On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
> SSO works intermittently. I’m having trouble tracing the issue. Here is what 
> I see from /var/log/secure. Where should I look for more detail to figure out 
> why the SSO login is failing?

Assuming you have a valid Kerberos ticket, the most probable reason is
that libkrb5 cannot properly relate the Kerberos principal from the
ticket to the local user name you use at the login prompt. With DEBUG3
you should see some messages containing '*userok*'. If you see failures
related to these messages, it is most probably this case.

Recent versions of SSSD will configure a plugin for libkrb5 which can
handle this. But for older versions you either have to create a .k5login
file in the user's home directory containing the Kerberos principal or
use auth_to_local directives in /etc/krb5.conf as described in
http://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf

HTH

bye,
Sumit

> 
> Mar 30 08:47:39 mid-ipa-vp01 sshd[9317]: Starting session: shell on pts/0 for root from 10.34.149.105 port 49725
> Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: Setting controlling tty using TIOCSCTTY.
> Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: PAM: reinitializing credentials
> Mar 30 08:47:39 mid-ipa-vp01 sshd[9322]: debug1: permanently_set_uid: 0/0
> Mar 30 08:49:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:50:05 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:51:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:52:57 mid-ipa-vp01 sshd[9317]: debug1: server_input_global_request: rtype keepal...@openssh.com want_reply 1
> Mar 30 08:53:51 mid-ipa-vp01 sshd[1388]: debug1: Forked child 12621.
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Set /proc/self/oom_score_adj to 0
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: inetd sockets after dupping: 3, 3
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: no match: PuTTY_Release_0.64
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Enabling compatibility mode for protocol 2.0
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SELinux support enabled [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: permanently_set_uid: 74/74 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEXINIT received [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
> Mar 30 08:53:51 mid-ipa-vp01 sshd[12621]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: SSH2_MSG_NEWKEYS received [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: KEX done [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method none [preauth]
> Mar 30 08:53:52 mid-ipa-vp01 sshd[12621]: debug1: attempt 0 failures 0 [preauth]
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: initializing for "adm-faru03@test.osuwmc"
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_RHOST to "svr-addc-vt01.test.osuwmc"
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: PAM: setting PAM_TTY to "ssh"
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method gssapi-with-mic [preauth]
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: debug1: attempt 1 failures 0 [preauth]
> Mar 30 08:53:53 mid-ipa-vp01 sshd[12621]: Postponed gssapi-with-mic for adm-faru03@test.osuwmc from 10.80.5.239 port 52982 ssh2 [preauth]
> Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: debug1: userauth-request for user adm-faru03@test.osuwmc service ssh-connection method password [preauth]
> Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: debug1: attempt 2 failures 0 [preauth]
> Mar 30 08:53:58 mid-ipa-vp01 sshd[12621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc user=adm-faru03@test.osuwmc
> Mar 30 08:54:00 mid-ipa-vp01 sshd[12621]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=svr-addc-vt01.test.osuwmc user=adm-faru03@test.osuwmc
> Mar 30 08:54:00 mid-ipa-vp01 sshd[12621]: debug1: PAM: password authentication accepted for adm-faru03@test.osuwmc
> Mar 30 08:54:00 mid-ipa-vp01 sshd[12621]: debug1: do_pam_account: called

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

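The principal-to-local-name step that Sumit points at (the '*userok*' check) is easy to reason about offline. The following is an added example, not code from the thread or from FreeIPA or MIT krb5: it is a simplified Python model of how libkrb5 evaluates auth_to_local rules (the RULE:[n:string](regexp)s/pattern/replacement/ form, plus DEFAULT) and of the krb5_kuserok decision that sshd's GSSAPI login depends on. The rule string follows the shape given on the FreeIPA trust-setup page linked above, with the realm names substituted. Assumptions: the AD realm is TEST.OSUWMC (the log only shows the domain test.osuwmc), the IPA realm IPA.EXAMPLE.COM is hypothetical, Python's re stands in for the POSIX regex engine, and backreferences in the replacement part are not modelled.

```python
import re

# Added example (not from the thread or from krb5/FreeIPA). Simplified model of
# how libkrb5 turns a ticket principal into a local user name and how
# krb5_kuserok decides whether that principal may log in as a given user.
# Assumptions: AD realm TEST.OSUWMC, hypothetical IPA realm IPA.EXAMPLE.COM,
# Python re instead of POSIX regex, no backreferences in the replacement.

RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)$"
)


def split_principal(principal):
    """'svc/host@REALM' -> (['svc', 'host'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal, local_realm):
    """Local name produced by one auth_to_local rule, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps one-component principals of the local realm.
        if realm == local_realm and len(comps) == 1:
            return comps[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %s" % rule)
    ncomp, fmt, regexp, pattern, replacement, flag = m.groups()
    if len(comps) != int(ncomp):
        return None
    # $0 is the realm, $1..$n are the principal components.
    formatted = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        formatted = formatted.replace("$%d" % i, comp)
    # The selector regexp must match the whole formatted string.
    if re.fullmatch(regexp, formatted) is None:
        return None
    count = 0 if flag == "g" else 1
    return re.sub(pattern.replace("\\/", "/"),
                  replacement.replace("\\/", "/"), formatted, count=count)


def an_to_ln(principal, rules, local_realm):
    """Rules are tried in order; the first one that yields a name wins."""
    for rule in rules:
        name = apply_rule(rule, principal, local_realm)
        if name is not None:
            return name
    return None


def kuserok(principal, login_name, rules, local_realm, k5login=None):
    """Model of krb5_kuserok: an existing ~/.k5login is authoritative (the
    principal must be listed verbatim); otherwise the principal must map,
    via auth_to_local, to exactly the login name the user typed."""
    if k5login is not None:
        allowed = {ln.strip() for ln in k5login.splitlines() if ln.strip()}
        return principal in allowed
    return an_to_ln(principal, rules, local_realm) == login_name


AD_REALM = "TEST.OSUWMC"           # assumption, inferred from test.osuwmc in the log
IPA_REALM = "IPA.EXAMPLE.COM"      # hypothetical
PRINCIPAL = "adm-faru03@" + AD_REALM
LOGIN = "adm-faru03@test.osuwmc"   # the name typed at the prompt in the log

# With no auth_to_local lines, libkrb5 behaves as if only DEFAULT were set.
RULES_BEFORE = ["DEFAULT"]
# The two lines from the FreeIPA page, realm names substituted, as they would
# appear under the IPA realm's [realms] entry in /etc/krb5.conf.
RULES_AFTER = [
    r"RULE:[1:$1@$0](^.*@TEST\.OSUWMC$)s/@TEST\.OSUWMC/@test.osuwmc/",
    "DEFAULT",
]
K5LOGIN = PRINCIPAL + "\n"         # constructed ~/.k5login contents

if __name__ == "__main__":
    print(an_to_ln(PRINCIPAL, RULES_BEFORE, IPA_REALM))   # None: userok fails
    print(an_to_ln(PRINCIPAL, RULES_AFTER, IPA_REALM))    # adm-faru03@test.osuwmc
    print(kuserok(PRINCIPAL, LOGIN, RULES_BEFORE, IPA_REALM))
    print(kuserok(PRINCIPAL, LOGIN, RULES_AFTER, IPA_REALM))
    print(kuserok(PRINCIPAL, LOGIN, RULES_BEFORE, IPA_REALM, k5login=K5LOGIN))
```

The two remedies in the reply show up as the two ways kuserok() can return True: either the rewritten rule list maps the AD principal onto the lowercase name the user logs in with, or a .k5login file lists the principal and short-circuits the mapping entirely. Note that the comparison is exact and case-sensitive, which is why the realm has to be lowercased by the rule when users log in as user@test.osuwmc. On a real host the matching sshd evidence is obtained with LogLevel DEBUG3 in sshd_config, as the reply says.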