Hello,

I've set up a one-way trust to an Active Directory domain.  Things
seem to roughly work, but something's missing.

Can any kind soul spot a problem with my configuration, or advise on
how to further troubleshoot?

Facts:

- An AD user gets 'Access denied' when SSH'ing by password to the
  FreeIPA host.  This is my concern.

- This AD user has not been locked out.

- getent passwd succeeds for the AD user

- A FreeIPA user can successfully SSH by password to the same FreeIPA
  host.

- That FreeIPA user can then successfully kinit as the AD user (the
  same AD user denied above)

- HBAC is set to the default allow_all rule, which is enabled.
  Running the HBAC Test tool on the AD user confirms that they are
  authorized for sshd.

This tells me something is awry in sssd.conf or sshd_config or pam.d
or HBAC.

Thanks,
Erik

I've got sssd debug to 9.  Here's some output:


(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_fo_reset_svc] (0x1000): Resetting all servers in service
na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[set_srv_data_status] (0x0100): Marking SRV lookup of service
'na.bazzlegroup.com' as 'neutra
l'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[set_server_common_status] (0x0100): Marking server
'deda9w1004.na.bazzlegroup.com' as 'name
not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'deda9w1004.na.bazzlegroup.com' as
'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server
'deda9w1004.na.bazzlegrou
p.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[set_srv_data_status] (0x0100): Marking SRV lookup of service
'na.bazzlegroup.com' as 'neutra
l'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[set_server_common_status] (0x0100): Marking server
'usbe9w2003.na.bazzlegroup.com' as 'name
not resolved'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'usbe9w2003.na.bazzlegroup.com' as
'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server
'usbe9w2003.na.bazzlegrou
p.com' as 'neutral'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com
offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_mark_subdom_offline] (0x4000): Subdomain already inactive
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed:
[1432158262]: Subdoma
in is inactive.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed:
1432158262
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[sdap_id_op_destroy] (0x4000): releasing operation connection
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed
request
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[acctinfo_callback] (0x0100): Request processed. Returned
3,1432158262,Account info lookup f
ailed
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[sbus_dispatch] (0x4000): dbus conn: 0x7f3bf48f92c0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[sbus_dispatch] (0x4000): Dispatching.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.dataprovider.pamH
andler on path /org/freedesktop/sssd/dataprovider
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_req_set_domain] (0x0400): Changing request domain from
[platform.schlitz] to [na.bazzlegroup.com]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_pam_handler] (0x0100): Got request with the following data
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): domain: na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): user: mr...@na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): service: sshd
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): tty: ssh
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): ruser:
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): rhost: 172.27.246.142
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): authtok type: 1
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): newauthtok type: 0
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): priv: 1
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): cli_pid: 9864
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[pam_print_data] (0x0100): logon name: not set
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[krb5_auth_queue_send] (0x1000): Wait queue of user
[mr...@na.bazzlegroup.com] is empty, ru
nning request [0x7f3bf4928fb0] immediately.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_setup]
(0x4000): No mapping for: mr...@na.bazzlegroup.com
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Added timed event "ltdb_callback": 0x7f3bf48ff0a0

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Added timed event "ltdb_timeout": 0x7f3bf498a870

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Running timer event 0x7f3bf48ff0a0 "ltdb_callback"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Destroying timer event 0x7f3bf498a870 "ltdb_timeout"
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Ending timer event 0x7f3bf48ff0a0 "ltdb_callback"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[get_server_status] (0x1000): Status of server
'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[get_port_status] (0x1000): Port status of port 0 for server
'ipafour.platform.schlitz' i
s 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to
6 seconds
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[get_server_status] (0x1000): Status of server
'ipafour.platform.schlitz' is 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_resolve_server_process] (0x0200): Found address for server
ipafour.platform.schlitz:
[172.30.8.119] TTL 7200
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://ipafour.platform.schlitz'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[krb5_auth_resolve_done] (0x2000): Subdomain na.bazzlegroup.com is
inactive, will proceed off
line
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[child_handler_setup] (0x2000): Setting up signal handler up for pid
[9892]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[child_handler_setup] (0x2000): Signal handler set up for pid [9892]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[write_pipe_handler] (0x0400): All data has been sent!
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[child_sig_handler] (0x1000): Waiting for child [9892].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[child_sig_handler] (0x0100): child [9892] finished successfully.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[parse_krb5_child_response] (0x1000): child response [0][3][40].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING.
Called from: src/providers/
krb5/krb5_auth.c: krb5_auth_done: 1039
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_set_port_status] (0x0100): Marking port 0 of server
'ipafour.platform.schlitz' as 'wo
rking'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[set_server_common_status] (0x0100): Marking server
'ipafour.platform.schlitz' as 'workin
g'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[fo_set_port_status] (0x0400): Marking port 0 of duplicate server
'ipafour.platform.infochim
ps' as 'working'
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:456139433]
for user [MRFUN@na.
bazzlegroup.com].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): start ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): start ldb transaction (nesting: 1)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Added timed event "ltdb_callback": 0x7f3bf498c360

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Added timed event "ltdb_timeout": 0x7f3bf498c420

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Running timer event 0x7f3bf498c360 "ltdb_callback"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Destroying timer event 0x7f3bf498c420 "ltdb_timeout"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Ending timer event 0x7f3bf498c360 "ltdb_callback"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): commit ldb transaction (nesting: 1)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): commit ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): start ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Added timed event "ltdb_callback": 0x7f3bf498c130

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Added timed event "ltdb_timeout": 0x7f3bf491f660

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Running timer event 0x7f3bf498c130 "ltdb_callback"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Destroying timer event 0x7f3bf491f660 "ltdb_timeout"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): Ending timer event 0x7f3bf498c130 "ltdb_callback"

(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[sysdb_cache_auth] (0x4000): Offline credentials expiration is [0]
days.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[check_failed_login_attempts] (0x4000): Failed login attempts [0],
allowed failed login atte
mpts [0], failed login delay [5].
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[sysdb_cache_auth] (0x0100): Cached credentials not available.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb]
(0x4000): cancel ldb transaction (nesting: 0)
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[krb5_auth_cache_creds] (0x0020): Offline authentication failed
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[check_wait_queue] (0x1000): Wait queue for user
[mr...@na.bazzlegroup.com] is empty.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[krb5_auth_queue_done] (0x1000): krb5_auth_queue request
[0x7f3bf4928fb0] done.
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>)
[Success (Permission de
nied)]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_pam_handler_callback] (0x0100): Sending result
[6][na.bazzlegroup.com]
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
[be_pam_handler_callback] (0x0100): Sent result
[6][na.bazzlegroup.com]



My sssd.conf:

[domain/platform.schlitz]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = platform.schlitz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipafour.platform.schlitz
chpass_provider = ipa
ipa_server = ipafour.platform.schlitz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2
debug_level = 9

domains = platform.schlitz
[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

sshd_config:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPICleanupCredentials no
X11Forwarding yes
UsePrivilegeSeparation sandbox          # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp  /usr/libexec/openssh/sftp-server

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
GSSAPIAuthentication yes


/etc/pam.d/sshd
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be
executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare


/etc/pam.d/password-auth:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so
nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to