4:40 a.m.
Earlier this week, users reported they could no longer ssh to freeipa
joined servers using their AD login. After some inverstigation, it was
discovered if krb5_validate was set to false in the sssd.conf, AD ssh login
would start working again.
One of our IPA server is showing these errors in /var/log/messages:
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +0000]
- ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +0000]
- ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
to retrieve keytab on [IPA$(a)DOMAIN.COM] as user [fqdn=
ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access
rights
Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
I could paste the the debug logs from sssd but I'm pretty sure that error
in /var/log/messages is the root cause preventing AD ssh login. I did some
research and couldn't find anything revelant.
Any ideas how to fix this ?
Thanks
--
Alexandre Pitre
alexandre.pitre(a)gmail.com
5:06 a.m.
New subject: Trusted AD users can no longer authenticate via SSH
On ke, 14 helmi 2018, Alexandre Pitre via FreeIPA-users wrote:
Earlier this week, users reported they could no longer ssh to freeipa
joined servers using their AD login. After some inverstigation, it was
discovered if krb5_validate was set to false in the sssd.conf, AD ssh login
would start working again.
One of our IPA server is showing these errors in /var/log/messages:
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +0000]
- ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +0000]
- ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
to retrieve keytab on [IPA$(a)DOMAIN.COM] as user [fqdn=
ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access
rights
Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
I could paste the the debug logs from sssd but I'm pretty sure that error
in /var/log/messages is the root cause preventing AD ssh login. I did some
research and couldn't find anything revelant.
Any ideas how to fix this ?
It looks like ipaserver.ipa.domain.com is not a trust
agent. Remember
that only trust agents and trust controllers can retrieve trusted domain
object credentials to communicate to AD DCs.
--
/ Alexander Bokovoy
9:41 a.m.
Thanks Alexander that was it.
On Wed, Feb 14, 2018 at 6:06 AM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On ke, 14 helmi 2018, Alexandre Pitre via FreeIPA-users wrote:
> Earlier this week, users reported they could no longer ssh to freeipa
> joined servers using their AD login. After some inverstigation, it was
> discovered if krb5_validate was set to false in the sssd.conf, AD ssh
> login
> would start working again.
>
> One of our IPA server is showing these errors in /var/log/messages:
>
> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558
> +0000]
> - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
> slapi_access_allowed does not allow READ to ipaProtectedOperation;read_key
> s!
> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278
> +0000]
> - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
> to retrieve keytab on [IPA$(a)DOMAIN.COM] as user [fqdn=
> ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=
> domain,dc=com]!
> Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient
> access
> rights
> Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
>
> I could paste the the debug logs from sssd but I'm pretty sure that error
> in /var/log/messages is the root cause preventing AD ssh login. I did some
> research and couldn't find anything revelant.
>
> Any ideas how to fix this ?
>
It looks like ipaserver.ipa.domain.com is not a trust agent. Remember
that only trust agents and trust controllers can retrieve trusted domain
object credentials to communicate to AD DCs.
--
/ Alexander Bokovoy
--
Alexandre Pitre
alexandre.pitre(a)gmail.com
2256
days inactive
2256
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Alexander Bokovoy -
Alexandre Pitre