Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server
I've found the problem, using DEBUG3 in the SSH service:
-
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure.  Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type 45
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 30 08:52:47 myserver sshd[9639]: debug1: Received SSH2_MSG_UNIMPLEMENTED for 7 [preauth]

My client was 4 minutes ahead of the IPA server. After syncing time via ntpdate, Kerberos ticket authentication works correctly.

Thanks for your support, bye.
Morgan

2015-11-27 18:38 GMT+01:00 Sumit Bose:

> On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> > Yes:
> > --
> > # ls -l /var/lib/sss/pubconf/krb5.include.d/
> > total 8
> > -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> > -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> >
> > So what could I try to do?
>
> 'getent passwd' should return the same entry for the user name you use
> at the login prompt and the Kerberos principal (it's the name shown by
> klist in the 'Default principal:' line) e.g.:
>
> # getent passwd tu1@ad.devel
> tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
> # getent passwd tu1@AD.DEVEL
> tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
>
> From the logs I guess you used the name 'morgan.maro...@mydomain.com' at
> the login prompt.
>
> I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
> client with klist if you got a service ticket for your linux client
> principal which should look like host/linux.client.name@IPA.DOMAIN. On
> Windows there is klist for the cmd shell as well.
>
> Additionally if there is a service ticket for the linux host sshd debug
> logs from the linux host would be useful. For this please set LogLevel to
> DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
> confidential keys or passwords).
>
> bye,
> Sumit
>
> > Thanks, Morgan
> >
> > 2015-11-27 17:47 GMT+01:00 Sumit Bose:
> >
> > > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > > Hi Sumit.
> > > >
> > > > I don't know why, but now kerberos ticket authentication is working on
> > > > 6.7 clients.
> > > > On 7.2 clients now password authentications with Active Directory
> > > > credentials is working ... but not with kerberos ticket.
> > >
> > > This is most likely due to some issues while mapping the Kerberos
> > > principal to the local user name.
> > >
> > > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > > the beginning of your krb5.conf file? Does
> > > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> > >
> > > bye,
> > > Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
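The sshd DEBUG3 lines quoted in the message above are the sort of thing worth picking out of an auth log automatically: the GSSAPI minor-code text names the real cause ("Clock skew too great"), while the later "Got no client credentials" and "userauth_finish: failure" lines are only consequences. The Python below is an added example, not code from this thread or from the SSSD, FreeIPA or OpenSSH projects. It classifies known GSSAPI failure lines in syslog-style sshd output and checks a measured clock offset against the MIT Kerberos default clockskew of 300 seconds. The sample lines are re-typed from the thread; the function names (triage, clock_skew_seconds, skew_exceeds_limit), the label/hint table and the ISO timestamps in the usage section are my own constructions.

```python
import re
from datetime import datetime

# Constructed sample: the sshd DEBUG3 lines quoted in this thread, re-typed.
# The literal "\n" pairs are how syslog records the embedded newlines of the
# GSSAPI error text, so they are kept as two characters here.
SAMPLE_SSHD_LINES = [
    "Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure. "
    "Minor code may provide more information\\nClock skew too great\\n",
    "Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials",
    "Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type 45",
    "Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 "
    'next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]',
]

# MIT Kerberos default for the libdefaults 'clockskew' setting, in seconds.
DEFAULT_CLOCKSKEW = 300

# Most specific pattern first: the "Clock skew too great" minor code sits on
# the same line as the generic "Unspecified GSS failure" text. The labels and
# hints are this example's own vocabulary, not sshd's.
FAILURE_PATTERNS = [
    (re.compile(r"Clock skew too great"), "clock_skew",
     "client, KDC and target host clocks differ by more than the permitted "
     "clockskew; check NTP/chrony on all three"),
    (re.compile(r"Got no client credentials"), "no_client_creds",
     "sshd obtained no usable GSSAPI credential; normally a consequence of "
     "the GSS failure logged just before it"),
    (re.compile(r"Unspecified GSS failure\."), "gss_failure",
     "generic GSS failure; the minor-code text on the same line names the cause"),
]

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]:"
SYSLOG_PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:"
)


def triage(lines):
    """Return (label, hint, pid) for each line matching a known GSSAPI failure."""
    findings = []
    for line in lines:
        for pattern, label, hint in FAILURE_PATTERNS:
            if pattern.search(line):
                m = SYSLOG_PREFIX_RE.match(line)
                pid = int(m["pid"]) if m else None
                findings.append((label, hint, pid))
                break  # one label per line, the most specific one
    return findings


def clock_skew_seconds(client_iso, server_iso):
    """Absolute offset between two ISO-8601 timestamps written in the same form
    (both naive or both with a UTC offset), e.g. the output of 'date -Is' on each box."""
    a = datetime.fromisoformat(client_iso)
    b = datetime.fromisoformat(server_iso)
    return abs((a - b).total_seconds())


def skew_exceeds_limit(client_iso, server_iso, max_skew=DEFAULT_CLOCKSKEW):
    """True when the offset is larger than a KDC or service would tolerate."""
    return clock_skew_seconds(client_iso, server_iso) > max_skew


if __name__ == "__main__":
    for label, hint, pid in triage(SAMPLE_SSHD_LINES):
        print(f"sshd[{pid}] {label}: {hint}")
    # constructed timestamps: client seven minutes ahead of the server
    print("skew too large:", skew_exceeds_limit("2015-11-30T08:59:47", "2015-11-30T08:52:47"))
```

The skew check is deliberately a separate function from the log triage: the log tells you that a skew rejection happened, but only comparing the clocks of the client, the KDC and the SSH host (for example by running the same date command on each and feeding the results in) tells you which one has drifted and by how much.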
Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server
On Fri, Nov 27, 2015 at 04:31:49PM +0100, Morgan Marodin wrote:
> Hi everyone.
>
> After updating my FreeIPA server to 7.2 OS version (it's a RHEL like
> distribution) I've some problems authenticating with Active Directory
> credentials.
>
> Testing it on 6.7 OS clients it works using Windows password, but using
> ticket kerberos it doesn't work.
>
> Testing it on 7.2 client it doesn't work either with password and kerberos
> tickets.

Let's first start with password authentication. For this we need SSSD logs.
Please see https://fedorahosted.org/sssd/wiki/Troubleshooting how to change
the debug levels. The pam and domains logs would be useful. If you prefer
you can send the logs to me directly.

bye,
Sumit

> What could be the problem?
>
> Please let me know, thanks.
> Bye, Morgan
Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server
On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> Hi Sumit.
>
> I don't know why, but now kerberos ticket authentication is working on 6.7
> clients.
> On 7.2 clients now password authentications with Active Directory
> credentials is working ... but not with kerberos ticket.

This is most likely due to some issues while mapping the Kerberos
principal to the local user name.

Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
the beginning of your krb5.conf file? Does
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?

bye,
Sumit
Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server
On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> Yes:
> --
> # ls -l /var/lib/sss/pubconf/krb5.include.d/
> total 8
> -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
>
> So what could I try to do?

'getent passwd' should return the same entry for the user name you use
at the login prompt and the Kerberos principal (it's the name shown by
klist in the 'Default principal:' line) e.g.:

# getent passwd tu1@ad.devel
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
# getent passwd tu1@AD.DEVEL
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh

From the logs I guess you used the name 'morgan.maro...@mydomain.com' at
the login prompt.

I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
client with klist if you got a service ticket for your linux client
principal which should look like host/linux.client.name@IPA.DOMAIN. On
Windows there is klist for the cmd shell as well.

Additionally if there is a service ticket for the linux host sshd debug
logs from the linux host would be useful. For this please set LogLevel to
DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
confidential keys or passwords).

bye,
Sumit

> Thanks, Morgan
>
> 2015-11-27 17:47 GMT+01:00 Sumit Bose:
>
> > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > Hi Sumit.
> > >
> > > I don't know why, but now kerberos ticket authentication is working on
> > > 6.7 clients.
> > > On 7.2 clients now password authentications with Active Directory
> > > credentials is working ... but not with kerberos ticket.
> >
> > This is most likely due to some issues while mapping the Kerberos
> > principal to the local user name.
> >
> > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > the beginning of your krb5.conf file? Does
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> >
> > bye,
> > Sumit
Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server
Hi Sumit.

I don't know why, but now kerberos ticket authentication is working on 6.7
clients.
On 7.2 clients now password authentications with Active Directory
credentials is working ... but not with kerberos ticket.

Here are my 7.2 client SSSD logs:
---
==> /var/log/sssd/sssd_nss.log <==
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[2383].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f56192197a0][21]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [morgan.maro...@mydomain.com].
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'morgan.maro...@mydomain.com' matched expression for domain 'mydomain.com', user is morgan.marodin
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [morgan.marodin] from [mydomain.com]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/mydomain.com/morgan.marodin]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [morgan.maro...@mydomain.com]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f5619210d40
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f5619217200
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x7f5619210d40 "ltdb_callback"
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x7f5619217200 "ltdb_timeout"
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x7f5619210d40 "ltdb_callback"
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [morgan.maro...@mydomain.com]
(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f56192197a0][21]

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging ipa.mydomain.com
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000): 0x7fad1ed51b10
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000): 0x7fad1ed3c400

==> /var/log/sssd/sssd_ipa.mydomain.com.log <==
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x7fc5b4628010
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]] [sbus_dispatch] (0x4000): Dispatching.

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging sudo

==> /var/log/sssd/sssd_ipa.mydomain.com.log <==
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

==> /var/log/sssd/sssd_nss.log <==
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x7f5619211cf0
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000): 0x7fad1ed51d40
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000): 0x7fad1ed467b0
(Fri Nov 27 17:12:52 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh

==> /var/log/sssd/sssd_ipa.mydomain.com.log <==

==> /var/log/sssd/sssd_nss.log <==
(Fri Nov 27 17:12:52 2015) [sssd[nss]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

==> /var/log/sssd/sssd.log <==
(Fri Nov 27 17:12:52 2015) [sssd] [sbus_add_timeout] (0x2000): 0x7fad1ed3fd40
(Fri Nov 27 17:12:52 2015)
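Logs like the ones above are mostly 0x4000/0x2000 tracing noise; the line that answers Sumit's question about principal-to-user mapping is the single sss_parse_name_for_domains record, which shows what name the client typed and which domain and user SSSD resolved it to. The Python below is an added example, not code from this thread or from the SSSD project: it parses the SSSD debug record format "(timestamp) [component] [function] (0xLEVEL): message", filters records by the debug_level bitmask, and pulls out the name-resolution results. The sample records are re-typed from the thread (including the thread's own elided placeholder name); the function names parse_line, filter_records and name_resolutions are my own.

```python
import re

# Constructed sample: a handful of the SSSD debug lines quoted in this thread,
# re-typed here (the names are the thread's own placeholders, kept as written).
SAMPLE_SSSD_LINES = [
    "(Fri Nov 27 17:12:51 2015) [sssd[nss]] [reset_idle_timer] (0x4000): "
    "Idle timer re-set for client [0x7f56192197a0][21]",
    "(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): "
    "Running command [17] with input [morgan.maro...@mydomain.com].",
    "(Fri Nov 27 17:12:51 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): "
    "name 'morgan.maro...@mydomain.com' matched expression for domain 'mydomain.com', "
    "user is morgan.marodin",
    "(Fri Nov 27 17:12:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): "
    "Requesting info for [morgan.marodin] from [mydomain.com]",
    "(Fri Nov 27 17:12:51 2015) [sssd[nss]] [check_cache] (0x0400): "
    "Cached entry is valid, returning..",
    "(Fri Nov 27 17:12:52 2015) [sssd[be[ipa.mydomain.com]]] [sbus_dispatch] (0x4000): "
    "dbus conn: 0x7fc5b4628010",
    "==> /var/log/sssd/sssd.log <==",  # 'tail -f' file header, not an SSSD record
]

# One SSSD debug record. The component may itself contain brackets
# ("sssd[be[ipa.mydomain.com]]"), so it is matched greedily and the function
# name and hex level after it pin down where it ends.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+)\] \[(?P<func>[A-Za-z0-9_]+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)

# The message sss_parse_name_for_domains emits when a name matches a domain's
# re_expression; it tells you which domain and short user name SSSD chose.
NAME_MATCH_RE = re.compile(
    r"name '(?P<raw>[^']+)' matched expression for domain '(?P<domain>[^']+)', "
    r"user is (?P<user>\S+)"
)


def parse_line(line):
    """Split one SSSD debug record into its fields; return None for non-records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)  # debug_level is a bitmask; keep it numeric
    return rec


def filter_records(lines, level_mask):
    """Keep records whose level bit is set in level_mask, e.g. 0x0100 | 0x0200
    to see configuration/operation messages without the 0x2000/0x4000 tracing."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] & level_mask:
            kept.append(rec)
    return kept


def name_resolutions(lines):
    """Return (typed_name, domain, short_user) for every name-to-domain match."""
    found = []
    for rec in filter_records(lines, 0xFFFF):
        if rec["func"] == "sss_parse_name_for_domains":
            m = NAME_MATCH_RE.search(rec["msg"])
            if m:
                found.append((m["raw"], m["domain"], m["user"]))
    return found


if __name__ == "__main__":
    for rec in filter_records(SAMPLE_SSSD_LINES, 0x0100 | 0x0200):
        print(f"{rec['ts']} {rec['comp']} {rec['func']}: {rec['msg']}")
    for typed, domain, user in name_resolutions(SAMPLE_SSSD_LINES):
        print(f"login name {typed!r} -> domain {domain}, user {user}")
```

Reading the mapping this way makes the comparison Sumit asks for mechanical: the short user and domain SSSD derives from the login-prompt name can be compared with the principal that klist shows (user@REALM, realm upper-cased), and any difference points at the re_expression or localauth configuration rather than at the KDC.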
Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server
Yes:
--
# ls -l /var/lib/sss/pubconf/krb5.include.d/
total 8
-rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
-rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin

So what could I try to do?

Thanks, Morgan

2015-11-27 17:47 GMT+01:00 Sumit Bose:

> On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > Hi Sumit.
> >
> > I don't know why, but now kerberos ticket authentication is working on
> > 6.7 clients.
> > On 7.2 clients now password authentications with Active Directory
> > credentials is working ... but not with kerberos ticket.
>
> This is most likely due to some issues while mapping the Kerberos
> principal to the local user name.
>
> Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> the beginning of your krb5.conf file? Does
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
>
> bye,
> Sumit
[Freeipa-users] Problem with AD authentication after updating to 7.2 OS server
Hi everyone.

After updating my FreeIPA server to 7.2 OS version (it's a RHEL like
distribution) I've some problems authenticating with Active Directory
credentials.

Testing it on 6.7 OS clients it works using Windows password, but using
ticket kerberos it doesn't work.

Testing it on 7.2 client it doesn't work either with password and kerberos
tickets.

What could be the problem?

Please let me know, thanks.
Bye, Morgan