I removed the stanza, but anyway I found one problem was the DNS. I needed
to setup the nameserver in resolv.conf with the ip of the ipa server. I can
kinit now but ssh is still failing, connection gets closed instead of
letting me in:

secure.log says:

Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.61.205.107  user=apantano@ad.tweek
Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.61.205.107 user=apantano@ad.tweek
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s:
Can't contact LDAP server
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for
apantano@ad.tweek from 10.61.205.107 port 61833 ssh2
Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user
apantano@ad.tweek by PAM account configuration [preauth]

That's odd in so many ways, I got both a failure from pam_unix and a
success from pam_sss...


On Fri, Jul 10, 2015 at 12:50 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>
>> I am using sssd and from ipa clients the authentication is not working
>> (works fine if I ssh on the ipa-server). I thought it could be due to the
>> external groups being empty and not mapping the AD users.
>>
>> Anyway this is the krb5.conf on the ipa client:
>>
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>  default_realm = IPA.TWEEK
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>  udp_preference_limit = 0
>>  default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>>  IPA.TWEEK = {
>>    kdc = centos.ipa.tweek:88
>>    master_kdc = centos.ipa.tweek:88
>>    admin_server = centos.ipa.tweek:749
>>    default_domain = ipa.tweek
>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>    auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
>>    auth_to_local = DEFAULT
>>  }
>>  AD.TWEEK = {
>>    kdc = centos.ipa.tweek:88
>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>  }
>>
> Why did you override AD.TWEEK KDC to point to FreeIPA?
>
> Remove AD.TWEEK stanza completely. You have 'dns_lookup_realm' and
> 'dns_lookup_kdc' to allow automatic discovery via DNS SRV records.
>
>
>
>> [domain_realm]
>>  .ipa.tweek = IPA.TWEEK
>>  ipa.tweek = IPA.TWEEK
>>  .ad.tweek = AD.TWEEK
>>  ad.tweek = AD.TWEEK
>>
>>
>> and this is the error I see in krb5_child.log
>>
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):
>> Will perform online auth
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>> (0x0400): Attempting kinit for realm [AD.TWEEK]
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>> (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in
>> Kerberos database]
>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]
>> (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in
>> Kerberos database]
>>
>>
>> also
>>
>> # kinit freeipa@AD.TWEEK
>> kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial
>> credentials
>>
>> any idea what's the problem? It seems kerberos cannot find users in the AD
>> subdomain
>>
>>
>> this is my sssd.conf
>>
>> [domain/ipa.tweek]
>> debug_level = 6
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = ipa.tweek
>> id_provider = ipa
>> auth_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = someaddress_here
>> chpass_provider = ipa
>> ipa_server = _srv_, centos.ipa.tweek
>> dns_discovery_domain = ipa.tweek
>> cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
>> subdomains_provider = ipa
>> [sssd]
>> services = nss, pam, pac, ssh
>> config_file_version = 2
>> debud_level = 6
>> domains = ipa.tweek
>>
>> On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>  On Fri, 10 Jul 2015, Angelo Pantano wrote:
>>>
>>>  I have a freeipa server trusting an active directory domain, if I ssh to
>>>> the ipa server everything works, but if I try to ssh on an ipa client
>>>> the
>>>> authentication fails.
>>>>
>>>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>>>
>>>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>>>
>>>> Also in the logs I see:
>>>>
>>>> log.winbindd-dc-connect:  get_sorted_dc_list: attempting lookup for name
>>>> ad.local (sitename NULL)
>>>>
>>>> everything else works though, I can getent users and group just fine.
>>>>
>>>> Can you please help me?
>>>>
>>>>  We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
>>> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
>>> on those platforms, SSSD is used to resolve users, not winbindd.
>>> Winbindd is only used to manage forest topology.
>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>  --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to