The PAC contains password credentials among other things: http://blogs.msdn.com/b/openspecification/archive/2009/04/24/understanding-microsoft-kerberos-pac-validation.aspx
I don't know if I understand PAC well - I haven't needed it until now. AD, multi-domain logins and kerberized NFS work well without an explicit PAC service in SSSD. How could it help?

Best,
Longina
> -----Original message-----
> From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On behalf of Sumit Bose
> Sent: 10 July 2015 10:22
> To: End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] ssh passwordless with sssd-1.12.5
>
> On Thu, Jul 09, 2015 at 04:06:05PM +0000, Longina Przybyszewska wrote:
> > Hi,
> > I have SSSD setup with AD as auth/id provider in multi domain trust realm, and POSIX attributes in AD for users.
> > With this setup users can use short names (short names match sAMAccountName in AD user object) for login and get access to their homedir, NFS mounted with Kerberos security.
> > The "short user names" are unique across domains in realm.
> >
> > Setup works fine, even after recently made possible sssd upgrade to 1.12.5 (all Linux clients run Ubuntu LTS).
> >
> > We would like to establish passwordless ssh between all AD-integrated clients - and have problems.
> > The important detail is, that all machines are in one domain, while users can be from other domains inclusive, machine's domain.
> >
> > Until now, passwordless ssh is possible when user and machine are from the same domain.
> >
> > Users from domains other than machine's own domain are asked for passwd.
> > All tickets for host and nfs service in user's cache seem to be ok.
> >
> > After debugging ssh/sshd session it seems that connection ssh <--> sshd fails on user authorization.
> > Any ideas?
> >
> >
> > Ssh client side debug:
> > ----------------------------------
> > [9537] 1436450526.619393: Got service principal host/lnx.a.c.realm@A.C.REALM
> > [9537] 1436450526.621139: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
> > [9537] 1436450526.621254: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
> > [9537] 1436450526.621355: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
> > [9537] 1436450526.621490: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 1059254370, subkey aes256-cts/4255, session key aes256-cts/2F16
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> > [9537] 1436450526.623050: Convert service host (service with host as instance) on host lnx.a.c.realm to principal
> > [9537] 1436450526.624716: Remote host after forward canonicalization: lnx.a.c.realm
> > [9537] 1436450526.624760: Remote host after reverse DNS processing: lnx.a.c.realm
> > [9537] 1436450526.624793: Got service principal host/lnx.a.c.realm@A.C.REALM
> > [9537] 1436450526.626601: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
> > [9537] 1436450526.626719: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
> > [9537] 1436450526.626821: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
> > [9537] 1436450526.626984: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
> > [9537] 1436450526.627067: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
> > [9537] 1436450526.627162: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 778106202, subkey aes256-cts/CBE6, session key aes256-cts/2F16
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> >
> >
> > sshd server side debug:
> > ------------------------------------
> > ....
> > debug2: input_userauth_request: setting up authctxt for longina [preauth]
> > debug3: mm_start_pam entering [preauth]
> > debug3: mm_request_send entering: type 100 [preauth]
> > debug3: mm_inform_authserv entering [preauth]
> > debug3: mm_request_send entering: type 4 [preauth]
> > debug2: input_userauth_request: try method none [preauth]
> > debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
> > debug3: mm_request_receive entering
> > debug3: monitor_read: checking request 100
> > debug1: PAM: initializing for "longina"
> > debug1: PAM: setting PAM_RHOST to "10.80.8.108"
> > debug1: PAM: setting PAM_TTY to "ssh"
> > debug2: monitor_read: 100 used once, disabling now
> > debug3: mm_request_receive entering
> > debug3: monitor_read: checking request 4
> > debug3: mm_answer_authserv: service=ssh-connection, style=, role=
> > debug2: monitor_read: 4 used once, disabling now
> > debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
> > debug1: attempt 1 failures 0 [preauth]
> > debug2: input_userauth_request: try method gssapi-with-mic [preauth]
> > debug3: mm_request_send entering: type 42 [preauth]
> > debug3: mm_request_receive_expect entering: type 43 [preauth]
> > debug3: mm_request_receive entering [preauth]
> > debug3: mm_request_receive entering
> > debug3: monitor_read: checking request 42
> > debug3: mm_request_send entering: type 43
> > Postponed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2 [preauth]
> > debug3: mm_request_send entering: type 44 [preauth]
> > debug3: mm_request_receive_expect entering: type 45 [preauth]
> > debug3: mm_request_send entering: type 47
> > Failed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2
> > debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
>
> Chances are that mapping the Kerberos principal to the local user name fails.
> Since the Kerberos ticket only contains the Kerberos principal and it is not desirable that any user with a valid Kerberos ticket can log in as any local user, the Kerberos client library has to do some mapping between the Kerberos principal and the local user name.
>
> There are various mapping schemes available. For testing (especially since I'm not too familiar with Kerberos on Ubuntu) I would recommend creating a .k5login file in the home directory of the user you want to log in as. The .k5login file should contain the Kerberos principal which should be allowed to log in as this user, e.g. longina@N.C.REALM in your case (please note that Kerberos is case-sensitive). Please check permissions on .k5login as well, only the user itself should be able to access it.
>
> If this works but you don't want to add a .k5login file for every user please tell me which Kerberos version is used on your Ubuntu system to see which other schemes are available.
>
> HTH
>
> bye,
> Sumit
>
> > debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
> > debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
> > debug1: attempt 2 failures 1 [preauth]
> > debug2: input_userauth_request: try method gssapi-with-mic [preauth]
> > debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
> > debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
> > debug1: attempt 3 failures 1 [preauth]
> > debug2: input_userauth_request: try method gssapi-with-mic [preauth]
> > debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
> > debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
> > debug1: attempt 4 failures 1 [preauth]
> > debug2: input_userauth_request: try method gssapi-with-mic [preauth]
> > debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
> >
> >
> > sssd.conf
> > -------------
> > [nss]
> > debug_level = 9
> > filter_groups = root
> > filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
> > #override_home_directory = /home/%u
> >
> > [sssd]
> > debug_level = 6
> > domains = n.c.realm,a.c.realm,c.realm
> > #default_domain_suffix = c.realm
> > config_file_version = 2
> > services = nss,pam,ssh
> >
> > [pam]
> > pam_verbosity = 3
> > debug_level = 9
> >
> >
> > [domain/n.c.realm]
> > debug_level = 9
> > dyndns_update = false
> > id_provider = ad
> > access_provider = ad
> > auth_provider = ad
> > chpass_provider = ad
> > ad_domain = n.c.realm
> > krb5_realm = N.C.REALM
> > default_shell = /bin/bash
> > use_fully_qualified_names = False
> > ldap_id_mapping = False
> > subdomains_provider = none
> > ad_hostname = lnx.a.c.realm
> > ad_gpo_access_control = disabled
> >
> > [domain/a.c.realm]
> > debug_level = 9
> > dyndns_update = false
> > id_provider = ad
> > access_provider = ad
> > auth_provider = ad
> > chpass_provider = ad
> > ad_domain = a.c.realm
> > krb5_realm = A.C.REALM
> > default_shell = /bin/bash
> > use_fully_qualified_names = False
> > ldap_id_mapping = False
> > subdomains_provider = none
> > ad_hostname = lnx.a.c.realm
> > ad_gpo_access_control = disabled
> >
> > [domain/c.realm]
> > debug_level = 9
> > dyndns_update = true
> > dyndns_update_ptr = false
> > ad_hostname = lnx.a.c.realm
> > id_provider = ad
> > access_provider = ad
> > auth_provider = ad
> > chpass_provider = ad
> > ad_domain = c.realm
> > krb5_realm = C.REALM
> > default_shell = /bin/bash
> > use_fully_qualified_names = False
> > ldap_id_mapping = False
> > subdomains_provider = none
> > ad_gpo_access_control = disabled
> >
> >
> > best
> > Longina
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users@lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
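An added illustration of the two mapping paths Sumit describes; it is not code from this thread, from SSSD or from MIT krb5. It models, as a stated simplification, libkrb5's default principal-to-local-name rule (only a one-component principal in the host's own realm maps, so longina@N.C.REALM gets no local name on a host whose default realm is assumed to be A.C.REALM), and a .k5login check that compares principals case-sensitively and insists the file belong to the user alone. The .k5login contents and the permission policy are constructed for the example.

```python
import os
import stat
import tempfile


def default_an2ln(principal, default_realm):
    """Simplified model (an assumption, not libkrb5's code) of the MIT krb5
    default aname-to-lname rule: a one-component principal in the host's
    default realm maps to that component; a service principal or a user from
    another realm (longina@N.C.REALM on a host in A.C.REALM) gets no mapping."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != default_realm or "/" in name or not name:
        return None
    return name


def k5login_allows(path, principal, owner_uid):
    """.k5login check as the thread describes it: one principal per line,
    compared case-sensitively, and the file must be owned by the user with
    no group/other access (a constructed policy, stricter than libkrb5)."""
    st = os.stat(path)
    if st.st_uid != owner_uid or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False
    with open(path) as fh:
        entries = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    return principal in entries


def demo():
    """Builds a constructed .k5login in a temp dir and exercises both paths."""
    home = tempfile.mkdtemp()
    path = os.path.join(home, ".k5login")
    with open(path, "w") as fh:
        fh.write("# principals allowed to log in as this user\nlongina@N.C.REALM\n")
    os.chmod(path, 0o600)
    uid = os.getuid()
    result = {
        "same_realm": default_an2ln("longina@A.C.REALM", "A.C.REALM"),   # 'longina'
        "cross_realm": default_an2ln("longina@N.C.REALM", "A.C.REALM"),  # None
        "k5login_ok": k5login_allows(path, "longina@N.C.REALM", uid),     # True
        "k5login_case": k5login_allows(path, "longina@n.c.realm", uid),   # False
    }
    os.chmod(path, 0o644)  # now readable by others: the file is rejected
    result["k5login_perms"] = k5login_allows(path, "longina@N.C.REALM", uid)
    return result


if __name__ == "__main__":
    print(demo())
```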