On Sat, Nov 17, 2018 at 03:24:29AM -0000, Sergei Gerasenko wrote:
I've run into a dead end debugging a case of passwordless authentication between two
IPA'd hosts. Running `sshd -p 5000 -d` on the receiving host (let's call it
HOST_B), I see this:
Postponed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 [preauth]
debug1: Received some client credentials
debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/USER/.k5login
Failed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2
The client then gets an interactive password prompt. Here are some facts and things
* If I put the user into `.k5login` on the receiving host and it works.
Does .k5login for the user on the receiving host contain other entries
as well? In this case you might want to set 'k5login_authoritative=
false' in krb5.conf (see man krb5.conf) for details.
If typically .k5login does not exist there might be an issue mapping the
Kerberos principal to the local user name. SSSD should create
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin which configures
SSSD's localauth plugin. To be able to read this libkrb5 needs and
entry like 'includedir /var/lib/sss/pubconf/krb5.include.d/' in
> * The receiving host is correctly enrolled into IPA. I can ssh from it to other hosts
> * I can issue `kvno host/HOST_B` on the connecting host and I get a service ticket.
> * It looks like all this happens before any pam stuff kicks in (?). So I'm ruling
PAM issues out.
> * No errors in the logs of the KDCs.
> * The ticket from the connecting host is not expired.
> * The sssd version is 1.16.0.
> * Turning up the debugging in sssd with `debug_level = 7` for the domain section
doesn't reveal anything obvious.
> What else could I check?
> Thanks for any ideas,
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: