On Mon, Mar 30, 2015 at 10:09:00AM -0400, Gould, Joshua wrote: > I configured the .k5login per the RH docs. > > $ cat .k5login > [email protected] > TEST.OSUWMC\adm-faru03
The second line is not needed. Please note that .k5login must only be read-writable for the owner. Can you check by calling klist in a Windows Command window if you got a proper host/... ticket for the IPA host? What version of IPA and SSSD are you using. Can you check if the following works on a IPA host: kinit [email protected] kvno host/[email protected] ssh -v -l [email protected] name.of.the.ipa-client.to.login The error messages return by the ssh -v output might help to see why GSSAPI auth failed. bye, Sumit > $ > > > I upped the debugging to DEBUG3 but I can¹t make sense of the error. Can > you help? I¹m getting better but I can¹t get this one yet. > > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection from 10.80.5.239 port > 50824 on 10.127.26.73 port 22 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Client protocol version > 2.0; client software version PuTTY_Release_0.64 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: no match: > PuTTY_Release_0.64 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Enabling compatibility > mode for protocol 2.0 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: Local version string > SSH-2.0-OpenSSH_6.6.1 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: fd 3 setting O_NONBLOCK > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: ssh_sandbox_init: > preparing rlimit sandbox > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: Network child is on pid > 12794 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: preauth child monitor > started > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SELinux support enabled > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: > ssh_selinux_change_context: setting context from > 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to > 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: privsep user:group 74:74 > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: permanently_set_uid: > 74/74 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: list_hostkey_types: > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT sent > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_KEXINIT > received [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha > 2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchan > ge-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected] > om,[email protected],[email protected],aes128-cbc,3des-cbc > ,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysato > r.liu.se [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected] > om,[email protected],[email protected],aes128-cbc,3des-cbc > ,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysato > r.liu.se [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > [email protected],[email protected],[email protected], > [email protected],[email protected],hmac-sha2-512-etm@op > enssh.com,[email protected],[email protected],hmac- > [email protected],hmac-md5,hmac-sha1,[email protected],umac-128@open > ssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected] > om,hmac-sha1-96,hmac-md5-96 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > [email protected],[email protected],[email protected], > [email protected],[email protected],hmac-sha2-512-etm@op > enssh.com,[email protected],[email protected],hmac- > [email protected],hmac-md5,hmac-sha1,[email protected],umac-128@open > ssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected] > om,hmac-sha1-96,hmac-md5-96 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > none,[email protected] [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > none,[email protected] [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > first_kex_follows 0 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > reserved 0 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,dif > fie-hellman-group14-sha1,diffie-hellman-group1-sha1,rsa2048-sha256,rsa1024- > sha1 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > ssh-rsa,ssh-dss [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc,[email protected],aes192-ctr,aes192-cbc,aes > 128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,a > rcfour128 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc,[email protected],aes192-ctr,aes192-cbc,aes > 128-ctr,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,a > rcfour128 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > none,zlib [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > none,zlib [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > first_kex_follows 0 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_parse_kexinit: > reserved 0 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: mac_setup: setup > hmac-sha2-256 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex: client->server > aes256-ctr hmac-sha2-256 none [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: mac_setup: setup > hmac-sha2-256 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex: server->client > aes256-ctr hmac-sha2-256 none [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex: > diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 120 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 121 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 120 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 121 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: kex: > diffie-hellman-group-exchange-sha256 need=32 dh_need=32 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 120 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 121 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 120 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 121 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: > SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 0 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_choose_dh: waiting > for MONITOR_ANS_MODULI [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 1 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 0 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_moduli: got > parameters: 1024 4096 8192 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 1 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 0 used > once, disabling now > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_choose_dh: remaining > 0 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: > SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: bits set: 2077/4096 > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: expecting > SSH2_MSG_KEX_DH_GEX_INIT [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: bits set: 2021/4096 > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_key_sign entering > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 6 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_key_sign: waiting for > MONITOR_ANS_SIGN [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 7 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 6 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_sign > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_sign: > signature 0x7f4788d8c440(271) > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 7 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 6 used > once, disabling now > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: > SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: kex_derive_keys [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: set_newkeys: mode 1 > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_NEWKEYS sent > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: expecting > SSH2_MSG_NEWKEYS [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: set_newkeys: mode 0 > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: SSH2_MSG_NEWKEYS > received [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: KEX done [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for > user [email protected] service ssh-connection method none [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: attempt 0 failures 0 > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_getpwnamallow > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 8 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_getpwnamallow: > waiting for MONITOR_ANS_PWNAM [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 9 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 8 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_pwnamallow > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: Trying to reverse map > address 10.80.5.239. > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: parse_server_config: > config reprocess config len 899 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_pwnamallow: > sending MONITOR_ANS_PWNAM: 1 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 9 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 8 used > once, disabling now > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request: > setting up authctxt for [email protected] [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_start_pam entering > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 100 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_inform_authserv > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 4 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_inform_authrole > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 80 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request: > try method none [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: userauth_finish: failure > partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 100 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: PAM: initializing for > "[email protected]" > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: PAM: setting PAM_RHOST > to "svr-addc-vt01.test.osuwmc" > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: PAM: setting PAM_TTY to > "ssh" > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 100 used > once, disabling now > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for > user [email protected] service ssh-connection method gssapi-with-mic > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug1: attempt 1 failures 0 > [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request: > try method gssapi-with-mic [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 42 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 43 [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering [preauth] > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 4 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_authserv: > service=ssh-connection, style= > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 4 used > once, disabling now > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 80 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_answer_authrole: role= > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug2: monitor_read: 80 used > once, disabling now > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 42 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 43 > Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Postponed gssapi-with-mic for > [email protected] from 10.80.5.239 port 50824 ssh2 [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug1: userauth-request for > user [email protected] service ssh-connection method password > [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug1: attempt 2 failures 0 > [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug2: input_userauth_request: > try method password [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_auth_password > entering [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_request_send > entering: type 12 [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_auth_password: > waiting for MONITOR_ANS_AUTHPASSWORD [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 13 [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_request_receive > entering > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: monitor_read: checking > request 12 > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: PAM: sshpam_passwd_conv > called with 1 messages > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: pam_unix(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=svr-addc-vt01.test.osuwmc [email protected] > Mar 30 09:57:25 mid-ipa-vp01 sshd[12793]: pam_sss(sshd:auth): > authentication success; logname= uid=0 euid=0 tty=ssh ruser= > rhost=svr-addc-vt01.test.osuwmc [email protected] > Mar 30 09:57:25 mid-ipa-vp01 sshd[12793]: debug1: PAM: password > authentication accepted for [email protected] > > > > On 3/30/15, 9:35 AM, "Sumit Bose" <[email protected]> wrote: > > >assuming you have a valid Kerberos ticket the most probable reason is > >that libkrb5 cannot properly relate the Kerberos principal from the > >ticket to the local user name you use at the login prompt. With DEBUG3 > >you should see some messages containing '*userok*'. If you see failures > >related to these messages it most probable is this case. > > > >Recent versions of SSSD will configure a plugin for libkrb5 which can > >handle this. But for older version you either have to create a .k5login > >file in the users home directory containing the Kerberos principal or > >use auth_to_local directives in /etc/krb5.conf as described in > >https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freeipa.org_page_A > >ctive-5FDirectory-5Ftrust-5Fsetup-23Edit-5F.2Fetc.2Fkrb5.conf&d=AwIDaQ&c=k > >9MF1d71ITtkuJx-PdWme51dKbmfPEvxwt8SFEkBfs4&r=C8H0y1Bn8C6Mf5i9qrqkUDy3xSk8z > >PbIs_SvJwojC24&m=4CkfthdUOBBXSFdkUzW4imHzEchORW-ZPDVNXQlaZ3A&s=a7-Ti-Mlcie > >m4dhsLicRf0Qg6sZDhThV-kMNED2rYug&e= > > > >HTH > > > >bye, > >Sumit > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
