Update:

 

Uninstalled and re-installed all realmd components.  Performed a realm join to parent domain.  Authentication to parent domain is restored but authentication to subdomain is still not working. 

 

Even though sssd is trying to authenticate to the correct domain controller it fails.  I suspect it is because sssd does not know about principal in child domain and keytab does not have entries for child domain host.

 

What do I need to do to point sssd to the master kdc in child domain and authenticate users?  Do we need to create a computer object for the server in child domain?

 

When you kinit to child domain (a.abc.com) – it fails “Response was not form master KDC” – it does go to the secondary domain controller in the child domain.

See output of KRB5_TRACE=/dev/stdout below.

Other configs and logs below:

Secure.log

Krb5.log

Output of realm list

Output of klist –k

Sssd.conf

Krb5.conf

Output of pam.d system-auth

 

[root@server01 log]# KRB5_TRACE=/dev/stdout kinit -V username@a.abc.com

Using default cache: /tmp/krb5cc_0

Using principal: username@a.abc.com

[21234] 1488228264.116970: Getting initial credentials for username@a.abc.com

[21234] 1488228264.117539: Sending request (209 bytes) to a.abc.com

[21234] 1488228264.246215: Resolving hostname sdc01.a.abc.com.

[21234] 1488228264.313399: Sending initial UDP request to dgram x.x.166.251:88

[21234] 1488228264.383772: Received answer (219 bytes) from dgram x.x.166.251:88

[21234] 1488228264.448453: Response was not from master KDC

[21234] 1488228264.448519: Received error from KDC: -1765328359/Additional pre-authentication required

[21234] 1488228264.448584: Processing preauth types: 16, 15, 19, 2

[21234] 1488228264.448622: Selected etype info: etype aes256-cts, salt "a.abc.comusername", params ""

Password for username@a.abc.com:

[21234] 1488228274.851028: AS key obtained for encrypted timestamp: aes256-cts/D574

[21234] 1488228274.851105: Encrypted timestamp (for 1488228256.665529): plain 301AA011180F32303137303232373230343431365AA10502030A27B9,

encrypted 6818747034DA70128C9E22CF1A56A1815E14509E91693BB286BB899BBAE65F321141405718086D119447EB82A34498D0E16EA8E2F5FF71CA

[21234] 1488228274.851138: Preauth module encrypted_timestamp (2) (real) returned: 0/Success

[21234] 1488228274.851170: Produced preauth for next request: 2

[21234] 1488228274.851208: Sending request (289 bytes) to a.abc.com

[21234] 1488228274.982261: Resolving hostname infsdcpci02.a.abc.com.

[21234] 1488228275.48986: Sending initial UDP request to dgram x.x.166.252:88

[21234] 1488228275.118201: Received answer (186 bytes) from dgram x.x.166.252:88

[21234] 1488228275.182721: Response was not from master KDC

[21234] 1488228275.182772: Received error from KDC: -1765328360/Preauthentication failed

[21234] 1488228275.182830: Preauth tryagain input types: 16, 15, 19, 2

[21234] 1488228275.182862: Retrying AS request with master KDC

[21234] 1488228275.182889: Getting initial credentials for username@a.abc.com

[21234] 1488228275.182963: Sending request (209 bytes) to a.abc.com (master)

kinit: Preauthentication failed while getting initial credentials

 

#########################################################################

 

secure.log – because we are using authlite for two-factor authentication, system-auth points to the auth.py script (note that it uses the same script for parent domain and successfully authenticates using two factor)

 

Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: Traceback (most recent call last):

Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:  File "/usr/lib64/security/auth.py", line 163, in pam_sm_authenticate

Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:    update_password(pamh)

Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:  File "/usr/lib64/security/auth.py", line 152, in update_password

Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]:    pwd.getpwnam(domain + sep + res['OTP'])

Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: KeyError: getpwnam(): name not found: a.abc.com

\jufgkdildfnkjvceveehvtfnckjleingtneevlgugrdhngrccjuirirnhckltihb

Feb 27 17:45:34 server01 cw[30366]: pam_sss(conwrks:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

user=username@a.abc.com

Feb 27 17:45:34 server01 cw[30366]: pam_sss(conwrks:auth): received for user username@a.abc.com: 4 (System error)

 

#####################################################################################

 

Krb5.log  (In ther krb5.log, sssd authenticates to the parent domain “Attempting kinit for realm [ABC.COM” and gets “KDC policy rejects” error.

 

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x0400): krb5_child started.

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x1000): total buffer size: [145]

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x0100): cmd [241] uid [1915601461] gid [1915601461] validate

[true] enterprise principal [true] offline [false] UPN [username@a.abc.com]

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x2000): No old ccache

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1915601461_XXXXXX] old_ccname:

[not set] keytab: [/etc/krb5.keytab]

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [check_use_fast] (0x0100): Not using FAST.

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [become_user] (0x0200): Trying to become user [1915601461][1915601461].

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x2000): Running as [1915601461][1915601461].

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [k5c_setup] (0x2000): Running as [1915601461][1915601461].

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from

environment.

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from

environment.

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x0400): Will perform online auth

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [tgt_req_child] (0x1000): Attempting to get a TGT

(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]

(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]

(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]

(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [k5c_send_data] (0x0200): Received error code 1432158209

(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [pack_response_packet] (0x2000): response packet size: [4]

(Mon Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [main] (0x0400): krb5_child completed successfully

 

 

[root@server01 etc]# realm list –all   (shouldn’t this output show both realms?)

abc.com

  type: kerberos

  realm-name: ABC.COM

  domain-name: abc.com

  configured: kerberos-member

  server-software: active-directory

  client-software: sssd

  required-package: oddjob

  required-package: oddjob-mkhomedir

  required-package: sssd

  required-package: adcli

  required-package: samba-common

  login-formats: %U

  login-policy: allow-permitted-logins

  permitted-logins:

  permitted-groups: Remote Access Users@abc.com, Remote Access Users@a.abc.com

 

 

######################################################

 

[root@PHXRASPCI01 pam.d]# klist –k   (keytab only has entries for parent domain)

Keytab name: FILE:/etc/krb5.keytab

KVNO Principal

---- --------------------------------------------------------------------------

   2 host/server01.abc.com@ABC.COM

   2 host/server01.abc.com@ABC.COM

   2 host/server01.abc.com@ABC.COM

   2 host/server01.abc.com@ABC.COM

   2 host/server01.abc.com@ABC.COM

   2 host/server01@ABC.COM

   2 host/server01@ABC.COM

   2 host/server01@ABC.COM

   2 host/server01@ABC.COM

   2 host/server01@ABC.COM

   2 SERVER01$@ABC.COM

   2 SERVER01$@ABC.COM

   2 SERVER01$@ABC.COM

   2 SERVER01$@ABC.COM

   2 SERVER01$@ABC.COM

[root@SERVER01 pam.d]#

 

#############################################################

 

[root@server01 etc]# more /etc/sssd/sssd.conf

 

[sssd]

domains = abc.com

config_file_version = 2

services = nss, pam

 

[domain/abc.com]

ad_domain = abc.com

krb5_realm = ABC.COM

ad_server = dc01.abc.com,dc02.abc.com,_srv_

realmd_tags = manages-system joined-with-samba

cache_credentials = True

id_provider = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = False

fallback_homedir = /home/%u@%d

access_provider = simple

debug_level = 8

simple_allow_groups = TDI Remote Access Users@abc.com, TDI Remote Access Users@a.abc.com

 

########################################################

 

 

[root@server01 etc]# more /etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

dns_lookup_realm = true

dns_lookup_kdc = true

ticket_lifetime = 24h

renew_lifetime = 7d

# forwardable = true

rdns = false

default_realm = ABC.COM

# default_ccache_name = KEYRING:persistent:%{uid}

# kdc_timesync = 1

 

[realms]

ABC.COM = {

kdc = dc01.abc.com

kdc = dc02.abc.com

admin_server = dc01.abc.com

}

 

[domain_realm]

.abc.com = ABC.COM

abc.com = ABC.COM

 

 

 

 

##################################################

system-auth

 

 

[root@server01 pam.d]# more system-auth-ac

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        [default=1 success=ok] pam_localuser.so

auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success

auth        optional      pam_python.so /usr/lib64/security/auth.py

auth        sufficient    pam_sss.so use_first_pass forward_pass

#auth        sufficient    pam_sss.so forward_pass

auth        required      pam_deny.so

 

account     required      pam_unix.so

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 1000 quiet

account     [default=bad success=ok user_unknown=ignore] pam_sss.so

account     required      pam_permit.so

 

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    sufficient    pam_sss.so use_authtok

password    required      pam_deny.so

 

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

-session     optional      pam_systemd.so

session     optional      pam_oddjob_mkhomedir.so umask=0077

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional      pam_sss.so

 

 

[

 

 

 

 

 

Sonia Gilbert, -Engineer II, Information Protection & Compliance Team

3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503

Sonia.Gilbert@HawaiianAir.com

 

HA Email Signature Logo