On 5/11/2018 4:21 AM, Sumit Bose wrote:
On Thu, May 10, 2018 at 09:03:42AM -0400, TomK wrote:
Hey Guys,
I've the following scenario:
1) srv-remote01 is behind a firewall. We typically use adcli to add hosts
to AD but in this case port 464 is blocked so we can't use adcli on
srv-remote01 since it errors out on the blocked port. Other ports are open
however, so normal sssd function can work once a connection is established and
krb5.keytab is generated.
464 is the kpasswd port and adcli uses it to set the machine account
password, so it is crucial for joining with adcli.
2) Since we can't get through port 464, we run the adcli on another machine
within the same domain (MYDOM.ABC) to generate a keytab and copy over to the
target machine srv-remote01.
3) The computer object in AD is called ad-srv-remote01. The command we use is
below. Note, --computer-name is set to the AD attribute type
sAMAccountName.
Why is 'srv-remote01' used as the hostname but the AD object is called
'ad-srv-remote01'? It would make things easier if the same name would be
used.
It's an older inherited SSSD setup that wasn't done right. Hence the
ask. Before things get cleaned up, which may take time, we need the
functionality in the interim.
adcli join --host-fqdn=srv-remote01 --domain=mdom.abc \
  --computer-name=AD-SRV-REMOTE01 --login-user=adsrvacct01 -v \
  -S rem-addc-01.mdom.abc \
  --domain-ou="OU=Linux,OU=Servers Group,OU=Servers,OU=MDOM,DC=MDOM,DC=abc" \
  --os-name="CentOS7" --os-version="6.7" --show-details --show-password
So we try to use another host (i.e. srv-local01) on the same domain to
create a keytab while ensuring the KVNO numbers match. But there's an issue
with that as well. When we run the above, the entries in the krb5.keytab
begin with AD-SRV-REMOTE01.
So we manually use ktutil and addent to add the corresponding
[email protected] entries etc., using the same 120-character password
adcli returns (due to --show-password) above, ensuring our objects in the
keytab all have the same password. All this because when SSSD talks to AD,
it tries to find the true host by using SRV-REMOTE01, not the AD computer
object name AD-SRV-REMOTE01.
You can use
ldap_sasl_authid = [email protected]
Thank you for this. Going to give it a shot.
to tell SSSD to use a different principal. By default SSSD will take the
hostname (see above) and add the realm (and the '$' sign for AD).
IIRC AD uses a different type of salt for user and computer objects in the
keys and unfortunately ktutil has no option to change the salt. But if
you call 'list -k' in ktutil it will show you the key and you can
create new entries with this key with the -key option of addent. (Btw,
this underlines why it is important to restrict access to keytab files;
they are as good as passwords.)
I'm not sure which fix would be best for your environment but I hope one
is suitable for you.
bye,
Sumit
However, when we try to use this keytab, we get the below set of errors.
Tried with SSSD 1.12 and SSSD 1.15. Same result. Assume opening up the
firewall right now is not an option.
Any way around this? Other than that message, there's very little more
that's printed indicating the real cause of the failure. Is there a way to
print more info around the -1765328360/Preauthentication failed error? It
could be due to a number of things but it's not indicated.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
[sssd[be[MDOM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14
[Preauthentication failed], expired on [0]
[sssd[be[MDOM]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad
address]
[sssd[be[MDOM]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret
[1432158226](Authentication Failed)
[sssd[be[MDOM]]] [sdap_cli_connect_recv] (0x0040): Unable to establish
connection [13]: Permission denied
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400):
ldap_child started.
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
context initialized
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): total buffer size: 41
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): realm_str size: 9
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): got realm_str: MDOM.ABC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): princ_str size: 8
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): got princ_str: SRV-REMOTE01$
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): keytab_name size: 0
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): lifetime: 86400
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x0200): Will run as [0][0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[privileged_krb5_setup] (0x2000): Kerberos context initialized
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
Kerberos context initialized
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user]
(0x0200): Trying to become user [0][0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user]
(0x0200): Already user [0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
Running as [0][0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
getting TGT sync
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x2000): got realm_name: [MDOM.ABC]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[[email protected]]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803319: Getting
initial credentials for [email protected]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803467: Looked up
etypes in keytab: aes256-cts
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803508: Sending
request (171 bytes) to MDOM.ABC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803735: Initiating
TCP connection to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.805585: Sending TCP
request to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809430: Received
answer from stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809554: Response was
from master KDC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809607: Received
error from KDC: -1765328359/Additional pre-authentication required
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809681: Processing
preauth types: 11, 19, 2, 16, 15
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809710: Selected
etype info: etype rc4-hmac, salt "", params ""
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809755: Selected
etype info: etype rc4-hmac, salt "", params ""
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809799: Retrieving
[email protected] from MEMORY:/etc/krb5.keytab (vno 0, enctype
rc4-hmac) with result: 0/Success
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809842: AS key
obtained for encrypted timestamp: rc4-hmac/7361
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809932: Encrypted
timestamp (for 1525932937.809866): plain
301AA011180F32303138303531303036313533375AA10502030C5B8A, encrypted
E38D66FB781CE178E10659E2F3770F5109454EE5808B5929B17D113D2621E30DF3C79F819517A1AED46BD734F55092F36B343BCD
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809958: Preauth
module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809974: Produced
preauth for next request: 2
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810004: Sending
request (245 bytes) to MDOM.ABC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810100: Initiating
TCP connection to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.811915: Sending TCP
request to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.819955: Received
answer from stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820056: Response was
from master KDC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820086: Received
error from KDC: -1765328360/Preauthentication failed
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820121: Preauth
tryagain input types: 11, 19, 2, 16, 15
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials:
Preauthentication failed
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[unique_filename_destructor] (0x2000): Unlinking
[/var/lib/sss/db/ccache_MDOM.ABC_1KdDyX]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0020):
ldap_child_get_tgt_sync failed.
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [prepare_response]
(0x0400): Building response for result [-1765328360]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer]
(0x2000): response size: 44
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer]
(0x1000): result [14] krberr [-1765328360] msgsize [24] msg
[Preauthentication failed]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400):
ldap_child completed successfully
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
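An added pre-flight check for the hand-built keytab discussed in this thread (example code, not from the thread and not part of SSSD or adcli): it parses the MIT keytab format and confirms that every key adcli wrote under the AD computer-object name also exists under the hostname principal SSSD will use, with the same kvno and byte-identical key material. The keytab bytes, the kvno and the key values are constructed fixtures; the BAD sample reverses the key bytes to stand in for an entry derived from the password under a different salt, which is exactly the mismatch the 'list -k' / 'addent -key' copy avoids.

```python
import struct

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a v2 MIT keytab (fixture writer)."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, enctype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm, *comps]:                      # realm first, then name components
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return the live entries of a v2 MIT keytab as dicts (principal, kvno, enctype, key)."""
    assert data[:2] == b"\x05\x02", "only keytab format version 0x0502 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                   # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):                     # realm, then components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0],
                        "kvno": vno32 or vno8, "enctype": enctype, "key": key})
        pos = end
    return entries

def keys_consistent(entries, ad_name, host_name):
    """True iff both names carry the same non-empty (enctype, kvno) -> key map."""
    keyset = lambda name: {(e["enctype"], e["kvno"]): e["key"]
                           for e in entries if e["principal"] == name}
    return bool(keyset(ad_name)) and keyset(ad_name) == keyset(host_name)
# Constructed sample: principal names from the thread; kvno 3 and the key bytes are placeholders.
AD_NAME, HOST_NAME, REALM = "AD-SRV-REMOTE01$@MDOM.ABC", "SRV-REMOTE01$@MDOM.ABC", "MDOM.ABC"
AES_KEY = bytes(range(32))                             # enctype 18 = aes256-cts-hmac-sha1-96
GOOD = build_keytab([("AD-SRV-REMOTE01$", REALM, 3, 18, AES_KEY), ("SRV-REMOTE01$", REALM, 3, 18, AES_KEY)])
BAD = build_keytab([("AD-SRV-REMOTE01$", REALM, 3, 18, AES_KEY), ("SRV-REMOTE01$", REALM, 3, 18, AES_KEY[::-1])])  # salt mismatch
```

Run keys_consistent(parse_keytab(open("/etc/krb5.keytab", "rb").read()), AD_NAME, HOST_NAME) on the copied file before pointing SSSD at it; a False result means the hostname entries will fail preauthentication regardless of firewall state.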