On Thu, May 10, 2018 at 09:03:42AM -0400, TomK wrote:
> Hey Guys,
>
> I've the following scenario:
>
> 1) srv-remote01 is behind a firewall. We typically use adcli to add hosts
> to AD but in this case port 464 is blocked so we can't use adcli on
> srv-remote01 since it errors out on the blocked port. Other ports are open
> however so normal sssd function can work once connection is established and
> krb5.keytab is generated.

464 is the kpasswd port and adcli uses it to set the machine account
password, so it is crucial for joining with adcli.

>
> 2) Since we can't get through port 464, we run the adcli on another machine
> within the same domain (MYDOM.ABC) to generate a keytab and copy over to the
> target machine srv-remote01.
>
> 3) Computer object in AD is called ad-srv-remote01. The command we use is
> below. Note, --computer-name is set to the AD attribute type
> sAMAccountName.

Why is 'srv-remote01' used as the hostname but the AD object is called
'ad-srv-remote01'? It would make things easier if the same name were used.

>
> adcli join --host-fqdn=srv-remote01 --domain=mdom.abc
> --computer-name=AD-SRV-REMOTE01 --login-user=adsrvacct01 -v -S
> rem-addc-01.mdom.abc --domain-ou="OU=Linux,OU=Servers
> Group,OU=Servers,OU=MDOM,DC=MDOM,DC=abc" --os-name="CentOS7"
> --os-version="6.7" --show-details --show-password
>
>
> So we try to use another host (i.e. srv-local01) on the same domain to
> create a keytab while ensuring KVNO numbers match. But there's an issue
> with that as well. When we run the above, the entries in the krb5.keytab
> begin with AD-SRV-REMOTE01.
>
> So we manually use ktutil and addent to add the corresponding
> [email protected] entries etc., using the same 120-character password
> adcli returns (due to --show-password) above, ensuring our objects in the
> keytab all have the same password. All this because when SSSD talks to AD,
> it tries to find the true host by using SRV-REMOTE01 not the AD computer
> object name AD-SRV-REMOTE01.

You can use ldap_sasl_authid = [email protected] to tell SSSD to use a
different principal. By default SSSD will take the hostname (see above) and
add the realm (and the '$' sign for AD).

IIRC AD uses a different type of salt for user and computer objects in the
keys and unfortunately ktutil has no option to change the salt. But if you
call 'list -k' in ktutil it will show you the key and you can create new
entries with this key with the -key option of addent. (Btw, this underlines
why it is important to restrict access to keytab files, they are as good as
passwords.)

I'm not sure which fix would be best for your environment but I hope one is
suitable for you.

bye,
Sumit

>
> However, when we try to use this keytab, we get the below set of errors.
>
> Tried with SSSD 1.12 and SSSD 1.15. Same result. Assume opening up the
> firewall right now is not an option.
>
> Any way around this? Other than that message, there's very little more
> that's printed indicating the real cause of the failure. Is there a way to
> print more info around the -1765328360/Preauthentication failed error? It
> could be due to a number of things but it's not indicated.
>
> --
> Cheers,
> Tom K.
> -------------------------------------------------------------------------------------
>
> [sssd[be[MDOM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
> [sssd[be[MDOM]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
> [sssd[be[MDOM]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)
> [sssd[be[MDOM]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
>
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400): ldap_child started.
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000): context initialized
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x1000): total buffer size: 41
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x1000): realm_str size: 9
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x1000): got realm_str: MDOM.ABC
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x1000): princ_str size: 8
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x1000): got princ_str: SRV-REMOTE01$
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x1000): keytab_name size: 0
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x1000): lifetime: 86400
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer] (0x0200): Will run as [0][0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000): Kerberos context initialized
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user] (0x0200): Trying to become user [0][0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user] (0x0200): Already user [0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000): Running as [0][0].
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000): getting TGT sync
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [MDOM.ABC]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803319: Getting initial credentials for [email protected]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803467: Looked up etypes in keytab: aes256-cts
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803508: Sending request (171 bytes) to MDOM.ABC
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803735: Initiating TCP connection to stream 123.123.123.123:88
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.805585: Sending TCP request to stream 123.123.123.123:88
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809430: Received answer from stream 123.123.123.123:88
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809554: Response was from master KDC
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809607: Received error from KDC: -1765328359/Additional pre-authentication required
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809681: Processing preauth types: 11, 19, 2, 16, 15
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809710: Selected etype info: etype rc4-hmac, salt "", params ""
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809755: Selected etype info: etype rc4-hmac, salt "", params ""
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809799: Retrieving [email protected] from MEMORY:/etc/krb5.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809842: AS key obtained for encrypted timestamp: rc4-hmac/7361
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809932: Encrypted timestamp (for 1525932937.809866): plain 301AA011180F32303138303531303036313533375AA10502030C5B8A, encrypted E38D66FB781CE178E10659E2F3770F5109454EE5808B5929B17D113D2621E30DF3C79F819517A1AED46BD734F55092F36B343BCD
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809958: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809974: Produced preauth for next request: 2
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810004: Sending request (245 bytes) to MDOM.ABC
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810100: Initiating TCP connection to stream 123.123.123.123:88
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.811915: Sending TCP request to stream 123.123.123.123:88
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.819955: Received answer from stream 123.123.123.123:88
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820056: Response was from master KDC
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820086: Received error from KDC: -1765328360/Preauthentication failed
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820121: Preauth tryagain input types: 11, 19, 2, 16, 15
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_MDOM.ABC_1KdDyX]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer] (0x2000): response size: 44
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
> (Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400): ldap_child completed successfully
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
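An added example, not from this thread and not SSSD's or adcli's code: a small Python check that parses an MIT keytab (format version 0x0502) and reports whether the principal SSSD will request (by default the uppercased short hostname plus '$' and the realm, as the log's princ_str SRV-REMOTE01$ shows, or whatever ldap_sasl_authid is set to) is actually present and with which KVNO. The keytab bytes are constructed inline with dummy keys; on a real host you would pass it the bytes of /etc/krb5.keytab.

```python
import struct
# Added example, not SSSD/adcli code: a minimal MIT keytab (version 0x0502,
# big-endian) writer/reader used to check which principal a keytab really holds.

def _cstr(b):  # counted octet string: 16-bit length + bytes
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal, kvno, enctype, key):
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">h", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">iIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def _read_cstr(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):  # -> [(principal, kvno, enctype), ...] for live entries
    assert data[:2] == b"\x05\x02", "only keytab format version 0x0502 is handled"
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0: off -= size; continue  # negative size marks a deleted slot
        end = off + size
        (ncomp,) = struct.unpack_from(">h", data, off)
        parts, off = [], off + 2
        for _ in range(ncomp + 1):  # realm first, then the name components
            p, off = _read_cstr(data, off)
            parts.append(p.decode())
        _, _, vno8, enctype = struct.unpack_from(">iIBH", data, off)
        _, off = _read_cstr(data, off + 11)  # skip the key material itself
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno, enctype))
        off = end
    return entries

def sssd_default_principal(hostname, realm):  # what the log shows SSSD trying
    return hostname.split(".")[0].upper() + "$@" + realm

def check_keytab(data, wanted):  # (present?, KVNOs of wanted, all KVNOs in keytab)
    entries = parse_keytab(data)
    mine = sorted({k for p, k, _ in entries if p == wanted})
    return bool(mine), mine, sorted({k for _, k, _ in entries})

# Constructed sample resembling adcli's output for the AD object (18 = aes256-cts)
SAMPLE = b"\x05\x02" + keytab_entry("AD-SRV-REMOTE01$@MDOM.ABC", 3, 18, b"\0" * 32) \
       + keytab_entry("host/srv-remote01.mdom.abc@MDOM.ABC", 3, 18, b"\0" * 32)
```

Running check_keytab(SAMPLE, sssd_default_principal("srv-remote01", "MDOM.ABC")) reports the principal as absent even though the KVNOs line up, which is the mismatch the thread describes; the same check passes once the keytab holds the principal named in ldap_sasl_authid.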
