[SSSD-users] Re: ldap_access_filter failure possibly caused by credentials/principle not found in Kerberos database

2016-09-19 Thread Sumit Bose
On Mon, Sep 19, 2016 at 05:38:05AM -, klin...@gmail.com wrote:
> Hi all,
> 
> I am configuring AD authentication by using SSSD+kerberos on our CentOS 6.7 
> cluster. The solution works fine so far except that we could not use 
> ldap_access_filter.
> 
> Whenever I enabled ldap_access_filter (add filter to ldap_access_order), all 
> SSH logins are denied. And the error messages are:
> 
> ==> /var/log/sssd/ldap_child.log <==
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437 [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438 [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501 [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502 [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503 
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
> 'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
> (Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503 [main] (0x0020): 
> ldap_child_get_tgt_sync failed.
> 
> But I believe the entry is in the keytab file already:

The message is coming from the KDC and since you are using AD
'NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' would be the right principal to use
because AD makes a difference between user-principal-names which can be
used for kinit and service-principal-names which can only be used for
services.

Do you have 'ldap_sasl_authid = NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU' set in
the domain section of your sssd.conf? If not please try if it works
after adding it.

> 
> [root@nerv-geofront ~]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>  
> --
>5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-crc)
>5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-md5)
>5 host/nerv-geofront.lo...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>5 host/nerv-geofront.lo...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>5 host/nerv-geofront.lo...@ad.example.edu.au (arcfour-hmac)
>5 host/nerv-geofr...@ad.example.edu.au (des-cbc-crc)
>5 host/nerv-geofr...@ad.example.edu.au (des-cbc-md5)
>5 host/nerv-geofr...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>5 host/nerv-geofr...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>5 host/nerv-geofr...@ad.example.edu.au (arcfour-hmac)
>5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
>5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
>5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
>5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
>5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
> 
> The error messages above appear only when I enabled ldap_access_filter, so I 
> think this is related to the kerberos keytab.

The ldap_access_filter based check is evaluated by the access_provider
in SSSD which can be configured independently of e.g. the id_provider.
If e.g. you use the ad id_provider, it will figure out the right
principal automatically. The ldap access_provider must be configured
explicitly to use it because it will pick the first entry from the
keytab which matches the realm.

HTH

bye,
Sumit

> 
> I am testing on sssd 1.12.4, samba 3.6.23.
> 
> Any idea will be appreciated.
> 
> Cheers,
> Derrick
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: ldap_access_filter failure possibly caused by credentials/principle not found in Kerberos database

2016-09-19 Thread Lukas Slebodnik
On (19/09/16 05:38), klin...@gmail.com wrote:
>Hi all,
>
>I am configuring AD authentication by using SSSD+kerberos on our CentOS 6.7 
>cluster. The solution works fine so far except that we could not use 
>ldap_access_filter.
>
>Whenever I enabled ldap_access_filter (add filter to ldap_access_order), all 
>SSH logins are denied. And the error messages are:
>
>==> /var/log/sssd/ldap_child.log <==
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437 [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438 [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501 [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502 [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503 [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>
>But I believe the entry is in the keytab file already:
>
>[root@nerv-geofront ~]# klist -ke
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
> --
>   5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-crc)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-md5)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (arcfour-hmac)
>   5 host/nerv-geofr...@ad.example.edu.au (des-cbc-crc)
>   5 host/nerv-geofr...@ad.example.edu.au (des-cbc-md5)
>   5 host/nerv-geofr...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>   5 host/nerv-geofr...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>   5 host/nerv-geofr...@ad.example.edu.au (arcfour-hmac)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
>
>The error messages above appear only when I enabled ldap_access_filter, so I 
>think this is related to the kerberos keytab.
>
>I am testing on sssd 1.12.4, samba 3.6.23.
>
Can you reproduce on CentOS 6.8? There is sssd 1.13.x.

BTW is there a reason for using ldap_access_filter?
Try to look into simple access provider (man sssd-simple)

LS