We are still unable to make SSSD work with RODC.

While checking a few other logs, I came across the following under krb5_child.log. Does this help in isolating the issue in any way?

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.x.y.local@X.Y.LOCAL].

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656134: Retrieving first.last@X.Y.LOCAL -> host/hostname.x.y.local@X.Y.LOCAL from MEMORY:rd_req2 with result: 0/Success

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656242: Retrieving host/hostname.x.y.local@X.Y.LOCAL from MEMORY:/etc/krb5.keytab (vno 5, enctype rc4-hmac) with result: 0/Success

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@ABC@X.Y.LOCAL] might not be correct.

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656339: Destroying ccache MEMORY:rd_req2

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/var/tmp/krb5cc_233006683]

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [create_ccache] (0x0020): 733: [13][Permission denied]

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x0200): Received error code 1432158209

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [pack_response_packet] (0x2000): response packet size: [20]

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x4000): Response sent.

(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [main] (0x0400): krb5_child completed successfully

The file /var/tmp/krb5cc_233006683 doesn't exist, though.

Under /var/log/secure, we are still getting the same error message when access is denied.

May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd.x.y.local user=first.last

May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): received for user first.last: 4 (System error)

Thanks,

~ Abhi

Sent from my iPhone
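
A small triage script, added here as an example and not taken from the thread, that parses krb5_child.log records of the form quoted above and maps the two failure signatures in them (sss_pac_make_request returning errno 2, create_ccache returning errno 13) to the check I would run next. The sample lines are constructed from the quoted log; the hints in SIGNATURES are my assumptions, not guidance from the thread.

```python
import errno
import os
import re

# Constructed sample, modelled on the krb5_child.log lines quoted in the thread.
SAMPLE_LOG = """\
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.x.y.local@X.Y.LOCAL].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [main] (0x0400): krb5_child completed successfully
"""

# One krb5_child.log record: timestamp, child pid, logging function, debug level, message.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
INT_RE = re.compile(r"\[(-?\d+)\]")  # bracketed integers such as [-1][2] or [13]

# Failure signatures seen in the thread, keyed by (function, errno). The hints are
# the checks I would run next; they are assumptions, not advice from the thread.
SIGNATURES = {
    ("sss_send_pac", errno.ENOENT):
        "PAC responder socket is missing: confirm 'pac' is in services= in sssd.conf.",
    ("create_ccache", errno.EACCES):
        "ccache could not be created as the user: check ownership/mode and SELinux "
        "denials for the default_ccache_name directory.",
}

def parse_line(line):
    # Split one log line into its fields; None if it is not a krb5_child record.
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Return one finding per line whose (function, errno) matches a known signature."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # The errno is the last non-negative bracketed integer in the message.
        codes = [int(c) for c in INT_RE.findall(rec["msg"]) if int(c) >= 0]
        if not codes or (rec["func"], codes[-1]) not in SIGNATURES:
            continue
        findings.append({"pid": int(rec["pid"]), "func": rec["func"], "errno": codes[-1],
                         "strerror": os.strerror(codes[-1]),
                         "hint": SIGNATURES[(rec["func"], codes[-1])]})
    return findings
```

Run it over a real krb5_child.log captured at debug_level 10 and each finding prints the pid, the failing function and the next check; lines that carry no known signature are ignored.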

On Feb 21, 2017, at 9:48 AM, Abhijit Tikekar <abhijittikekar@gmail.com> wrote:

Hi,

I tried replacing KEYRING with a FILE option but same results.

#default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}


When I try using kinit -E, it asks for the principal password. But the keytab was created using a "rndpass" option so I am not really sure what to put as a password.

]# kinit -E
Password for host/hostname.x.y.local@X.Y.LOCAL:

Here is the complete krb5.conf file:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = X.Y.LOCAL
#dns_lookup_realm = true
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
#default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
default_keytab_name = /etc/krb5.keytab
[realms]
X.Y.LOCAL = {
kdc = RODC.x.y.local:88
admin_server = RODC.x.y.local:749
default_domain = x.y.local
}
[domain_realm]
.x.y.local = X.Y.LOCAL
x.y.local = X.Y.LOCAL

Thanks,

~ Abhi

On Tue, Feb 21, 2017 at 2:22 AM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (20/02/17 11:33), Abhijit Tikekar wrote:
>Hi Jakub,
>
>ldap_id_mapping was set to "false" on this server. Once I set it to "true",
>both id and getent started working. But the user authentication via SSH
>still does not go through.
>
>We see the following in SSSD logs(Debug level set to 5)
>
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info]
>(0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
>(0x0100): Trying to resolve service 'AD_GC'
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
>[be_resolve_server_process] (0x0200): Found address for server
>RODC.x.y.local: [RODC IP] TTL 7200
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>(0x0100): Constructed uri 'ldap://RODC.x.y.local'
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>(0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
>[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
>level to [6]
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
>(0x0100): Trying to resolve service 'AD'
>(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
>[be_resolve_server_process] (0x0200): Found address for server
>RODC.x.y.local: [RODC IP] TTL 7200
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step]
>(0x0100): expire timeout is 900
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100):
>Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler]
>(0x0100): child [17466] finished successfully.
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status]
>(0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status]
>(0x0100): Marking server 'RODC.x.y.local' as 'working'
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]]
>[sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for
>SID S-1-5-21-<....ID....>
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback]
>(0x0100): Request processed. Returned 0,0,Success
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100):
>Got request with the following data
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>command: SSS_PAM_AUTHENTICATE
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>domain: x.y.local
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>user: first.last
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>service: sshd
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>tty: ssh
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>ruser:
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>rhost: remote_host.x.y.local
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>authtok type: 1
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>newauthtok type: 0
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>priv: 1
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>cli_pid: 17465
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>logon name: not set
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100):
>Home directory for user [first.last] not known.
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
>(0x0100): Trying to resolve service 'AD'
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]]
>[be_resolve_server_process] (0x0200): Found address for server
>RODC.x.y.local: [RODC IP] TTL 7200
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>(0x0100): Constructed uri 'ldap://RODC.x.y.local'
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>(0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
>(0x0100): Backend returned: (0, 4, <NULL>) [Success]
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
>(0x0100): Sending result [4][x.y.local]
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
>(0x0100): Sent result [4][x.y.local]
>(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler]
>(0x0100): child [17467] finished successfully.
>
>
>
>*And the following under /var/log/secure*
>
>Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local
>user=first.last
>Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local
>user=first.last
>Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user
>first.last: 4 (System error)
>Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure
>for first.last from remote_host.x.y.local
>
>
>*Under krb5_child.log*
>
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer]
>(0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true]
>enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer]
>(0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set]
>keytab: [/etc/krb5.keytab]
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast]
>(0x0100): Not using FAST.
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user]
>(0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
>from environment.
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
>environment.
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac]
>(0x0040): sss_pac_make_request failed [-1][2].
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt]
>(0x0040): sss_send_pac failed, group membership for user with principal
>[first.last\@COMPANY.COM@x.y.local] might not be correct.
>(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache]
>(0x0020): 733: [13][Permission denied]
Here is the problem.

sssd failed to initialize krb5 context for some reason.

  kerr =  krb5_init_context(&kctx);

I can see that it tried to use keyring ccache. "ccname:
[KEYRING:persistent:xxxxxxxx]". Does it work with FILE cache?
Because IIRC there is KEYRING ccache in rhel6 but it does not support
collections ccache as in el7.

Are you able to kinit from command line?

I can also see that it tried to kinit with enterprise principal.

Are you able to kinit with it? "kinit -E"

Could you share your krb5.conf?

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org