klist -kt /etc/krb5.keytab showing me the right principals:
KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm> 1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm> 1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm> 1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm> The principal for the machine are displayed with the right FQDN. Also the machine has the right hostname containing the right domain and the machine can be resolved correctly via DNS. I have added the mentioned option to kerberos configuration and the login with Kerberos authentication is working now: [libdefaults] ignore_acceptor_hostname = true I'm still wondering what is wrong with the machine's configuration. ----- Original Message ----- From: "Rob Crittenden" <rcrit...@redhat.com> To: "David Kreuter" <david.kreu...@bytesource.net>, freeipa-users@redhat.com Sent: Thursday, 17 April, 2014 12:13:48 AM Subject: Re: [Freeipa-users] Keberos authentication - Unspecified GSS failure David Kreuter wrote: > Yesterday I installed the FreeIPA client on machine and after the > installation the login with password worked fine. After that I tried to > login with a valid Kerberos ticket and it failed. First i traced the ssh > login: > > ssh -vvv da...@test.example.com > ---cut--- > debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), > debug2: key: /home/david/.ssh/id_dsa ((nil)), > debug2: key: /home/david/.ssh/id_ecdsa ((nil)), > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic > debug3: start over, passed a different list > publickey,gssapi-keyex,gssapi-with-mic > debug3: preferred > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_lookup gssapi-keyex > debug3: remaining preferred: > gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-keyex > debug1: Next authentication method: gssapi-keyex > debug1: No valid Key exchange context > debug2: we did not send a packet, disable method > debug3: authmethod_lookup gssapi-with-mic > debug3: remaining preferred: publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > debug2: we sent a gssapi-with-mic packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic > debug2: we sent a gssapi-with-mic packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic > debug2: we sent a gssapi-with-mic packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic > debug2: we sent a gssapi-with-mic packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic > debug2: we did not send a packet, disable method > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /home/david/.ssh/id_rsa > debug3: send_pubkey_test > debug2: we sent a publickey packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic > debug1: Trying private key: /home/david/.ssh/id_dsa > debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory > debug1: Trying private key: /home/david/.ssh/id_ecdsa > debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or > directory > debug2: we did not send a packet, disable method > debug1: No more authentication methods to try. > Permission denied (publickey,gssapi-keyex,gssapi-with-mic). > ---cut--- > > Then I enabled the log for SSH on the IPA client machine and faced > following error: > > ---cut--- > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0 > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david" > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to > "10.100.3.2" > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh" > Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user > david service ssh-connection method gssapi-with-mic > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0 > Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. > Minor code may provide more information\nNo key table entry found > matching host/infra01@\n > ---cut--- > > Unspecified GSS failure. Minor code may provide more information.No key > table entry found matching host/infra01@\n. > > After that I tried to receive a ticket on the IPA client machine and > everything worked fine: > > kinit <user> > klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: david@<realm>.INFO > > Valid starting Expires Service principal > 04/16/14 23:24:51 04/17/14 23:24:47 krbtgt/... > 04/16/14 23:25:51 04/17/14 23:24:47 host/... > > kvno -k /etc/krb5.keytab host/... > host/...: kvno = 1, keytab entry valid > > So the Kerberos setup on the machine seems to be fine, but still the > login SSH using Keberos is not working. GSSAPI is correctly enabled in > the sshd configuration file. Any hint is highly appreciated. Thanks. > Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab and see what principal is there. sshd didn't look for a FQDN according to your log. rob
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
