I’ve been struggling to get SSH to work with an AD user for over 3 weeks
now. I've scraped the bowels of the internet for answers, still no dice.

The issue is pretty simple in itself, I can’t SSH to a freeipa joined
Centos client 7.3 with an AD user. However, kinit with any AD users as well
as su works just fine. I’m running two 4.4.0 IPA servers.

I made sure the entire setup is resolving DNS properly, NTP(external to
freeipa) is in sync. I’m using FQDN for hostnames.

Here’s the output from journalctl -f:

Jul 27 04:37:10 centos.ipa.ad.com sshd[2633]: pam_unix(sshd:session):
session opened for user root by (uid=0)
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: (to ad...@ad.com) root on pts/1
Jul 27 04:37:35 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session
opened for user ad...@ad.com by root(uid=0)
Jul 27 04:37:42 centos.ipa.ad.com su[2652]: pam_unix(su-l:session): session
closed for user ad...@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruse  r=
rhost=localhost user=ad...@ad.com
Jul 27 04:38:35 centos.ipa.ad.com sshd[2677]: pam_sss(sshd:auth): received
for user ad...@ad.com: 6 (Permission denied)
Jul 27 04:38:35 centos.ipa.ad.com sshd[2674]: error: PAM: Authentication
failure for ad...@ad.com from localhost
Jul 27 04:38:38 centos.ipa.ad.com sshd[2674]: Connection closed by ::1
[preauth]



Config files:

/etc/krb5.conf

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IP.AD.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  IP.AD.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }

/etc/sssd/sssd.conf

[domain/ipa.ad.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.ad.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = centos.ipa.ad.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipaserver02.ipa.ad.com
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt[sssd]
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.ad.com
[nss]
homedir_substring = /home

[pam]
debug_level= 9

[sudo]

[autofs]

[ssh]
debug_level=9

[pac]

[ifp]



/etc/ssh/sshd_config

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
GSSAPICleanupCredentials no
X11Forwarding yes
UsePrivilegeSeparation sandbox          # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody


I uploaded krb5_child.log and ldap_child.log to
https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD

I managed to ssh AD user login to works on both my freeipa servers. I had
to modify the following files See changes in bold.

/etc/krb5.conf

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.AD.COM
* dns_lookup_realm = true*
* dns_lookup_kdc = true*
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.AD.COM = {
  kdc = ipaserver01.ipa.ad.com:88
  master_kdc = ipaserver01.ipa.ad.com:88
  admin_server = ipaserver01.ipa.ad.com:749
  default_domain = ipa.ad.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
*  auth_to_local = RULE:[1:$1@$0](^.*@AD.COM
<http://AD.COM>)s/@AD.COM/@ad.com/ <http://AD.COM/@ad.com/>*
*  auth_to_local = DEFAULT*
}

[domain_realm]
 .ipa.ad.com = IPA.AD.COM
 ipa.ad.com = IPA.AD.COM
 ipaserver02.ipa.ad.com = IPA.AD.COM

[dbmodules]
  IPA.AD.COM = {
    db_library = ipadb.so
  }

/etc/resolv.conf
search ipa.ad.com ad.com
nameserver 127.0.0.1
*nameserver 192.168.1.2 #Seconday IPA Server*

In /etc/named.conf, I disabled dnssec-validation(dnssec-validation no;)

Not sure those settings were at all necessary.


Adding the following line sunder the [realms] for krb5.conf on my centos
client machine did not make a difference.

 auth_to_local = RULE:[1:$1@$0](^.*@AD.COM)s/@AD.COM/@ad.com/
 auth_to_local = DEFAULT

IPv6 has been disabled in /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

If anyone has an idea what may be the issue or where to look, please reply.

Thanks
 Alex
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to