Hi Sumit,
I'm starting sshd by "service sshd restart" every time.
You can find below logs from "tail -f /var/log/secure /var/log/audit/audit.log"
from the moment of trying to log in from the AD Windows station with SELinux=1:
[root@client1 ~]# tail -f /var/log/secure /var/log/audit/audit.log
==> /var/log/secure <==
Nov 7 08:14:08 client1 sshd[19874]: debug1: session_input_channel_req:
session 0 req shell
Nov 7 08:14:08 client1 sshd[19875]: debug1: Setting controlling tty using
TIOCSCTTY.
Nov 7 08:14:12 client1 su: pam_unix(su-l:session): session opened for user
root by leszek(uid=507)
Nov 7 08:14:59 client1 sshd[17287]: debug1: Got 100/242 for keepalive
Nov 7 08:19:59 client1 sshd[17287]: debug1: Got 100/243 for keepalive
Nov 7 08:21:27 client1 sshd[17876]: Received signal 15; terminating.
Nov 7 08:21:27 client1 sshd[19980]: Set /proc/self/oom_score_adj from 0 to
-1000
Nov 7 08:21:27 client1 sshd[19980]: debug1: Bind to port 22 on 0.0.0.0.
Nov 7 08:21:27 client1 sshd[19980]: Server listening on 0.0.0.0 port 22.
Nov 7 08:21:27 client1 sshd[19980]: socket: Address family not supported
by protocol
==> /var/log/audit/audit.log <==
type=PATH msg=audit(1415344887.668:20203): item=0 name="/var/lock/subsys/"
inode=8204 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:var_lock_t:s0 nametype=PARENT
type=PATH msg=audit(1415344887.668:20203): item=1
name="/var/lock/subsys/sshd" inode=51 dev=fd:03 mode=0100640 ouid=0 ogid=0
rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0 nametype=DELETE
type=AVC msg=audit(1415344887.708:20204): avc: denied { read } for
pid=19977 comm="sshd" name="tmp" dev=dm-3 ino=925
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
Have you checked if there is an update for the SELinux policy package? If
I run the AVC through audit2allow in Fedora 20 I get:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t var_t:lnk_file read;
I have GSSAPIAuthentication yes in the sshd_config.
klist on the Windows machine shows no entries for the sssd Linux client
machine.
To eliminate a problem on the Windows side, I created another test: trying to
log in by GSSAPI from the sssd client client1 to the same client client1.
[leszek@client1 ~]$ ssh client1.acme.example.com -l user1
Password:
Last login: Thu Nov 6 17:17:57 2014
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_vot8Ut
Default principal: USER1@ACME.EXAMPLE.COM
Valid starting     Expires            Service principal
11/07/14 08:34:42  11/07/14 18:34:42  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/14/14 08:34:42
and another "local" connection by GSSAPI:
-sh-4.1$ ssh client1.acme.example.com -l user1 -k -vv
gives me this:
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
So the problem is within client1.
I assume that on the Windows side there are still only service
principals with HOST/ instead of host/. Although Windows is typically
case-insensitive when it comes to Kerberos there still might be a
mismatch. Can you try to re-join with adcli and use the option
'--service-name=host/client1.acme.example.com@ACME.EXAMPLE.COM'
HTH
bye,
Sumit
/lm
2014-11-06 21:39 GMT+01:00 Sumit Bose <sbose(a)redhat.com>:
> On Thu, Nov 06, 2014 at 02:52:19PM +0100, crony wrote:
> > Thank you Sumit.
> > Right now I see:
> >
> > Unspecified GSS failure. Minor code may provide more information\nCannot
> > create replay cache file /var/tmp/host_0: Permission denied\n
>
> Did you, by chance, start sshd directly for debugging purposes and not
> via 'service sshd start'? In this case sshd will not run with the right
> SELinux context. Can you send the full AVC message?
>
> >
> > SELinux policy blocks it.
> >
> > Have you seen that before?
> >
> > --
> > After changing the policy to permissive mode, the failure from logs is
> > gone, but I still can't log in by GSSAPI from Windows Station to client1
> > station:
> >
> > Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14:
> > No supported authentication methods available
>
> Have you set
>
> GSSAPIAuthentication yes
>
> in /etc/ssh/sshd_config?
>
> Can you check on the Windows side if you got a Kerberos service ticket
> for the client running sssd by calling 'klist' in the Windows cmd shell?
>
> bye,
> Sumit
> >
> > 2014-11-06 11:33 GMT+01:00 Sumit Bose <sbose(a)redhat.com>:
> >
> > > On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
> > > > Hi Sumit,
> > > > I see this message:
> > > >
> > > > Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure.
> > > Minor
> > > > code may provide more information\nNo key table entry found matching
> > > > host/client1.acme.example.com@\n
> > >
> > > Kerberos in general is case sensitive. sshd is looking for host/...
> > > while the keytab only has HOST/.... The entries are created by adcli so
> > > maybe if you join with a newer version of adcli this will get fixed
> > > automatically.
> > >
> > > As an alternative you can use ktutil to add the needed entries. Make a
> > > copy of /etc/krb5.keytab before you start ktutil. Then you can use
> > >
> > > rkt /etc/krb5.keytab
> > >
> > > to load the keytab.
> > >
> > > list -e -k -t
> > >
> > > will show you the keys with all needed detail. With
> > >
> > > addent -k -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e
> > > aes256-cts-hmac-sha1-96
> > >
> > > You can start adding new entries. Please repeat this with all enc types
> > > listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM . ktutil will
> > > ask you for a key in hex, please copy the one shown by 'list -e -k -t'
> > > from above.
> > >
> > > If all is done you can write out the keytab with
> > >
> > > wkt /etc/krb5.keytab.new
> > >
> > > And then exchange the new one with the old one. Iirc ktutil always
> > > appends entries to existing files, so writing directly to
> > > /etc/krb5.keytab will blow up the file with duplicated entries.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > during every ssh connection with "-k" argument.
> > > >
> > > > # klist -k
> > > > 2 CLIENT1$@ACME.EXAMPLE.COM
> > > > 2 CLIENT1@ACME.EXAMPLE.COM
> > > > 2 CLIENT1$@ACME.EXAMPLE.COM
> > > > 2 CLIENT1$@ACME.EXAMPLE.COM
> > > > 2 CLIENT1$@ACME.EXAMPLE.COM
> > > > 2 CLIENT1$@ACME.EXAMPLE.COM
> > > > 2 HOST/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 HOST/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 HOST/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 HOST/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 HOST/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 HOST/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
> > > > 2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
> > > >
> > > >
> > > > After logging in with password I see:
> > > >
> > > > user1@client1.acme.example.com's password:
> > > > Last login: Thu Nov 6 09:51:49 2014 from
> > > > -sh-4.1$ klist
> > > > Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
> > > > Default principal: user1@ACME.EXAMPLE.COM
> > > >
> > > > Valid starting     Expires            Service principal
> > > > 11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
> > > >         renew until 11/13/14 09:57:13
> > > >
> > > > Any idea?
> > > >
> > > >
> > > > /lm
> > > >
> > > > On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> > > > > Hi All,
> > > > > I have a properly functioning integration between RHEL6.6/CentOS 6.6 and
> > > > > Active Directory 2008 using adcli tool and sssd-ad
> > > > > (http://jhrozek.livejournal.com/3581.html):
> > > > >
> > > > > # adcli join acme.example.com -U userdomain
> > > > >
> > > > > # adcli info acme.example.com
> > > > > [domain]
> > > > > domain-name = acme.example.com
> > > > > domain-short = ACME
> > > > > domain-forest = example.com
> > > > > domain-controller = dom1.acme.example.com
> > > > > domain-controller-site = CENTRAL
> > > > > domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> > > > > domain-controller-usable = yes
> > > > > domain-controllers = dom1.acme.example.com dom2.acme.example.com
> > > > > [computer]
> > > > > computer-site = CENTRAL
> > > > >
> > > > > The sssd.conf :
> > > > > [sssd]
> > > > > services = nss, pam, ssh
> > > > > config_file_version = 2
> > > > > domains = ACME.EXAMPLE.COM
> > > > > debug_level = 7
> > > > >
> > > > > [domain/ACME.EXAMPLE.COM]
> > > > > krb5_use_enterprise_principal = false
> > > > > krb5_realm = ACME.EXAMPLE.COM
> > > > > ldap_force_upper_case_realm = true
> > > > > ldap_account_expire_policy = ad
> > > > > override_homedir = /home/%d/%u
> > > > > ldap_id_mapping = true
> > > > > subdomain_enumerate = true
> > > > > ldap_schema = ad
> > > > > ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> > > > > ad_enable_gc = false
> > > > > ldap_access_order = filter, expire
> > > > > enumerate = false
> > > > > id_provider = ad
> > > > > auth_provider = ad
> > > > > access_provider = ad
> > > > > subdomains_provider = ad
> > > > > chpass_provider = ad
> > > > > ad_server = dom1.acme.example.com, dom2.acme.example.com
> > > > > ad_domain = acme.example.com
> > > > > ad_hostname = client1.acme.example.com
> > > > > ad_enable_dns_sites = false
> > > > > dyndns_update = false
> > > > > debug_level = 7
> > > > >
> > > > > /etc/krb5.conf:
> > > > > [logging]
> > > > > default = FILE:/var/log/krb5libs.log
> > > > > kdc = FILE:/var/log/krb5kdc.log
> > > > > admin_server = FILE:/var/log/kadmind.log
> > > > >
> > > > > [libdefaults]
> > > > > default_realm = acme.example.com
> > > > > dns_lookup_realm = true
> > > > > dns_lookup_kdc = true
> > > > > ticket_lifetime = 24h
> > > > > renew_lifetime = 7d
> > > > > forwardable = true
> > > > > rdns = true
> > > > > ignore_acceptor_hostname = true
> > > > >
> > > > > [realms]
> > > > > acme.example.com = {
> > > > > kdc = acme.example.com
> > > > > admin_server = acme.example.com
> > > > > }
> > > > >
> > > > > [domain_realm]
> > > > > .acme.example.com = acme.example.com
> > > > > acme.example.com = acme.example.com
> > > > > .example.com = acme.example.com
> > > > > example.com = acme.example.com
> > > > >
> > > > > [appdefaults]
> > > > > debug = true
> > > > >
> > > > > I can log in with user/password from AD to RHEL/CentOS, I can change the
> > > > > password, lock the account from AD, etc. It all works.
> > > > >
> > > > > The problem is within GSSAPI SSH-SSO Authentication. Simple, it doesn't
> > > > > work. I see in logs:
> > > > >
> > > > > Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.
> > > > > Minor code may provide more information\nNo key table entry found matching
> > > > > host/client1.acme.example.com@\n
> > > >
> > > > Do you see this message when sshd is starting up or during the
> > > > connection of a client?
> > > >
> > > > What principals are shown by 'klist -k' ?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > > Any idea what could be the reason? All I want to achieve is to get SSH-SSO
> > > > > working, directly from AD desktop machine to Linux systems without password
> > > > > prompt.
> > > > >
> > > > > /lm
> > > > >
> > > > > _______________________________________________
> > > > > sssd-users mailing list
> > > > > sssd-users at lists.fedorahosted.org
> > > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> > > >
> > > >
> > >
> >
> >
> >
>
--
Pozdrawiam Leszek Miś
www:
http://cronylab.pl
www:
http://emerge.pl
Nothing is secure, paranoia is your friend.
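The case mismatch discussed in this thread (sshd's GSSAPI acceptor looks for host/client1.acme.example.com@ACME.EXAMPLE.COM, the adcli-created keytab only holds HOST/...) can be checked from `klist -k -e` output before touching the keytab. The following is an added example, not code from the thread or from sssd/adcli; it assumes the MIT Kerberos `klist -k -e` line format and the `ktutil addent -key -p principal -k kvno -e enctype` syntax, and the sample listing is constructed from the principals shown above.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -e` output (MIT Kerberos format), modelled on
# the keytab in the thread: the client's FQDN only has upper-case HOST/ entries.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CLIENT1$@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 CLIENT1$@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (arcfour-hmac)
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")

def parse_keytab_listing(text):
    """Map (principal name, realm) -> [(kvno, enctype), ...] from klist -k -e output."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, name, realm, etype = m.groups()
            entries[(name, realm)].append((int(kvno), etype))
    return dict(entries)

def check_host_principal(entries, fqdn, realm):
    """sshd's GSSAPI acceptor looks up host/<fqdn>@<realm> with exactly that case.
    Returns (present, variants): variants are keytab names that differ from the
    expected one only in case, i.e. the HOST/ vs host/ mismatch from the thread."""
    expected = f"host/{fqdn}"
    present = (expected, realm) in entries
    variants = [n for (n, r) in entries
                if r == realm and n != expected and n.lower() == expected.lower()]
    return present, variants

def ktutil_commands(entries, variant, fqdn, realm):
    """ktutil session (the manual fix from the thread) adding a lower-case host/
    entry for every kvno/enctype of the mis-cased variant. addent -key prompts for
    the key in hex (copy it from 'list -e -k -t'); writing to a new file avoids
    appending duplicates to the live keytab."""
    cmds = ["rkt /etc/krb5.keytab", "list -e -k -t"]
    for kvno, etype in entries[(variant, realm)]:
        cmds.append(f"addent -key -p host/{fqdn}@{realm} -k {kvno} -e {etype}")
    cmds.append("wkt /etc/krb5.keytab.new")
    return cmds
```

To run it against a real host, replace SAMPLE_KLIST with the output of `klist -k -e` and call check_host_principal with the machine's FQDN and realm.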