On Mar 14, 2013, at 7:08 AM, Luke Kearney wrote:

> 
> On Mar 14, 2013, at 6:38 AM, KodaK wrote:
> 
>> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney <l...@kearney.jp> wrote:
>>> Hello,
>>> 
>>> I have recently been working on integrating our solaris 10 fleet with 
>>> FreeIPA. The first 'test' host went relatively smoothly and we recently 
>>> created a new test host. Only this time it was more challenging to get the 
>>> system working.
>>> 
>>> On our original test installation every step went almost exactly as per the 
>>> documentation [ 
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>>  ]
>>> 
>>> On the second install we found that whilst we were able to retrieve user 
>>> account information via LDAP we could not login via ssh and kerberos for 
>>> any amount of trying. This was overcome by inserting the following line 
>>> into pam.conf
>>> 
>>> other         account            sufficient              pam_ldap.so.1
>>> 
>>> Where it had not been needed on test host1.
>>> 
>>> To the extent it works and doesn't break something else this is all fine. I 
>>> understand why it works as the information in ldap is needed to open the 
>>> terminal session, why would one need this stanza but not the other?
>>> 
>> 
>> IIRC, the instructions have you pulling information from Kerberos.
>> This explicitly allows ldap -- I would suspect that Kerberos isn't
>> working correctly on the second host.  Check time first.
>> 
> 
> Thanks for that - NTP reports that both the kerberos master and the solaris 
> client are indeed in sync. In all other respects kerberos seems to be working 
> properly, a user can obtain a ticket and can use that same ticket to ssh to 
> another host. 

There is no doubt this is somehow borked: when I remove pam_ldap from the 
pam.conf file, kerberos logins fail. On the KDC I see

Mar 16 02:56:19 tamachi.hq.meibin.net krb5kdc[3362](info): TGS_REQ (7 etypes 
{18 17 16 23 1 3 2}) 192.168.12.254: ISSUE: authtime 1363370170, etypes {rep=18 
tkt=17 ses=17}, lu...@hq.meibin.net for host/oiran.hq.meibin....@hq.meibin.net

pam on the client tells me

Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.info] Connection from 
192.168.12.254 port 51616
Mar 16 02:56:19 oiran sshd[526]: [ID 800047 auth.debug] debug1: Forked child 
788.
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client protocol 
version 2.0; client software version OpenSSH_5.3
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: match: 
OpenSSH_5.3 pat OpenSSH*
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Enabling 
compatibility mode for protocol 2.0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Local version 
string SSH-2.0-Sun_SSH_1.1
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
list_hostkey_types: ssh-rsa,ssh-dss
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEXINIT sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEXINIT received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: kex: 
client->server aes128-ctr hmac-md5 none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: kex: 
server->client aes128-ctr hmac-md5 none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Peer sent 
proposed langtags, ctos: 
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Peer sent 
proposed langtags, stoc: 
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: We proposed 
langtags, ctos: i-default
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: We proposed 
langtags, stoc: i-default
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEX_DH_GEX_REQUEST received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEX_DH_GEX_GROUP sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: dh_gen_key: 
priv key bits set: 127/256
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: bits set: 
503/1024
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: expecting 
SSH2_MSG_KEX_DH_GEX_INIT
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: bits set: 
513/1024
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEX_DH_GEX_REPLY sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: newkeys: mode 1
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_NEWKEYS sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: expecting 
SSH2_MSG_NEWKEYS
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: newkeys: mode 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_NEWKEYS received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: KEX done
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
userauth-request for user lukek service ssh-connection method none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 0 
initial attempt 0 failures 0 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.info] Failed none for lukek 
from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 1 
initial attempt 0 failures 1 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered 
gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
Mar 16 02:56:19 oiran automountd[502]: [ID 453631 daemon.debug] tid= 1: Adding 
connection (serverAddr=192.168.12.232)
Mar 16 02:56:19 oiran automountd[502]: [ID 776464 daemon.debug] tid= 1: 
Initialized sessionPool
Mar 16 02:56:19 oiran automountd[502]: [ID 816976 daemon.debug] tid= 1: 
Connection added [0]
Mar 16 02:56:19 oiran automountd[502]: [ID 467101 daemon.debug] tid= 1: 
connectionID=1024
Mar 16 02:56:19 oiran automountd[502]: [ID 805042 daemon.debug] tid= 1: shared=1
Mar 16 02:56:19 oiran automountd[502]: [ID 982078 daemon.debug] tid= 1: 
usedBit=0
Mar 16 02:56:19 oiran automountd[502]: [ID 727660 daemon.debug] tid= 1: 
threadID=1
Mar 16 02:56:19 oiran automountd[502]: [ID 577507 daemon.debug] tid= 1: 
serverAddr=192.168.12.232
Mar 16 02:56:19 oiran automountd[502]: [ID 939703 daemon.debug] tid= 1: 
AuthType=3
Mar 16 02:56:19 oiran automountd[502]: [ID 142272 daemon.debug] tid= 1: 
TlsType=1
Mar 16 02:56:19 oiran automountd[502]: [ID 537450 daemon.debug] tid= 1: 
SaslMech=0
Mar 16 02:56:19 oiran automountd[502]: [ID 625532 daemon.debug] tid= 1: 
SaslOpt=0
Mar 16 02:56:19 oiran automountd[502]: [ID 339871 daemon.debug] tid= 1: 
hostCertPath=/var/ldap
Mar 16 02:56:19 oiran automountd[502]: [ID 639905 daemon.debug] tid= 1: 
userID=cn=proxyagent,ou=profile,dc=hq,dc=meibin,dc=net
Mar 16 02:56:19 oiran automountd[502]: [ID 323218 daemon.debug] tid= 1: 
unlocking sessionLock
Mar 16 02:56:19 oiran sshd[788]: [ID 845850 auth.debug] PAM[788]: 
pam_start(sshd-gssapi,lukek,0:80c5578) - debug = 1
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c5578:service)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c5578:user)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c5578:conv)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c5578:rhost)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c5578:tty)
Mar 16 02:56:19 oiran sshd[788]: [ID 681795 auth.debug] PAM[788]: 
pam_acct_mgmt(80c5578, 0)
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_acct_mgmt
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_acct_mgmt
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c5578, pam_sm_acct_mgmt)=/usr/lib/security/pam_krb5.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_acct_mgmt
Mar 16 02:56:19 oiran sshd[788]: [ID 573691 auth.debug] PAM[788]: 
pam_acct_mgmt(80c5578, 0): error No account present for user
Mar 16 02:56:19 oiran sshd[788]: [ID 699746 auth.debug] PAM-KRB5 (acct): 
debug=1, nowarn=0
Mar 16 02:56:19 oiran sshd[788]: [ID 531709 auth.debug] PAM-KRB5 (acct): no 
module data for KRB5_AUTOMIGRATE_DATA
Mar 16 02:56:19 oiran sshd[788]: [ID 774290 auth.debug] PAM-KRB5 (acct): no 
module data
Mar 16 02:56:19 oiran sshd[788]: [ID 712902 auth.debug] PAM-KRB5 (acct): end: 
Ignore module
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c5578:authtok)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.info] Failed gssapi-with-mic 
for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 2 
initial attempt 0 failures 2 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered 
gssapi userauth with { 1 3 5 1 5 2 } (unsupported)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.notice] Failed gssapi-with-mic 
for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 3 
initial attempt 0 failures 3 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered 
gssapi userauth with { 1 2 840 48018 1 2 2 } (unsupported)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.notice] Failed gssapi-with-mic 
for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
userauth-request for user lukek service ssh-connection method gssapi-with-mic
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 4 
initial attempt 0 failures 4 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client offered 
gssapi userauth with { 1 3 6 1 5 2 5 } (unsupported)
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.notice] Failed gssapi-with-mic 
for lukek from 192.168.12.254 port 51616 ssh2
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
userauth-request for user lukek service ssh-connection method 
keyboard-interactive
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: attempt 5 
initial attempt 0 failures 5 initial failures 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
keyboard-interactive devs 
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c5578:conv)
Mar 16 02:56:19 oiran sshd[788]: [ID 309193 auth.debug] PAM[788]: 
pam_end(80c5578): status = No account present for user
Mar 16 02:56:19 oiran sshd[788]: [ID 845850 auth.debug] PAM[788]: 
pam_start(sshd-kbdint,lukek,80ab800:80c6d10) - debug = 1
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c6d10:service)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c6d10:user)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c6d10:conv)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c6d10:rhost)
Mar 16 02:56:19 oiran sshd[788]: [ID 547875 auth.debug] PAM[788]: 
pam_set_item(80c6d10:tty)
Mar 16 02:56:19 oiran sshd[788]: [ID 681795 auth.debug] PAM[788]: 
pam_authenticate(80c6d10, 0)
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c6d10, 
pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_krb5.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 705317 auth.debug] PAM[788]: 
load_modules(80c6d10, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Mar 16 02:56:19 oiran sshd[788]: [ID 757984 auth.debug] PAM[788]: 
load_function: successful load of pam_sm_authenticate
Mar 16 02:56:19 oiran sshd[788]: [ID 549150 auth.debug] PAM[788]: 
pam_get_user(80c6d10, 80c6d10, NULL)

None of this, however, gives me any idea as to where to start looking for broken 
bits. Kerberos for all intents and purposes functions, but the linkage with PAM 
is somehow awry...

Any pointers would be highly appreciated.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
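The question in this thread is why a single "account sufficient pam_ldap.so.1" line changes the outcome of the account stack that the client's syslog shows sshd loading (pam_roles, pam_unix_account, pam_krb5, with pam_krb5 logging "Ignore module"). The following is an added example, not code from the thread or from FreeIPA: a small evaluator of the Solaris pam.conf(4) control flags (requisite, required, binding, sufficient, optional, plus PAM_IGNORE) run over that stack. The per-module verdicts are constructed assumptions: pam_krb5 is given PAM_IGNORE because the log says so, and the "No account present for user" error is attributed to pam_unix_account, which is an assumption the log does not prove. The evaluator goes beyond the thread's one case by showing both placements of the pam_ldap line, since the thread does not say where in the stack it was inserted.

```python
"""Solaris pam.conf control-flag evaluator (added example, not from the thread).

Models the stacking rules of pam.conf(4) for a pam_acct_mgmt() call.
Module verdicts are constructed inputs, not real PAM module calls.
"""
from dataclasses import dataclass
from typing import List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"   # syslog text: "No account present for user"
PAM_PERM_DENIED = "PAM_PERM_DENIED"     # assumed result when no module gave a verdict


@dataclass
class Entry:
    module: str
    flag: str      # requisite | required | binding | sufficient | optional
    verdict: str   # what this module returns for the user (constructed)


def evaluate_stack(stack: List[Entry]) -> Tuple[str, List[str]]:
    """Walk a PAM stack; return (final status, modules actually consulted)."""
    consulted: List[str] = []
    first_required_failure = None
    any_success = False
    for e in stack:
        consulted.append(e.module)
        if e.verdict == PAM_IGNORE:
            continue                                  # treated as if absent
        ok = e.verdict == PAM_SUCCESS
        if e.flag == "requisite":
            if not ok:                                # return immediately
                return first_required_failure or e.verdict, consulted
            any_success = True
        elif e.flag == "required":
            if ok:
                any_success = True
            elif first_required_failure is None:      # recorded, keep walking
                first_required_failure = e.verdict
        elif e.flag == "binding":
            if ok and first_required_failure is None:
                return PAM_SUCCESS, consulted         # short-circuit
            if not ok and first_required_failure is None:
                first_required_failure = e.verdict    # failure counts as required
        elif e.flag == "sufficient":
            if ok and first_required_failure is None:
                return PAM_SUCCESS, consulted         # short-circuit
            # a failing sufficient module is ignored
        elif e.flag == "optional":
            if ok:
                any_success = True
            elif len(stack) == 1 and first_required_failure is None:
                first_required_failure = e.verdict    # only counts when alone
        else:
            raise ValueError(f"unknown control flag {e.flag!r}")
    if first_required_failure is not None:
        return first_required_failure, consulted
    return (PAM_SUCCESS if any_success else PAM_PERM_DENIED), consulted


# Account stack the client syslog shows sshd loading for sshd-gssapi.
# Verdicts are assumptions: pam_krb5 logged "no module data ... Ignore module";
# the "No account present for user" error is attributed here to pam_unix_account.
ORIGINAL = [
    Entry("pam_roles.so.1", "requisite", PAM_SUCCESS),
    Entry("pam_unix_account.so.1", "required", PAM_USER_UNKNOWN),
    Entry("pam_krb5.so.1", "required", PAM_IGNORE),
]

LDAP = Entry("pam_ldap.so.1", "sufficient", PAM_SUCCESS)  # assumed to succeed
APPENDED = ORIGINAL + [LDAP]                     # line added at the end of the stack
INSERTED = [ORIGINAL[0], LDAP] + ORIGINAL[1:]    # line placed before pam_unix_account

STACKS = [("original", ORIGINAL), ("appended", APPENDED), ("inserted", INSERTED)]


def run_all() -> dict:
    """Final status of each constructed stack, keyed by name."""
    return {name: evaluate_stack(stack)[0] for name, stack in STACKS}


if __name__ == "__main__":
    for name, stack in STACKS:
        status, consulted = evaluate_stack(stack)
        print(f"{name:9s} -> {status:17s} consulted: {', '.join(consulted)}")
```

Two things the evaluator makes visible. A "sufficient" line only helps if it runs before any "required" module has already failed: appended after pam_unix_account it changes nothing, placed before it the stack returns success as soon as pam_ldap does. And when it does fire, every later module in the stack is skipped, so whatever pam_unix_account and pam_krb5 would have checked for that account is never evaluated on a GSSAPI login; that is the trade-off to weigh before keeping such a line in production rather than finding out why pam_unix_account cannot see the user.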
