On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> Hello
> 
> How do I get password authentication to work with freeipa-client
> 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> 
> Long version follows :)
> 
> We've got an IPA server with the Red Hat Identity Management server
> on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> users and groups there and would now like to login with SSH. When I
> store a SSH key for the user account, I can login just fine, using
> this SSH key. But I'd like/need to use passwords as well. And sudo
> also doesn't work, when it's asking for passwords - I supposed,
> it's the same root cause.
> 
> Let's stick with SSH.
> 
> Initially, I installed the FreeIPA client with this command line:
> 
>     ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
>       --enable-dns-updates --unattended \
>       --principal=admin --password=correctone \
>       --domain=customer.company.internal \
>       --server=auth01.customer.company.internal
> 
> I then try to do a SSH login with:
> 
>     ssh -l ewt@customer.company.internal 192.168.229.143
> or:
>     ssh -l ewt 192.168.229.143
> 
> Password authentication doesn't work.
> 
> In the /var/log/syslog on the system where I try to login, I find this:
> 
>     2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> Key table entry not found
> 
> After having turned up the debug level of the sssd with "sssd -i -f -d
> 0x0770 --debug-timestamps=1", I find the following in the system log
> files:
> 
>     2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1  user=ewt
>     2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1 user=ewt
>     2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): received for user ewt: 4 (System error)
>     2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> password for ewt from 212.71.117.1 port 58136 ssh2
> 
> TBH, I don't quite understand it. Anyway, in
> /var/log/sssd/sssd_customer.company.internal.log I noticed:
> 
>     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
>     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [parse_krb5_child_response] (0x0020): message too short.
>     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [krb5_auth_done] (0x0040): Could not parse child response [22]:
> Invalid argument
>     (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> 
> Well… What am I doing wrong or what might I have forgotten?

We need to also see the krb5_child.log but please check if the keytab is
correct (ie kinit -k works).

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to