On 08/26/2015 10:00 AM, l(a)avc.su wrote:
Hi all.
I've enrolled a Linux machine into the domain using this tutorial:
http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux
machine or a Windows machine, but I can't log in using a password anymore.
Although I can obtain user info, request a TGT, and operate on this
server normally, I can't log in to it with a password.
I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir
--update', so all auth should be done in SSSD. I haven't configured
winbind with sssd.
I've managed to work around it by adding this line to
/etc/pam.d/system-auth:
auth sufficient pam_krb5.so
But this seems like the wrong way to do it. A very wrong and dirty way. Or
maybe I'm wrong?
I want to use SSSD as a service for id and auth, with AD as the backend.
Here's what debug4 says:
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username(a)domain.local]
(service pings)
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username(a)domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username(a)domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username(a)domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username(a)domain.local]
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD_GC'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed
uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed
GC uri 'ldap://AD.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100):
Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed
uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed
GC uri 'ldap://AD.domain.local'
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100):
Principal name is: [hostname$(a)domain.LOCAL]
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [MEMORY:/etc/krb5.keytab]
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout
is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl
bind mech: gssapi, user: hostname$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [7973]
finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0
of server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking
server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for
[ssh-username(a)domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the
following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with
the following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: ssh-username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost:
it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for
user [ssh-username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed
uri 'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed
GC uri 'ldap://AD.domain.local'
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid
[704417315] gid [704400513] validate [true] enterprise principal
[true] offline [false] UPN [ssh-username(a)DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_704417315_9XJZwx] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[7974]]]] [check_use_fast] (0x0100): Not using FAST.
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot
open the PAC responder socket
This seems to be a problem.
Because it leads to access denied, this is why you can't log in.
The PAC responder process is either not running or SELinux blocks the
socket, or something along those lines. Monitor logs should show if it
exists. Cores will be there if it crashes.
What distro is it? What version? Do you see any AVCs if you are using
SELinux?
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot
read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot
read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100):
SSSD_KRB5_CANONICALIZE is set to [true]
(service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac
failed, group membership for user with principal
[ssh-username\@DOMAIN.LOCAL(a)DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590:
[13][Permission denied]
[[sssd[krb5_child[7974]]]] [get_and_save_tgt] (0x0020): 1029:
[1432158209][Unknown code UUz 1]
[[sssd[krb5_child[7974]]]] [map_krb5_error] (0x0020): 1069:
[1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend
returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending
result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent
result [4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[be[ssh-username.local]]] [child_sig_handler] (0x0100): child
[7974] finished successfully.
Here's sssd.conf:
[domain/domain.local]
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
case_sensitive = false
cache_credentials = false
krb5_auth_timeout = 30
ad_domain = domain.local
ad_hostname = hostname.domain.local
ad_server = ad.domain.local, _srv_, ad2.domain.local
ad_backup_server = 192.168.0.13
ad_gpo_access_control = disabled
ldap_user_ssh_public_key = altSecurityIdentities
[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh
config_file_version = 2
[nss]
filter_users = root
filter_groups = root
default_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 2
[pam]
debug_level = 2
offline_credentials_expiration = 7 # days
offline_failed_login_attempts = 6
offline_failed_login_delay = 5 # minutes
pam_pwd_expiration_warning = 5
[ssh]
debug_level=2
Here's nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Here's krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.LOCAL = {
# using dns lookup, nothing to write here
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
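As an added example (not from either participant in this thread), a small Python triage script that parses the krb5_child debug lines quoted above and correlates the failure chain (TGT validation requested, PAC responder socket unavailable, ccache creation denied) with whether a `pac` responder is listed under `services` in the [sssd] section. The sample log and config are constructed from the thread; that a missing `pac` entry is the cause in this particular case is an assumption for the administrator to verify, not a conclusion the thread states.

```python
import re

# One SSSD debug line, e.g. "[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]"
LINE_RE = re.compile(r"^\[+sssd\[(?P<comp>.+?)\]+\s+\[(?P<func>[^\]]+)\]\s+\((?P<lvl>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")
FAILURE_LEVELS = {0x0010, 0x0020, 0x0040, 0x0080}  # SSSD fatal / critical / serious / minor failure masks

# Constructed sample: the krb5_child trail quoted in the thread, unwrapped onto single lines
SAMPLE_LOG = """\
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid [704417315] gid [704400513] validate [true] enterprise principal [true] offline [false] UPN [ssh-username@DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
"""
# Constructed sample: the [sssd] section as posted, with no 'pac' responder in the services list
SAMPLE_CONF = """\
[domain/domain.local]
auth_provider = ad
[sssd]
services = nss,pam,ssh
"""

def parse(log):
    """Structured entries; lines that do not match (e.g. '(service pings)') are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def failures(entries, component="krb5_child"):
    """(function, message) pairs the given component logged at a failure level."""
    return [(e["func"], e["msg"]) for e in entries
            if e["comp"].startswith(component) and int(e["lvl"], 16) in FAILURE_LEVELS]

def services(sssd_conf):
    """Responders listed under 'services =' in the [sssd] section (comments stripped)."""
    section = None
    for raw in sssd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "sssd" and line.startswith("services"):
            return [s.strip() for s in line.split("=", 1)[1].split(",") if s.strip()]
    return []

def diagnose(log, sssd_conf):
    """Correlate the krb5_child failure chain with the responders sssd.conf actually starts."""
    entries = parse(log)
    fails = failures(entries)
    return {
        "tgt_validation_requested": any(e["func"] == "unpack_buffer" and "validate [true]" in e["msg"] for e in entries),
        "pac_socket_failed": any("PAC responder socket" in m for _, m in fails),
        "ccache_permission_denied": any(f == "create_ccache" and "Permission denied" in m for f, m in fails),
        "pac_responder_enabled": "pac" in services(sssd_conf),
    }
```

Run `diagnose()` against a real debug log and sssd.conf; when validation is requested but `pac_responder_enabled` is false, also check the monitor log and SELinux AVCs as the reply suggests, since a blocked socket produces the same krb5_child messages.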