Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-30 Thread Morgan Marodin
I've found the problem, using DEBUG3 into SSH service:
-
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure.
Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type
45
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure
partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password"
[preauth]
Nov 30 08:52:47 myserver sshd[9639]: debug1: Received
SSH2_MSG_UNIMPLEMENTED for 7 [preauth]

My client was 4 minutes earlier than the IPA server. After syncing time via
ntpdate, Kerberos ticket authentication works correctly.

Thanks for your support, bye.
Morgan

2015-11-27 18:38 GMT+01:00 Sumit Bose :

> On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> > Yes:
> > --
> > # ls -l /var/lib/sss/pubconf/krb5.include.d/
> > total 8
> > -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> > -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> >
> > So what could I try to do?
>
> 'getent passwd' should return the same entry for the user name you use
> at the login prompt and the Kerberos principal (it's the name shown by
> klist in the 'Default principal:' line) e.g.:
>
> # getent passwd tu1@ad.devel
> tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
> # getent passwd tu1@AD.DEVEL
> tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
>
> From the logs I guess you used the name 'morgan.maro...@mydomain.com' at
> the login prompt.
>
> I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
> client with klist if you got a service ticket for your linux client
> principal which should look like host/linux.client.name@IPA.DOMAIN. On
> Windows there is klist for the cmd shell as well.
>
> Additionally, if there is a service ticket for the linux host, sshd debug
> logs from the linux host would be useful. For this please set LogLevel to
> DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
> confidential keys or passwords).
>
> bye,
> Sumit
>
> > Thanks, Morgan
> >
> > 2015-11-27 17:47 GMT+01:00 Sumit Bose :
> >
> > > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > > Hi Sumit.
> > > >
> > > > I don't know why, but now kerberos ticket authentication is working
> on
> > > 6.7
> > > > clients.
> > > > On 7.2 clients, password authentication with Active Directory
> > > > credentials is now working ... but not with a Kerberos ticket.
> > >
> > > This is most likely due to some issues while mapping the Kerberos
> > > principal to the local user name.
> > >
> > > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > > the beginning of your krb5.conf file? Does
> > > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> > >
> > > bye,
> > > Sumit
> > >
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Sumit Bose
On Fri, Nov 27, 2015 at 04:31:49PM +0100, Morgan Marodin wrote:
> Hi everyone.
> 
> After updating my FreeIPA server to the 7.2 OS version (it's a RHEL-like
> distribution) I have some problems authenticating with Active Directory
> credentials.
> 
> Testing it on 6.7 OS clients it works using the Windows password, but using
> a Kerberos ticket it doesn't work.
> 
> Testing it on a 7.2 client it doesn't work with either password or Kerberos
> tickets.

Let's first start with password authentication. For this we need SSSD
logs. Please see https://fedorahosted.org/sssd/wiki/Troubleshooting how
to change the debug levels. The pam and domains logs would be useful. If
you prefer you can send the logs to me directly.

bye,
Sumit

> 
> What could be the problem?
> 
> Please let me know, thanks.
> Bye, Morgan




Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Sumit Bose
On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> Hi Sumit.
> 
> I don't know why, but now kerberos ticket authentication is working on 6.7
> clients.
> On 7.2 clients, password authentication with Active Directory
> credentials is now working ... but not with a Kerberos ticket.

This is most likely due to some issues while mapping the Kerberos
principal to the local user name.

Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
the beginning of your krb5.conf file? Does
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?

bye,
Sumit



Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Sumit Bose
On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> Yes:
> --
> # ls -l /var/lib/sss/pubconf/krb5.include.d/
> total 8
> -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> 
> So what could I try to do?

'getent passwd' should return the same entry for the user name you use
at the login prompt and the Kerberos principal (it's the name shown by
klist in the 'Default principal:' line) e.g.:

# getent passwd tu1@ad.devel
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
# getent passwd tu1@AD.DEVEL
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh

From the logs I guess you used the name 'morgan.maro...@mydomain.com' at
the login prompt.

I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
client with klist if you got a service ticket for your linux client
principal which should look like host/linux.client.name@IPA.DOMAIN. On
Windows there is klist for the cmd shell as well.

Additionally, if there is a service ticket for the linux host, sshd debug
logs from the linux host would be useful. For this please set LogLevel to
DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
confidential keys or passwords).

bye,
Sumit

> Thanks, Morgan
> 
> 2015-11-27 17:47 GMT+01:00 Sumit Bose :
> 
> > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > Hi Sumit.
> > >
> > > I don't know why, but now kerberos ticket authentication is working on
> > 6.7
> > > clients.
> > > On 7.2 clients, password authentication with Active Directory
> > > credentials is now working ... but not with a Kerberos ticket.
> >
> > This is most likely due to some issues while mapping the Kerberos
> > principal to the local user name.
> >
> > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > the beginning of your krb5.conf file? Does
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> >
> > bye,
> > Sumit
> >

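The checks Sumit lists in this message (the includedir line at the top of krb5.conf, matching getent entries for the login name and for the principal, the sshd DEBUG3 log) and the clock-skew cause Morgan reports at the top of the thread can be turned into a small offline triage script. This is an added example, not code from the thread, from SSSD or from FreeIPA. The krb5.conf snippets and the second passwd entry are constructed samples, the getent line is the one Sumit posted, the sshd lines mirror the ones Morgan posted (joined into one syslog record each), and the 300-second threshold is the MIT krb5 default for the clockskew setting in [libdefaults]:

```python
"""Offline triage helpers for a failing Kerberos/GSSAPI ssh login against an
IPA client with AD trust.  Added example, not code from the thread, SSSD or
FreeIPA.  All inputs below are constructed samples except where noted."""
import re
from datetime import datetime, timedelta

# MIT krb5 default for 'clockskew' in [libdefaults] (300 seconds).
DEFAULT_CLOCKSKEW = timedelta(seconds=300)

# The directory ipa-client-install/SSSD expect krb5.conf to include.
SSSD_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d"

# Constructed krb5.conf samples: includedir first (good) and after a section (bad).
KRB5_CONF_GOOD = """\
# File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.MYDOMAIN.COM
"""
KRB5_CONF_BAD = """\
[libdefaults]
  default_realm = IPA.MYDOMAIN.COM
includedir /var/lib/sss/pubconf/krb5.include.d/
"""

# sshd LogLevel DEBUG3 records mirroring Morgan's log, one syslog record per
# line; sshd writes the GSS minor status with literal backslash-n escapes.
SAMPLE_SSHD_LOG = r"""Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure.  Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
"""

# getent output as posted by Sumit, plus a constructed non-matching local entry.
GETENT_PRINCIPAL = "tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh"
GETENT_LOCAL_USER = "tu1:x:1000:1000:local tu1:/home/tu1:/bin/bash"

# Captures the text between the '\n' escapes that follow the GSS major status.
GSS_FAILURE_RE = re.compile(
    r"Unspecified GSS failure\..*?more information\\n(?P<minor>[^\\]*)\\n")


def krb5_conf_has_sssd_includedir_first(conf_text):
    """Sumit's first check: the SSSD includedir must be the first directive in
    krb5.conf, i.e. before any [section] header."""
    for line in conf_text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", ";")):
            continue
        if s.startswith("includedir"):
            path = s.split(None, 1)[1].strip().rstrip("/")
            return path == SSSD_INCLUDEDIR
        return False  # a section or another directive came first
    return False


def gss_minor_codes(sshd_log):
    """Return the GSS minor-status texts (e.g. 'Clock skew too great') found in
    sshd debug output; this is where the real reason for a failed
    gssapi-with-mic attempt is reported."""
    found = []
    for record in sshd_log.splitlines():
        m = GSS_FAILURE_RE.search(record)
        if m:
            found.append(m.group("minor"))
    return found


def classify_gss_failure(minor_text):
    """Map a minor-status text to the thing the admin should look at next."""
    t = minor_text.lower()
    if "clock skew" in t:
        return "clock-skew"        # sync client and KDC clocks (ntpdate/chronyd)
    if "credentials" in t:
        return "no-ticket"         # klist: no usable TGT on the client
    if "server not found in kerberos database" in t:
        return "host-principal"    # host/<fqdn>@REALM missing or wrong name
    return "other"


def passwd_entries_match(entry_by_login, entry_by_principal):
    """Sumit's getent check: 'getent passwd <login name>' and
    'getent passwd <principal>' must resolve to the same account."""
    a, b = entry_by_login.split(":"), entry_by_principal.split(":")
    if len(a) != 7 or len(b) != 7:
        return False
    return a[0].lower() == b[0].lower() and a[2] == b[2] and a[5] == b[5]


def within_clockskew(client_time, kdc_time, max_skew=DEFAULT_CLOCKSKEW):
    """Kerberos rejects authenticators whose timestamp differs from the
    server's clock by more than the configured clockskew."""
    return abs(client_time - kdc_time) <= max_skew


if __name__ == "__main__":
    print("krb5.conf good:", krb5_conf_has_sssd_includedir_first(KRB5_CONF_GOOD))
    print("krb5.conf bad: ", krb5_conf_has_sssd_includedir_first(KRB5_CONF_BAD))
    for minor in gss_minor_codes(SAMPLE_SSHD_LOG):
        print("sshd GSS failure:", minor, "->", classify_gss_failure(minor))
    print("getent entries match:",
          passwd_entries_match(GETENT_PRINCIPAL.upper().split(":")[0] + ":" +
                               ":".join(GETENT_PRINCIPAL.split(":")[1:]),
                               GETENT_PRINCIPAL))
```

On a real client the same functions would take /etc/krb5.conf, the two getent passwd outputs (login name and principal form) and the sshd journal lines. The clock check is the one Morgan's ntpdate run fixed; the includedir and getent checks cover the principal-to-user mapping Sumit was asking about.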


Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Morgan Marodin
Hi Sumit.

I don't know why, but now kerberos ticket authentication is working on 6.7
clients.
On 7.2 clients, password authentication with Active Directory
credentials is now working ... but not with a Kerberos ticket.

Here are my 7.2 client SSSD logs:
---
==> /var/log/sssd/sssd_nss.log <==
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [get_client_cred] (0x4000): Client
creds: euid[0] egid[0] pid[2383].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17] with input [morgan.maro...@mydomain.com].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'morgan.maro...@mydomain.com' matched expression for domain '
mydomain.com', user is morgan.marodin
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [morgan.marodin] from [mydomain.com]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/mydomain.com/morgan.marodin]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [morgan.maro...@mydomain.com]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x7f5619210d40

(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x7f5619217200

(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Running timer event
0x7f5619210d40 "ltdb_callback"

(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer
event 0x7f5619217200 "ltdb_timeout"

(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x7f5619210d40 "ltdb_callback"

(Fri Nov 27 17:12:51 2015) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
LOCAL view, continuing with provided values.
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry
is valid, returning..
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
Returning info for user [morgan.maro...@mydomain.com]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x7f56192197a0][21]

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging
ipa.mydomain.com
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000):
0x7fad1ed51b10
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000):
0x7fad1ed3c400

==> /var/log/sssd/sssd_ipa.mydomain.com.log <==
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]] [sbus_dispatch]
(0x4000): dbus conn: 0x7fc5b4628010
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]] [sbus_dispatch]
(0x4000): Dispatching.

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging sudo

==> /var/log/sssd/sssd_ipa.mydomain.com.log <==
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]]
[sbus_message_handler] (0x2000): Received SBUS method
org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

==> /var/log/sssd/sssd_nss.log <==
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn:
0x7f5619211cf0
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_dispatch] (0x4000):
Dispatching.
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000):
0x7fad1ed51d40
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000):
0x7fad1ed467b0
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh

==> /var/log/sssd/sssd_ipa.mydomain.com.log <==

==> /var/log/sssd/sssd_nss.log <==
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000):
0x7fad1ed3fd40
(Fri Nov 27 17:12:52 2015) 

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Morgan Marodin
Yes:
--
# ls -l /var/lib/sss/pubconf/krb5.include.d/
total 8
-rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
-rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin

So what could I try to do?
Thanks, Morgan

2015-11-27 17:47 GMT+01:00 Sumit Bose :

> On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > Hi Sumit.
> >
> > I don't know why, but now kerberos ticket authentication is working on
> 6.7
> > clients.
> > On 7.2 clients, password authentication with Active Directory
> > credentials is now working ... but not with a Kerberos ticket.
>
> This is most likely due to some issues while mapping the Kerberos
> principal to the local user name.
>
> Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> the beginning of your krb5.conf file? Does
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
>
> bye,
> Sumit
>

[Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Morgan Marodin
Hi everyone.

After updating my FreeIPA server to the 7.2 OS version (it's a RHEL-like
distribution) I have some problems authenticating with Active Directory
credentials.

Testing it on 6.7 OS clients it works using the Windows password, but using
a Kerberos ticket it doesn't work.

Testing it on a 7.2 client it doesn't work with either password or Kerberos
tickets.

What could be the problem?

Please let me know, thanks.
Bye, Morgan