On 19/06/2019 16:20, Sumit Bose via FreeIPA-users wrote:
On Wed, Jun 19, 2019 at 12:34:54PM +0100, lejeczek via FreeIPA-users wrote:
> On 19/06/2019 10:09, Sumit Bose via FreeIPA-users wrote:
>> On Wed, Jun 19, 2019 at 09:26:30AM +0100, lejeczek via FreeIPA-users wrote:
>>> On 19/06/2019 07:46, Sumit Bose via FreeIPA-users wrote:
>>>> On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users wrote:
>>>>> hi guys
>>>>>
>>>>> I think it was asked on the list before but I still cannot find the thread.
>>>>>
>>>>> Should AD's users be able to login to IPA's clients (non-replica) in a
>>>>> pretty vanilla setup? Those users can login to IPA masters okay.
>>>>>
>>>>> I have not created any HBACs yet, nor added new hostgroups etc.
>>>>>
>>>>> When I ssh to IPA's client that client denies that user & shows:
>>>>>
>>>>> pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)
>>>> Hi,
>>>>
>>>> 'Permission denied' is typically returned during the PAM access control
>>>> step 'pam_sss(sshd:account)'. For auth there should be only a few cases,
>>>> like an expired user in AD, but in this case login to the IPA masters
>>>> shouldn't work either.
>>>>
>>>> Please add 'debug_level=9' at least to the [pam] and [domain/...]
>>>> section of sssd.conf on the client, restart SSSD, try to authenticate
>>>> and send the logs from /var/log/sssd.
>>>>
>>>> bye,
>>>> Sumit
>>> hi,
>>>
>>> before I dump the whole lot of logs this is a snippet at the moment ssh
>>> auth fails after debug_level=9
>>>
>>> ..
>>>
>>> k,cn=users,cn=mine.private,cn=sysdb] has set [ts_cache] attrs.
>>> (Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [ldb] (0x4000):
>>> commit ldb transaction (nesting: 0)
>>> (Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_auth_done]
>>> (0x0100): Backend is marked offline, retry later!
>>> (Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]]
>>> [check_wait_queue] (0x1000): Wait queue for user [pawel(a)mine.private] is
>>> empty.
>>> ..
>>>
>>> does the above give out any clues?
>> Do you see a message like 'Timeout for child [1234] reached. In case KDC
>> is distant or network is slow you may consider increasing value of
>> krb5_auth_timeout.' before the ones you have sent? If that's the case
>> please add
>>
>> krb5_auth_timeout = 30
>>
>> to the [domain/...] section of sssd.conf, restart SSSD and try again.
>> Please note that SSSD does more than just authenticating the user by
>> requesting a Kerberos ticket; the ticket is validated as well, which
>> causes additional requests to the IPA server and AD DCs. This might need
>> a bit longer than the default timeout of 6s.
>>
>> HTH
>>
>> bye,
>> Sumit
> both masters & clients are on the same net fabric. I fear it's something
> more complex, I've emailed you zipped logs.
Thanks for the logs. The important message is "Cannot find KDC for realm
...". I guess that you have 'dns_lookup_kdc = false' in /etc/krb5.conf.
Typically ipa-client-install will set this to 'dns_lookup_kdc = true',
but there are some conditions where it might leave it on 'false'. Please
try to set it to 'true' and try again.
If you have set it to 'false' on purpose because you do not want to use
DNS to resolve KDCs from other realms, you have to add a section in the
[realms] section for the realm listed in the error message and add at
least one 'kdc = fully.qualified.name.or.ip.of.a.kdc.of.the.realm' line
in this section.
HTH
bye,
Sumit
Ok, then maybe to make it more bizarre, I've had it:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = MINE.PRIVATE
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MINE.PRIVATE= {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
kdc = 10.5.5.104
}
[domain_realm]
.MINE.PRIVATE= MINE.PRIVATE
MINE.PRIVATE= MINE.PRIVATE
halfspeed-r.MINE.PRIVATE= MINE.PRIVATE
and even after adding: kdc = 10.5.5.104
I still get permission denied.
I presume you saw in sssd_pam.log
...
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [9 (Authentication service cannot retrieve authentication
info)][ad.mine.private]
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x56399823af70
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x563998243fe0
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Running timer
event 0x56399823af70 "ltdb_callback"
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Destroying timer
event 0x563998243fe0 "ltdb_timeout"
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Ending timer
event 0x56399823af70 "ltdb_callback"
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [9]: Authentication service cannot retrieve
authentication info.
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0020): Unknown PAM
call [249].
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x56399823ca30
...
What does that mean?
many thanks, L.
> To add - putty off the AD DC does ssh to IPA's clients successfully with
> gssapi, to the same clients which fail when no gssapi but with password
> is used.
>
> many thanks, L.
>
>>> many thanks, L.
>>>
>>>>> ...
>>>>>
>>>>> many thanks, L.
>>>>>
>>>>> pub rsa2048 2019-01-17 [SC] [verfällt: 2020-01-17]
>>>>> 93059F241EEEE1D0769A85F455918ABF21224EBA
>>>>> uid lejeczek <peljasz(a)yahoo.co.uk>
>>>>> sub rsa2048 2019-01-17 [E] [verfällt: 2020-01-17]
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
>>>>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
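The troubleshooting steps Sumit lays out in this thread (look for 'Timeout for child' and raise krb5_auth_timeout; treat "Cannot find KDC for realm" as either dns_lookup_kdc being off or a missing 'kdc =' line in that realm's [realms] stanza) condensed into a small triage script. This is an added example, not code from the thread or from the SSSD/FreeIPA projects. The log lines are constructed in the format of the ones quoted above, the realm AD.EXAMPLE.TEST is a placeholder (the realm in the real error message is not shown in the thread), and the krb5.conf text mirrors the [libdefaults]/[realms] part of the file lejeczek posted. The krb5.conf reader handles only the subset of the syntax used there and does not follow includedir.

```python
"""Triage SSSD debug log lines against /etc/krb5.conf for the failure
mode discussed in the thread.  Constructed example, not project code."""
import re

KDC_RE = re.compile(r'Cannot find KDC for realm\s+"?([A-Za-z0-9.\-]+)"?')
TIMEOUT_RE = re.compile(r"Timeout for child \[\d+\] reached")
OFFLINE_RE = re.compile(r"Backend is marked offline")
PAM_RESULT_RE = re.compile(r"pam_reply called with result \[(\d+)\]")


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: returns (libdefaults, realms).

    libdefaults maps key -> value; realms maps REALM -> {key: [values]}.
    'include'/'includedir' lines are skipped, included files are not read.
    """
    libdefaults, realms = {}, {}
    section = current_realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("includedir", "include ")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                   # new [section]
            section, current_realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"([^=\s]+)\s*=\s*\{$", line)   # e.g. "MINE.PRIVATE= {"
            if m:
                current_realm = m.group(1)
                realms.setdefault(current_realm, {})
                continue
            if line == "}":
                current_realm = None
                continue
            if current_realm and "=" in line:
                key, val = (p.strip() for p in line.split("=", 1))
                realms[current_realm].setdefault(key.lower(), []).append(val)
        elif section == "libdefaults" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            libdefaults[key.lower()] = val
    return libdefaults, realms


def kdc_resolvable(libdefaults, realms, realm):
    """True if libkrb5 has some way to locate a KDC for `realm`: DNS lookup
    enabled (the libkrb5 default) or an explicit kdc line in its stanza."""
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1"):
        return True
    return bool(realms.get(realm, {}).get("kdc"))


def triage(log_lines, krb5_conf_text):
    """Return (finding, suggested action) pairs in log order."""
    libdefaults, realms = parse_krb5_conf(krb5_conf_text)
    findings = []
    for line in log_lines:
        m = KDC_RE.search(line)
        if m:
            realm = m.group(1)
            if kdc_resolvable(libdefaults, realms, realm):
                findings.append(("kdc_unreachable", f"krb5.conf can locate a KDC for {realm}; "
                                 "check the DNS answers or the reachability of that KDC"))
            else:
                findings.append(("kdc_unlocatable", "set dns_lookup_kdc = true, or add "
                                 f"'kdc = <kdc fqdn or ip>' under [realms] {realm} = {{ ... }}"))
        elif TIMEOUT_RE.search(line):
            findings.append(("auth_timeout", "raise krb5_auth_timeout (e.g. 30) in the "
                             "[domain/...] section of sssd.conf"))
        elif OFFLINE_RE.search(line):
            findings.append(("backend_offline", "SSSD went offline before authenticating; "
                             "the cause is earlier in the [domain/...] log"))
        else:
            m = PAM_RESULT_RE.search(line)
            if m and m.group(1) != "0":
                findings.append((f"pam_result_{m.group(1)}", "non-zero PAM result returned "
                                 "to sshd; pair it with the [domain/...] log at the same time"))
    return findings


# Constructed sample log lines; AD.EXAMPLE.TEST is a placeholder realm.
SAMPLE_LOG = [
    "(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_auth_done] (0x0100): "
    "Backend is marked offline, retry later!",
    "(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_child] (0x0020): "
    'Cannot find KDC for realm "AD.EXAMPLE.TEST"',
    "(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with "
    "result [9]: Authentication service cannot retrieve authentication info.",
]
# The relevant part of the krb5.conf posted in the thread ...
KRB5_CONF_DNS = """
includedir /etc/krb5.conf.d/
[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_kdc = true
[realms]
 MINE.PRIVATE= {
  kdc = 10.5.5.104
 }
"""
# ... and the variant Sumit suspected: DNS lookup off, no stanza for the AD realm.
KRB5_CONF_NODNS = KRB5_CONF_DNS.replace("dns_lookup_kdc = true", "dns_lookup_kdc = false")

if __name__ == "__main__":
    for name, conf in (("dns on", KRB5_CONF_DNS), ("dns off", KRB5_CONF_NODNS)):
        print(f"== {name}")
        for finding, action in triage(SAMPLE_LOG, conf):
            print(f"{finding:16} {action}")
```

With the posted config (dns_lookup_kdc = true) the script reports the KDC as locatable, which matches lejeczek's observation that the config looked right yet the login still failed; only with dns_lookup_kdc = false and no stanza for the AD realm does it flag the missing 'kdc =' line.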