Hi Sumit,
I see this message:
Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/client1.acme.example.com@\n
during every ssh connection with "-k" argument.
# klist -k
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
After logging in with a password I see:
user1@client1.acme.example.com's password:
Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Default principal: user1@ACME.EXAMPLE.COM
Valid starting     Expires            Service principal
11/06/14 09:57:13  11/06/14 19:57:13  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
        renew until 11/13/14 09:57:13
Any idea?
/lm
> On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> > Hi All,
> > I have a properly functioning integration between RHEL6.6/CentOS6.6 and
> > Active Directory 2008 using adcli tool and sssd-ad
> > (http://jhrozek.livejournal.com/3581.html):
> >
> > # adcli join acme.example.com -U userdomain
> >
> > # adcli info acme.example.com
> > [domain]
> > domain-name = acme.example.com
> > domain-short = ACME
> > domain-forest = example.com
> > domain-controller = dom1.acme.example.com
> > domain-controller-site = CENTRAL
> > domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> > domain-controller-usable = yes
> > domain-controllers = dom1.acme.example.com dom2.acme.example.com
> > [computer]
> > computer-site = CENTRAL
> >
> > The sssd.conf :
> > [sssd]
> > services = nss, pam, ssh
> > config_file_version = 2
> > domains = ACME.EXAMPLE.COM
> > debug_level = 7
> >
> > [domain/ACME.EXAMPLE.COM]
> > krb5_use_enterprise_principal = false
> > krb5_realm = ACME.EXAMPLE.COM
> > ldap_force_upper_case_realm = true
> > ldap_account_expire_policy = ad
> > override_homedir = /home/%d/%u
> > ldap_id_mapping = true
> > subdomain_enumerate = true
> > ldap_schema = ad
> > ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> > ad_enable_gc = false
> > ldap_access_order = filter, expire
> > enumerate = false
> > id_provider = ad
> > auth_provider = ad
> > access_provider = ad
> > subdomains_provider = ad
> > chpass_provider = ad
> > ad_server = dom1.acme.example.com, dom2.acme.example.com
> > ad_domain = acme.example.com
> > ad_hostname = client1.acme.example.com
> > ad_enable_dns_sites = false
> > dyndns_update = false
> > debug_level = 7
> >
> > /etc/krb5.conf:
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = acme.example.com
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> > rdns = true
> > ignore_acceptor_hostname = true
> >
> > [realms]
> > acme.example.com = {
> > kdc = acme.example.com
> > admin_server = acme.example.com
> > }
> >
> > [domain_realm]
> > .acme.example.com = acme.example.com
> > acme.example.com = acme.example.com
> > .example.com = acme.example.com
> > example.com = acme.example.com
> >
> > [appdefaults]
> > debug = true
> >
> > I can log in with user/password from AD to RHEL/CentOS, I can change the
> > password, lock the account from AD, etc. It all works.
> >
> > The problem is within GSSAPI SSH-SSO Authentication. Simple, it doesn't
> > work. I see in logs:
> >
> > Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.
> > Minor code may provide more information\nNo key table entry found matching
> > host/client1.acme.example.com@\n
>
> Do you see this message when sshd is starting up or during the
> connection of a client?
> What principals are shown by 'klist -k' ?
>
> bye,
> Sumit
>
> > Any idea what could be the reason? All I want to achieve is to get SSH-SSO
> > working, directly from AD desktop machine to Linux systems without password
> > prompt.
> >
> > /lm
--
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
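As an added example (my own code, not from this thread, sssd or adcli): a small Python checker that parses a `klist -k` listing together with sshd's "No key table entry found matching ..." line and reports whether the principal sshd asked for is present exactly, present only with different letter case, or present only under another realm. The sample listing and log line are constructed from the output in this message, with mailman's "(a)" obfuscation restored to "@" and the six identical rows per principal collapsed to one. The empty realm after "@" in sshd's message is how a host-based GSSAPI acceptor name is expressed and means any realm in the keytab is acceptable, so the realm is not the first thing to suspect here; the listing above has its service entries written as HOST/... while sshd asks for host/..., and since MIT Kerberos compares principal components byte for byte, that case difference is the kind of thing the checker is meant to surface.

```python
import re
from collections import OrderedDict

# Constructed sample input: the `klist -k` rows from the message above, one per
# principal, with "(a)" restored to "@".
KLIST_K_OUTPUT = """\
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
"""

# Constructed sample input: the sshd debug line from the message above. The
# literal "\n" sequences are how syslog renders the newlines in the GSS text.
SSHD_LOG_LINE = (
    "Nov  6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. "
    "Minor code may provide more information\\nNo key table entry found "
    "matching host/client1.acme.example.com@\\n"
)

PRINCIPAL_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")          # "<kvno> <principal>"
NO_ENTRY = re.compile(r"No key table entry found matching (\S+?)(?:\\n)?\s*$")


def parse_klist_k(text):
    """Return the distinct principals of a `klist -k` listing, in listing order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = PRINCIPAL_ROW.match(line)
        if m:
            seen.setdefault(m.group(2), int(m.group(1)))
    return list(seen)


def split_principal(principal):
    """Split 'name@REALM' at the last '@'. An empty realm means 'any realm'."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, ""
    return name, realm


def requested_principal(log_line):
    """Extract the principal sshd could not find from the GSS failure line."""
    m = NO_ENTRY.search(log_line)
    return m.group(1) if m else None


def diagnose(keytab_text, log_line):
    """Classify keytab entries relative to the principal sshd asked for."""
    wanted = requested_principal(log_line)
    if wanted is None:
        return {"requested": None, "verdict": "log line names no missing principal"}
    w_name, w_realm = split_principal(wanted)
    exact, case_only, realm_only = [], [], []
    for entry in parse_klist_k(keytab_text):
        name, realm = split_principal(entry)
        realm_ok = w_realm == "" or realm == w_realm   # empty realm = wildcard
        if name == w_name and realm_ok:
            exact.append(entry)
        elif name.lower() == w_name.lower() and realm_ok:
            case_only.append(entry)
        elif name.lower() == w_name.lower():
            realm_only.append(entry)
    if exact:
        verdict = "matching entry present; check keytab permissions, KVNO and enctypes next"
    elif case_only:
        verdict = "only a differently-cased entry exists; principal comparison is case-sensitive"
    elif realm_only:
        verdict = "entry exists only under another realm"
    else:
        verdict = "no entry for this service on this host in the keytab"
    return {"requested": wanted, "exact": exact, "case_only": case_only,
            "realm_only": realm_only, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(KLIST_K_OUTPUT, SSHD_LOG_LINE).items():
        print(f"{key}: {value}")
```

Feed it the real `klist -k` output and the real sshd line (`python3 check.py` after replacing the two constants, or wire them to `sys.argv`) and read the verdict; an "exact" hit moves the investigation away from the keytab contents, while a "case_only" hit points at how the entries were written.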