On Sat, Nov 17, 2018 at 03:24:29AM -0000, Sergei Gerasenko wrote:
> Hi,
>
> I've run into a dead end debugging a case of passwordless authentication
> between two IPA'd hosts. Running `sshd -p 5000 -d` on the receiving host
> (let's call it HOST_B), I see this:
>
> ```
> Postponed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2 [preauth]
> debug1: Received some client credentials
> debug1: ssh_gssapi_k5login_exists: Checking existence of file /home/USER/.k5login
> Failed gssapi-with-mic for postgres from x.x.x.x port 57607 ssh2
> ```
>
> The client then gets an interactive password prompt. Here are some facts and
> things I've tried:
>
> * If I put the user into `.k5login` on the receiving host, it works.
Does .k5login for the user on the receiving host contain other entries as
well? In this case you might want to set 'k5login_authoritative = false' in
krb5.conf (see man krb5.conf for details).

If typically .k5login does not exist, there might be an issue mapping the
Kerberos principal to the local user name. SSSD should create
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin which configures SSSD's
localauth plugin. To be able to read this, libkrb5 needs an entry like
'includedir /var/lib/sss/pubconf/krb5.include.d/' in /etc/krb5.conf.

HTH

bye,
Sumit

> * The receiving host is correctly enrolled into IPA. I can ssh from it to
> other hosts using GSSAPI.
> * I can issue `kvno host/HOST_B` on the connecting host and I get a service
> ticket.
> * It looks like all this happens before any pam stuff kicks in (?). So I'm
> ruling PAM issues out.
> * No errors in the logs of the KDCs.
> * The ticket from the connecting host is not expired.
> * The sssd version is 1.16.0.
> * Turning up the debugging in sssd with `debug_level = 7` for the domain
> section doesn't reveal anything obvious.
>
> What else could I check?
>
> Thanks for any ideas,
> SG
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
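A constructed diagnostic for the two preconditions Sumit names (the `includedir` line in krb5.conf and SSSD's `localauth_plugin` snippet), plus the `k5login_authoritative` and `.k5login` checks from the same reply. This is an added example, not code from the thread or from SSSD; the default paths are the ones quoted above, and the `--check` flag and the function names are my own.

```shell
#!/bin/sh
# Constructed diagnostic, not from the thread: checks the two things Sumit
# names for SSSD's localauth plugin, plus the k5login_authoritative setting.
# Paths are parameters so it can also be run against copies of the files.
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
SSS_INCLUDE_DIR="${SSS_INCLUDE_DIR:-/var/lib/sss/pubconf/krb5.include.d}"

# has_sss_includedir CONF DIR: 0 if CONF has an uncommented 'includedir DIR' line
has_sss_includedir() {
    grep -Eq "^[[:space:]]*includedir[[:space:]]+$2/?[[:space:]]*$" "$1"
}

# k5login_authoritative CONF: prints the configured value, or the libkrb5
# default "true" (krb5.conf(5)) when the option is not set at all
k5login_authoritative() {
    v=$(sed -n 's/^[[:space:]]*k5login_authoritative[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${v:-true}"
}

# k5login_lists K5LOGIN PRINCIPAL: 0 if the file has a line naming PRINCIPAL
k5login_lists() {
    [ -r "$1" ] && grep -Fxq "$2" "$1"
}

# localauth_findings CONF DIR: prints one "missing: ..." line per broken
# precondition for principal-to-user mapping; exit status is the count
localauth_findings() {
    n=0
    if ! has_sss_includedir "$1" "$2"; then
        echo "missing: 'includedir $2/' in $1"; n=$((n + 1))
    fi
    if [ ! -r "$2/localauth_plugin" ]; then
        echo "missing: $2/localauth_plugin (SSSD did not write it, or unreadable)"; n=$((n + 1))
    fi
    return "$n"
}

# Live run on a receiving host: sh localauth_check.sh --check
if [ "${1:-}" = "--check" ]; then
    localauth_findings "$KRB5_CONF" "$SSS_INCLUDE_DIR" && echo "localauth plugin wiring looks complete"
    echo "k5login_authoritative = $(k5login_authoritative "$KRB5_CONF")"
fi
```

When the includedir line is present and the plugin snippet exists, a GSSAPI principal that is not listed in `.k5login` is still mapped through SSSD; when `.k5login` exists with other entries and `k5login_authoritative` is left at its default of true, only listed principals are accepted.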
