On Fri, 2014-04-18 at 10:14 +0200, David Kreuter wrote:
> klist -kt /etc/krb5.keytab is showing me the right principals:
>
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>
> The principals for the machine are displayed with the right FQDN. Also the
> machine has the right hostname containing the right domain and the machine
> can be resolved correctly via DNS.
>
> I have added the mentioned option to the Kerberos configuration and the login
> with Kerberos authentication is working now:
>
> [libdefaults]
> ignore_acceptor_hostname = true
>
> I'm still wondering what is wrong with the machine's configuration.
Do you have the shortname as the first entry in /etc/hosts? If so, put it second or remove it.

Simo.

> ----- Original Message -----
>
> From: "Rob Crittenden" <[email protected]>
> To: "David Kreuter" <[email protected]>, [email protected]
> Sent: Thursday, 17 April, 2014 12:13:48 AM
> Subject: Re: [Freeipa-users] Keberos authentication - Unspecified GSS failure
>
> David Kreuter wrote:
> > Yesterday I installed the FreeIPA client on a machine and after the
> > installation the login with password worked fine. After that I tried to
> > log in with a valid Kerberos ticket and it failed. First I traced the ssh
> > login:
> >
> > ssh -vvv [email protected]
> > ---cut---
> > debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80),
> > debug2: key: /home/david/.ssh/id_dsa ((nil)),
> > debug2: key: /home/david/.ssh/id_ecdsa ((nil)),
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic
> > debug3: start over, passed a different list
> > publickey,gssapi-keyex,gssapi-with-mic
> > debug3: preferred
> > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup gssapi-keyex
> > debug3: remaining preferred:
> > gssapi-with-mic,publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled gssapi-keyex
> > debug1: Next authentication method: gssapi-keyex
> > debug1: No valid Key exchange context
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup gssapi-with-mic
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled gssapi-with-mic
> > debug1: Next authentication method: gssapi-with-mic
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Offering RSA public key: /home/david/.ssh/id_rsa
> > debug3: send_pubkey_test
> > debug2: we sent a publickey packet, wait for reply
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic
> > debug1: Trying private key: /home/david/.ssh/id_dsa
> > debug3: no such identity: /home/david/.ssh/id_dsa: No such file or
> > directory
> > debug1: Trying private key: /home/david/.ssh/id_ecdsa
> > debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or
> > directory
> > debug2: we did not send a packet, disable method
> > debug1: No more authentication methods to try.
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
> > ---cut---
> >
> > Then I enabled the log for SSH on the IPA client machine and faced the
> > following error:
> >
> > ---cut---
> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david"
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to
> > "10.100.3.2"
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh"
> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user
> > david service ssh-connection method gssapi-with-mic
> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure.
> > Minor code may provide more information\nNo key table entry found
> > matching host/infra01@\n
> > ---cut---
> >
> > Unspecified GSS failure. Minor code may provide more information.No key
> > table entry found matching host/infra01@\n.
> >
> > After that I tried to receive a ticket on the IPA client machine and
> > everything worked fine:
> >
> > kinit <user>
> > klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: david@<realm>.INFO
> >
> > Valid starting     Expires            Service principal
> > 04/16/14 23:24:51  04/17/14 23:24:47  krbtgt/...
> > 04/16/14 23:25:51  04/17/14 23:24:47  host/...
> >
> > kvno -k /etc/krb5.keytab host/...
> > host/...: kvno = 1, keytab entry valid
> >
> > So the Kerberos setup on the machine seems to be fine, but still the
> > SSH login using Kerberos is not working. GSSAPI is correctly enabled in
> > the sshd configuration file. Any hint is highly appreciated. Thanks.
> >
>
> Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab
> and see what principal is there. sshd didn't look for a FQDN according
> to your log.
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Simo Sorce * Red Hat, Inc * New York
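The mismatch this thread diagnoses, as an added illustration (not code from the thread or from FreeIPA): glibc's /etc/hosts lookup returns the first name on the matching line as the canonical name, so a line that lists the shortname first makes sshd's GSSAPI acceptor look for host/infra01@REALM, which the keytab does not contain, while `ignore_acceptor_hostname` makes krb5 accept any host/ key instead. The hosts file, the `klist -kt` output, the hostnames and the realm EXAMPLE.COM are constructed, and the canonicalization step is a simplified model of getaddrinfo(AI_CANONNAME).

```python
from typing import Optional, Set, Tuple

# Constructed /etc/hosts with the shortname listed first (the ordering the reply warns about).
HOSTS_BAD = """127.0.0.1   localhost
10.100.3.10 infra01 infra01.example.com
"""
# Same constructed file with the FQDN first, as the reply recommends.
HOSTS_GOOD = """127.0.0.1   localhost
10.100.3.10 infra01.example.com infra01
"""
# Constructed `klist -kt /etc/krb5.keytab` output: only the FQDN principal exists.
KLIST_KT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   1 04/16/14 23:12:58 host/infra01.example.com@EXAMPLE.COM
   1 04/16/14 23:12:58 host/infra01.example.com@EXAMPLE.COM
"""


def canonical_name(hosts_text: str, name: str) -> Optional[str]:
    """Simplified model of the files backend of getaddrinfo(AI_CANONNAME):
    the first hostname on the first /etc/hosts line that mentions `name`."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[1]
    return None


def keytab_principals(klist_output: str) -> Set[str]:
    """Collect the principal column from `klist -kt` output (last field with an '@')."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        if fields and "@" in fields[-1]:
            principals.add(fields[-1])
    return principals


def sshd_acceptor_check(hosts_text: str, klist_output: str, hostname: str,
                        realm: str, ignore_acceptor_hostname: bool = False) -> Tuple[str, bool]:
    """Return the host principal sshd would search for and whether the keytab satisfies it."""
    canon = canonical_name(hosts_text, hostname) or hostname
    wanted = f"host/{canon}@{realm}"
    principals = keytab_principals(klist_output)
    if ignore_acceptor_hostname:
        # libdefaults ignore_acceptor_hostname = true: any host/ key in the realm is acceptable.
        return wanted, any(p.startswith("host/") and p.endswith("@" + realm) for p in principals)
    return wanted, wanted in principals
```

Running `sshd_acceptor_check` against HOSTS_BAD reproduces the "No key table entry found matching host/infra01" condition; against HOSTS_GOOD, or with `ignore_acceptor_hostname=True`, the keytab lookup succeeds.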
