Thanks. When I am trying to access the user with a password I am getting the below message in the logs.
*Aug 18 09:38:17 ilt-gif-ipa02 [sssd[krb5_child[8505]]]: Cannot find KDC for realm "ADDOMAON.COM"*

When I connect through ssh, it tries to contact the KDC for the realm *ADDOMAON.COM*, which should be corp.addomain.com. Do you have any further comments or suggestions that may help us?

/Rajat

On Tue, Aug 16, 2016 at 2:46 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Tue, 16 Aug 2016, rajat gupta wrote:
>
>> Hi,
>>
>> I have done IPA AD trust between IPA and AD server. But trust is showing
>> offline always. But we are able to get the AD user information. And able
>> to grant the KRB ticket.
>>
>> # wbinfo --online-status
>> BUILTIN : online
>> IPA : online
>> *CORP : offline*
>>
> Don't use wbinfo. Its output is irrelevant starting from FreeIPA 3.3.
>
>> #id adu...@corp.addomain.com
>> uid=1007656917(adu...@corp.addomain.com) gid=1007656917(adu...@corp.addomain.com) groups=1007656917(adu...@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-r...@corp.addomain.com),1007600513(domain us...@corp.addomain.com)
>>
>> [root@ilt-gif-ipa01 ~]# kinit adu...@corp.addomain.com
>> Password for adu...@corp.addomain.com:
>> [root@ilt-gif-ipa01 ~]#
>> [root@ilt-gif-ipa01 ~]#
>> [root@ilt-gif-ipa01 ~]# klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: adu...@corp.addomain.com
>>
>> Valid starting       Expires              Service principal
>> 08/11/2016 13:11:35  08/11/2016 23:11:35  krbtgt/corp.addomain....@corp.addomain.com
>>         renew until 08/12/2016 13:11:29
>> [root@ilt-gif-ipa01 ~]#
>>
> This is irrelevant for the trust case because you are authenticating
> against AD DCs, not IPA KDCs.
>
>> From the IPA client server we are able to get all things (KRB ticket/
>> user/groups).
>>
>> [root@ilt-gif-ipa02 ~]# getent passwd adu...@corp.addomain.com
>> adu...@corp.addomain.com:*:1007656917:1007656917:USER NAME:/home/corp.addomain.com/aduser:
>> [root@ilt-gif-ipa02 ~]#
>>
>> [root@ilt-gif-ipa02 ~]# getent group adu...@corp.addomain.com
>> adu...@corp.addomain.com:*:1007656917:
>> [root@ilt-gif-ipa02 ~]#
>>
>> [root@ilt-gif-ipa02 ~]# id adu...@corp.addomain.com
>> uid=1007656917(adu...@corp.addomain.com) gid=1007656917(adu...@corp.addomain.com) groups=1007656917(adu...@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-r...@corp.addomain.com),1007600513(domain us...@corp.addomain.com),1007725088(tfs_us...@corp.addomain.com)
>>
>> Also we are able to ssh to the IPA client on the same machine or from some other
>> machine with GSS authentication. But using password authentication it
>> fails to login.
>>
>> *ERROR:- pam_sss(sshd:auth): authentication failure; logname*
>>
>> kinit adu...@corp.addomain.com
>> Password for adu...@corp.addomain.com:
>>
>> [root@ilt-gif-ipa02 ~]# ssh -vl adu...@corp.addomain.com ilt-gif-ipa02.ipa.preprod.local
>> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 60: Applying options for *
>> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ilt-gif-ipa02.ipa.preprod.local
>> debug1: permanently_set_uid: 0/0
>> debug1: permanently_drop_suid: 0
>> debug1: identity file /root/.ssh/id_rsa type -1
>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>> debug1: identity file /root/.ssh/id_dsa type -1
>> debug1: identity file /root/.ssh/id_dsa-cert type -1
>> debug1: identity file /root/.ssh/id_ecdsa type -1
>> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
>> debug1: identity file /root/.ssh/id_ed25519 type -1
>> debug1: identity file /root/.ssh/id_ed25519-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
>> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
>> debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
>> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
>> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>> debug1: Server host key: ECDSA f0:e6:b2:66:c8:41:06:4e:83:a4:a2:c5:5a:57:24:66
>> debug1: Host 'ilt-gif-ipa02.ipa.preprod.local' is known and matches the ECDSA host key.
>> debug1: Found key in /root/.ssh/known_hosts:3
>> debug1: ssh_ecdsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>> debug1: Next authentication method: gssapi-keyex
>> debug1: No valid Key exchange context
>> debug1: Next authentication method: gssapi-with-mic
>> *debug1: Authentication succeeded (gssapi-with-mic).*
>> Authenticated to ilt-gif-ipa02.ipa.preprod.local (via proxy).
>> debug1: channel 0: new [client-session]
>> debug1: Requesting no-more-sessi...@openssh.com
>> debug1: Entering interactive session.
>> debug1: Sending environment.
>> debug1: Sending env LANG = en_US.UTF-8
>> Last login: Thu Aug 11 13:17:05 2016 from ilt-gif-ipa02.ipa.preprod.local
>>
>> RHN kickstart on 2014-10-16
>>
>> -sh-4.2$ pwd
>> /home/corp.addomain.com/aduser
>> -sh-4.2$ who am i
>> adu...@corp.addomain.com pts/3 2016-08-11 13:19 (ilt-gif-ipa02.ipa.preprod.local)
>> -sh-4.2$
>>
>> ]# ssh adu...@corp.addomain.com@ilt-gif-ipa02.ipa.preprod.local
>> e600...@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
>> Permission denied, please try again.
>> e600...@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
>>
>> Can you please help me, I am not able to login with AD user
>> password authentication.
>>
> If you cannot login with password but can with Kerberos credentials, you
> need to look into SSSD logs on the ilt-gif-ipa02.ipa.preprod.local host.
> See https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> --
> / Alexander Bokovoy

--
*Rajat Gupta *
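A small diagnostic for the krb5_child message quoted at the top of this thread, added here as an example (it is not code from the thread or from SSSD/FreeIPA): it pulls the realm out of "Cannot find KDC for realm" lines and reports whether the client's krb5.conf defines that realm or maps a DNS domain to it. The krb5.conf text, the IPA.PREPROD.LOCAL realm name and the CORP.ADDOMAIN.COM mapping are assumptions built for the sample.

```python
import re

# Shape of the krb5_child line quoted in the thread (host and PID as on the page).
KDC_RE = re.compile(r'\[sssd\[krb5_child\[\d+\]\]\]: Cannot find KDC for realm "([^"]+)"')

def krb5_conf_realms(conf_text):
    """Return (realm stanza names, domain_realm targets) from krb5.conf text, upper-cased.
    Minimal parse: [section] headers, 'NAME = {' stanzas, 'domain = REALM' mappings."""
    stanzas, targets, section = set(), set(), None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        head = re.match(r'^\[(\w+)\]$', line)
        if head:
            section = head.group(1)
        elif section == 'realms' and re.match(r'^[\w.-]+\s*=\s*\{', line):
            stanzas.add(line.split('=', 1)[0].strip().upper())
        elif section == 'domain_realm' and '=' in line:
            targets.add(line.split('=', 1)[1].strip().upper())
    return stanzas, targets

def unknown_kdc_realms(log_lines, conf_text):
    """For each 'Cannot find KDC' line return (realm, has [realms] stanza, is a
    domain_realm target). A realm missing from both is the name to chase in the
    SSSD domain log; it may still resolve via DNS SRV if dns_lookup_kdc is on,
    which this check does not attempt."""
    stanzas, targets = krb5_conf_realms(conf_text)
    findings = []
    for line in log_lines:
        m = KDC_RE.search(line)
        if m:
            realm = m.group(1).upper()
            findings.append((realm, realm in stanzas, realm in targets))
    return findings

# Constructed sample: the log line from the thread plus an assumed krb5.conf for the
# IPA client, where the AD realm the user expects is CORP.ADDOMAIN.COM.
SAMPLE_LOG = [
    'Aug 18 09:38:17 ilt-gif-ipa02 [sssd[krb5_child[8505]]]: Cannot find KDC for realm "ADDOMAON.COM"',
]
SAMPLE_KRB5_CONF = """
[realms]
 IPA.PREPROD.LOCAL = {
  kdc = ilt-gif-ipa01.ipa.preprod.local:88
 }
[domain_realm]
 .ipa.preprod.local = IPA.PREPROD.LOCAL
 .corp.addomain.com = CORP.ADDOMAIN.COM
"""
```

On the sample the only finding is ADDOMAON.COM with neither a stanza nor a mapping, which is exactly the mismatch against corp.addomain.com that the poster describes.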
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code