Well, I had to resort to adding a DEBUG() line to get_and_save_tgt() to print out the realm and princ, and it turned out there was a typo on the UPN in my Samba 4 directory entry for the user. I sort of expected it to be something stupid. On that note, do you have any suggestions on where more debugging could be added? If I have the cycles I was thinking of submitting a patch to make these issues easier to figure out.
Thanks!
cs

On Mon, Jan 28, 2013 at 2:56 AM, Jakub Hrozek <[email protected]> wrote:
> On Sun, Jan 27, 2013 at 02:23:03PM -0800, C. S. wrote:
> > Hi folks,
> >
> > Any help here would be appreciated, I don't seem to see what the issue is.
> > I can login using kinit just fine,
>
> Right, kinit bypasses the PAM stacks and talks directly to the libkrb5
> and the kdc.
>
> > but sssd fails when using ssh. It seems
> > like it has something to do with the files in /var/lib/sss/pubconf going
> > missing, which causes sssd-krb5 to fail with: Cannot find KDC for requested
> > realm.
>
> Yes, I think so too, but what puzzles me is that resolving went OK, then the
> kdcinfo files are written. Unfortunately there is no debug output unless
> there is an error, so we can't see the realm etc. The "No such file or
> directory" errors indicate that the krb5info files are indeed missing.
>
> Are there perhaps any AVC denials when the SSSD is attempting to write
> the kdcinfo files?
>
> Are you sure there is no typo in the realm name? Can you also kinit on the
> client machine, in other words, if you were testing by ssh testuser@testhost,
> can you kinit on testhost? What also seems strange to me is that if krb5.conf
> was configured correctly on the client machine, then I would expect the
> krb5 child process to use the KDC info from the krb5.conf file... by the
> time we reach the child process, it's mostly standard krb5 library calls.
>
> >
> > This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
> >
> > e.g. kinit login works:
> > [testuser@test01 ~]$ kinit
> > Password for [email protected]:
> > Warning: Your password will expire in 41 days on Sun Mar 10 19:01:44 2013
> > [testuser@test01 ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_501
> > Default principal: [email protected]
> >
> > Valid starting     Expires            Service principal
> > 01/27/13 22:13:00  01/28/13 08:13:00  krbtgt/[email protected]
> >         renew until 02/03/13 22:12:53
> > [testuser@test01 ~]$
> >
> >
> > But over ssh:
> >
> > /var/log/secure:
> > Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
> > user=testuser
> > Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot
> > find KDC for requested realm]
> > Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
> > user=testuser
> > Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user
> > testuser: 4 (System error)
> > Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from
> > 10.74.34.39 port 55143 ssh2
> > Jan 27 21:57:11 test1 sshd[2883]: Connection closed by 10.74.34.39
> >
> > sssd -i -d9 + SSSD_KRB5_LOCATOR_DEBUG=1 output:
>
> Thank you for providing the detailed debug logs.
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
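As an added example (not code from the thread or from SSSD), a small POSIX shell check that does mechanically what the DEBUG() line above revealed by hand: take the principal SSSD will use for a user, as derived from the directory UPN, and confirm that a kdcinfo file for its realm exists in the pubconf directory named in the thread. The principal strings, the KDC address and the temporary directory in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD itself. SSSD writes one
# kdcinfo.<REALM> file per resolved realm into its pubconf directory; if the
# realm in the user's principal (e.g. taken from a mistyped UPN) matches none
# of them, the krb5 child reports "Cannot find KDC for requested realm".
# Directory default is the one named in the thread; override via PUBCONF_DIR.

PUBCONF_DIR="${PUBCONF_DIR:-/var/lib/sss/pubconf}"

# Print the realm of a principal (text after the last '@'), upper-cased.
# Returns 1 when the principal has no realm part.
principal_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" | tr '[:lower:]' '[:upper:]' ;;
        *)   return 1 ;;
    esac
}

# check_kdcinfo PRINCIPAL [DIR]
# Returns 0 if a non-empty kdcinfo file exists for the principal's realm,
# 1 if the realm has no kdcinfo file (the failure mode seen in the thread),
# 2 if the principal carries no realm at all. Prints a one-line diagnosis.
check_kdcinfo() {
    princ="$1"
    dir="${2:-$PUBCONF_DIR}"
    realm=$(principal_realm "$princ") || {
        echo "no realm in principal '$princ'"
        return 2
    }
    file="$dir/kdcinfo.$realm"
    if [ -s "$file" ]; then
        echo "ok: $princ -> realm $realm, KDC(s): $(tr '\n' ' ' < "$file")"
        return 0
    fi
    known=$(ls "$dir" 2>/dev/null | sed -n 's/^kdcinfo\.//p' | tr '\n' ' ')
    echo "MISSING: $princ -> realm $realm has no $file (realms with kdcinfo: ${known:-none})"
    return 1
}

# Demo on a constructed pubconf directory, not on the live system.
demo() {
    tmp=$(mktemp -d)
    printf '10.0.0.5\n' > "$tmp/kdcinfo.EXAMPLE.COM"    # constructed KDC address
    check_kdcinfo 'testuser@EXAMPLE.COM' "$tmp"         # constructed, correct UPN
    check_kdcinfo 'testuser@EXMAPLE.COM' "$tmp" || true # constructed, realm typo
    rm -rf "$tmp"
}

demo
```

Run it as the user SSSD runs as, with PUBCONF_DIR unset, to check the live directory; a MISSING line for the realm of the user's real UPN points at the directory entry (or the realm name in sssd.conf) rather than at krb5.conf.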
