On Mon, 30 Nov 2020, mir mal via FreeIPA-users wrote:
Hi,
I've enabled lvl 9 debug. I've started from 6 to see if there is anything obvious, but I can't see anything. It looks like on lvl 6 the difference between a successful and an unsuccessful login is that the unsuccessful one is not even triggering the SSS_PAM_ACCT_MGMT command. What's interesting is that if I destroy the c111111 user ticket from the machine and try to log in again, it will fail, but my current login user can see that the krb ticket has been created. On lvl 9 I can see that communication with the IPA server is successful and that it's querying all user info. I've disabled krb5_store_password_if_offline and cleared the sssd cache on the host, but still the same thing. The symptoms are almost like krb won't check the password and just returns OK to ssh.
What exact command do you use on the client side? How do you log in to the ssh server? With a Kerberos ticket or with a password?
sshd performs its own GSSAPI negotiation. In the case the user logs in to the sshd server with GSSAPI, sshd does the authentication and then, if 'UsePAM yes', asks the PAM stack for authorization and session.
In the case of using a password, sshd performs PAM stack authentication, and then SSSD is involved, indeed, in acquiring a Kerberos ticket by reusing the password given by sshd to the PAM stack.
So you need to see in the sshd logs (debug3 at least) what it sees/deals with.
c111111@csc-64:/home/ubuntu$ klist -l
Principal name                 Cache name
c111111@STUXNET.LAB            KEYRING:persistent:1938600006:krb_ccache_VaG0P4I
When failing, the following is not processed at all; it just returns OK:
(Mon Nov 30 07:05:50 2020) [sssd[be[stuxnet.lab]]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(Mon Nov 30 07:05:50 2020) [sssd[be[stuxnet.lab]]] [child_sig_handler] (0x0100): child [602785] finished successfully.

When successful, the lvl 6 log continues with:
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_pam_handler_send] (0x0100): Got request with the following data
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): domain: stuxnet.lab
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): user: c111111@stuxnet.lab
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): service: sshd
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): tty: ssh
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): ruser:
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): rhost: 10.0.0.6
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): cli_pid: 602527
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): logon name: not set
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): flags: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_attach_req] (0x0400): DP Request [PAM Account #7]: New request. Flags [0000].
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [sdap_access_send] (0x0400): Performing access check for user [c111111@stuxnet.lab]
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
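Added example, not code from the thread or from the OpenSSH or SSSD projects: a small POSIX shell check that answers the "ticket or password?" question from the server side by reading sshd's own "Accepted <method> for <user>" lines (logged at the default LogLevel INFO). With gssapi-with-mic or publickey, sshd authenticated the user itself and only called PAM for account and session, so SSSD never sees an authentication request; with password or keyboard-interactive the PAM stack authenticated, which is the path where SSSD receives the password. The function names, hostnames, PIDs and ports are made up, and the log excerpt is constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# OpenSSH/SSSD. It reports which method sshd accepted per login and whether
# that method makes sshd (with UsePAM yes) run pam_authenticate at all.
# Log lines, hostnames, PIDs and ports below are constructed.

# Print "user method" for every "Accepted <method> for <user> from ..." line
# on stdin. Failed attempts and unrelated lines are dropped.
accepted_methods() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([a-z-]*\) for \([^ ]*\) from .*/\2 \1/p'
}

# Did sshd run pam_authenticate for this method? Prints yes, no or unknown.
# password and keyboard-interactive go through the PAM conversation; the
# others are authenticated by sshd itself, PAM only does account/session.
pam_auth_for_method() {
    case "$1" in
        password|keyboard-interactive)       echo yes ;;
        publickey|gssapi-with-mic|hostbased) echo no ;;
        *)                                   echo unknown ;;
    esac
}

# One line per accepted login: user, sshd method, whether PAM auth ran.
report() {
    accepted_methods | while read -r user method; do
        printf '%s via %s, pam_authenticate=%s\n' \
            "$user" "$method" "$(pam_auth_for_method "$method")"
    done
}

# Constructed sshd syslog excerpt (hostname, PIDs and ports are invented).
sample_log='Nov 30 07:04:50 host1 sshd[11111]: Accepted password for c111111 from 10.0.0.6 port 50210 ssh2
Nov 30 07:05:50 host1 sshd[11112]: Accepted gssapi-with-mic for c111111 from 10.0.0.6 port 50214 ssh2
Nov 30 07:06:10 host1 sshd[11113]: Failed password for invalid user bob from 10.0.0.7 port 50300 ssh2
Nov 30 07:06:30 host1 sshd[11114]: Accepted publickey for alice from 10.0.0.8 port 50400 ssh2: ED25519 SHA256:abcd'

printf '%s\n' "$sample_log" | report
```

On a real host, feed the output of `journalctl -u sshd` (or /var/log/auth.log) into `report` instead of the constructed excerpt. A login that shows up as gssapi-with-mic will, by design, never produce an SSS_PAM_AUTHENTICATE in the SSSD log, only the account-management request; a login that shows up as password should.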