Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Tiemen Ruiten Tue, 02 May 2017 10:46:43 -0700

It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
for mapping. However on the AD host:


Microsoft Windows [Version 6.3.9600]

(c) 2013 Microsoft Corporation. All rights reserved.


adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>klist


Current LogonId is 0:0x603b58


Cached Tickets: (0)


adm.tiemen@VM-WIN-01 C:\Users\adm.tiemen>

Note that this is the domain controller and I'm logged in using the
experimental Win32-OpenSSH server. Not sure if that makes a difference. I
am not currently in the office, so unfortunately can't turn on the only
joined laptop in this domain.

How can I ensure a proper ticket is generated?

On 2 May 2017 at 18:25, Sumit Bose <sb...@redhat.com> wrote:

> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> > I think I just realised that my expectation may be wrong: GSSAPI login
> with
> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> > correct to also expect passwordless login with an AD user to a FreeIPA
> host?
>
> The AD user case should work as well.
>
> First please send the SSSD version you use on the IPA client,
> alternatively you can check if
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
> would tell if SSSD can map the user name to the Kerberos principal of if
> additional configuration is needed.
>
> On the AD host please check after trying to connect with ssh if there is
> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
> or PowerShell.
>
> bye,
> Sumit
>
> >
> > On 2 May 2017 at 17:40, Jason B. Nance <ja...@tresgeek.net> wrote:
> >
> > > Hi Tiemen,
> > >
> > > To be clear, what I'm trying to do: log in from an AD account
> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> > > expect to be logged in through GSSAPI, instead I get a password prompt.
> > >
> > > I'm assuming that you are coming from a Windows client that is domain
> > > joined and logged into that Windows client with the same domain
> credentials
> > > that you are using to connect to the IPA-joined host.  Do you also have
> > > your SSH client configured to attempt GSSAPI?  It appears that you do
> from
> > > the logs you provided but I'm just double-checking.
> > >
> > > In my setup I've found that this feature does not work all of the time.
> > > I've not yet been able to track it down and I'm assuming it has
> something
> > > to do with connections to domain controllers timing out, but at this
> point
> > > that is speculation.
> > >
> > > So to answer your question, yes, that should work.  Sorry I don't have
> > > more information for you, I guess I'm basically "me too"ing your post.
> > >
> > > Regards,
> > >
> > > j
> > >
> > > Is this supposed to work? Did I miss something?
> > >
> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
> > >
> > > May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> > > May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> > > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state:
> entering fd
> > > = 8 config len 922
> > > May  2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> > > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> > > May  2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> > > May  2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> > > May  2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5
> > > newsock 5 pipe 7 sock 8
> > > May  2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after
> dupping:
> > > 3, 3
> > > May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155
> port
> > > 53106 on 192.168.50.63 port 22
> > > May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version
> 2.0;
> > > client software version PuTTY_KiTTY
> > > May  2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> > > May  2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility
> mode
> > > for protocol 2.0
> > > May  2 17:10:32 neodymium sshd[752]: debug1: Local version string
> > > SSH-2.0-OpenSSH_6.6.1
> > > May  2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> > > May  2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init:
> preparing
> > > rlimit sandbox
> > > May  2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid
> 753
> > > May  2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor
> started
> > > May  2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 42 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 43 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 42
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 43
> > > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-
> toWM5Slw5Ew8Mqkay+
> > > al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve
> > > 25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> > > group14-sha1,diffie-hellman-group1-sha1 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> > > 28-...@openssh.com,aes256-...@openssh.com,chacha20-poly1305@
> openssh.com
> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> > > aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> > > 28-...@openssh.com,aes256-...@openssh.com,chacha20-poly1305@
> openssh.com
> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> > > aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-e
> t...@openssh.com
> > > ,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac
> -sha2-512-etm@
> > > openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-etm@
> openssh.com,
> > > hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com
> ,umac-
> > > 1...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> > > mac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-e
> t...@openssh.com
> > > ,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac
> -sha2-512-etm@
> > > openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-etm@
> openssh.com,
> > > hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com
> ,umac-
> > > 1...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> > > mac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> > > z...@openssh.com [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> > > z...@openssh.com [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > first_kex_follows 0  [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> reserved 0
> > >  [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> > > group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
> > > ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-
> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com
> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-
> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com
> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> > > 256-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha1-96-e
> t...@openssh.com
> > > ,hmac-md5-...@openssh.com [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> > > 256-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha1-96-e
> t...@openssh.com
> > > ,hmac-md5-...@openssh.com [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> none,zlib
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> none,zlib
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> > > first_kex_follows 0  [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> reserved 0
> > >  [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> > > hmac-sha2-256 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex: client->server
> > > aes256-ctr hmac-sha2-256 none [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> > > hmac-sha2-256 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex: server->client
> > > aes256-ctr hmac-sha2-256 none [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex:
> > > curve25519-sha...@libssh.org need=32 dh_need=32 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 120 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 121 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 120
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 121
> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex:
> > > curve25519-sha...@libssh.org need=32 dh_need=32 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 120 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 121 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 120
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 121
> > > May  2 17:10:32 neodymium sshd[752]: debug1: expecting
> > > SSH2_MSG_KEX_ECDH_INIT [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering
> [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 6 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for
> > > MONITOR_ANS_SIGN [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 7 [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 6
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature
> > > 0x7f7ea34ed250(83)
> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 7
> > > May  2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once,
> > > disabling now
> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1
> [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent
> > > [preauth]
> > > May  2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS
> > > [preauth]
> > > May  2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0
> [preauth]
> > > May  2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received
> > > [preauth]
> > > May  2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> > > adm.tie...@clients.rdmedia.com service ssh-connection method none
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0
> [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 8 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting
> for
> > > MONITOR_ANS_PWNAM [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 9 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 8
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow
> > > May  2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map
> address
> > > 192.168.10.155.
> > > May  2 17:10:42 neodymium sshd[752]: debug2: parse_server_config:
> config
> > > reprocess config len 922
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow:
> sending
> > > MONITOR_ANS_PWNAM: 1
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 9
> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once,
> > > disabling now
> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> > > setting up authctxt for adm.tie...@clients.rdmedia.com [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 100 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv
> entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 4 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole
> entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 80 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> try
> > > method none [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure
> > > partial=0 next methods="publickey,gssapi-keye
> x,gssapi-with-mic,password,keyboard-interactive"
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 100
> > > May  2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for "
> > > adm.tie...@clients.rdmedia.com"
> > > May  2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to
> > > "192.168.10.155"
> > > May  2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to
> "ssh"
> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used
> once,
> > > disabling now
> > > May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> > > adm.tie...@clients.rdmedia.com service ssh-connection method
> > > gssapi-with-mic [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0
> [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> try
> > > method gssapi-with-mic [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 42 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 43 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 4
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv:
> > > service=ssh-connection, style=
> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once,
> > > disabling now
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 80
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role=
> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used
> once,
> > > disabling now
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 42
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 43
> > > May  2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for
> > > adm.tie...@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> > > adm.tie...@clients.rdmedia.com service ssh-connection method
> > > keyboard-interactive [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0
> [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> try
> > > method keyboard-interactive [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs
> > >  [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user=
> > > adm.tie...@clients.rdmedia.com devs= [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices
> 'pam'
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start:
> > > devices pam [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device:
> devices
> > > <empty> [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start:
> trying
> > > authentication method 'pam' [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx
> [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 104 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx:
> waiting
> > > for MONITOR_ANS_PAM_INIT_CTX [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 105 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 104
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx
> > > May  2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 105
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 106 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting
> for
> > > MONITOR_ANS_PAM_QUERY [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> > > entering: type 107 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> > > request 106
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query
> > > May  2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering
> > > May  2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv
> > > entering, 1 messages
> > > May  2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1
> > > May  2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> > > type 107
> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query
> > > returned 0 [preauth]
> > > May  2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for
> > > adm.tie...@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2
> > > [preauth]
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Tiemen Ruiten
> > > Systems Engineer
> > > R&D Media
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> > >
> > >
> > >
> >
> >
> > --
> > Tiemen Ruiten
> > Systems Engineer
> > R&D Media
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>



-- 
Tiemen Ruiten
Systems Engineer
R&D Media

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

Reply via email to