Exactly, this was the issue. After fixing the /etc/hosts configuration, Kerberos
authentication works fine for this machine without having this special krb
option set. Thanks!

On 18 April 2014 15:49:50 CEST, Simo Sorce <s...@redhat.com> wrote:
>On Fri, 2014-04-18 at 10:14 +0200, David Kreuter wrote:
>> klist -kt /etc/krb5.keytab shows me the right principals: 
>> 
>> 
>> 
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>> 1    04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>> 1    04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>> 1    04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>> 1    04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>> 
>> 
>> The principals for the machine are displayed with the right FQDN. Also
>> the machine has the right hostname containing the right domain, and the
>> machine can be resolved correctly via DNS. 
>> 
>> 
>> I have added the mentioned option to the Kerberos configuration and the
>> login with Kerberos authentication is working now: 
>> 
>> 
>> 
>> [libdefaults] 
>> ignore_acceptor_hostname = true 
>> 
>> 
>> I'm still wondering what is wrong with the machine's configuration. 
>
>Do you have the shortname as first entry in /etc/hosts ?
>If so put it second or remove it.
>
>Simo.
>
>
>> ----- Original Message -----
>> 
>> From: "Rob Crittenden" <rcrit...@redhat.com> 
>> To: "David Kreuter" <david.kreu...@bytesource.net>, freeipa-users@redhat.com 
>> Sent: Thursday, 17 April, 2014 12:13:48 AM 
>> Subject: Re: [Freeipa-users] Kerberos authentication - Unspecified GSS failure 
>> 
>> David Kreuter wrote: 
>> > Yesterday I installed the FreeIPA client on a machine and after the 
>> > installation the login with password worked fine. After that I tried to 
>> > login with a valid Kerberos ticket and it failed. First I traced the ssh 
>> > login: 
>> > 
>> > ssh -vvv da...@test.example.com 
>> > ---cut--- 
>> > debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), 
>> > debug2: key: /home/david/.ssh/id_dsa ((nil)), 
>> > debug2: key: /home/david/.ssh/id_ecdsa ((nil)), 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug3: start over, passed a different list 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password 
>> > debug3: authmethod_lookup gssapi-keyex 
>> > debug3: remaining preferred: 
>> > gssapi-with-mic,publickey,keyboard-interactive,password 
>> > debug3: authmethod_is_enabled gssapi-keyex 
>> > debug1: Next authentication method: gssapi-keyex 
>> > debug1: No valid Key exchange context 
>> > debug2: we did not send a packet, disable method 
>> > debug3: authmethod_lookup gssapi-with-mic 
>> > debug3: remaining preferred: publickey,keyboard-interactive,password 
>> > debug3: authmethod_is_enabled gssapi-with-mic 
>> > debug1: Next authentication method: gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we sent a gssapi-with-mic packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug2: we did not send a packet, disable method 
>> > debug3: authmethod_lookup publickey 
>> > debug3: remaining preferred: keyboard-interactive,password 
>> > debug3: authmethod_is_enabled publickey 
>> > debug1: Next authentication method: publickey 
>> > debug1: Offering RSA public key: /home/david/.ssh/id_rsa 
>> > debug3: send_pubkey_test 
>> > debug2: we sent a publickey packet, wait for reply 
>> > debug1: Authentications that can continue: 
>> > publickey,gssapi-keyex,gssapi-with-mic 
>> > debug1: Trying private key: /home/david/.ssh/id_dsa 
>> > debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory 
>> > debug1: Trying private key: /home/david/.ssh/id_ecdsa 
>> > debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or directory 
>> > debug2: we did not send a packet, disable method 
>> > debug1: No more authentication methods to try. 
>> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 
>> > ---cut--- 
>> > 
>> > Then I enabled the log for SSH on the IPA client machine and faced 
>> > following error: 
>> > 
>> > ---cut--- 
>> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0 
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david" 
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to "10.100.3.2" 
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh" 
>> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user david service ssh-connection method gssapi-with-mic 
>> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0 
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/infra01@\n 
>> > ---cut--- 
>> > 
>> > Unspecified GSS failure. Minor code may provide more information. No key 
>> > table entry found matching host/infra01@\n. 
>> > 
>> > After that I tried to receive a ticket on the IPA client machine and 
>> > everything worked fine: 
>> > 
>> > kinit <user> 
>> > klist 
>> > Ticket cache: FILE:/tmp/krb5cc_0 
>> > Default principal: david@<realm>.INFO 
>> > 
>> > Valid starting Expires Service principal 
>> > 04/16/14 23:24:51 04/17/14 23:24:47 krbtgt/... 
>> > 04/16/14 23:25:51 04/17/14 23:24:47 host/... 
>> > 
>> > kvno -k /etc/krb5.keytab host/... 
>> > host/...: kvno = 1, keytab entry valid 
>> > 
>> > So the Kerberos setup on the machine seems to be fine, but still the 
>> > SSH login using Kerberos is not working. GSSAPI is correctly enabled in 
>> > the sshd configuration file. Any hint is highly appreciated. Thanks. 
>> > 
>> 
>> Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab 
>> and see what principal is there. sshd didn't look for a FQDN according 
>> to your log. 
>> 
>> rob 
>> 
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>-- 
>Simo Sorce * Red Hat, Inc * New York
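The mechanism Simo pointed at, as an added example that is not code from this thread or from FreeIPA: sshd's GSSAPI acceptor canonicalises the local hostname through the resolver before building host/<canonical>@REALM, and with the glibc "files" backend the canonical name is the first name on the matching /etc/hosts line. The script below mimics that lookup against a broken and a corrected hosts file and checks whether the resulting principal is in the keytab. The hostname "infra01", domain example.com, realm EXAMPLE.COM, address 10.100.3.5 and the keytab listing (a plain text file standing in for klist -kt output) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: shows how the
# GSSAPI acceptor in sshd derives the host principal it looks for and why
# a shortname listed first in /etc/hosts yields the thread's error
# "No key table entry found matching host/infra01@".
#
# Assumptions (all constructed for this example): hostname "infra01",
# domain example.com, realm EXAMPLE.COM, address 10.100.3.5, and a keytab
# listing given as a text file instead of a real /etc/krb5.keytab.

# canonical_name HOSTS_FILE NAME
# glibc's "files" resolver treats the first name on the matching line as
# the canonical name and every later name as an alias. MIT krb5 resolves
# the local hostname the same way (getaddrinfo with AI_CANONNAME) before
# building host/<canonical>@REALM for the acceptor.
canonical_name() {
    awk -v name="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $2; exit } }
    ' "$1"
}

# acceptor_principal CANONICAL_NAME REALM
# A name without a domain part cannot be mapped to a realm via
# [domain_realm], which is why the thread's log shows an empty realm after
# the "@". A fully qualified name is assumed here to map to REALM.
acceptor_principal() {
    case "$1" in
        *.*) echo "host/$1@$2" ;;
        *)   echo "host/$1@" ;;
    esac
}

# check_acceptor HOSTS_FILE HOSTNAME REALM KEYTAB_LIST
# KEYTAB_LIST holds one principal per line, as "klist -kt" prints them.
# Prints "OK <principal>" (status 0) or "FAIL <principal>" (status 1).
check_acceptor() {
    canon=$(canonical_name "$1" "$2")
    princ=$(acceptor_principal "$canon" "$3")
    if grep -qxF "$princ" "$4"; then
        echo "OK $princ"
    else
        echo "FAIL $princ"
        return 1
    fi
}

# demo: run the check against the broken and the corrected /etc/hosts.
demo() {
    tmp=$(mktemp -d)
    # constructed keytab listing, as an enrolled IPA client would have
    printf '%s\n' 'host/infra01.example.com@EXAMPLE.COM' > "$tmp/keytab.txt"
    # broken: shortname first, so it becomes the canonical name
    printf '%s\n' '127.0.0.1 localhost' \
        '10.100.3.5 infra01 infra01.example.com' > "$tmp/hosts.bad"
    # fixed: FQDN first, shortname kept as an alias
    printf '%s\n' '127.0.0.1 localhost' \
        '10.100.3.5 infra01.example.com infra01' > "$tmp/hosts.good"
    for hosts in "$tmp/hosts.bad" "$tmp/hosts.good"; do
        echo "$hosts:"
        check_acceptor "$hosts" infra01 EXAMPLE.COM "$tmp/keytab.txt" \
            || echo "  gssapi-with-mic will fail on this host"
    done
    rm -rf "$tmp"
}

demo
```

On a real client the same comparison is hostname -f (or getent hosts "$(hostname)") against klist -kt /etc/krb5.keytab. Setting ignore_acceptor_hostname = true in [libdefaults] makes the acceptor accept any host/ principal in the keytab regardless of the name it resolved, so it masks the misconfiguration rather than fixing it; putting the FQDN first in /etc/hosts removes the need for it.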