We are still unable to make SSSD work with RODC.
While checking a few other logs, I came across the following under krb5_child.log. Does this
help in isolating the issue in any way?
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.x.y.local@X.Y.LOCAL].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656134: Retrieving first.last@X.Y.LOCAL -> host/hostname.x.y.local@X.Y.LOCAL from MEMORY:rd_req2 with result: 0/Success
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656242: Retrieving host/hostname.x.y.local@X.Y.LOCAL from MEMORY:/etc/krb5.keytab (vno 5, enctype rc4-hmac) with result: 0/Success
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@ABC@X.Y.LOCAL] might not be correct.
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656339: Destroying ccache MEMORY:rd_req2
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/var/tmp/krb5cc_233006683]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x4000): Response sent.
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [main] (0x0400): krb5_child completed successfully
The file /var/tmp/krb5cc_233006683 doesn't exist, though.
Under /var/log/secure, we are still getting the same error message when access is denied.
May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd.x.y.local user=first.last
May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Thanks,
~ Abhi
On Feb 21, 2017, at 9:48 AM, Abhijit Tikekar <abhijittikekar@gmail.com> wrote:
Hi,
I tried replacing KEYRING with the FILE option, but got the same results.
#default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
When I try using kinit -E, it asks for the principal's password. But the keytab was created
using the "rndpass" option, so I am not really sure what to put as the password.
]# kinit -E
Password for host/hostname.x.y.local@X.Y.LOCAL:
Here is the complete krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = X.Y.LOCAL
#dns_lookup_realm = true
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
#default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
default_keytab_name = /etc/krb5.keytab
[realms]
X.Y.LOCAL = {
kdc = RODC.x.y.local:88
admin_server = RODC.x.y.local:749
default_domain = x.y.local
}
[domain_realm]
.x.y.local = X.Y.LOCAL
x.y.local = X.Y.LOCAL
Thanks,
~ Abhi
> On Tue, Feb 21, 2017 at 2:22 AM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
> On (20/02/17 11:33), Abhijit Tikekar wrote:
> >Hi Jakub,
> >
> >ldap_id_mapping was set to "false" on this server. Once I set it to "true",
> >both id and getent started working. But the user authentication via SSH
> >still does not go through.
> >
> >We see the following in SSSD logs(Debug level set to 5)
> >
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info]
> >(0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
> >(0x0100): Trying to resolve service 'AD_GC'
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
> >[be_resolve_server_process] (0x0200): Found address for server
> >RODC.x.y.local: [RODC IP] TTL 7200
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
> >(0x0100): Constructed uri 'ldap://RODC.x.y.local'
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
> >(0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
> >[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
> >level to [6]
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
> >(0x0100): Trying to resolve service 'AD'
> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
> >[be_resolve_server_process] (0x0200): Found address for server
> >RODC.x.y.local: [RODC IP] TTL 7200
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step]
> >(0x0100): expire timeout is 900
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100):
> >Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler]
> >(0x0100): child [17466] finished successfully.
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status]
> >(0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status]
> >(0x0100): Marking server 'RODC.x.y.local' as 'working'
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]]
> >[sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for
> >SID S-1-5-21-<....ID....>
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback]
> >(0x0100): Request processed. Returned 0,0,Success
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100):
> >Got request with the following data
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >command: SSS_PAM_AUTHENTICATE
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >domain: x.y.local
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >user: first.last
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >service: sshd
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >tty: ssh
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >ruser:
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >rhost: remote_host.x.y.local
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >authtok type: 1
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >newauthtok type: 0
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >priv: 1
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >cli_pid: 17465
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
> >logon name: not set
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100):
> >Home directory for user [first.last] not known.
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
> >(0x0100): Trying to resolve service 'AD'
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]]
> >[be_resolve_server_process] (0x0200): Found address for server
> >RODC.x.y.local: [RODC IP] TTL 7200
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
> >(0x0100): Constructed uri 'ldap://RODC.x.y.local'
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
> >(0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
> >(0x0100): Backend returned: (0, 4, <NULL>) [Success]
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
> >(0x0100): Sending result [4][x.y.local]
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
> >(0x0100): Sent result [4][x.y.local]
> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler]
> >(0x0100): child [17467] finished successfully.
> >
> >
> >
> >*And the following under /var/log/secure*
> >
> >Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication
> >failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local
> >user=first.last
> >Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication
> >failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local
> >user=first.last
> >Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user
> >first.last: 4 (System error)
> >Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure
> >for first.last from remote_host.x.y.local
> >
> >
> >*Under krb5_child.log*
> >
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer]
> >(0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true]
> >enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer]
> >(0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set]
> >keytab: [/etc/krb5.keytab]
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast]
> >(0x0100): Not using FAST.
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
> >[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user]
> >(0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
> >[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> >from environment.
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
> >[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> >environment.
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
> >[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac]
> >(0x0040): sss_pac_make_request failed [-1][2].
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt]
> >(0x0040): sss_send_pac failed, group membership for user with principal
> >[first.last\@COMPANY.COM@x.y.local] might not be correct.
> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache]
> >(0x0020): 733: [13][Permission denied]
> Here is the problem.
>
> sssd failed to initialize krb5 context for some reason.
>
> kerr = krb5_init_context(&kctx);
>
> I can see that it tried to use keyring ccache. "ccname:
> [KEYRING:persistent:xxxxxxxx]". Does it work with FILE cache?
> Because IIRC there is KEYRING ccache in rhel6 but it does not support
> collections ccache as in el7.
>
> Are you able to kinit from command line?
>
> I can also see that it tried to kinit with enterprise principal.
>
> Are you able to kinit with it? "kinit -E"
>
> Could you share your krb5.conf?
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
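The krb5_child.log excerpts quoted in this thread carry three kinds of numeric codes in square brackets: a plain function return (`[-1]`), a Unix errno (`[2]`, `[13]`) and 32-bit com_err codes (`[-1765328243]` from the krb5 table, `[1432158209]` which the library can only print as "Unknown code UUz 1"). The following is an added example, not code from the thread or from SSSD: it parses the `(timestamp) [[sssd[krb5_child[pid]]]] [function] (0xLEVEL): message` line format, keeps only the failure-level entries (SSSD debug bits 0x0010 to 0x0080 per sssd.conf(5)) and decodes each bracketed code, reproducing com_err's public `error_table_name()` algorithm to turn `1432158209` into table "UUz", offset 1. The sample log is the May 12 excerpt with the e-mail line wrapping undone; it is embedded here as constructed input.

```python
"""Triage helper for SSSD krb5_child.log excerpts (added example, not SSSD code)."""
import errno
import os
import re
from dataclasses import dataclass

# Constructed sample: the May 12 krb5_child.log lines from the thread, unwrapped.
SAMPLE_LOG = """\
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.x.y.local@X.Y.LOCAL].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\\@ABC@X.Y.LOCAL] might not be correct.
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [main] (0x0400): krb5_child completed successfully
"""

# "(ts) [[sssd[component[instance]]]] [function] (0xLEVEL): message"; the same
# pattern also matches the "[sssd[be[x.y.local]]]" form of the backend log.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "
    r"\[+sssd\[(?P<comp>\w+)\[(?P<inst>[^\]]+)\]\]+ "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
CODE_RE = re.compile(r"\[(-?\d+)\]")   # numeric codes in square brackets

# Debug-level bits as documented for debug_level in sssd.conf(5).
DEBUG_LEVELS = {
    0x0010: "fatal failure", 0x0020: "critical failure",
    0x0040: "serious failure", 0x0080: "minor failure",
    0x0100: "configuration settings", 0x0200: "function data",
    0x0400: "operation trace", 0x1000: "internal control trace",
    0x2000: "function-internal variables", 0x4000: "low-level library trace",
}
FAILURE_MASK = 0x00F0

# com_err's error_table_name(): 32-bit code, top 24 bits hold four 6-bit chars.
ERRCODE_RANGE = 8
BITS_PER_CHAR = 6
CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"


def com_err_table(code: int) -> tuple[str, int]:
    """Split a com_err code into (table name, offset within the table)."""
    num = ((code & 0xFFFFFFFF) >> ERRCODE_RANGE) & 0o77777777
    name = ""
    for i in range(3, -1, -1):
        ch = (num >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:                       # zero sextets are padding, not characters
            name += CHAR_SET[ch - 1]
    return name, code & ((1 << ERRCODE_RANGE) - 1)


def describe_code(code: int) -> str:
    """Classify a bracketed code as return value, errno or com_err code."""
    if -4096 < code < 0:
        return f"{code} (generic failure return)"
    if 0 <= code < 4096:             # small positives in these logs are errno values
        return f"{code} ({errno.errorcode.get(code, '?')}: {os.strerror(code)})"
    table, offset = com_err_table(code)
    return f"{code} (com_err table '{table}', offset {offset})"


@dataclass
class Entry:
    ts: str
    component: str
    instance: str
    func: str
    level: int
    msg: str

    @property
    def is_failure(self) -> bool:
        return bool(self.level & FAILURE_MASK)

    @property
    def codes(self) -> list[int]:
        return [int(c) for c in CODE_RE.findall(self.msg)]


def parse_log(text: str) -> list[Entry]:
    """Parse every line that matches the SSSD log format; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["comp"], m["inst"], m["func"],
                                 int(m["level"], 16), m["msg"]))
    return entries


def failures(text: str) -> list[Entry]:
    return [e for e in parse_log(text) if e.is_failure]


def triage(text: str) -> list[str]:
    """One line per failure-level entry, in log order, with its codes decoded."""
    out = []
    for e in failures(text):
        decoded = "; ".join(describe_code(c) for c in e.codes) or "no numeric code"
        out.append(f"{e.func}: {DEBUG_LEVELS.get(e.level, hex(e.level))}: {e.msg} -> {decoded}")
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run over the sample, the four failure-level entries come out in order: `sss_send_pac` with errno 2 (ENOENT, the socket the child tried to open does not exist), `validate_tgt` with no code, `create_ccache` with errno 13 (EACCES) and `map_krb5_error` with `1432158209` decoded as table "UUz", offset 1, which is exactly why libkrb5 prints "Unknown code UUz 1": the code belongs to a table it has no message strings for. Note that the child's closing "krb5_child completed successfully" refers to the child process finishing its run; the result the parent acts on is the error code sent just before it.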