On Fri, 2014-04-18 at 10:14 +0200, David Kreuter wrote:
> klist -kt /etc/krb5.keytab shows me the right principals:
>
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>
> The principals for the machine are displayed with the right FQDN. Also the
> machine has the right hostname containing the right domain, and the machine
> can be resolved correctly via DNS.
>
> I have added the mentioned option to the Kerberos configuration and the login
> with Kerberos authentication is working now:
>
> [libdefaults]
> ignore_acceptor_hostname = true
>
> I'm still wondering what is wrong with the machine's configuration. 

Do you have the short name as the first entry in /etc/hosts?
If so, put it second or remove it.

Simo.


> ----- Original Message -----
> 
> From: "Rob Crittenden" <rcrit...@redhat.com> 
> To: "David Kreuter" <david.kreu...@bytesource.net>, freeipa-users@redhat.com 
> Sent: Thursday, 17 April, 2014 12:13:48 AM 
> Subject: Re: [Freeipa-users] Keberos authentication - Unspecified GSS failure 
> 
> David Kreuter wrote: 
> > Yesterday I installed the FreeIPA client on a machine and after the
> > installation the login with password worked fine. After that I tried to
> > log in with a valid Kerberos ticket and it failed. First I traced the ssh
> > login:
> > 
> > ssh -vvv da...@test.example.com 
> > ---cut--- 
> > debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), 
> > debug2: key: /home/david/.ssh/id_dsa ((nil)), 
> > debug2: key: /home/david/.ssh/id_ecdsa ((nil)), 
> > debug1: Authentications that can continue: 
> > publickey,gssapi-keyex,gssapi-with-mic 
> > debug3: start over, passed a different list 
> > publickey,gssapi-keyex,gssapi-with-mic 
> > debug3: preferred 
> > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
> > debug3: authmethod_lookup gssapi-keyex 
> > debug3: remaining preferred: 
> > gssapi-with-mic,publickey,keyboard-interactive,password 
> > debug3: authmethod_is_enabled gssapi-keyex 
> > debug1: Next authentication method: gssapi-keyex 
> > debug1: No valid Key exchange context 
> > debug2: we did not send a packet, disable method 
> > debug3: authmethod_lookup gssapi-with-mic 
> > debug3: remaining preferred: publickey,keyboard-interactive,password 
> > debug3: authmethod_is_enabled gssapi-with-mic 
> > debug1: Next authentication method: gssapi-with-mic 
> > debug2: we sent a gssapi-with-mic packet, wait for reply 
> > debug1: Authentications that can continue: 
> > publickey,gssapi-keyex,gssapi-with-mic 
> > debug2: we sent a gssapi-with-mic packet, wait for reply 
> > debug1: Authentications that can continue: 
> > publickey,gssapi-keyex,gssapi-with-mic 
> > debug2: we sent a gssapi-with-mic packet, wait for reply 
> > debug1: Authentications that can continue: 
> > publickey,gssapi-keyex,gssapi-with-mic 
> > debug2: we sent a gssapi-with-mic packet, wait for reply 
> > debug1: Authentications that can continue: 
> > publickey,gssapi-keyex,gssapi-with-mic 
> > debug2: we did not send a packet, disable method 
> > debug3: authmethod_lookup publickey 
> > debug3: remaining preferred: keyboard-interactive,password 
> > debug3: authmethod_is_enabled publickey 
> > debug1: Next authentication method: publickey 
> > debug1: Offering RSA public key: /home/david/.ssh/id_rsa 
> > debug3: send_pubkey_test 
> > debug2: we sent a publickey packet, wait for reply 
> > debug1: Authentications that can continue: 
> > publickey,gssapi-keyex,gssapi-with-mic 
> > debug1: Trying private key: /home/david/.ssh/id_dsa 
> > debug3: no such identity: /home/david/.ssh/id_dsa: No such file or 
> > directory 
> > debug1: Trying private key: /home/david/.ssh/id_ecdsa 
> > debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or 
> > directory 
> > debug2: we did not send a packet, disable method 
> > debug1: No more authentication methods to try. 
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 
> > ---cut--- 
> > 
> > Then I enabled the log for SSH on the IPA client machine and faced the
> > following error:
> > 
> > ---cut--- 
> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0 
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david" 
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to 
> > "10.100.3.2" 
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh" 
> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user 
> > david service ssh-connection method gssapi-with-mic 
> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0 
> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. 
> > Minor code may provide more information\nNo key table entry found 
> > matching host/infra01@\n 
> > ---cut--- 
> > 
> > Unspecified GSS failure. Minor code may provide more information.No key 
> > table entry found matching host/infra01@\n. 
> > 
> > After that I tried to receive a ticket on the IPA client machine and 
> > everything worked fine: 
> > 
> > kinit <user> 
> > klist 
> > Ticket cache: FILE:/tmp/krb5cc_0 
> > Default principal: david@<realm>.INFO 
> > 
> > Valid starting Expires Service principal 
> > 04/16/14 23:24:51 04/17/14 23:24:47 krbtgt/... 
> > 04/16/14 23:25:51 04/17/14 23:24:47 host/... 
> > 
> > kvno -k /etc/krb5.keytab host/... 
> > host/...: kvno = 1, keytab entry valid 
> > 
> > So the Kerberos setup on the machine seems to be fine, but the SSH login
> > using Kerberos is still not working. GSSAPI is correctly enabled in
> > the sshd configuration file. Any hint is highly appreciated. Thanks.
> > 
> 
> Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab 
> and see what principal is there. sshd didn't look for a FQDN according 
> to your log. 
> 
> rob 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Simo Sorce * Red Hat, Inc * New York

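As an added illustration of Simo's diagnosis (not code from this thread or from FreeIPA): the check below parses a constructed /etc/hosts and constructed `klist -kt` output, derives the canonical host name the resolver would hand to GSSAPI when building the acceptor principal, and reports whether the keytab actually holds a `host/` key for that name. The host names, IP address and realm are placeholders.

```python
import re

# Constructed sample /etc/hosts files. HOSTS_BAD has the ordering Simo warns
# about: the short name comes first, so resolver canonicalisation (which MIT
# krb5 uses to build host/<name>@REALM) yields "infra01" with no domain part,
# producing exactly the "host/infra01@" seen in the sshd log.
HOSTS_BAD = """127.0.0.1 localhost
10.100.3.10 infra01 infra01.example.test
"""
HOSTS_GOOD = """127.0.0.1 localhost
10.100.3.10 infra01.example.test infra01
"""

# Constructed `klist -kt /etc/krb5.keytab` output; FQDN and realm are placeholders.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/16/14 23:12:58 host/infra01.example.test@EXAMPLE.TEST
   1 04/16/14 23:12:58 host/infra01.example.test@EXAMPLE.TEST
"""


def canonical_name(hosts_text, ip):
    """First name listed for `ip` in /etc/hosts; this is the canonical name the
    resolver returns, and therefore what host/<name>@REALM is built from."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) > 1 and fields[0] == ip:
            return fields[1]
    return None


def keytab_principals(klist_text):
    """Principal names from `klist -kt` output (columns: KVNO, date, time, principal)."""
    pattern = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s*$")
    return [m.group(1) for m in map(pattern.match, klist_text.splitlines()) if m]


def diagnose(hosts_text, ip, klist_text):
    """Explain a 'No key table entry found matching host/<name>@' failure:
    is the canonical name fully qualified, and does the keytab hold its key?"""
    name = canonical_name(hosts_text, ip)
    wanted = f"host/{name}@"
    return {
        "canonical": name,
        "is_fqdn": name is not None and "." in name,
        "keytab_has_key": any(p.startswith(wanted) for p in keytab_principals(klist_text)),
    }
```

With `ignore_acceptor_hostname = true`, krb5 stops comparing the application's hostname against the keytab and accepts any `host/` key for the realm, which hides the mismatch; reordering /etc/hosts so the FQDN comes first removes the need for that setting.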
