Re: [Freeipa-users] pam_winbind(sshd:auth): pam_get_item returned a password

On Wed, Nov 16, 2016 at 01:01:59PM +0100, Sumit Bose wrote:
> On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote:
> > I am using FreeIPA version 4.4.0 Active Directory trust setup. And on
> > Active Directory side I am using UPN suffix.
> > Following is my domain setup.
> >
> > AD DOMAIN :- corp.addomain.com
> > UPN suffix :- usern...@mydomain.com
> > IPA DOMAIN :- ipa.ipadomain.local
> > IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local
>
> When you call 'ipa trust-find' on the IPA server do you see the
> mydomain.com UPN suffix listed, like e.g.:
>
> # ipa trust-find
> ---
> 1 trust matched
> ---
>   Realm-Name: ad.devel
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-3692237560-1981608775-3610128199
>   Trust type: Active Directory domain
>   UPN suffixes: alt.alt, alt.upn.suffix
>
> SSSD 1.14 and above on the IPA client should enable enterprise principal
> support automatically if UPN suffixes are found on the server but according
> to
>
> (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [rajat.gu...@mydomain.com]
>
> it is not. If the UPN suffixes are not known on the server, calling 'ipa
> trust-fetch-domains' might help to get them. If there are still no UPN
> suffixes available on the server you can switch on enterprise principal on
> the client manually by adding 'krb5_use_enterprise_principal = True' in the
> [domain/...] section of sssd.conf. You have to set it manually as well if
> you are using older versions of SSSD.
>
> HTH
>
> bye,
> Sumit
>
> >
> > I am able to login with AD user on IPA server. But on IPA client I am not
> > able to login; I am getting the login message "Access denied". I have
> > enabled the debug_level in sssd.conf on the IPA client.
> >
> > below are some logs..
> >
> > /var/log/secure
> >
> > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989
> > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for user e600336: 6 (Permission denied)
> > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting password (0x0010)

By the way, why do you have pam_winbind in the PAM configuration?

bye,
Sumit

> > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): pam_get_item returned a password
> > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
> > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for e600336 from x.x.x.x. port 48842 ssh2
> >
> > krb5_child.log
> >
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data] (0x4000): Response sent.
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400): krb5_child completed successfully
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): krb5_child started.
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x1000): total buffer size: [159]
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [rajat.gu...@mydomain.com]
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917].
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [0][0].
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid.
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL]
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab.
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL).
> > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [check_fast_ccache] (0x0200): FAST TGT is
Re: [Freeipa-users] pam_winbind(sshd:auth): pam_get_item returned a password

On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote:
> I am using FreeIPA version 4.4.0 Active Directory trust setup. And on
> Active Directory side I am using UPN suffix.
> Following is my domain setup.
>
> AD DOMAIN :- corp.addomain.com
> UPN suffix :- usern...@mydomain.com
> IPA DOMAIN :- ipa.ipadomain.local
> IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local

When you call 'ipa trust-find' on the IPA server do you see the
mydomain.com UPN suffix listed, like e.g.:

# ipa trust-find
---
1 trust matched
---
  Realm-Name: ad.devel
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3692237560-1981608775-3610128199
  Trust type: Active Directory domain
  UPN suffixes: alt.alt, alt.upn.suffix

SSSD 1.14 and above on the IPA client should enable enterprise principal
support automatically if UPN suffixes are found on the server but according
to

(0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [rajat.gu...@mydomain.com]

it is not. If the UPN suffixes are not known on the server, calling 'ipa
trust-fetch-domains' might help to get them. If there are still no UPN
suffixes available on the server you can switch on enterprise principal on
the client manually by adding 'krb5_use_enterprise_principal = True' in the
[domain/...] section of sssd.conf. You have to set it manually as well if
you are using older versions of SSSD.

HTH

bye,
Sumit

>
> I am able to login with AD user on IPA server. But on IPA client I am not
> able to login; I am getting the login message "Access denied". I have
> enabled the debug_level in sssd.conf on the IPA client.
>
> below are some logs..
>
> /var/log/secure
>
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for user e600336: 6 (Permission denied)
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting password (0x0010)
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): pam_get_item returned a password
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for e600336 from x.x.x.x. port 48842 ssh2
>
> krb5_child.log
>
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data] (0x4000): Response sent.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400): krb5_child completed successfully
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): krb5_child started.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x1000): total buffer size: [159]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [rajat.gu...@mydomain.com]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL).
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000): Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup] (0x2000): Running as [100765
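Sumit's reply above boils down to two checks on the IPA client: whether krb5_child is sending an enterprise principal for a UPN whose suffix is not the AD realm (and whether sssd.conf forces it on), and whether pam_winbind is stacked in the PAM auth configuration at all. The script below is an added example written for this thread; it is not code from the thread, from SSSD or from FreeIPA. The krb5_child.log lines, the sssd.conf fragment and the PAM stack are constructed samples modelled on the logs in the thread; the UPN "aduser@mydomain.com" is a placeholder for the elided address, and the section name [domain/ipa.ipadomain.local] is an assumption standing in for Sumit's "[domain/...]".

```python
import re
from configparser import ConfigParser
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's krb5_child.log; "aduser" is a placeholder UPN.
SAMPLE_KRB5_LOG = (
    "(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): "
    "cmd [241] uid [1007656917] gid [1007656917] validate [true] "
    "enterprise principal [false] offline [false] UPN [aduser@mydomain.com]\n"
    "(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] (0x0400): "
    "Attempting kinit for realm [MYDOMAIN.COM]\n"
)

# Constructed sssd.conf fragment; the section name is an assumption (Sumit writes [domain/...]).
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.ipadomain.local
services = nss, pam

[domain/ipa.ipadomain.local]
id_provider = ipa
auth_provider = ipa
debug_level = 9
"""

# Constructed /etc/pam.d/sshd-style auth stack with pam_winbind stacked after pam_sss.
SAMPLE_PAM_SSHD = """
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_sss.so use_first_pass
auth       sufficient   pam_winbind.so use_first_pass
auth       required     pam_deny.so
"""

# The krb5_child request summary line, as formatted in the thread's log.
UNPACK_RE = re.compile(
    r"\[unpack_buffer\] \(0x0100\): cmd \[(?P<cmd>\d+)\] uid \[(?P<uid>\d+)\] gid \[\d+\]"
    r" validate \[\w+\] enterprise principal \[(?P<ep>true|false)\]"
    r" offline \[\w+\] UPN \[(?P<upn>[^\]]+)\]"
)
# PAM "auth" line: control field may be a bracketed list with spaces, e.g. [success=done default=bad].
PAM_AUTH_RE = re.compile(r"^auth\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")


def parse_krb5_child_requests(log_text: str) -> List[Dict[str, object]]:
    """One dict per krb5_child request summary: uid, UPN and the enterprise-principal flag."""
    return [
        {"uid": int(m["uid"]), "upn": m["upn"], "enterprise_principal": m["ep"] == "true"}
        for m in UNPACK_RE.finditer(log_text)
    ]


def realm_of(principal: str) -> str:
    """Realm part of a principal or UPN, upper-cased for comparison."""
    return principal.rsplit("@", 1)[-1].upper()


def enterprise_principal_setting(sssd_conf: str, domain: str) -> Optional[bool]:
    """krb5_use_enterprise_principal from [domain/<domain>]; None if that section is absent."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return None
    return cp.getboolean(section, "krb5_use_enterprise_principal", fallback=False)


def assess_requests(requests, ad_realm: str, upn_suffixes: List[str]) -> List[str]:
    """Flag requests whose UPN realm is not the AD realm but were sent without enterprise principal."""
    findings = []
    known = {s.upper() for s in upn_suffixes}  # suffixes as shown by 'ipa trust-find'
    for r in requests:
        realm = realm_of(str(r["upn"]))
        if realm == ad_realm.upper() or r["enterprise_principal"]:
            continue  # plain AD principal, or enterprise principal already on: nothing to flag
        if realm in known:
            findings.append(f"{r['upn']}: suffix {realm} is listed by 'ipa trust-find' but enterprise "
                            "principal is off; check the SSSD version or set krb5_use_enterprise_principal = True")
        else:
            findings.append(f"{r['upn']}: suffix {realm} is not listed by 'ipa trust-find'; try "
                            "'ipa trust-fetch-domains' or set krb5_use_enterprise_principal = True")
    return findings


def pam_auth_modules(pam_text: str) -> List[str]:
    """Module names on the auth lines of a PAM service file, in stack order."""
    mods = []
    for line in pam_text.splitlines():
        m = PAM_AUTH_RE.match(line.strip())
        if m:
            mods.append(m.group(1).rsplit("/", 1)[-1])
    return mods


if __name__ == "__main__":
    reqs = parse_krb5_child_requests(SAMPLE_KRB5_LOG)
    for finding in assess_requests(reqs, "CORP.ADDOMAIN.COM", []):
        print("finding:", finding)
    print("krb5_use_enterprise_principal:",
          enterprise_principal_setting(SAMPLE_SSSD_CONF, "ipa.ipadomain.local"))
    mods = pam_auth_modules(SAMPLE_PAM_SSHD)
    if "pam_winbind.so" in mods and "pam_sss.so" in mods:
        print("pam_winbind.so is stacked alongside pam_sss.so:", mods)
```

On a real client, replace the three constructed samples with the contents of /var/log/sssd/krb5_child.log, /etc/sssd/sssd.conf and the PAM service file, and pass the suffixes from 'ipa trust-find' as the third argument of assess_requests; the findings then map directly onto Sumit's three options (fetch the domains, set the option, or upgrade SSSD).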
[Freeipa-users] pam_winbind(sshd:auth): pam_get_item returned a password

I am using FreeIPA version 4.4.0 Active Directory trust setup. And on
Active Directory side I am using UPN suffix.
Following is my domain setup.

AD DOMAIN :- corp.addomain.com
UPN suffix :- usern...@mydomain.com
IPA DOMAIN :- ipa.ipadomain.local
IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local

I am able to login with AD user on IPA server. But on IPA client I am not
able to login; I am getting the login message "Access denied". I have
enabled the debug_level in sssd.conf on the IPA client.

below are some logs..

/var/log/secure

Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for user e600336: 6 (Permission denied)
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting password (0x0010)
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): pam_get_item returned a password
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for e600336 from x.x.x.x. port 48842 ssh2

krb5_child.log

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400): krb5_child completed successfully
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): krb5_child started.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x1000): total buffer size: [159]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [rajat.gu...@mydomain.com]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL).
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): Will perform online auth
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MYDOMAIN.COM]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting initial credentials for rajat.gu...@mydomain.com
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418698: Retrieving host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL -> krb5