] (0x0020): 1069: [1432158209][Unknown code UUz 1]
[[sssd[krb5_child[9199]]]] [k5c_send_data] (0x0200): Received error code 1432158209
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [9199] finished successfully.
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
[sssd[pam]] [pam_reply] (0x0200): blen: 28
[sssd[pac]] [client_recv] (0x0200): Client disconnected!
I can see that it can't resolve domain id S-1-18-1. I haven't found much about it -- only a couple of pages that describe the SID as a Win2012 security entity. Could this be the error:
[[sssd[krb5_child[9199]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [username@OUTERNDOMAIN.COM]
The UPN is from 'outerdomain'.
Or this?
[[sssd[krb5_child[9199]]]] [k5c_send_data] (0x0200): Received error code 1432158209
I've looked into the pam.d configs, but there's nothing suspicious. I can attach them as well.
Thank you.
On (26/08/15 17:00), l@avc.su wrote:
Here's what debug4 says:
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
Previous error messages are not critical. We just print an error message if pac responder does not run.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
Here is a problem. The error occurred on line 590 and it is really unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied. I cannot explain why. I added krb5 experts to CC.
BTW you mentioned you have disabled SELinux. Could you change it to permissive and try one more time?
LS
Lukas Slebodnik wrote 2015-08-27 09:07:
Here's what debug4 says: ... [[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
Here is a problem. The error occurred on line 590 and it is really unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied. I cannot explain why. I added krb5 experts to CC.
Hi Lukas. Thank you for the hint, I've found the cause. My krb5.conf had 600 permissions. I've updated it to 644 according to this thread: http://comments.gmane.org/gmane.linux.redhat.sssd.user/1946 Now everything seems to work fine. I'll look through the logs more closely later today to be sure.
I'm using SSSD v.1.12.4 on CentOS 6.7. I don't know whether it should be reported as a bug or not, but I can file a report.
Thank you :)
On (27/08/15 09:41), l@avc.su wrote:
Hi Lukas. Thank you for the hint, I've found the cause. My krb5.conf had 600 permissions. I've updated it to 644 according to this thread: http://comments.gmane.org/gmane.linux.redhat.sssd.user/1946 Now everything seems to work fine. I'll look through the logs more closely later today to be sure.
I'm using SSSD v.1.12.4 on CentOS 6.7. I don't know whether it should be reported as a bug or not, but I can file a report.
The main question is which process created krb5.conf with such wrong permissions.
If it was caused by command line utility please file a bug.
LS
Lukas Slebodnik wrote 2015-08-27 10:20:
The main question is which process created krb5.conf with such wrong permissions.
If it was caused by command line utility please file a bug.
LS
I'm afraid it was caused by me. I'm deploying this configuration with Ansible and set the permissions explicitly. I didn't know krb5.conf should be world-readable. I thought that since sssd crashes when sssd.conf is not 600, it also checks the configs it relies on. Maybe it could be a feature request?
On Thu, 2015-08-27 at 08:07 +0200, Lukas Slebodnik wrote:
On (26/08/15 17:00), l@avc.su wrote:
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
Here is a problem. The error occurred on line 590 and it is really unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied. I cannot explain why. I added krb5 experts to CC.
No access to krb5.conf ?
BTW you mentioned you have disabled SELinux. Could you change it to permissive and try one more time?
LS
On (27/08/15 08:29), Simo Sorce wrote:
No access to krb5.conf ?
Yes, see https://lists.fedorahosted.org/pipermail/sssd-users/2015-August/003393.html
:-)
LS