On Wed, Jun 19, 2019 at 04:58:32PM +0100, lejeczek via FreeIPA-users wrote:
> On 19/06/2019 16:20, Sumit Bose via FreeIPA-users wrote:
>> On Wed, Jun 19, 2019 at 12:34:54PM +0100, lejeczek via FreeIPA-users wrote:
>>> On 19/06/2019 10:09, Sumit Bose via FreeIPA-users wrote:
>>>> On Wed, Jun 19, 2019 at 09:26:30AM +0100, lejeczek via FreeIPA-users wrote:
>>>>> On 19/06/2019 07:46, Sumit Bose via FreeIPA-users wrote:
>>>>>> On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users wrote:
>>>>>>> hi guys
>>>>>>>
>>>>>>> I think it was asked on the list before but I still cannot find the thread.
>>>>>>>
>>>>>>> Should AD's users be able to log in to IPA's clients (non-replica) in a
>>>>>>> pretty vanilla setup? Those users can log in to IPA masters okay.
>>>>>>>
>>>>>>> I have not created any HBACs yet, nor added new hostgroups etc.
>>>>>>>
>>>>>>> When I ssh to IPA's client that client denies that user & shows:
>>>>>>>
>>>>>>> pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)
>>>>>> Hi,
>>>>>>
>>>>>> 'Permission denied' is typically returned during the PAM access control
>>>>>> step 'pam_sss(sshd:account)'. For auth there should be only a few cases
>>>>>> like an expired user in AD, but in this case login to the IPA masters
>>>>>> shouldn't work as well.
>>>>>>
>>>>>> Please add 'debug_level=9' at least to the [pam] and [domain/...]
>>>>>> section of sssd.conf on the client, restart SSSD, try to authenticate
>>>>>> and send the logs from /var/log/sssd.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>> hi,
>>>>>
>>>>> before I dump the whole lot of logs this is a snippet at the moment ssh
>>>>> auth fails after debug_level=9
>>>>>
>>>>> ..
>>>>>
>>>>> k,cn=users,cn=mine.private,cn=sysdb] has set [ts_cache] attrs.
>>>>> (Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
>>>>> (Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_auth_done] (0x0100): Backend is marked offline, retry later!
>>>>> (Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [check_wait_queue] (0x1000): Wait queue for user [pawel@mine.private] is empty.
>>>>> ..
>>>>>
>>>>> does the above give out any clues?
>>>> Do you see a message like 'Timeout for child [1234] reached. In case KDC
>>>> is distant or network is slow you may consider increasing value of
>>>> krb5_auth_timeout.' before the ones you have sent? If that's the case
>>>> please add
>>>>
>>>> krb5_auth_timeout = 30
>>>>
>>>> to the [domain/...] section of sssd.conf, restart SSSD and try again.
>>>> Please note that SSSD does more than just authenticating the user by
>>>> requesting a Kerberos ticket, the ticket is validated as well which
>>>> causes additional requests to the IPA server and AD DCs. This might need
>>>> a bit longer than the default timeout of 6s.
>>>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>> both masters & clients are on the same net fabric. I fear it's something
>>> more complex, I've emailed you zipped logs.
>> Thanks for the logs. The important message is "Cannot find KDC for realm
>> ...". I guess that you have 'dns_lookup_kdc = false' in /etc/krb5.conf.
>> Typically ipa-client-install will set this to 'dns_lookup_kdc = true'
>> but there are some conditions where it might leave it on 'false'. Please
>> try to set it to 'true' and try again.
>>
>> If you have set it to 'false' on purpose because you do not want to use
>> DNS to resolve KDC from other realms you have to add a section in the
>> [realms] section for the realm listed in the error message and add at
>> least one 'kdc = fully.qualified.name.or.ip.of.a.kdc.of.the.realm' line
>> in this section.
>>
>> HTH
>>
>> bye,
>> Sumit
> Ok, then, maybe to make it more bizarre, I've had it:
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [libdefaults]
> default_realm = MINE.PRIVATE
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> dns_canonicalize_hostname = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
> MINE.PRIVATE= {
Is this ^^^ the realm that is mentioned in the 'Cannot find KDC for
realm ...' error message in krb5_child.log?
Can you try if kinit from the command line works for the principal shown
in the 'Getting initial credentials for ...' debug message in
krb5_child.log?
Additionally does 'kinit -k' work from the command line with the
principal from the 'Fast principal is set to ...' debug message?
bye,
Sumit
> pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> kdc = 10.5.5.104
> }
> [domain_realm]
> .MINE.PRIVATE= MINE.PRIVATE
> MINE.PRIVATE= MINE.PRIVATE
> halfspeed-r.MINE.PRIVATE= MINE.PRIVATE
> and even after adding: kdc = 10.5.5.104
> I still get permission denied.
> I presume you saw in sssd_pam.log
> ...
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][ad.mine.private]
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56399823af70
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x563998243fe0
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Running timer event 0x56399823af70 "ltdb_callback"
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x563998243fe0 "ltdb_timeout"
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x56399823af70 "ltdb_callback"
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot retrieve authentication info.
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0020): Unknown PAM call [249].
> (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56399823ca30
> ...
> What does that mean?
> many thanks, L.
>>> To add - putty off the AD DC does ssh to IPA's clients successfully with
>>> gssapi, to the same clients which fail when no gssapi but with password
>>> is used.
>>>
>>> many thanks, L.
>>>
>>>>> many thanks, L.
>>>>>
>>>>>>> ...
>>>>>>>
>>>>>>> many thanks, L.
>>>>>>>
>>>>>>> pub rsa2048 2019-01-17 [SC] [expires: 2020-01-17]
>>>>>>> 93059F241EEEE1D0769A85F455918ABF21224EBA
>>>>>>> uid lejeczek <peljasz@yahoo.co.uk>
>>>>>>> sub rsa2048 2019-01-17 [E] [expires: 2020-01-17]
>>>>>>> _______________________________________________
>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
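As an added illustration of the KDC-lookup advice in the thread (example code, not from the thread or from the SSSD/FreeIPA projects): a small Python check that parses a krb5.conf and reports how libkrb5 would locate a KDC for a given realm, so one can test the realm named in the 'Cannot find KDC for realm ...' message against the client's config. The sample config is constructed after the one quoted above, AD.MINE.PRIVATE is an assumed name for the trusted AD realm, and included directories are not followed.

```python
import re

# Constructed krb5.conf sample modelled on the one quoted in the thread (not the
# poster's actual file); AD.MINE.PRIVATE is an assumed name for the AD realm.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 dns_lookup_kdc = false
[realms]
 MINE.PRIVATE= {
  kdc = 10.5.5.104
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
 }
[domain_realm]
 .mine.private = MINE.PRIVATE
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; entries inside a
    'NAME = { ... }' block (as under [realms]) become a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue  # includedir contents are not followed in this example
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:
            continue  # ignore stray lines before the first section header
        elif re.fullmatch(r"[^\s=]+\s*=\s*\{", line):
            block = line.split("=", 1)[0].strip()  # handles "MINE.PRIVATE= {"
            conf[section].setdefault(block, {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def kdc_source(conf, realm):
    """How libkrb5 would find a KDC for `realm`: explicit 'kdc =' lines under
    [realms] first, DNS SRV records if dns_lookup_kdc is enabled (MIT's
    default when the key is absent), otherwise no way at all."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        return "static", kdcs
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    if dns.lower() in ("true", "yes", "on", "1"):
        return "dns", []
    return "none", []  # expect 'Cannot find KDC for realm' in krb5_child.log
```

Calling `kdc_source(parse_krb5_conf(open("/etc/krb5.conf").read()), "AD.MINE.PRIVATE")` on a real client shows whether the trusted realm is reachable by static entry, by DNS, or not at all.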