Yesterday I installed the FreeIPA client on a machine and after the installation 
the login with password worked fine. After that I tried to log in with a valid 
Kerberos ticket and it failed. First I traced the ssh login: 


ssh -vvv da...@test.example.com 

---cut--- 
debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), 
debug2: key: /home/david/.ssh/id_dsa ((nil)), 
debug2: key: /home/david/.ssh/id_ecdsa ((nil)), 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic 
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic 
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
debug3: authmethod_lookup gssapi-keyex 
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password 
debug3: authmethod_is_enabled gssapi-keyex 
debug1: Next authentication method: gssapi-keyex 
debug1: No valid Key exchange context 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup gssapi-with-mic 
debug3: remaining preferred: publickey,keyboard-interactive,password 
debug3: authmethod_is_enabled gssapi-with-mic 
debug1: Next authentication method: gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup publickey 
debug3: remaining preferred: keyboard-interactive,password 
debug3: authmethod_is_enabled publickey 
debug1: Next authentication method: publickey 
debug1: Offering RSA public key: /home/david/.ssh/id_rsa 
debug3: send_pubkey_test 
debug2: we sent a publickey packet, wait for reply 
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic 
debug1: Trying private key: /home/david/.ssh/id_dsa 
debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory 
debug1: Trying private key: /home/david/.ssh/id_ecdsa 
debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or directory 
debug2: we did not send a packet, disable method 
debug1: No more authentication methods to try. 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 
---cut--- 


Then I enabled the log for SSH on the IPA client machine and faced the following 
error: 


---cut--- 

Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david" 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to "10.100.3.2" 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh" 
Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user david service ssh-connection method gssapi-with-mic 
Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0 
Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/infra01@\n 
---cut--- 


Unspecified GSS failure. Minor code may provide more information. No key table 
entry found matching host/infra01@\n. 


After that I tried to receive a ticket on the IPA client machine and everything 
worked fine: 


kinit <user> 
klist 

Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: david@<realm>.INFO 


Valid starting Expires Service principal 
04/16/14 23:24:51 04/17/14 23:24:47 krbtgt/... 
04/16/14 23:25:51 04/17/14 23:24:47 host/... 



kvno -k /etc/krb5.keytab host/... 
host/...: kvno = 1, keytab entry valid 


So the Kerberos setup on the machine seems to be fine, but still the SSH login 
using Kerberos is not working. GSSAPI is correctly enabled in the sshd 
configuration file. Any hint is highly appreciated. Thanks. 


David 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
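
Added example (not part of David's post and not FreeIPA code): a small Python check that pulls the principal sshd failed to find out of the debug log and compares it with the keytab listing, which is the comparison to make when kvno reports a valid entry but sshd still reports none. The log line is the one from the post; the klist -k listing, the FQDN infra01.example.test and the realm EXAMPLE.TEST are constructed placeholders, since the post elides the real values.

```python
import re

# Constructed input: the sshd debug line from the post, joined onto one line.
SSHD_LOG = (r"Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. "
            r"Minor code may provide more information\nNo key table entry found "
            r"matching host/infra01@\n")

# Constructed `klist -k` listing; FQDN and realm are placeholders (elided in the post).
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   1 host/infra01.example.test@EXAMPLE.TEST
"""

MISSING = re.compile(r"No key table entry found matching ([^\s\\]+)")

def split_principal(name):
    """Split 'service/host@REALM' into (service, host, realm)."""
    primary, _, realm = name.partition("@")
    service, _, host = primary.partition("/")
    return service, host, realm

def requested_principals(log):
    """Principals sshd looked up in its keytab and did not find."""
    return MISSING.findall(log)

def keytab_principals(listing):
    """Principal column of `klist -k` output (rows start with a numeric KVNO)."""
    rows = (line.split() for line in listing.splitlines())
    return [r[-1] for r in rows if len(r) >= 2 and r[0].isdigit() and "@" in r[-1]]

def diagnose(log, listing):
    """Per missing principal: exact hit, near misses (same service and first host label), notes."""
    entries, report = keytab_principals(listing), []
    for want in requested_principals(log):
        service, host, realm = split_principal(want)
        notes = []
        if "." not in host:
            notes.append("hostname is not fully qualified")
        if not realm:
            notes.append("realm is empty")
        near = [e for e in entries if split_principal(e)[0] == service
                and split_principal(e)[1].split(".")[0].lower() == host.lower().split(".")[0]]
        report.append({"requested": want, "exact": want in entries,
                       "near": near, "notes": notes})
    return report

if __name__ == "__main__":
    print(diagnose(SSHD_LOG, KLIST_K))
```

The parser expects plain klist -k output; with -e or -t the principal is no longer the last column.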
