Hi Sumit, I see this message:
Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
during every ssh connection with "-k" argument.
# klist -k
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM

After logging in with a password I see:

user1@client1.acme.example.com's password:
Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Default principal: user1@ACME.EXAMPLE.COM

Valid starting     Expires            Service principal
11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/13/14 09:57:13
Any idea?
/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> Hi All,
>
> I have a properly functioning integration between RHEL 6.6/CentOS 6.6 and Active Directory 2008 using the adcli tool and sssd-ad (http://jhrozek.livejournal.com/3581.html):
>
> # adcli join acme.example.com -U userdomain
>
> # adcli info acme.example.com
> [domain]
> domain-name = acme.example.com
> domain-short = ACME
> domain-forest = example.com
> domain-controller = dom1.acme.example.com
> domain-controller-site = CENTRAL
> domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> domain-controller-usable = yes
> domain-controllers = dom1.acme.example.com dom2.acme.example.com
> [computer]
> computer-site = CENTRAL
>
> The sssd.conf:
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = ACME.EXAMPLE.COM
> debug_level = 7
>
> [domain/ACME.EXAMPLE.COM]
> krb5_use_enterprise_principal = false
> krb5_realm = ACME.EXAMPLE.COM
> ldap_force_upper_case_realm = true
> ldap_account_expire_policy = ad
> override_homedir = /home/%d/%u
> ldap_id_mapping = true
> subdomain_enumerate = true
> ldap_schema = ad
> ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> ad_enable_gc = false
> ldap_access_order = filter, expire
> enumerate = false
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> subdomains_provider = ad
> chpass_provider = ad
> ad_server = dom1.acme.example.com, dom2.acme.example.com
> ad_domain = acme.example.com
> ad_hostname = client1.acme.example.com
> ad_enable_dns_sites = false
> dyndns_update = false
> debug_level = 7
>
> /etc/krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = acme.example.com
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = true
> ignore_acceptor_hostname = true
>
> [realms]
> acme.example.com = {
>   kdc = acme.example.com
>   admin_server = acme.example.com
> }
>
> [domain_realm]
> .acme.example.com = acme.example.com
> acme.example.com = acme.example.com
> .example.com = acme.example.com
> example.com = acme.example.com
>
> [appdefaults]
> debug = true
>
> I can log in with user/password from AD to RHEL/CentOS, I can change the password, lock the account from AD, etc. It all works.
>
> The problem is with GSSAPI SSH-SSO authentication. Simply, it doesn't work. I see in logs:
>
> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n

Do you see this message when sshd is starting up or during the connection of a client?

What principals are shown by 'klist -k'?

bye,
Sumit

> Any idea what could be the reason? All I want to achieve is to get SSH-SSO working, directly from an AD desktop machine to Linux systems without a password prompt.
>
> /lm
>
> _______________________________________________
> sssd-users mailing list
> sssd-users at lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
> Hi Sumit, I see this message:
> Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Kerberos in general is case sensitive. sshd is looking for host/... while the keytab only has HOST/.... The entries are created by adcli so maybe if you join with a newer version of adcli this will get fixed automatically.
As an alternative you can use ktutil to add the needed entries. Make a copy of /etc/krb5.keytab before you start ktutil. Then you can use
rkt /etc/krb5.keytab
to load the keytab.
list -e -k -t
will show you the keys with all needed detail. With
addent -key -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
you can start adding new entries. Please repeat this with all enc types listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM. ktutil will ask you for a key in hex; please copy the one shown by 'list -e -k -t' from above.
If all is done you can write out the keytab with
wkt /etc/krb5.keytab.new
And then exchange the new one with the old one. Iirc ktutil always appends entries to existing files, so writing directly to /etc/krb5.keytab will blow up the file with duplicated entries.
HTH
bye, Sumit
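The check and the copy that Sumit describes by hand, as an added example (not code from the thread, from sssd or from adcli): it takes the acceptor name out of the sshd line crony posted, compares it byte for byte with what `klist -k` lists, and when the only difference is letter case (HOST/... against host/...) it writes out the ktutil session that re-adds the same keys under the correctly cased name into a new keytab file. The `klist -k` and `ktutil list -e -k -t` column layouts are assumptions recalled from MIT Kerberos, the sample listings are constructed from the thread's values, and every key shown in KTUTIL_LIST is a made-up placeholder, not key material.

```python
"""Added example: diagnose sshd's keytab-lookup failure and script the
ktutil fix for a case-only principal mismatch.  Assumptions: the klist/ktutil
output layouts below; all key bytes are fabricated placeholders."""
import re

# Constructed sample inputs, built from the values posted in the thread.
SSHD_LINE = ("Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. "
             "Minor code may provide more information\\nNo key table entry found "
             "matching host/client1.acme.example.com@\\n")

KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
"""

# Assumed `ktutil list -e -k -t` shape: slot, kvno, date, time, principal,
# (enctype), (0x<key>).  The keys are placeholders, not real key material.
KTUTIL_LIST = """\
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------
   1    2 11/05/2014 11:20:01 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff)
   2    2 11/05/2014 11:20:01 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96) (0x0123456789abcdef0123456789abcdef)
   3    2 11/05/2014 11:20:01 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100)
"""


def wanted_principal(sshd_line):
    """Acceptor name from sshd's 'No key table entry found matching ...' text.
    The bare trailing '@' means a host-based GSS name: realm left open,
    everything before it must match exactly."""
    m = re.search(r"No key table entry found matching ([^\s\\]+)", sshd_line)
    if not m:
        raise ValueError("not a keytab-lookup failure line")
    return m.group(1)


def split_principal(principal):
    """'service/host@REALM' -> ('service/host', 'REALM'); realm may be ''."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, "")


def keytab_principals(klist_k_output):
    """Distinct principal names in `klist -k` output, in listing order."""
    names = []
    for line in klist_k_output.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)\s*$", line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def diagnose(wanted, present):
    """Kerberos compares principals byte for byte: 'ok' needs an exact match
    (an empty wanted realm accepts any realm), 'case-mismatch' means the only
    candidate differs in letter case (the thread's bug), else 'missing'."""
    w_name, w_realm = split_principal(wanted)
    case_only = None
    for entry in present:
        e_name, e_realm = split_principal(entry)
        if e_name == w_name and w_realm in ("", e_realm):
            return "ok", entry
        if (case_only is None and e_name.lower() == w_name.lower()
                and w_realm.lower() in ("", e_realm.lower())):
            case_only = entry
    return ("case-mismatch", case_only) if case_only else ("missing", None)


def ktutil_entries(listing, principal):
    """(kvno, enctype, hex_key) for each key the listing holds under `principal`."""
    pat = re.compile(r"^\s*\d+\s+(?P<kvno>\d+)\s+(?:\S+\s+\S+\s+)?(?P<princ>\S+@\S+)\s+"
                     r"\((?P<etype>[^)]+)\)\s*\(0x(?P<key>[0-9a-fA-F]+)\)\s*$")
    out = []
    for line in listing.splitlines():
        m = pat.match(line)
        if m and m.group("princ") == principal:
            out.append((int(m.group("kvno")), m.group("etype"), m.group("key")))
    return out


def ktutil_script(listing, wrong, right, src="/etc/krb5.keytab",
                  dst="/etc/krb5.keytab.new"):
    """Sumit's session as a script: load the keytab, add every key of `wrong`
    again under `right` (same kvno, enctype, key bytes), write to a NEW file,
    since ktutil only appends when writing back onto `src`.  The line after
    each `addent -key` answers its hex-key prompt (assumed: plain hex, no 0x)."""
    entries = ktutil_entries(listing, wrong)
    if not entries:
        raise ValueError(f"{wrong} has no keys in the listing")
    lines = [f"rkt {src}"]
    for kvno, etype, key in entries:
        lines.append(f"addent -key -p {right} -k {kvno} -e {etype}")
        lines.append(key)
    lines += [f"wkt {dst}", "quit"]
    return "\n".join(lines) + "\n"


def plan(sshd_line, klist_k, listing):
    """Diagnose from the logs; return the ktutil script only for a pure case
    mismatch.  A missing principal needs a re-join, not a copied key."""
    wanted = wanted_principal(sshd_line)
    verdict, entry = diagnose(wanted, keytab_principals(klist_k))
    if verdict != "case-mismatch":
        return verdict, None
    name, _ = split_principal(wanted)
    _, realm = split_principal(entry)      # the realm comes from the keytab
    return verdict, ktutil_script(listing, entry, f"{name}@{realm}")
```

Run `plan(SSHD_LINE, KLIST_K, KTUTIL_LIST)` with real `klist -k` and `ktutil list -e -k -t` output substituted for the samples; the returned script can be piped into ktutil, which reads its prompts from stdin. Check the result with `klist -k -e /etc/krb5.keytab.new` before swapping it over the old file, keep both files root-only, and treat the listing and the generated script as secrets: they carry the host's long-term keys, so they do not belong in a ticket or on a mailing list.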
Thank you Sumit. Right now I see:
Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
SELinux policy blocks it.
Have you seen that before?
After changing the policy to permissive mode, the failure from logs is gone, but I still can't log in by GSSAPI from Windows station to client1 station:
Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available
-- Pozdrawiam Leszek Miś www: http://cronylab.pl www: http://emerge.pl Nothing is secure, paranoia is your friend.
On 11/06/2014 08:52 AM, crony wrote:
> Thank you Sumit. Right now I see:
> Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
> SELinux policy blocks it.

restorecon? It is probably because the labels somehow are messed up.

> Have you seen that before?
> After changing the policy to permissive mode, the failure from logs is gone, but I still can't log in by GSSAPI from Windows station to client1 station:
> Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available

Does your client support GSSAPI? Is it enabled on the Windows side?
Yes, it does. Putty 0.63 from Windows 7 connected to AD2008 R2.
/lm
2014-11-06 16:36 GMT+01:00 Dmitri Pal dpal@redhat.com:
On 11/06/2014 08:52 AM, crony wrote:
Thank you Sumit. Right now I see:
Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
SELinux policy blocks it.
restorecon? It is probably because the labels somehow are messed up.
Have you seen that before?
-- After changing the policy to permissive mode, the failure from logs is gone, but I still can't log in by GSSAPI from Windows Station to client1 station:
Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available
Does your client support GSSAPI? Is it enabled on Windows side?
2014-11-06 11:33 GMT+01:00 Sumit Bose sbose@redhat.com:
On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
Hi Sumit, I see this message:
Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Kerberos in general is case sensitive. sshd is looking for host/... while the keytab only has HOST/.... The entries are created by adcli so maybe if you join with a newer version of adcli this will get fixed automatically.
As an alternative you can use ktutil to add the needed entries. Make a copy of /etc/krb5.keytab before you start ktutil. Then you can use
rkt /etc/krb5.keytab
to load the keytab.
list -e -k -t
will show you the keys with all needed detail. With
addent -key -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
you can start adding new entries. Please repeat this with all enc types listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM. ktutil will ask you for a key in hex, please copy the one shown by 'list -e -k -t' from above.
If all is done you can write out the keytab with
wkt /etc/krb5.keytab.new
and then exchange the new one with the old one. IIRC ktutil always appends entries to existing files, so writing directly to /etc/krb5.keytab will blow up the file with duplicated entries.
HTH
bye, Sumit
during every ssh connection with "-k" argument.
# klist -k
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
After logging in with a password I see:
user1@client1.acme.example.com's password:
Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Default principal: user1@ACME.EXAMPLE.COM
Valid starting     Expires            Service principal
11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/13/14 09:57:13
Any idea?
/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
Hi All,
I have a properly functioning integration between RHEL6.6/CentOS6.6 and Active Directory 2008 using the adcli tool and sssd-ad (http://jhrozek.livejournal.com/3581.html):
# adcli join acme.example.com -U userdomain
# adcli info acme.example.com
[domain]
domain-name = acme.example.com
domain-short = ACME
domain-forest = example.com
domain-controller = dom1.acme.example.com
domain-controller-site = CENTRAL
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = dom1.acme.example.com dom2.acme.example.com
[computer]
computer-site = CENTRAL
The sssd.conf :
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ACME.EXAMPLE.COM
debug_level = 7
[domain/ACME.EXAMPLE.COM]
krb5_use_enterprise_principal = false
krb5_realm = ACME.EXAMPLE.COM
ldap_force_upper_case_realm = true
ldap_account_expire_policy = ad
override_homedir = /home/%d/%u
ldap_id_mapping = true
subdomain_enumerate = true
ldap_schema = ad
ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
ad_enable_gc = false
ldap_access_order = filter, expire
enumerate = false
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = ad
chpass_provider = ad
ad_server = dom1.acme.example.com, dom2.acme.example.com
ad_domain = acme.example.com
ad_hostname = client1.acme.example.com
ad_enable_dns_sites = false
dyndns_update = false
debug_level = 7
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = acme.example.com
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = true
ignore_acceptor_hostname = true
[realms]
acme.example.com = {
kdc = acme.example.com
admin_server = acme.example.com
}
[domain_realm]
.acme.example.com = acme.example.com
acme.example.com = acme.example.com
.example.com = acme.example.com
example.com = acme.example.com
[appdefaults]
debug = true
I can log in with user/password from AD to RHEL/CentOS, I can change the password, lock the account from AD, etc. It all works.
The problem is within GSSAPI SSH-SSO authentication. Simply, it doesn't work. I see in logs:
Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Do you see this message when sshd is starting up or during the connection of a client?
What principals are shown by 'klist -k' ?
bye, Sumit
Any idea what could be the reason? All I want to achieve is to get SSH-SSO working, directly from an AD desktop machine to Linux systems without a password prompt.
/lm
sssd-users mailing list sssd-users at lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
-- Thank you, Dmitri Pal
Sr. Engineering Manager IdM portfolio Red Hat, Inc.
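Sumit's ktutil recipe (rkt, list -e -k -t, addent once per enctype, wkt to a new file) done directly against the keytab bytes, as an added example that is not code from this thread or from sssd/adcli: it parses MIT keytab format 0x0502, copies every HOST/<fqdn>@REALM key to a host/<fqdn>@REALM entry with the same kvno and enctype, and shows the case-sensitive principal lookup that makes sshd miss the HOST/ entries. The sample keytab, its dummy keys and its timestamp are constructed for the example.

```python
# Added example, not code from the thread or from sssd/adcli: rewrite an MIT keytab
# (file format 0x0502) so every HOST/<fqdn>@REALM key also exists as host/<fqdn>@REALM.
from __future__ import annotations
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"       # MIT keytab format version 0x0502
KRB5_NT_PRINCIPAL = 1            # name type written for new entries
AES256_CTS_HMAC_SHA1_96 = 18     # enctype numbers (RFC 3962 / RFC 4757)
AES128_CTS_HMAC_SHA1_96 = 17
ARCFOUR_HMAC = 23


@dataclass(frozen=True)
class KeytabEntry:
    principal: str               # "service/instance@REALM", exactly as stored
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(data: bytes, off: int) -> tuple[str, int]:
    # uint16 length prefix followed by the bytes; returns (value, new offset)
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Decode a 0x0502 keytab. Slots with a negative size are deleted and skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        _name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        # optional trailing 32-bit kvno; a non-zero value overrides the 8-bit one
        kvno = (struct.unpack_from(">I", data, off)[0] or vno8) if end - off >= 4 else vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries


def write_keytab(entries: list[KeytabEntry]) -> bytes:
    """Serialize entries to a fresh 0x0502 keytab, always with the 32-bit kvno field."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm, *comps]:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF, e.enctype, len(e.key))
        body += e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def find_key(entries: list[KeytabEntry], principal: str, enctype: int) -> KeytabEntry | None:
    """Lookup as an acceptor like sshd does it: principals compare case-sensitively."""
    return next((e for e in entries if e.principal == principal and e.enctype == enctype), None)


def add_lowercase_host_entries(entries: list[KeytabEntry], fqdn: str) -> list[KeytabEntry]:
    """Append a host/<fqdn>@REALM copy (same kvno, enctype, key) of each HOST/<fqdn>@REALM entry."""
    present = {(e.principal, e.kvno, e.enctype) for e in entries}
    result = list(entries)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        if name != "HOST/" + fqdn:
            continue
        new = KeytabEntry("host/" + fqdn + "@" + realm, e.kvno, e.enctype, e.key, e.timestamp)
        if (new.principal, new.kvno, new.enctype) not in present:
            present.add((new.principal, new.kvno, new.enctype))
            result.append(new)
    return result


def fix_keytab(data: bytes, fqdn: str) -> bytes:
    """rkt / addent / wkt in one step; write the result to a new file and swap it in."""
    return write_keytab(add_lowercase_host_entries(parse_keytab(data), fqdn))


def sample_keytab() -> bytes:
    """Constructed stand-in for the adcli-created keytab in the thread: uppercase HOST/ and
    RestrictedKrbHost/ principals only, kvno 2, three enctypes. Keys are dummy bytes."""
    realm, fqdn, entries = "ACME.EXAMPLE.COM", "client1.acme.example.com", []
    for svc in ("HOST/CLIENT1", "HOST/" + fqdn, "RestrictedKrbHost/" + fqdn):
        for et, klen in ((AES256_CTS_HMAC_SHA1_96, 32), (AES128_CTS_HMAC_SHA1_96, 16), (ARCFOUR_HMAC, 16)):
            entries.append(KeytabEntry(f"{svc}@{realm}", 2, et, bytes([et]) * klen, 1415260000))
    return write_keytab(entries)
```

Feed fix_keytab() the bytes of a copy of /etc/krb5.keytab and write its result to a new file before swapping it in, as Sumit advises, rather than appending to the live keytab.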
On Thu, Nov 06, 2014 at 02:52:19PM +0100, crony wrote:
Thank you Sumit. Right now I see:
Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
Did you, by chance, start sshd directly for debugging purposes and not via 'service sshd start'? In this case sshd will not run with the right SELinux context. Can you send the full AVC message?
SELinux policy blocks it.
Have you seen that before?
-- After changing the policy to permissive mode, the failure from logs is gone, but I still can't log in by GSSAPI from Windows Station to client1 station:
Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available
Have you set
GSSAPIAuthentication yes
in /etc/ssh/sshd_config?
Can you check on the Windows side if you got a Kerberos service ticket for the client running sssd by calling 'klist' in the Windows cmd shell?
bye, Sumit
Hi Sumit, I'm starting sshd by "service sshd restart" every time. You can find below the logs from "tail -f /var/log/secure /var/log/audit/audit.log" from the moment of trying to log in from the AD Windows station with SELinux=1
[root@client1 ~]# tail -f /var/log/secure /var/log/audit/audit.log
==> /var/log/secure <==
Nov 7 08:14:08 client1 sshd[19874]: debug1: session_input_channel_req: session 0 req shell
Nov 7 08:14:08 client1 sshd[19875]: debug1: Setting controlling tty using TIOCSCTTY.
Nov 7 08:14:12 client1 su: pam_unix(su-l:session): session opened for user root by leszek(uid=507)
Nov 7 08:14:59 client1 sshd[17287]: debug1: Got 100/242 for keepalive
Nov 7 08:19:59 client1 sshd[17287]: debug1: Got 100/243 for keepalive
Nov 7 08:21:27 client1 sshd[17876]: Received signal 15; terminating.
Nov 7 08:21:27 client1 sshd[19980]: Set /proc/self/oom_score_adj from 0 to -1000
Nov 7 08:21:27 client1 sshd[19980]: debug1: Bind to port 22 on 0.0.0.0.
Nov 7 08:21:27 client1 sshd[19980]: Server listening on 0.0.0.0 port 22.
Nov 7 08:21:27 client1 sshd[19980]: socket: Address family not supported by protocol
==> /var/log/audit/audit.log <==
type=PATH msg=audit(1415344887.668:20203): item=0 name="/var/lock/subsys/" inode=8204 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT
type=PATH msg=audit(1415344887.668:20203): item=1 name="/var/lock/subsys/sshd" inode=51 dev=fd:03 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0 nametype=DELETE
type=AVC msg=audit(1415344887.708:20204): avc: denied { read } for pid=19977 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344887.708:20204): arch=c000003e syscall=4 success=no exit=-13 a0=7f75ee5a6f5d a1=7fffdd78b620 a2=7fffdd78b620 a3=22 items=1 ppid=19963 pid=19977 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1415344887.708:20204): cwd="/root"
type=PATH msg=audit(1415344887.708:20204): item=0 name="/var/tmp" nametype=UNKNOWN
type=AVC msg=audit(1415344887.708:20205): avc: denied { read } for pid=19977 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344887.708:20205): arch=c000003e syscall=4 success=no exit=-13 a0=7f75ee5a6f66 a1=7fffdd78b620 a2=7fffdd78b620 a3=22 items=1 ppid=19963 pid=19977 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1415344887.708:20205): cwd="/root"
type=PATH msg=audit(1415344887.708:20205): item=0 name="/usr/tmp" nametype=UNKNOWN
==> /var/log/secure <==
Nov 7 08:22:27 client1 sshd[19980]: debug1: Forked child 19985.
Nov 7 08:22:27 client1 sshd[19985]: Set /proc/self/oom_score_adj to 0
Nov 7 08:22:27 client1 sshd[19985]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1415344947.928:20206): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344947.928:20206): arch=c000003e syscall=4 success=no exit=-13 a0=7f92c290df5d a1=7fff76e983d0 a2=7fff76e983d0 a3=22 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1415344947.928:20206): cwd="/"
type=PATH msg=audit(1415344947.928:20206): item=0 name="/var/tmp" nametype=UNKNOWN
type=AVC msg=audit(1415344947.928:20207): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344947.928:20207): arch=c000003e syscall=4 success=no exit=-13 a0=7f92c290df66 a1=7fff76e983d0 a2=7fff76e983d0 a3=22 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1415344947.928:20207): cwd="/"
type=PATH msg=audit(1415344947.928:20207): item=0 name="/usr/tmp" nametype=UNKNOWN
==> /var/log/secure <==
Nov 7 08:22:27 client1 sshd[19985]: debug1: inetd sockets after dupping: 3, 3
Nov 7 08:22:27 client1 sshd[19985]: Connection from 10.X.X.X port 61085
Nov 7 08:22:27 client1 sshd[19985]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
Nov 7 08:22:27 client1 sshd[19985]: debug1: no match: PuTTY_Release_0.63
Nov 7 08:22:27 client1 sshd[19985]: debug1: Enabling compatibility mode for protocol 2.0
Nov 7 08:22:27 client1 sshd[19985]: debug1: Local version string SSH-2.0-OpenSSH_5.3
==> /var/log/audit/audit.log <==
type=CRYPTO_KEY_USER msg=audit(1415344948.001:20208): user pid=19988 uid=0 auid=507 ses=1213 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=1c:73:d2:ef:e3:0a:f1:9f:30:b5:76:ab:ec:97:1d:3f direction=? spid=19988 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.X.X.X terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1415344948.001:20209): user pid=19988 uid=0 auid=507 ses=1213 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=c5:7e:2c:50:ca:8a:de:47:61:7e:2e:52:78:bb:2c:83 direction=? spid=19988 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.X.X.X terminal=? res=success'
==> /var/log/secure <==
Nov 7 08:22:28 client1 sshd[19988]: debug1: permanently_set_uid: 74/74
Nov 7 08:22:28 client1 sshd[19988]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1415344948.005:20210): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344948.005:20210): arch=c000003e syscall=6 success=no exit=-13 a0=7f92c5af22b0 a1=7fff76e99470 a2=7fff76e99470 a3=7fff76e99150 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1415344948.005:20210): cwd="/"
type=PATH msg=audit(1415344948.005:20210): item=0 name="/var/tmp/host_0" nametype=UNKNOWN
type=AVC msg=audit(1415344948.006:20211): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344948.006:20211): arch=c000003e syscall=87 success=no exit=-13 a0=7f92c5af22b0 a1=0 a2=0 a3=7fff76e99230 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key="delete"
type=CWD msg=audit(1415344948.006:20211): cwd="/"
type=PATH msg=audit(1415344948.006:20211): item=0 name="/var/tmp/host_0" nametype=UNKNOWN
type=AVC msg=audit(1415344948.231:20212): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344948.231:20212): arch=c000003e syscall=2 success=no exit=-13 a0=7f92c5af22b0 a1=2c1 a2=180 a3=7fff76e991b0 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key="access"
type=CWD msg=audit(1415344948.231:20212): cwd="/"
type=PATH msg=audit(1415344948.231:20212): item=0 name="/var/tmp/host_0" nametype=UNKNOWN
==> /var/log/secure <==
Nov 7 08:22:28 client1 sshd[19985]: debug1: Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
Nov 7 08:22:28 client1 sshd[19988]: debug1: SSH2_MSG_KEXINIT sent
Nov 7 08:22:28 client1 sshd[19988]: debug1: SSH2_MSG_KEXINIT received
Nov 7 08:22:28 client1 sshd[19988]: debug1: kex: client->server aes256-ctr hmac-sha2-256 none
==> /var/log/audit/audit.log <==
type=CRYPTO_SESSION msg=audit(1415344948.233:20213): user pid=19985 uid=0 auid=507 ses=1213 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=19988 suid=74 rport=61085 laddr=10.X.X.X lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.X.X.X terminal=? res=success'
==> /var/log/secure <==
Nov 7 08:22:28 client1 sshd[19988]: debug1: kex: server->client aes256-ctr hmac-sha2-256 none
==> /var/log/audit/audit.log <==
type=CRYPTO_SESSION msg=audit(1415344948.233:20214): user pid=19985 uid=0 auid=507 ses=1213 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=19988 suid=74 rport=61085 laddr=10.X.X.X lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.X.X.X terminal=? res=success'
==> /var/log/secure <==
Nov 7 08:22:28 client1 sshd[19988]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
Nov 7 08:22:28 client1 sshd[19988]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Nov 7 08:22:28 client1 sshd[19988]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Nov 7 08:22:28 client1 sshd[19988]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Nov 7 08:22:28 client1 sshd[19988]: debug1: SSH2_MSG_NEWKEYS sent
Nov 7 08:22:28 client1 sshd[19988]: debug1: expecting SSH2_MSG_NEWKEYS
Nov 7 08:22:28 client1 sshd[19988]: debug1: SSH2_MSG_NEWKEYS received
Nov 7 08:22:28 client1 sshd[19988]: debug1: KEX done
Nov 7 08:22:28 client1 sshd[19988]: debug1: userauth-request for user USER1 service ssh-connection method none
Nov 7 08:22:28 client1 sshd[19988]: debug1: attempt 0 failures 0
Nov 7 08:22:28 client1 sshd[19985]: debug1: PAM: initializing for "USER1"
Nov 7 08:22:28 client1 sshd[19985]: debug1: PAM: setting PAM_RHOST to "win1.acme.example.com"
Nov 7 08:22:28 client1 sshd[19985]: debug1: PAM: setting PAM_TTY to "ssh"
Nov 7 08:22:28 client1 sshd[19988]: debug1: userauth_send_banner: sent
Nov 7 08:22:28 client1 sshd[19988]: debug1: userauth-request for user USER1 service ssh-connection method gssapi-with-mic
Nov 7 08:22:28 client1 sshd[19988]: debug1: attempt 1 failures 0
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1415344948.799:20215): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344948.799:20215): arch=c000003e syscall=6 success=no exit=-13 a0=7f92c5c3b970 a1=7fff76e99470 a2=7fff76e99470 a3=10 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1415344948.799:20215): cwd="/"
type=PATH msg=audit(1415344948.799:20215): item=0 name="/var/tmp/host_0" nametype=UNKNOWN
type=AVC msg=audit(1415344948.799:20216): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344948.799:20216): arch=c000003e syscall=87 success=no exit=-13 a0=7f92c5af58e0 a1=0 a2=0 a3=10 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key="delete"
type=CWD msg=audit(1415344948.799:20216): cwd="/"
type=PATH msg=audit(1415344948.799:20216): item=0 name="/var/tmp/host_0" nametype=UNKNOWN
type=AVC msg=audit(1415344948.800:20217): avc: denied { read } for pid=19985 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1415344948.800:20217): arch=c000003e syscall=2 success=no exit=-13 a0=7f92c5af58e0 a1=2c1 a2=180 a3=65726373662f7274 items=1 ppid=19980 pid=19985 auid=507 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1213 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key="access"
type=CWD msg=audit(1415344948.800:20217): cwd="/"
type=PATH msg=audit(1415344948.800:20217): item=0 name="/var/tmp/host_0" nametype=UNKNOWN
==> /var/log/secure <==
Nov 7 08:22:28 client1 sshd[19985]: debug1: Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
Nov 7 08:22:28 client1 sshd[19988]: debug1: userauth-request for user USER1 service ssh-connection method keyboard-interactive
Nov 7 08:22:28 client1 sshd[19988]: debug1: attempt 2 failures 0
Nov 7 08:22:28 client1 sshd[19988]: debug1: keyboard-interactive devs
Nov 7 08:22:28 client1 sshd[19988]: debug1: auth2_challenge: user=USER1 devs=
Nov 7 08:22:28 client1 sshd[19988]: debug1: kbdint_alloc: devices 'pam'
Nov 7 08:22:28 client1 sshd[19988]: debug1: auth2_challenge_start: trying authentication method 'pam'
Nov 7 08:22:28 client1 sshd[19988]: Postponed keyboard-interactive for USER1 from 10.X.X.X port 61085 ssh2
I have GSSAPIAuthentication yes in the sshd_config.
klist on the Windows machine shows no entries for the sssd Linux client machine.
To eliminate problem with Windows, I created another test: trying to log in by GSSAPI from sssd client client1 to the same client client1.
[leszek@client1 ~]$ ssh client1.acme.example.com -l user1
Password:
Last login: Thu Nov 6 17:17:57 2014
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_vot8Ut
Default principal: USER1@ACME.EXAMPLE.COM
Valid starting     Expires            Service principal
11/07/14 08:34:42  11/07/14 18:34:42  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/14/14 08:34:42
and another "local" connection by GSSAPI:
-sh-4.1$ ssh client1.acme.example.com -l user1 -k -vv gives me this:
debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
So the problem is within client1.
/lm
2014-11-06 21:39 GMT+01:00 Sumit Bose sbose@redhat.com:
On Thu, Nov 06, 2014 at 02:52:19PM +0100, crony wrote:
Thank you Sumit. Right now I see:
Unspecified GSS failure. Minor code may provide more information\nCannot create replay cache file /var/tmp/host_0: Permission denied\n
Did you, by chance, start sshd directly for debugging purposes and not via 'service sshd start'? In this case sshd will not run with the right SELinux context. Can you send the full AVC message?
SELinux policy blocks it.
Have you seen that before?
After changing the policy to permissive mode, the failure from the logs is gone, but I still can't log in by GSSAPI from the Windows station to the client1 station:
Nov 6 14:30:01 client1 sshd[16852]: Received disconnect from 10.X.X.X: 14: No supported authentication methods available
Have you set
GSSAPIAuthentication yes
in /etc/ssh/sshd_config?
Can you check on the Windows side if you got a Kerberos service ticket for the client running sssd by calling 'klist' in the Windows cmd shell?
bye, Sumit
2014-11-06 11:33 GMT+01:00 Sumit Bose sbose@redhat.com:
On Thu, Nov 06, 2014 at 10:56:50AM +0100, crony wrote:
Hi Sumit, I see this message:
Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure.
Minor
code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
Kerberos in general is case sensitive. sshd is looking for host/... while the keytab only has HOST/.... The entries are created by adcli so maybe if you join with a newer version of adcli this will get fixed automatically.
As an alternative you can use ktutil to add the needed entries. Make a copy of /etc/krb5.keytab before you start ktutil. Then you can use
rkt /etc/krb5.keytab
to load the keytab.
list -e -k -t
will show you the keys with all needed detail. With
addent -key -p host/client1.acme.example.com@ACME.EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
you can start adding new entries. Please repeat this with all enc types listed for HOST/client1.acme.example.com@ACME.EXAMPLE.COM. ktutil will ask you for the key in hex; please copy the one shown by 'list -e -k -t' from above.
If all is done you can write out the keytab with
wkt /etc/krb5.keytab.new
and then exchange the new one with the old one. Iirc ktutil always appends entries to existing files, so writing directly to /etc/krb5.keytab will blow up the file with duplicated entries.
HTH
bye, Sumit
during every ssh connection with the "-k" argument.
# klist -k
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
After logging in with a password I see:
user1@client1.acme.example.com's password:
Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Default principal: user1@ACME.EXAMPLE.COM

Valid starting     Expires            Service principal
11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/13/14 09:57:13
Any idea?
/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
Hi All,
I have a properly functioning integration between RHEL 6.6/CentOS 6.6 and Active Directory 2008 using the adcli tool and sssd-ad (http://jhrozek.livejournal.com/3581.html):

# adcli join acme.example.com -U userdomain

# adcli info acme.example.com
[domain]
domain-name = acme.example.com
domain-short = ACME
domain-forest = example.com
domain-controller = dom1.acme.example.com
domain-controller-site = CENTRAL
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = dom1.acme.example.com dom2.acme.example.com
[computer]
computer-site = CENTRAL

The sssd.conf:

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ACME.EXAMPLE.COM
debug_level = 7

[domain/ACME.EXAMPLE.COM]
krb5_use_enterprise_principal = false
krb5_realm = ACME.EXAMPLE.COM
ldap_force_upper_case_realm = true
ldap_account_expire_policy = ad
override_homedir = /home/%d/%u
ldap_id_mapping = true
subdomain_enumerate = true
ldap_schema = ad
ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
ad_enable_gc = false
ldap_access_order = filter, expire
enumerate = false
id_provider = ad
auth_provider = ad
access_provider = ad
subdomains_provider = ad
chpass_provider = ad
ad_server = dom1.acme.example.com, dom2.acme.example.com
ad_domain = acme.example.com
ad_hostname = client1.acme.example.com
ad_enable_dns_sites = false
dyndns_update = false
debug_level = 7

/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = acme.example.com
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = true
ignore_acceptor_hostname = true

[realms]
acme.example.com = {
kdc = acme.example.com
admin_server = acme.example.com
}

[domain_realm]
.acme.example.com = acme.example.com
acme.example.com = acme.example.com
.example.com = acme.example.com
example.com = acme.example.com

[appdefaults]
debug = true

I can log in with user/password from AD to RHEL/CentOS, I can change the password, lock the account from AD, etc. It all works.

The problem is with GSSAPI SSH-SSO authentication. Simply, it doesn't work. I see in the logs:

Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n

Do you see this message when sshd is starting up or during the connection of a client?
What principals are shown by 'klist -k'?
bye, Sumit

Any idea what could be the reason? All I want to achieve is to get SSH-SSO working, directly from an AD desktop machine to Linux systems without a password prompt.
/lm
sssd-users mailing list
sssd-users at lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
-- Pozdrawiam Leszek Miś www: http://cronylab.pl www: http://emerge.pl Nothing is secure, paranoia is your friend.
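The ktutil procedure Sumit describes in the quoted reply (load the keytab, list the keys, add a host/... entry for every enctype the HOST/... entry has, write to a new file and swap it in) is mechanical enough that the planning step can be scripted. The block below is an added example for this thread; it is not code from the thread, from sssd or from adcli. It parses the text printed by `klist -k -t -e` in the MIT Kerberos layout (KVNO, timestamp, principal, enctype in parentheses), finds principals that differ from the one sshd asks for only in letter case, and prints the ktutil commands that would give the lowercase principal the same key versions and enctypes. The function names, the listing embedded as SAMPLE_KLIST (including its timestamps and enctype set) are constructed for the example; /etc/krb5.keytab and the principal names come from the thread. Key material is never read or written: ktutil's `addent -key` prompts for the hex key shown by `list -e -k -t`, so the plan is a list of commands to type and nothing more.

```python
"""Plan the ktutil fix for a keytab whose service principals differ from the
one sshd asks for only in letter case (HOST/... present, host/... missing).

Added example for this thread; not code from the thread, from sssd or from
adcli.  Input is the text printed by `klist -k -t -e` (MIT Kerberos layout).
"""
import re
from collections import defaultdict

# Constructed sample listing, modelled on the `klist -k` output quoted in the
# thread; KVNO, timestamps and the set of enctypes are made up for the example.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 11/05/14 10:01:12 CLIENT1$@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 11/05/14 10:01:12 CLIENT1$@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/05/14 10:01:12 CLIENT1$@ACME.EXAMPLE.COM (arcfour-hmac)
   2 11/05/14 10:01:12 HOST/CLIENT1@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 11/05/14 10:01:12 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 11/05/14 10:01:12 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/05/14 10:01:12 HOST/client1.acme.example.com@ACME.EXAMPLE.COM (arcfour-hmac)
   2 11/05/14 10:01:12 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: kvno, "MM/DD/YY HH:MM:SS", principal, (enctype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return {principal: {enctype: kvno}} from `klist -k -t -e` output."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _stamp, princ, etype = m.groups()
            entries[princ][etype] = int(kvno)
    return dict(entries)


def split_principal(princ):
    """'HOST/fqdn@REALM' -> ('HOST', 'fqdn', 'REALM'); 'NAME$@REALM' -> (None, 'NAME$', 'REALM')."""
    name, _, realm = princ.rpartition("@")
    if "/" in name:
        service, _, instance = name.partition("/")
        return service, instance, realm
    return None, name, realm


def find_case_variants(entries, wanted):
    """Principals equal to `wanted` apart from the case of service and instance.

    Kerberos matches keytab entries exactly, so these twins are useless to sshd
    even though they hold the right keys.  The realm is compared exactly.
    """
    w_service, w_instance, w_realm = split_principal(wanted)
    if w_service is None:
        return []
    twins = []
    for princ in entries:
        service, instance, realm = split_principal(princ)
        if princ == wanted or service is None:
            continue
        if (service.lower(), instance.lower(), realm) == (w_service.lower(), w_instance.lower(), w_realm):
            twins.append(princ)
    return sorted(twins)


def plan_ktutil(entries, wanted, keytab="/etc/krb5.keytab"):
    """ktutil commands that give `wanted` every enctype its case-twins have.

    Returns [] when nothing is missing.  Output goes to a new file because
    ktutil appends to an existing keytab, so writing straight over the live
    one duplicates entries (the point made in the thread).
    """
    have = entries.get(wanted, {})
    needed = {}
    for twin in find_case_variants(entries, wanted):
        for etype, kvno in entries[twin].items():
            if etype not in have:
                needed[etype] = kvno
    if not needed:
        return []
    cmds = ["rkt %s" % keytab, "list -e -k -t"]
    for etype in sorted(needed):
        cmds.append("addent -key -p %s -k %d -e %s" % (wanted, needed[etype], etype))
    cmds.append("wkt %s.new" % keytab)
    return cmds


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    wanted = "host/client1.acme.example.com@ACME.EXAMPLE.COM"  # what sshd asks the keytab for
    print("twins of %s: %s" % (wanted, find_case_variants(entries, wanted)))
    print("\n".join(plan_ktutil(entries, wanted)))
```

On a real host, feed the output of `klist -k -t -e` (run as root, since /etc/krb5.keytab is root-only) to parse_klist() instead of the sample. The script only prints commands, so the actual write stays under your control: run them in ktutil, move the .new file over the old keytab and re-check with `klist -k` that the host/ entries are present before testing a GSSAPI login again.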
On Fri, Nov 07, 2014 at 08:44:07AM +0100, crony wrote:
Hi Sumit, I'm starting sshd by "service sshd restart" every time. You can find below the logs from "tail -f /var/log/secure /var/log/audit/audit.log" from the moment of trying to log in from the AD Windows station with SELinux=1:
[root@client1 ~]# tail -f /var/log/secure /var/log/audit/audit.log
==> /var/log/secure <==
Nov 7 08:14:08 client1 sshd[19874]: debug1: session_input_channel_req: session 0 req shell
Nov 7 08:14:08 client1 sshd[19875]: debug1: Setting controlling tty using TIOCSCTTY.
Nov 7 08:14:12 client1 su: pam_unix(su-l:session): session opened for user root by leszek(uid=507)
Nov 7 08:14:59 client1 sshd[17287]: debug1: Got 100/242 for keepalive
Nov 7 08:19:59 client1 sshd[17287]: debug1: Got 100/243 for keepalive
Nov 7 08:21:27 client1 sshd[17876]: Received signal 15; terminating.
Nov 7 08:21:27 client1 sshd[19980]: Set /proc/self/oom_score_adj from 0 to -1000
Nov 7 08:21:27 client1 sshd[19980]: debug1: Bind to port 22 on 0.0.0.0.
Nov 7 08:21:27 client1 sshd[19980]: Server listening on 0.0.0.0 port 22.
Nov 7 08:21:27 client1 sshd[19980]: socket: Address family not supported by protocol

==> /var/log/audit/audit.log <==
type=PATH msg=audit(1415344887.668:20203): item=0 name="/var/lock/subsys/" inode=8204 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT
type=PATH msg=audit(1415344887.668:20203): item=1 name="/var/lock/subsys/sshd" inode=51 dev=fd:03 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0 nametype=DELETE
type=AVC msg=audit(1415344887.708:20204): avc: denied { read } for pid=19977 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file

Have you checked if there is an update for the SELinux policy package? If I run the AVC through audit2allow in Fedora 20 I get:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t var_t:lnk_file read;
klist on the Windows machine shows no entries for the sssd Linux client machine.
So the problem is within client1.
I assume that on the Windows side there are still only service principals with HOST/ instead of host/. Although Windows is typically case-insensitive when it comes to Kerberos, there still might be a mismatch. Can you try to re-join with adcli and use the option '--service-name=host/client1.acme.example.com@ACME.EXAMPLE.COM'?
HTH
bye, Sumit
On (07/11/14 11:39), Sumit Bose wrote:
Have you checked if there is an update for the SELinux policy package? If I run the AVC through audit2allow in Fedora 20 I get:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t var_t:lnk_file read;
Or the problem can be that the file has the wrong context. "restorecon -rv /var/lock/" can help.
LS
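The two replies above treat the same AVC record from two angles: Sumit runs it through audit2allow and sees that a newer policy already allows the access, Lukas suspects a wrong file label and suggests restorecon. Both start by reading the denial's fields off the audit line, which is worth automating when audit.log is as noisy as the tail above. The block below is an added example for this thread; it is not code from the thread or from the SELinux tool set. It picks the AVC records out of a mixed stream of audit lines, extracts permission, source type, target type, object class, process and object name, joins each denial to the PATH records that share its audit serial, and derives the allow rule in the form audit2allow prints, flagging targets labelled with a generic type such as var_t as a likely labelling problem rather than a missing rule. The function names and the GENERIC_TYPES list are my choice; the embedded SAMPLE_AUDIT lines are constructed from the records quoted in the thread, and its second AVC record (the create of /var/tmp/host_0) is invented to pair with the PATH record for that event that the thread shows.

```python
"""Triage SELinux AVC denials out of a mixed audit.log stream.

Added example for this thread; not code from the thread or from the SELinux
tools.  Pulls AVC records out of audit.log lines, joins them to the PATH
records of the same event and derives the rule audit2allow would print.
"""
import re

# Constructed sample.  The first AVC and both PATH records follow the lines
# quoted in the thread; the second AVC (create of /var/tmp/host_0) is invented
# to go with the PATH record the thread shows for that event.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1415344887.668:20203): item=1 name="/var/lock/subsys/sshd" inode=51 dev=fd:03 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0 nametype=DELETE
type=AVC msg=audit(1415344887.708:20204): avc:  denied  { read } for  pid=19977 comm="sshd" name="tmp" dev=dm-3 ino=925 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1415344948.800:20217): avc:  denied  { create } for  pid=19985 comm="sshd" name="host_0" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=PATH msg=audit(1415344948.800:20217): item=0 name="/var/tmp/host_0" nametype=UNKNOWN
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic types that should not label a specific object under /var; a denial
# against them usually means the object is mislabelled, not that policy lacks
# a rule.  Heuristic: confirm with `matchpathcon <path>` before acting.
GENERIC_TYPES = {"var_t", "default_t", "file_t"}


def context_type(ctx):
    """'user:role:type:range' -> 'type'."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the denial's fields, or None if the line is not an AVC record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "name": kv.get("name"),
        "stype": context_type(kv["scontext"]),
        "ttype": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
    }


def allow_rule(avc):
    """The allow rule in the shape audit2allow prints for one AVC."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], perm_text)


def paths_for_serial(lines, serial):
    """Object paths from the PATH records that belong to the same audit event."""
    marker = ":%d):" % serial
    paths = []
    for line in lines:
        if line.startswith("type=PATH") and marker in line:
            m = re.search(r'name="([^"]*)"', line)
            if m:
                paths.append(m.group(1))
    return paths


def triage(text):
    """All denials in `text`, each with its rule, paths and a relabel hint."""
    lines = text.splitlines()
    findings = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        avc["paths"] = paths_for_serial(lines, avc["serial"])
        avc["rule"] = allow_rule(avc)
        avc["relabel_hint"] = avc["ttype"] in GENERIC_TYPES
        findings.append(avc)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        where = ", ".join(f["paths"]) or f["name"]
        flag = "  [check labels first]" if f["relabel_hint"] else ""
        print("%s denied %s on %s -> %s%s" % (f["comm"], " ".join(f["perms"]), where, f["rule"], flag))
```

The relabel hint is the practical point: when the target type is the generic var_t on something under /var/tmp or /var/lock, an allow rule would grant sshd_t access to every var_t object on the system, which is far broader than what a correct label plus the distribution policy would give. Compare the actual label (`ls -Z`) with the expected one before writing any local policy module.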
Hi Community, I just want to say thank you for your help! As Sumit said, I tried the newest adcli version and, after manually adding another principal (Kerberos in general is case sensitive: sshd is looking for host/... while the keytab only has HOST/...), I can correctly log in to the RHEL station by GSSAPI from a Windows machine.
Cheers! /lm
2014-11-07 11:43 GMT+01:00 Lukas Slebodnik lslebodn@redhat.com: