> On 4 Feb 2025, at 17:58, Alexander Bokovoy <[email protected]> wrote:
>
> On Tue, 04 Feb 2025, Djerk Geurts via FreeIPA-users wrote:
>> Hi All,
>>
>> Testing an Ansible playbook, I’m running into what looks like throttling
>> issues. But the ssh debug logs list something else. Has anyone seen this
>> happen before?
>>
>> debug1: kex_input_ext_info: [email protected]=<0>
>> debug3: receive packet: type 6
>> debug2: service_accept: ssh-userauth
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug3: send packet: type 50
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
>> debug3: start over, passed a different list
>> publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
>> debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
>>
>> debug3: authmethod_lookup gssapi-with-mic
>> debug3: remaining preferred: gssapi-keyex,hostbased,publickey
>>
>> debug3: authmethod_is_enabled gssapi-with-mic
>> debug1: Next authentication method: gssapi-with-mic
>>
>> debug1: No credentials were supplied, or the credentials were unavailable or
>> inaccessible
>> No Kerberos credentials available: Disk quota exceeded
>>
>> debug1: No credentials were supplied, or the credentials were unavailable or
>> inaccessible
>> No Kerberos credentials available: Disk quota exceeded
>>
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup gssapi-keyex
>>
>> debug3: remaining preferred: hostbased,publickey
>> debug3: authmethod_lookup publickey
>>
>> debug3: remaining preferred: ,publickey
>> debug3: authmethod_is_enabled publickey
>>
>> debug1: Next authentication method: publickey
>>
>> SSH between the hosts works fine, and the playbook runs fine until
>> some/all/most ssh sessions start to fail like this. Disk quota is fine
>> on the Ansible host and the targets.
>>
>> The solution is probably to use key-based authentication, but as
>> Kerberos is attempted first, I want to make sure I’m not
>> hammering/killing an IPA server by Ansible trying Kerberos auth to 150
>> servers sequentially. Also, I want to be prepared for if/when another
>> user ends up doing the same thing.
>
> 'Disk quota exceeded' error message probably comes from use of KEYRING:
> credentials cache collection. Maybe switch to KCM: or DIR: types for
> the ansible runs?
>
> See man page for keyrings(7) which also describes kernel keyring limits
> for individual non-root users.
Thank you, that’s been really helpful.

For those who are curious how to switch from keyring to KCM:

```
sudo apt install sssd-kcm
sudo systemctl enable --now sssd-kcm.socket
sudo vi /etc/krb5.conf
```

```
[libdefaults]
...
#default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = KCM:
```

```
sudo systemctl restart sssd
```

Verify with klist.

The above ensured consistent Kerberos authentication for Ansible playbooks on
Ubuntu 22.04.

Sources used:
- https://access.redhat.com/solutions/5506571
- https://manpages.ubuntu.com/manpages/jammy/man8/sssd-kcm.8.html
--
Thanks,
Djerk Geurts
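
The kernel keyring limits mentioned in the thread (keyrings(7)) can be checked per user from /proc/key-users. The following is an added example, not part of the original messages: the function names `keyring_quota_report` and `sample_key_users` are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: list UIDs that are close to their kernel keyring quota,
# the condition that surfaces as "Disk quota exceeded" with KEYRING: caches.
# /proc/key-users line format (see keyrings(7)):
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>

# keyring_quota_report [FILE] [THRESHOLD_PERCENT]
# FILE defaults to /proc/key-users ("-" reads stdin), threshold to 80.
# Prints "<uid> keys=<pct>% bytes=<pct>%" for every UID whose key-count
# or byte usage is at or above the threshold.
keyring_quota_report() {
    file="${1:-/proc/key-users}"
    threshold="${2:-80}"
    awk -v thr="$threshold" '
        NF >= 5 {
            uid = $1; sub(/:$/, "", uid)
            # Fields 4 and 5 hold used/max pairs; skip malformed lines.
            if (split($4, k, "/") != 2 || split($5, b, "/") != 2) next
            if (k[2] <= 0 || b[2] <= 0) next
            kp = int(k[1] * 100 / k[2])
            bp = int(b[1] * 100 / b[2])
            if (kp >= thr || bp >= thr)
                printf "%s keys=%d%% bytes=%d%%\n", uid, kp, bp
        }' "$file"
}

# Constructed sample in /proc/key-users format: UID 1000 stands in for an
# automation user that has nearly exhausted its 200-key / 20000-byte quota.
sample_key_users() {
    cat <<'EOF'
    0:    10 9/9 2/1000000 22/25000000
 1000:   205 203/203 198/200 19740/20000
 1001:    11 11/11 10/200 271/20000
EOF
}

# Demonstration on the constructed sample.
sample_key_users | keyring_quota_report - 80
```

Calling `keyring_quota_report` with no arguments on the Ansible control host reads the live /proc/key-users, so it can be run while a playbook is in progress to see whether the invoking user approaches its limits.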