On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> Hello
>
> How do I get password authentication to work with freeipa-client
> 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
>
> Long version follows :)
>
> We've got an IPA server with the Red Hat Identity Management server
> on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> users and groups there and would now like to login with SSH. When I
> store a SSH key for the user account, I can login just fine, using
> this SSH key. But I'd like/need to use passwords as well. And sudo
> also doesn't work, when it's asking for passwords - I supposed,
> it's the same root cause.
>
> Let's stick with SSH.
>
> Initially, I installed the FreeIPA client with this command line:
>
>     ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
>         --enable-dns-updates --unattended \
>         --principal=admin --password=correctone \
>         --domain=customer.company.internal \
>         --server=auth01.customer.company.internal
>
> I then try to do a SSH login with:
>
>     ssh -l email@example.com 192.168.229.143
> or:
>     ssh -l ewt 192.168.229.143
>
> Password authentication doesn't work.
>
> In the /var/log/syslog on the system where I try to login, I find this:
>
> 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child]]:
> Key table entry not found
>
> After having turned up the debug level of the sssd with "sssd -i -f -d
> 0x0770 --debug-timestamps=1", I find the following in the system log
> files:
>
> 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=188.8.131.52 user=ewt
> 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd:
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=184.108.40.206 user=ewt
> 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd:
> pam_sss(sshd:auth): received for user ewt: 4 (System error)
> 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd: Failed
> password for ewt from 220.127.116.11 port 58136 ssh2
>
> TBH, I don't quite understand it. Anyway, in
> /var/log/sssd/sssd_customer.company.internal.log I noticed:
>
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [parse_krb5_child_response] (0x0020): message too short.
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [krb5_auth_done] (0x0040): Could not parse child response :
> Invalid argument
> (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
>
> Well… What am I doing wrong or what might I have forgotten?

We need to also see the krb5_child.log but please check if the keytab is correct (ie kinit -k works).
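
One way to inspect the keytab before running the `kinit -k` test asked for in the reply above, as an added example that is not part of the thread: it parses `klist -k` output and reports whether a host principal for the client's name is listed. The FQDN `mgmt02.customer.company.internal`, the realm `CUSTOMER.COMPANY.INTERNAL` and the sample listing are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Host name, realm and sample data are assumptions.

# Constructed sample of `klist -k /etc/krb5.keytab` output: only a short-name entry.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/mgmt02@CUSTOMER.COMPANY.INTERNAL
   1 host/mgmt02@CUSTOMER.COMPANY.INTERNAL
EOF
}

# Print the unique principals found in `klist -k` output read on stdin.
# Entry lines start with a numeric KVNO; header lines are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# check_host_principal FQDN REALM   (klist -k output on stdin)
# returns 0: host/FQDN@REALM is present
#         1: host/ principals exist, but none for this FQDN and realm
#         2: the keytab has no host/ principal at all
check_host_principal() {
    want="host/$1@$2"
    princs=$(keytab_principals)
    if printf '%s\n' "$princs" | grep -Fxq -- "$want"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    if printf '%s\n' "$princs" | grep -q '^host/'; then
        echo "MISMATCH: wanted $want, keytab has:"
        printf '%s\n' "$princs" | grep '^host/' | sed 's/^/  /'
        return 1
    fi
    echo "MISSING: no host/ principal in the keytab"
    return 2
}

# On a live client (root is needed to read the keytab):
#   klist -k /etc/krb5.keytab | check_host_principal "$(hostname -f)" CUSTOMER.COMPANY.INTERNAL
```

A MISMATCH or MISSING result is worth posting alongside the krb5_child.log, since it shows which principals the keytab actually holds.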