Turns out, krb5.conf permissions were incorrect. Before:
ls -l /etc/krb5.conf
-rw-------. 1 root root 719 May 12 14:09 /etc/krb5.conf

After:

ls -l /etc/krb5.conf
-rw-r--r--. 1 root root 719 May 12 14:09 /etc/krb5.conf

After making this change, users are now able to authenticate successfully.

Thanks,
~ abhi

Sent from my iPhone

> On May 12, 2017, at 1:22 PM, Abhijit Tikekar <abhijittike...@gmail.com> wrote:
>
> We are still unable to make SSSD work with RODC.
>
> While checking a few other logs, I came across the following under
> krb5_child.log. Does this help in isolating the issue in any way?
>
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt]
> (0x0400): TGT verified using key for [host/hostname.x.y.local@X.Y.LOCAL].
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]]
> [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656134: Retrieving
> first.last@X.Y.LOCAL -> host/hostname.x.y.local@X.Y.LOCAL from MEMORY:rd_req2
> with result: 0/Success
>
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]]
> [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656242: Retrieving
> host/hostname.x.y.local@X.Y.LOCAL from MEMORY:/etc/krb5.keytab (vno 5,
> enctype rc4-hmac) with result: 0/Success
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_send_pac]
> (0x0040): sss_pac_make_request failed [-1][2].
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt]
> (0x0040): sss_send_pac failed, group membership for user with principal
> [first.last\@ABC@X.Y.LOCAL] might not be correct.
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]]
> [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656339: Destroying
> ccache MEMORY:rd_req2
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]]
> [sss_get_ccache_name_for_principal] (0x4000): Location:
> [FILE:/var/tmp/krb5cc_233006683]
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]]
> [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed:
> [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache
> collection]
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [create_ccache]
> (0x0020): 733: [13][Permission denied]
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [map_krb5_error]
> (0x0020): 1301: [1432158209][Unknown code UUz 1]
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data]
> (0x0200): Received error code 1432158209
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [pack_response_packet]
> (0x2000): response packet size: [20]
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [main] (0x0400):
> krb5_child completed successfully
>
>
> Although, the file /var/tmp/krb5cc_233006683 doesn't exist.
>
>
>
> Under /var/log/secure, we are still getting the same error message when
> access is denied.
>
> May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd.x.y.local
> user=first.last
> May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): received for user
> first.last: 4 (System error)
>
>
> Thanks,
>
> ~ Abhi
>
>
> Sent from my iPhone
>
>> On Feb 21, 2017, at 9:48 AM, Abhijit Tikekar <abhijittike...@gmail.com>
>> wrote:
>>
>> Hi,
>>
>> I tried replacing KEYRING with a FILE option but same results.
>>
>> #default_ccache_name = KEYRING:persistent:%{uid}
>> default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
>>
>>
>> When I try using kinit -E, it asks for the principal password. But the
>> keytab was created using a "rndpass" option so I am not really sure what to
>> put as a password.
>>
>> ]# kinit -E
>> Password for host/hostname.x.y.local@X.Y.LOCAL:
>>
>> Here is the complete krb5.conf file:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>> default_realm = X.Y.LOCAL
>> #dns_lookup_realm = true
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> rdns = false
>> forwardable = true
>> #default_ccache_name = KEYRING:persistent:%{uid}
>> default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
>> default_keytab_name = /etc/krb5.keytab
>> [realms]
>> X.Y.LOCAL = {
>>   kdc = RODC.x.y.local:88
>>   admin_server = RODC.x.y.local:749
>>   default_domain = x.y.local
>> }
>> [domain_realm]
>> .x.y.local = X.Y.LOCAL
>> x.y.local = X.Y.LOCAL
>>
>>
>>
>>
>> Thanks,
>>
>> ~ Abhi
>>
>>
>>> On Tue, Feb 21, 2017 at 2:22 AM, Lukas Slebodnik <lsleb...@redhat.com>
>>> wrote:
>>> On (20/02/17 11:33), Abhijit Tikekar wrote:
>>> >Hi Jakub,
>>> >
>>> >ldap_id_mapping was set to "false" on this server. Once I set it to "true",
>>> >both id and getent started working. But the user authentication via SSH
>>> >still does not go through.
>>> >
>>> >We see the following in the SSSD logs (debug level set to 5):
>>> >
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info]
>>> >(0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
>>> >(0x0100): Trying to resolve service 'AD_GC'
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
>>> >[be_resolve_server_process] (0x0200): Found address for server
>>> >RODC.x.y.local: [RODC IP] TTL 7200
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>>> >(0x0100): Constructed uri 'ldap://RODC.x.y.local'
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>>> >(0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
>>> >[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
>>> >level to [6]
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
>>> >(0x0100): Trying to resolve service 'AD'
>>> >(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]]
>>> >[be_resolve_server_process] (0x0200): Found address for server
>>> >RODC.x.y.local: [RODC IP] TTL 7200
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step]
>>> >(0x0100): expire timeout is 900
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100):
>>> >Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler]
>>> >(0x0100): child [17466] finished successfully.
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status]
>>> >(0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status]
>>> >(0x0100): Marking server 'RODC.x.y.local' as 'working'
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]]
>>> >[sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for
>>> >SID S-1-5-21-<....ID....>
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback]
>>> >(0x0100): Request processed. Returned 0,0,Success
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100):
>>> >Got request with the following data
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >command: SSS_PAM_AUTHENTICATE
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >domain: x.y.local
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >user: first.last
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >service: sshd
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >tty: ssh
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >ruser:
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >rhost: remote_host.x.y.local
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >authtok type: 1
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >newauthtok type: 0
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >priv: 1
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >cli_pid: 17465
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100):
>>> >logon name: not set
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100):
>>> >Home directory for user [first.last] not known.
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send]
>>> >(0x0100): Trying to resolve service 'AD'
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]]
>>> >[be_resolve_server_process] (0x0200): Found address for server
>>> >RODC.x.y.local: [RODC IP] TTL 7200
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>>> >(0x0100): Constructed uri 'ldap://RODC.x.y.local'
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback]
>>> >(0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
>>> >(0x0100): Backend returned: (0, 4, <NULL>) [Success]
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
>>> >(0x0100): Sending result [4][x.y.local]
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback]
>>> >(0x0100): Sent result [4][x.y.local]
>>> >(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler]
>>> >(0x0100): child [17467] finished successfully.
>>> >
>>> >
>>> >
>>> >*And the following under /var/log/secure*
>>> >
>>> >Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication
>>> >failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local
>>> >user=first.last
>>> >Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication
>>> >failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local
>>> >user=first.last
>>> >Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user
>>> >first.last: 4 (System error)
>>> >Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure
>>> >for first.last from remote_host.x.y.local
>>> >
>>> >
>>> >*Under krb5_child.log*
>>> >
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer]
>>> >(0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true]
>>> >enterprise principal [true] offline [false] UPN [first.l...@company.com]
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer]
>>> >(0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set]
>>> >keytab: [/etc/krb5.keytab]
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast]
>>> >(0x0100): Not using FAST.
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>>> >[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user]
>>> >(0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>>> >[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
>>> >from environment.
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>>> >[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
>>> >environment.
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]]
>>> >[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac]
>>> >(0x0040): sss_pac_make_request failed [-1][2].
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt]
>>> >(0x0040): sss_send_pac failed, group membership for user with principal
>>> >[first.last\@COMPANY.COM@x.y.local] might not be correct.
>>> >(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache]
>>> >(0x0020): 733: [13][Permission denied]
>>> Here is the problem.
>>>
>>> sssd failed to initialize krb5 context for some reason.
>>>
>>> kerr = krb5_init_context(&kctx);
>>>
>>> I can see that it tried to use keyring ccache. "ccname:
>>> [KEYRING:persistent:xxxxxxxx]". Does it work with FILE cache?
>>> Because IIRC there is KEYRING ccache in rhel6 but it does not support
>>> collections ccache as in el7.
>>>
>>> Are you able to kinit from command line?
>>>
>>> I can also see that it tried to kinit with enterprise principal.
>>>
>>> Are you able to kinit with it? "kinit -E"
>>>
>>> Could you share your krb5.conf?
>>>
>>> LS
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>
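The resolution in the thread (krb5.conf was 0600, and authentication started working at 0644) follows from the order of operations visible in krb5_child.log: the keytab is read while krb5_child is still privileged (privileged_krb5_setup, and the keytab later shows up as MEMORY:/etc/krb5.keytab), then the process drops to the authenticating user (become_user) and only afterwards initialises the Kerberos library, which has to read krb5.conf as that unprivileged user; that is where "[13][Permission denied]" comes from. The check below is an added example written for this page, not code from the thread or from the SSSD project. It verifies both halves of that requirement: krb5.conf must be readable by everyone (it holds no secrets), and the keytab must not be. File paths default to the ones in the thread; the demo runs on constructed temporary files so it never touches /etc. It assumes GNU stat (with a BSD fallback) and a POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread or SSSD): permission checks for the two
# files SSSD's krb5_child depends on. krb5_child reads the keytab while still
# root and then drops privileges before calling krb5_init_context(), so
# krb5.conf must be readable by the user being authenticated, while the keytab
# must stay root-only.

# file_mode FILE -> prints the octal permission bits, e.g. 644.
# Assumption: GNU coreutils stat; falls back to the BSD stat syntax.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# other_can_read FILE -> exit 0 if the "other" class has the read bit.
other_can_read() {
    mode=$(file_mode "$1") || return 2
    other=${mode#"${mode%?}"}          # last octal digit = "other" permission bits
    [ $(( other & 4 )) -eq 4 ]
}

# check_krb5conf [FILE] -> exit 0 if krb5_child can still read it after become_user.
check_krb5conf() {
    f=${1:-/etc/krb5.conf}
    if other_can_read "$f"; then
        echo "OK   $f mode $(file_mode "$f"): readable after privilege drop"
        return 0
    fi
    echo "FAIL $f mode $(file_mode "$f"): unprivileged krb5_init_context will fail" \
         "with [13][Permission denied]; expected 0644" >&2
    return 1
}

# check_keytab [FILE] -> exit 0 if the keytab is NOT readable by others.
check_keytab() {
    f=${1:-/etc/krb5.keytab}
    if other_can_read "$f"; then
        echo "FAIL $f mode $(file_mode "$f"): keytab is world-readable; expected 0600" >&2
        return 1
    fi
    echo "OK   $f mode $(file_mode "$f"): keytab not readable by others"
    return 0
}

# demo: reproduce the thread's "before" and "after" states on constructed temp
# files (so it runs offline and leaves /etc alone).
demo() {
    d=$(mktemp -d)
    printf '[libdefaults]\ndefault_realm = X.Y.LOCAL\n' > "$d/krb5.conf"
    : > "$d/krb5.keytab"
    chmod 0600 "$d/krb5.conf" "$d/krb5.keytab"   # "before": conf is root-only -> FAIL
    check_krb5conf "$d/krb5.conf" || true
    check_keytab   "$d/krb5.keytab"
    chmod 0644 "$d/krb5.conf"                     # "after": conf world-readable -> OK
    check_krb5conf "$d/krb5.conf"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check_krb5_perms.sh demo` for the walkthrough, or source it and call `check_krb5conf` and `check_keytab` with no arguments against the real files. The two checks pull in opposite directions on purpose: the fix for the thread's symptom is to loosen krb5.conf, never the keytab, and a script that only tests "can the user read it" would happily accept a world-readable keytab.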