I've been struggling to get SSH to work with an AD user for over 3 weeks
now. I've scraped the bowels of the internet for answers, still no dice.
The issue is pretty simple in itself: I can't SSH to a FreeIPA-joined
CentOS 7.3 client with an AD user. However, kinit with any AD user, as well
as su, works just fine. I'm running two 4.4.0 IPA servers.
I made sure the entire setup is resolving DNS properly, and NTP (external to
FreeIPA) is in sync. I'm using FQDNs for hostnames.
Here's the output from journalctl -f:
Jul 27 04:37:10 centos.ipa.ad.com sshd[2633]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: (to admin@ad.com) root on pts/1
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session opened for user admin@ad.com by root(uid=0)
Jul 27 04:37:42 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session closed for user admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=admin@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): received for user admin@ad.com: 6 (Permission denied)
Jul 27 04:38:35 centos.ipa.ad.com sshd[2674]: error: PAM: Authentication failure for admin@ad.com from localhost
Jul 27 04:38:38 centos.ipa.ad.com sshd[2674]: Connection closed by ::1 [preauth]
Config files:

/etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IP.AD.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IP.AD.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
/etc/sssd/sssd.conf
[domain/ipa.ad.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.ad.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = centos.ipa.ad.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipaserver02.ipa.ad.com
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.ad.com

[nss]
homedir_substring = /home

[pam]
debug_level = 9

[sudo]

[autofs]

[ssh]
debug_level = 9

[pac]

[ifp]
/etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
GSSAPICleanupCredentials no
X11Forwarding yes
UsePrivilegeSeparation sandbox # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody
I uploaded krb5_child.log and ldap_child.log to
https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD
I managed to get AD user login over SSH to work on both my FreeIPA servers. I
had to modify the following files; see changes in bold.
/etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = IPA.AD.COM
  *dns_lookup_realm = true*
  *dns_lookup_kdc = true*
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.AD.COM = {
    kdc = ipaserver01.ipa.ad.com:88
    master_kdc = ipaserver01.ipa.ad.com:88
    admin_server = ipaserver01.ipa.ad.com:749
    default_domain = ipa.ad.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    *auth_to_local = RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/*
    *auth_to_local = DEFAULT*
  }

[domain_realm]
  .ipa.ad.com = IPA.AD.COM
  ipa.ad.com = IPA.AD.COM
  ipaserver02.ipa.ad.com = IPA.AD.COM

[dbmodules]
  IPA.AD.COM = {
    db_library = ipadb.so
  }
/etc/resolv.conf
search ipa.ad.com ad.com
nameserver 127.0.0.1
*nameserver 192.168.1.2 #Secondary IPA Server*
In /etc/named.conf, I disabled dnssec-validation (dnssec-validation no;).
Not sure those settings were at all necessary.
Adding the following lines under [realms] in krb5.conf on my CentOS
client machine did not make a difference:
auth_to_local = RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/
auth_to_local = DEFAULT
IPv6 has been disabled in /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
If anyone has an idea what may be the issue or where to look, please reply.
Thanks
Alex
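The auth_to_local lines in the post decide which local account a Kerberos principal maps to, but sshd only consults them for GSSAPI (GSSAPIAuthentication yes) or Kerberos logins; the password path that fails in the journal above goes through pam_sss and never reads auth_to_local, which is consistent with the rule making no difference on the client. As an added example (not from the original post or any project code), the Python below emulates MIT krb5's RULE/DEFAULT evaluation so the posted rule can be traced by hand; it assumes IPA.AD.COM as the default realm and uses simplified principal parsing (no escaped '/' or '@').

```python
import re
from typing import Optional

# Default realm and rules copied from the krb5.conf in the post.
DEFAULT_REALM = "IPA.AD.COM"
RULES = [
    "RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/",
    "DEFAULT",
]

# RULE:[n:format](regexp)s/pattern/replacement/g  (regexp and substitutions optional)
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal: str):
    """Split 'comp1/comp2@REALM' into (components, realm). Simplified: no escapes."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one rule, or None if the rule does not match."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps single-component principals of the default realm to that component.
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local rule: {rule}")
    n, fmt, regexp, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != n:          # [n:...] only applies to n-component principals
        return None
    s = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components
    for i, comp in enumerate(comps, 1):
        s = s.replace(f"${i}", comp)
    # MIT krb5 requires the regexp to match the entire formatted string.
    if regexp is not None and re.fullmatch(regexp, s) is None:
        return None
    for pat, rep, g in _SUBST_RE.findall(substs):
        s = re.sub(pat, rep, s, count=0 if g else 1)
    return s


def auth_to_local(principal: str) -> Optional[str]:
    """Evaluate the rules in order, as libkrb5 does; None means 'no translation'."""
    for rule in RULES:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None
```

Running auth_to_local("admin@AD.COM") yields "admin@ad.com", the fully qualified name SSSD expects for a trusted-domain user, while "alex@IPA.AD.COM" falls through to DEFAULT and becomes "alex".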