Maybe you just need to add "pac" to services = nss,pam,ssh

Regards
Davor

-- Sent from my mobile! --

From: Longina Przybyszewska
Sent: 2015-07-09 18:06
To: End-user discussions about the System Security Services Daemon (sssd-users@lists.fedorahosted.org)
Subject: [SSSD-users] ssh passwordless with sssd-1.12.5

Hi,

I have SSSD set up with AD as auth/id provider in a multi-domain trust realm, and POSIX attributes in AD for users.

With this setup users can use short names (short names match the sAMAccountName in the AD user object) for login and get access to their homedir, NFS mounted with Kerberos security.

The "short user names" are unique across domains in the realm.

The setup works fine, even after the recent upgrade of sssd to 1.12.5 (all Linux clients run Ubuntu LTS).

We would like to establish passwordless ssh between all AD-integrated clients, and have problems.

The important detail is that all machines are in one domain, while users can be from other domains, including the machine's domain.

Until now, passwordless ssh is possible when user and machine are from the same domain.

Users from domains other than the machine's own domain are asked for a password.

All tickets for the host and nfs service in the user's cache seem to be ok.

After debugging the ssh/sshd session it seems that the ssh <-> sshd connection fails on user authorization.

Any ideas?

Ssh client side debug:
----------------------------------
[9537] 1436450526.619393: Got service principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.621139: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.621254: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.621355: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.621490: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 1059254370, subkey aes256-cts/4255, session key aes256-cts/2F16
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
[9537] 1436450526.623050: Convert service host (service with host as instance) on host lnx.a.c.realm to principal
[9537] 1436450526.624716: Remote host after forward canonicalization: lnx.a.c.realm
[9537] 1436450526.624760: Remote host after reverse DNS processing: lnx.a.c.realm
[9537] 1436450526.624793: Got service principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.626601: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.626719: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.626821: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.626984: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.627067: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.627162: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 778106202, subkey aes256-cts/CBE6, session key aes256-cts/2F16
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey

sshd server side debug:
------------------------------------
....
debug2: input_userauth_request: setting up authctxt for longina [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "longina"
debug1: PAM: setting PAM_RHOST to "10.80.8.108"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: mm_request_send entering: type 42 [preauth]
debug3: mm_request_receive_expect entering: type 43 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 42
debug3: mm_request_send entering: type 43
Postponed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2 [preauth]
debug3: mm_request_send entering: type 44 [preauth]
debug3: mm_request_receive_expect entering: type 45 [preauth]
debug3: mm_request_send entering: type 47
Failed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2
debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 3 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 4 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]

sssd.conf
-------------
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
#override_home_directory = /home/%u

[sssd]
debug_level = 6
domains = n.c.realm,a.c.realm,c.realm
#default_domain_suffix = c.realm
config_file_version = 2
services = nss,pam,ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/n.c.realm]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = n.c.realm
krb5_realm = N.C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_hostname = lnx.a.c.realm
ad_gpo_access_control = disabled

[domain/a.c.realm]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.realm
krb5_realm = A.C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_hostname = lnx.a.c.realm
ad_gpo_access_control = disabled

[domain/c.realm]
debug_level = 9
dyndns_update = true
dyndns_update_ptr = false
ad_hostname = lnx.a.c.realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = c.realm
krb5_realm = C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_gpo_access_control = disabled


best

Longina
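
An added example, not code from this thread, from sssd or from OpenSSH. The server-side trace above ends in `mm_ssh_gssapi_userok: user not authenticated` after the GSSAPI exchange itself went through, i.e. sshd accepted the ticket for `longina@N.C.REALM` but declined to authorize that principal for the local account `longina`. For the Kerberos mechanism OpenSSH hands that decision to `krb5_kuserok()`, which is answered by `~/.k5login` if present and otherwise by the `auth_to_local` mapping in krb5.conf. With no rules configured MIT applies only its DEFAULT rule, which maps a one-component principal to its name solely when the principal's realm equals the host's default realm; that matches the symptom of same-domain users logging in and users from the other trusted domains being asked for a password. The script below is a simplified re-implementation of the documented `RULE:[n:string](regexp)s/pattern/replacement/g` and `DEFAULT` evaluation, run against principals taken from the traces. The `TRUSTED_RULES` and `UNSAFE_RULES` sets, the `EVIL.REALM` principal and all helper names are constructed for illustration; the code does not model sssd's own localauth plugin or its pac responder, which are the other ways of making this mapping.

```python
"""Toy model of the authorization step sshd performs after a successful GSSAPI
exchange: krb5_kuserok(principal, local_user), answered by ~/.k5login or the
krb5.conf auth_to_local mapping.  Added example: a simplified re-implementation,
not MIT's code (replacements are literal, no nested parentheses in the regexp
part, rule syntax as documented for krb5.conf)."""
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# RULE:[n:string](regexp)s/pattern/replacement/g  -- (regexp) and s/// are optional
_RULE = re.compile(r'^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$')
_SUBST = re.compile(r's/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)')


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition('@')
    if not sep or not name or not realm:
        raise ValueError(f"not a qualified principal: {principal!r}")
    return name.split('/'), realm


def apply_rule(rule: str, comps: Sequence[str], realm: str) -> Optional[str]:
    """Evaluate one RULE entry; None means the rule does not apply."""
    m = _RULE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    n, selector, regexp, substs = m.groups()
    if _SUBST.sub('', substs):                     # text left over after the s/// parts
        raise ValueError(f"unsupported substitution syntax in: {rule!r}")
    if int(n) != len(comps):                       # [n:...] needs exactly n components
        return None
    # $1..$n are the components, $0 the realm (replace high to low so $1 != $10)
    formatted = selector
    for i in range(len(comps), 0, -1):
        formatted = formatted.replace(f'${i}', comps[i - 1])
    formatted = formatted.replace('$0', realm)
    # the (regexp) part must match the whole formatted string (assumption: this
    # mirrors MIT, which rejects partial matches)
    if regexp is not None and re.fullmatch(regexp, formatted) is None:
        return None
    # s/pattern/replacement/[g]: the replacement is inserted literally
    result = formatted
    for pat, repl, g in _SUBST.findall(substs):
        result = re.sub(pat, lambda _m, r=repl: r, result, count=0 if g else 1)
    return result or None


def aname_to_localname(principal: str, default_realm: str,
                       auth_to_local: Iterable[str] = ('DEFAULT',)) -> Optional[str]:
    """First matching auth_to_local entry wins; None models KRB5_LNAME_NOTRANS."""
    comps, realm = parse_principal(principal)
    for entry in auth_to_local:
        if entry == 'DEFAULT':
            # DEFAULT maps only one-component principals of the default realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        mapped = apply_rule(entry, comps, realm)
        if mapped is not None:
            return mapped
    return None


def kuserok(principal: str, local_user: str, default_realm: str,
            auth_to_local: Iterable[str] = ('DEFAULT',),
            k5login: Optional[Iterable[str]] = None) -> bool:
    """Model of krb5_kuserok(): an existing ~/.k5login is authoritative,
    otherwise the mapped local name must equal the account being logged into."""
    if k5login is not None:
        return principal in set(k5login)
    return aname_to_localname(principal, default_realm, auth_to_local) == local_user


# --- scenario from the thread (principal and realms taken from the traces) ---
HOST_REALM = "A.C.REALM"                 # lnx.a.c.realm is joined to A.C.REALM
USER = "longina@N.C.REALM"               # client principal in the ssh -v trace

# Constructed auth_to_local set for krb5.conf: one rule per trusted realm of
# the forest, each pinned to that realm; DEFAULT keeps same-realm logins working.
TRUSTED_RULES = (
    r'RULE:[1:$1@$0](^.*@N\.C\.REALM$)s/@.*//',
    r'RULE:[1:$1@$0](^.*@C\.REALM$)s/@.*//',
    'DEFAULT',
)
# Constructed over-broad rule: strips the realm from any principal whatsoever.
UNSAFE_RULES = ('RULE:[1:$1]',)


if __name__ == '__main__':
    print("stock config, same realm   :", kuserok("longina@A.C.REALM", "longina", HOST_REALM))
    print("stock config, other realm  :", kuserok(USER, "longina", HOST_REALM))
    print("pinned rules, other realm  :", kuserok(USER, "longina", HOST_REALM, TRUSTED_RULES))
    print("pinned rules, unknown realm:", kuserok("longina@EVIL.REALM", "longina", HOST_REALM, TRUSTED_RULES))
    print("unsafe rule, unknown realm :", kuserok("longina@EVIL.REALM", "longina", HOST_REALM, UNSAFE_RULES))
```

The rules are pinned to realm names on purpose: `auth_to_local` is an authorization boundary, and a rule such as `RULE:[1:$1]` would let any principal whose realm the KDC trust path ever makes reachable log in as the local account of the same name. Whatever mapping method is chosen (static rules, `.k5login`, or sssd's localauth plugin), the quick check on the host is `ssh -v` plus sshd at `LogLevel DEBUG3` as in the traces above: a context that completes and then fails in `mm_ssh_gssapi_userok` is a mapping problem, not a ticket problem.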