Enabling the preauthentication flag for the principal does indeed get
authentication working again.
The only reason it wasn't enabled was the usual poor reason: it wasn't
the default.
Thank you for the help and the explanation!
~Dave
On Fri, Jul 15, 2016 at 3:21 PM, Sumit Bose <sbose@redhat.com> wrote:
> On Fri, Jul 15, 2016 at 01:04:17PM -0400, David Wilhelm wrote:
>> The NAS is also running Arch, and is the MIT kerberos 1.13.1. The
>> client is using 1.13.4 of the same package.
>>
>> On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose <sbose@redhat.com> wrote:
>> > On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
>> >> After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use
>> >> sudo for kerberos-authenticated accounts. However, kinit still succeeds and "getent
>> >> passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
>> >> credential cache folder) restores normal operation.
>
> Thanks, I was able to reproduce the issue. After discussing it with a
> co-worker I opened
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454
> because we think it is originally an issue in the responder interface of
> MIT Kerberos. I would like to hear back from MIT before trying to fix
> the SSSD side.
>
> I'm pretty sure that authentication would work again if you enable
> pre-authentication for the user principals on the KDC
>
> # kadmin.local
> kadmin.local: modprinc +requires_preauth dave@LA-LA.LAN
>
> Is there a reason why pre-authentication is disabled? If not, it is very,
> very, very recommended to enable it (not only to make SSSD work), see
> e.g.
> http://superuser.com/questions/200010/how-does-kerberos-preauthentication...
> for some explanations.
>
> bye,
> Sumit
>
>
>> >>
>> >> My setup:
>> >> I'm running Arch linux, and have PAM set to use sssd. sssd in turn
>> >> authenticates against a kerberos instance running on my NAS, and pulls user information
>> >> from an openldap instance. PAM, kerberos, and openldap were configured by hand as a
>> >> learning experience, and have been running for about a year. DNS and NTP are working,
>> >> ldap is returning users, and kinit is succeeding on both my local machine and the server.
>> >
>> > I think I have an idea what is wrong. Can you tell me what kind of KDC
>> > you are using on the NAS and which Kerberos library is used on the
>> > client so that I can try to reproduce it locally?
>> >
>> > bye,
>> > Sumit
>> >
>> >>
>> >> This appears to be the relevant section of the logs, from krb5_child.log (with debug_level 10):
>> >>
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child started.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total buffer size: [147]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [dave@LA-LA.LAN]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab: [/etc/krb5.keytab]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not using FAST.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [0][0].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already user [1042].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running as [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform online auth
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for dave@LA-LA.LAN].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received error code 1432158218
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet] (0x2000): response packet size: [4]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000): Response sent.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully
>> >>
>> >> Please let me know if any other logs or configurations are needed.
>> >> _______________________________________________
>> >> sssd-users mailing list
>> >> sssd-users@lists.fedorahosted.org
>> >> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
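The fix that closed this thread was a one-off `modprinc +requires_preauth` for a single principal. The security point behind Sumit's "very, very, very recommended" is that without pre-authentication the KDC hands out an AS-REP encrypted under the user's long-term key to anyone who asks for it, so the password can be guessed offline; with it, the client has to prove knowledge of the key first. The following is an added example, not code from the thread, the SSSD project or MIT Kerberos: a small audit script that parses the text `kadmin.local -q "getprinc <principal>"` prints, reports every principal whose `Attributes:` line lacks `REQUIRES_PRE_AUTH`, and emits the corresponding `modprinc` command. The principal names, dates and `getprinc` transcripts are constructed; `fetch_getprinc` and `list_principals` are my helpers for running it against a real KDC and need root on the KDC host.

```python
"""Audit MIT Kerberos principals for the REQUIRES_PRE_AUTH attribute.

Added example (not from the mailing-list thread). It parses the output of
`kadmin.local -q "getprinc <principal>"` and lists principals that do not
require pre-authentication, together with the modprinc command to fix each.
"""
import re
import subprocess
from typing import Dict, Iterable, List

# Constructed sample output, shaped like what kadmin.local's getprinc prints.
# dave has no attributes set (the situation in the thread); alice has the flag.
SAMPLE_GETPRINC: Dict[str, str] = {
    "dave@LA-LA.LAN": """Principal: dave@LA-LA.LAN
Expiration date: [never]
Last password change: Thu Jul 14 16:00:00 EDT 2016
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Thu Jul 14 16:00:00 EDT 2016 (dave/admin@LA-LA.LAN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes:
Policy: [none]
""",
    "alice@LA-LA.LAN": """Principal: alice@LA-LA.LAN
Expiration date: [never]
Last password change: Thu Jul 14 16:05:00 EDT 2016
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Thu Jul 14 16:05:00 EDT 2016 (dave/admin@LA-LA.LAN)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
""",
}

# Match the "Attributes:" line only; [ \t]* (not \s*) so an empty attribute
# list does not make the regex swallow the newline and read the next line.
ATTR_RE = re.compile(r"^Attributes:[ \t]*(.*)$", re.MULTILINE)


def parse_attributes(getprinc_output: str) -> List[str]:
    """Return the attribute flags listed on the Attributes: line."""
    match = ATTR_RE.search(getprinc_output)
    if match is None:
        raise ValueError("no 'Attributes:' line found in getprinc output")
    return match.group(1).split()


def requires_preauth(getprinc_output: str) -> bool:
    """True if the principal carries the REQUIRES_PRE_AUTH flag."""
    return "REQUIRES_PRE_AUTH" in parse_attributes(getprinc_output)


def audit(outputs: Dict[str, str]) -> List[str]:
    """Return (sorted) the principals whose getprinc output lacks the flag."""
    return sorted(p for p, out in outputs.items() if not requires_preauth(out))


def remediation_commands(principals: Iterable[str]) -> List[str]:
    """The modprinc invocation from the thread, one per offending principal."""
    return [f'kadmin.local -q "modprinc +requires_preauth {p}"' for p in principals]


def list_principals() -> List[str]:
    """Helper for a live KDC: principal names from `kadmin.local -q listprincs`."""
    out = subprocess.run(["kadmin.local", "-q", "listprincs"],
                         check=True, capture_output=True, text=True).stdout
    return [line.strip() for line in out.splitlines() if "@" in line]


def fetch_getprinc(principal: str) -> str:
    """Helper for a live KDC: raw getprinc output for one principal."""
    return subprocess.run(["kadmin.local", "-q", f"getprinc {principal}"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline run over the constructed sample; on a KDC, build the dict with
    # {p: fetch_getprinc(p) for p in list_principals()} instead.
    for cmd in remediation_commands(audit(SAMPLE_GETPRINC)):
        print(cmd)
```

Fixing principals one at a time addresses the symptom Dave hit; the cause he names ("it wasn't the default") is addressed in `kdc.conf` by adding `default_principal_flags = +preauth` to the realm stanza, so principals created afterwards get the flag without a separate `modprinc`.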