On 5/11/2018 4:21 AM, Sumit Bose wrote:
On Thu, May 10, 2018 at 09:03:42AM -0400, TomK wrote:
> Hey Guys,
>
> I've the following scenario:
>
> 1) srv-remote01 is behind a firewall. We typically use adcli to add hosts
> to AD but in this case port 464 is blocked so we can't use adcli on
> srv-remote01 since it errors out on the blocked port. Other ports are open
> however so normal sssd function can work once connection is established and
> krb5.keytab is generated.
464 is the kpasswd port and adcli uses it to set the machine account
password, so it is crucial for joining with adcli.
>
> 2) Since we can't get through port 464, we run the adcli on another machine
> within the same domain (MYDOM.ABC) to generate a keytab and copy over to the
> target machine srv-remote01.
>
> 3) Computer object in AD is called ad-srv-remote01. The command we use is
> below. Note, --computer-name is set to the AD attribute type
> sAMAccountName.
Why is 'srv-remote01' used as the hostname but the AD object is called
'ad-srv-remote01'? It would make things easier if the same name would be
used.
It's an older inherited SSSD setup that wasn't done right. Hence the
ask. Before things get cleaned up, which may take time, we need the
functionality in the interim.
>
> adcli join --host-fqdn=srv-remote01 --domain=mdom.abc
> --computer-name=AD-SRV-REMOTE01 --login-user=adsrvacct01 -v -S
> rem-addc-01.mdom.abc --domain-ou="OU=Linux,OU=Servers
> Group,OU=Servers,OU=MDOM,DC=MDOM,DC=abc" --os-name="CentOS7"
> --os-version="6.7" --show-details --show-password
>
>
> So we try to use another host (i.e. srv-local01) on the same domain to
> create a keytab while ensuring KVNO numbers match. But there's an issue
> with that as well. When we run the above, the entries in the krb5.keytab
> begin with AD-SRV-REMOTE01.
>
> So we manually use ktutil and addent to add the corresponding
> SRV-REMOTE01@MDOM.ABC entries etc., using the same 120-character password
> adcli returns (due to --show-password) above, ensuring our objects in the
> keytab all have the same password. All this because when SSSD talks to AD,
> it tries to find the true host by using SRV-REMOTE01, not the AD computer
> object name AD-SRV-REMOTE01.
You can use
ldap_sasl_authid = AD-SRV-REMOTE01$@MDOM.ABC
to tell SSSD to use a different principal. By default SSSD will take the
hostname (see above) and add the realm (and the '$' sign for AD).
Thank you for this. Going to give it a shot.
IIRC AD uses a different type of salt for user and computer objects in the
keys and unfortunately ktutil has no option to change the salt. But if
you call 'list -k' in ktutil it will show you the key and you can
create new entries with this key with the -key option of addent. (Btw,
this underlines why it is important to restrict access to keytab files;
they are as good as passwords.)
I'm not sure which fix would be best for your environment but I hope one
is suitable for you.
bye,
Sumit
>
> However, when we try to use this keytab, we get the below set of errors.
>
> Tried with SSSD 1.12 and SSSD 1.15. Same result. Assume opening up the
> firewall right now is not an option.
>
> Any way around this? Other than that message, there's very little more
> that's printed indicating the real cause of the failure. Is there a way to
> print more info around the -1765328360/Preauthentication failed error? It
> could be due to a number of things but it's not indicated.
>
> [sssd[be[MDOM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14
> [Preauthentication failed], expired on [0]
> [sssd[be[MDOM]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad
> address]
> [sssd[be[MDOM]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret
> [1432158226](Authentication Failed)
> [sssd[be[MDOM]]] [sdap_cli_connect_recv] (0x0040): Unable to establish
> connection [13]: Permission denied
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400):
> ldap_child started.
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
> context initialized
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x1000): total buffer size: 41
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x1000): realm_str size: 9
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x1000): got realm_str: MDOM.ABC
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x1000): princ_str size: 8
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x1000): got princ_str: SRV-REMOTE01$
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x1000): keytab_name size: 0
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x1000): lifetime: 86400
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
> (0x0200): Will run as [0][0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [privileged_krb5_setup] (0x2000): Kerberos context initialized
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
> Kerberos context initialized
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user]
> (0x0200): Trying to become user [0][0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user]
> (0x0200): Already user [0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
> Running as [0][0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
> getting TGT sync
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [ldap_child_get_tgt_sync] (0x2000): got realm_name: [MDOM.ABC]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [ldap_child_get_tgt_sync] (0x0100): Principal name is:
> [SRV-REMOTE01$@MDOM.ABC]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803319: Getting
> initial credentials for SRV-REMOTE01$@MDOM.ABC
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803467: Looked up
> etypes in keytab: aes256-cts
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803508: Sending
> request (171 bytes) to MDOM.ABC
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803735: Initiating
> TCP connection to stream 123.123.123.123:88
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.805585: Sending TCP
> request to stream 123.123.123.123:88
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809430: Received
> answer from stream 123.123.123.123:88
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809554: Response was
> from master KDC
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809607: Received
> error from KDC: -1765328359/Additional pre-authentication required
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809681: Processing
> preauth types: 11, 19, 2, 16, 15
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809710: Selected
> etype info: etype rc4-hmac, salt "", params ""
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809755: Selected
> etype info: etype rc4-hmac, salt "", params ""
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809799: Retrieving
> SRV-REMOTE01$@MDOM.ABC from MEMORY:/etc/krb5.keytab (vno 0, enctype
> rc4-hmac) with result: 0/Success
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809842: AS key
> obtained for encrypted timestamp: rc4-hmac/7361
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809932: Encrypted
> timestamp (for 1525932937.809866): plain
> 301AA011180F32303138303531303036313533375AA10502030C5B8A, encrypted
> E38D66FB781CE178E10659E2F3770F5109454EE5808B5929B17D113D2621E30DF3C79F819517A1AED46BD734F55092F36B343BCD
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809958: Preauth
> module encrypted_timestamp (2) (flags=1) returned: 0/Success
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809974: Produced
> preauth for next request: 2
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810004: Sending
> request (245 bytes) to MDOM.ABC
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810100: Initiating
> TCP connection to stream 123.123.123.123:88
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.811915: Sending TCP
> request to stream 123.123.123.123:88
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.819955: Received
> answer from stream 123.123.123.123:88
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820056: Response was
> from master KDC
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820086: Received
> error from KDC: -1765328360/Preauthentication failed
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820121: Preauth
> tryagain input types: 11, 19, 2, 16, 15
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials:
> Preauthentication failed
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
> [unique_filename_destructor] (0x2000): Unlinking
> [/var/lib/sss/db/ccache_MDOM.ABC_1KdDyX]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [prepare_response]
> (0x0400): Building response for result [-1765328360]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer]
> (0x2000): response size: 44
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer]
> (0x1000): result [14] krberr [-1765328360] msgsize [24] msg
> [Preauthentication failed]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400):
> ldap_child completed successfully
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
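As an added example (not code from this thread, nor from SSSD or adcli): a small parser for the MIT keytab format that performs the check Sumit's reply points at, namely whether the principal SSSD will actually look for (the hostname with '$' and the realm appended, or the ldap_sasl_authid override) is present in the keytab, with which enctypes and kvnos, and which other principals (such as the AD-SRV-REMOTE01$ entries adcli wrote) are there instead. The sample keytab, its dummy key bytes, the single-candidate rule in default_ad_principal and all function names are assumptions made for illustration; on a real host, klist -kte shows the same fields.

```python
import struct
from typing import List, NamedTuple, Optional

KEYTAB_MAGIC = b"\x05\x02"        # MIT keytab format version 2, big-endian fields
KRB5_NT_PRINCIPAL = 1
ETYPE_NAMES = {17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}


class KeytabEntry(NamedTuple):
    principal: str    # "name@REALM", name components joined with '/'
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries as an MIT v2 keytab (used here to construct sample input)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)       # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse an MIT v2 keytab (the format 'klist -kte' reads) into entries."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                            # negative size marks a deleted slot
            pos += -size
            continue
        end = off = pos + size, pos
        end, off = pos + size, pos
        ncomp, rlen = struct.unpack_from(">HH", blob, off)
        off += 4
        realm = blob[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, off)
            off += 2
            comps.append(blob[off:off + clen].decode())
            off += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", blob, off)
        off += 4
        key = blob[off:off + klen]
        off += klen
        kvno = vno8
        if off + 4 <= end:                      # non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", blob, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, timestamp))
        pos = end
    return entries


def default_ad_principal(hostname: str, realm: str) -> str:
    """Principal SSSD's AD provider derives when ldap_sasl_authid is unset: short
    hostname + '$' + '@' + realm, upper-cased as in the ldap_child log above.
    Assumption: only this first candidate is modelled."""
    return hostname.split(".")[0].upper() + "$@" + realm.upper()


def check_keytab(blob: bytes, hostname: str, realm: str,
                 ldap_sasl_authid: Optional[str] = None) -> dict:
    """Is the principal SSSD will use in the keytab, with which enctypes, and what
    else is in there? Differing kvnos across entries are a warning sign too."""
    wanted = ldap_sasl_authid or default_ad_principal(hostname, realm)
    entries = parse_keytab(blob)
    mine = [e for e in entries if e.principal == wanted]
    return {
        "wanted": wanted,
        "found": bool(mine),
        "etypes": sorted(ETYPE_NAMES.get(e.enctype, str(e.enctype)) for e in mine),
        "other_principals": sorted({e.principal for e in entries} - {wanted}),
        "kvnos": sorted({e.kvno for e in entries}),
    }


def sample_keytab() -> bytes:
    """Constructed sample: the entries an adcli join with --computer-name=AD-SRV-REMOTE01
    leaves behind. Key bytes are dummies, not real keys."""
    p = "AD-SRV-REMOTE01$@MDOM.ABC"
    return build_keytab([KeytabEntry(p, 2, 18, bytes(range(32)), 1525932937),
                         KeytabEntry(p, 2, 23, bytes(range(16)), 1525932937)])


if __name__ == "__main__":
    kt = sample_keytab()
    print(check_keytab(kt, "srv-remote01", "MDOM.ABC"))
    print(check_keytab(kt, "srv-remote01", "MDOM.ABC", "AD-SRV-REMOTE01$@MDOM.ABC"))
```

Run against the sample, the first call reports SRV-REMOTE01$@MDOM.ABC as wanted but not found and lists AD-SRV-REMOTE01$@MDOM.ABC under other_principals, which is the mismatch the log shows; passing the ldap_sasl_authid value from the reply makes the same keytab check out with both enctypes at kvno 2.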