New FreeIPA deployment, and I have one server that is not allowing Kerberos
to handle authentication, but instead is prompting for a password with a
valid Kerberos ticket.  All other machines are working normally.  I've
double-checked the /etc/ssh/sshd_config file; it is identical between the one not
working and the one that is.  Done the same for the SSSD and IPA configuration
info.  Entering the password on the machine does work, and does result in a
valid ticket being issued.  Below is some debug info, generated with
"KRB5_TRACE=/dev/stdout ssh -vvv {hostname}", and truncated down to only the
parts that differ:

On a working machine:

debug1: Next authentication method: gssapi-with-mic
[28004] 1508434137.499258: ccselect can't find appropriate cache for server
principal host/tc-adm01.trustcharge.net@
[28004] 1508434137.499490: Getting credentials jer...@ipa.trustcharge.net
-> host/tc-adm01.trustcharge.net@ using ccache
KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.499669: Retrieving jer...@ipa.trustcharge.net ->
host/tc-adm01.trustcharge.net@ from
KEYRING:persistent:1001:krb_ccache_MjbcsDY with result:
-1765328243/Matching credential not found
[28004] 1508434137.499768: Retrying jer...@ipa.trustcharge.net -> host/
tc-adm01.trustcharge....@ipa.trustcharge.net with result:
-1765328243/Matching credential not found
[28004] 1508434137.499778: Server has referral realm; starting with host/
tc-adm01.trustcharge....@ipa.trustcharge.net
[28004] 1508434137.499878: Retrieving jer...@ipa.trustcharge.net -> krbtgt/
ipa.trustcharge....@ipa.trustcharge.net from
KEYRING:persistent:1001:krb_ccache_MjbcsDY with result: 0/Success
[28004] 1508434137.499888: Starting with TGT for client realm:
jer...@ipa.trustcharge.net -> krbtgt/ipa.trustcharge....@ipa.trustcharge.net
[28004] 1508434137.499900: Requesting tickets for host/
tc-adm01.trustcharge....@ipa.trustcharge.net, referrals on
[28004] 1508434137.499961: Generated subkey for TGS request: aes256-cts/B274
[28004] 1508434137.500054: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[28004] 1508434137.500259: Encoding request body and padata into FAST
request
[28004] 1508434137.500374: Sending request (985 bytes) to
IPA.TRUSTCHARGE.NET
[28004] 1508434137.500660: Initiating TCP connection to stream
172.31.92.18:88
[28004] 1508434137.501228: Sending TCP request to stream 172.31.92.18:88
[28004] 1508434137.507122: Received answer (937 bytes) from stream
172.31.92.18:88
[28004] 1508434137.507139: Terminating TCP connection to stream
172.31.92.18:88
[28004] 1508434137.507240: Response was from master KDC
[28004] 1508434137.507273: Decoding FAST response
[28004] 1508434137.507439: FAST reply key: aes256-cts/9BE9
[28004] 1508434137.507497: TGS reply is for jer...@ipa.trustcharge.net ->
host/tc-adm01.trustcharge....@ipa.trustcharge.net with session key
aes256-cts/CD56
[28004] 1508434137.507522: TGS request result: 0/Success
[28004] 1508434137.507529: Received creds for desired service host/
tc-adm01.trustcharge....@ipa.trustcharge.net
[28004] 1508434137.507543: Storing jer...@ipa.trustcharge.net ->
host/tc-adm01.trustcharge.net@ in KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.507690: Also storing jer...@ipa.trustcharge.net -> host/
tc-adm01.trustcharge....@ipa.trustcharge.net based on ticket
[28004] 1508434137.507704: Removing jer...@ipa.trustcharge.net -> host/
tc-adm01.trustcharge....@ipa.trustcharge.net from
KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.507911: Creating authenticator for
jer...@ipa.trustcharge.net -> host/tc-adm01.trustcharge.net@, seqnum
291429769, subkey aes256-cts/A214, session key aes256-cts/CD56
debug2: we sent a gssapi-with-mic packet, wait for reply
[28004] 1508434137.511804: ccselect can't find appropriate cache for server
principal host/tc-adm01.trustcharge.net@
[28004] 1508434137.511964: Getting credentials jer...@ipa.trustcharge.net
-> host/tc-adm01.trustcharge.net@ using ccache
KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.512124: Retrieving jer...@ipa.trustcharge.net ->
host/tc-adm01.trustcharge.net@ from
KEYRING:persistent:1001:krb_ccache_MjbcsDY with result: 0/Success
[28004] 1508434137.512197: Creating authenticator for
jer...@ipa.trustcharge.net -> host/tc-adm01.trustcharge.net@, seqnum
487674855, subkey aes256-cts/0383, session key aes256-cts/CD56
[28004] 1508434137.670683: Read AP-REP, time 1508434137.512205, subkey
aes256-cts/2950, seqnum 529391729
debug1: Authentication succeeded (gssapi-with-mic).

On failing machine:

debug1: Next authentication method: gssapi-with-mic
[23080] 1508434210.54069: ccselect module realm chose cache
FILE:/tmp/krb5cc_1001 with client principal jer...@ipa.trustcharge.net for
server principal host/tc-log01.trustcharge....@ipa.trustcharge.net
[23080] 1508434210.54141: Retrieving jer...@ipa.trustcharge.net ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/krb5cc_1001 with result: -1765328243/Matching credential not found
[23080] 1508434210.54160: Getting credentials jer...@ipa.trustcharge.net ->
host/tc-log01.trustcharge....@ipa.trustcharge.net using ccache
FILE:/tmp/krb5cc_1001
[23080] 1508434210.54207: Retrieving jer...@ipa.trustcharge.net -> host/
tc-log01.trustcharge....@ipa.trustcharge.net from FILE:/tmp/krb5cc_1001
with result: -1765328243/Matching credential not found
[23080] 1508434210.54242: Retrieving jer...@ipa.trustcharge.net -> krbtgt/
ipa.trustcharge....@ipa.trustcharge.net from FILE:/tmp/krb5cc_1001 with
result: 0/Success
[23080] 1508434210.54248: Found cached TGT for service realm:
jer...@ipa.trustcharge.net -> krbtgt/ipa.trustcharge....@ipa.trustcharge.net
[23080] 1508434210.54253: Requesting tickets for host/
tc-log01.trustcharge....@ipa.trustcharge.net, referrals on
[23080] 1508434210.54285: Generated subkey for TGS request: aes256-cts/52BF
[23080] 1508434210.54292: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23080] 1508434210.54411: Sending request (740 bytes) to IPA.TRUSTCHARGE.NET
[23080] 1508434210.54541: Initiating TCP connection to stream
172.31.92.18:88
[23080] 1508434210.54902: Sending TCP request to stream 172.31.92.18:88
[23080] 1508434210.60311: Received answer from stream 172.31.92.18:88
[23080] 1508434210.60349: Response was from master KDC
[23080] 1508434210.60409: TGS reply is for jer...@ipa.trustcharge.net ->
host/tc-log01.trustcharge....@ipa.trustcharge.net with session key
aes256-cts/98CE
[23080] 1508434210.60438: TGS request result: 0/Success
[23080] 1508434210.60444: Received creds for desired service host/
tc-log01.trustcharge....@ipa.trustcharge.net
[23080] 1508434210.60450: Removing jer...@ipa.trustcharge.net -> host/
tc-log01.trustcharge....@ipa.trustcharge.net from FILE:/tmp/krb5cc_1001
[23080] 1508434210.60455: Storing jer...@ipa.trustcharge.net -> host/
tc-log01.trustcharge....@ipa.trustcharge.net in FILE:/tmp/krb5cc_1001
[23080] 1508434210.60557: Creating authenticator for
jer...@ipa.trustcharge.net -> host/
tc-log01.trustcharge....@ipa.trustcharge.net, seqnum 77295956, subkey
aes256-cts/5E8E, session key aes256-cts/98CE
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 100 bytes for a total of 1417
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
[23080] 1508434210.62494: ccselect module realm chose cache
FILE:/tmp/krb5cc_1001 with client principal jer...@ipa.trustcharge.net for
server principal host/tc-log01.trustcharge....@ipa.trustcharge.net
[23080] 1508434210.62534: Retrieving jer...@ipa.trustcharge.net ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/krb5cc_1001 with result: -1765328243/Matching credential not found
[23080] 1508434210.62542: Getting credentials jer...@ipa.trustcharge.net ->
host/tc-log01.trustcharge....@ipa.trustcharge.net using ccache
FILE:/tmp/krb5cc_1001
[23080] 1508434210.62574: Retrieving jer...@ipa.trustcharge.net -> host/
tc-log01.trustcharge....@ipa.trustcharge.net from FILE:/tmp/krb5cc_1001
with result: 0/Success
[23080] 1508434210.62628: Getting credentials jer...@ipa.trustcharge.net ->
host/tc-log01.trustcharge....@ipa.trustcharge.net using ccache
FILE:/tmp/krb5cc_1001
[23080] 1508434210.62662: Retrieving jer...@ipa.trustcharge.net -> host/
tc-log01.trustcharge....@ipa.trustcharge.net from FILE:/tmp/krb5cc_1001
with result: 0/Success
[23080] 1508434210.62689: Creating authenticator for
jer...@ipa.trustcharge.net -> host/
tc-log01.trustcharge....@ipa.trustcharge.net, seqnum 764360366, subkey
aes256-cts/1570, session key aes256-cts/98CE
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 100 bytes for a total of 1517
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password

Any ideas what could be going wrong?  I'm not real familiar with the
internals of Kerberos/GSSAPI, but it seems that is where it is failing.

Jeremy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
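Added example (not from the poster or the FreeIPA project): a small analyser for a combined `KRB5_TRACE` + `ssh -vvv` capture that reports how far the GSSAPI exchange got on the client side. The two embedded traces are constructed excerpts collapsed from the post's working and failing outputs, and the verdict labels are my own heuristic: a `TGS request result: 0/Success` with no later `Read AP-REP` means the client held a service ticket and sent it, so the remaining question is why sshd did not accept it.

```python
import re
# Constructed excerpts modelled on the two traces in the post, collapsed to
# the lines the analyser keys on; a real KRB5_TRACE capture parses the same way.
WORKING = """\
debug1: Next authentication method: gssapi-with-mic
[28004] 1508434137.499490: Getting credentials jer...@ipa.trustcharge.net -> host/tc-adm01.trustcharge.net@ using ccache KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.500054: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[28004] 1508434137.507522: TGS request result: 0/Success
debug2: we sent a gssapi-with-mic packet, wait for reply
[28004] 1508434137.670683: Read AP-REP, time 1508434137.512205, subkey aes256-cts/2950, seqnum 529391729
debug1: Authentication succeeded (gssapi-with-mic).
"""
FAILING = """\
debug1: Next authentication method: gssapi-with-mic
[23080] 1508434210.54160: Getting credentials jer...@ipa.trustcharge.net -> host/tc-log01.trustcharge....@ipa.trustcharge.net using ccache FILE:/tmp/krb5cc_1001
[23080] 1508434210.54292: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[23080] 1508434210.60438: TGS request result: 0/Success
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
"""

def analyse(trace):
    """Summarise how far a KRB5_TRACE + ssh -vvv capture got, client side."""
    r = {"ccache": None, "etypes": [], "tgs_ok": False,
         "token_sent": False, "ap_rep": False, "verdict": None}
    for line in trace.splitlines():
        m = re.search(r"using ccache (\S+)", line)
        if m:
            r["ccache"] = m.group(1)          # which credential cache was used
        m = re.search(r"etypes requested in TGS request: (.*)", line)
        if m:
            r["etypes"] = [e.strip() for e in m.group(1).split(",")]
        if "TGS request result: 0/Success" in line:
            r["tgs_ok"] = True                # KDC issued the host/ service ticket
        if "we sent a gssapi-with-mic packet" in line:
            r["token_sent"] = True            # AP-REQ was handed to sshd
        if "Read AP-REP" in line:
            r["ap_rep"] = True                # sshd answered with a valid AP-REP
    if not r["tgs_ok"]:
        r["verdict"] = "no_service_ticket"    # client ccache or KDC problem
    elif r["token_sent"] and not r["ap_rep"]:
        r["verdict"] = "server_rejected"      # ticket obtained; inspect sshd side
    else:
        r["verdict"] = "mutual_auth_ok"
    return r

if __name__ == "__main__":
    for name, t in (("working", WORKING), ("failing", FAILING)):
        print(name, analyse(t))
```

Run it against your own capture (`analyse(open("trace.txt").read())`); a `server_rejected` verdict says the next logs to read are the target host's sshd and krb5 logs rather than the client's.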