Hi,
I have SSSD set up with AD as auth/id provider in a multi-domain trust realm, and POSIX
attributes in AD for users.
With this setup users can use short names (short names match the sAMAccountName in the AD
user object) for login and get access to their homedir, NFS mounted with Kerberos security.
The "short user names" are unique across domains in realm.
The setup works fine, even after the recently made possible sssd upgrade to 1.12.5 (all Linux
clients run Ubuntu LTS).
We would like to establish passwordless ssh between all AD-integrated clients, but have
problems.
The important detail is that all machines are in one domain, while users can be from
other domains, including the machine's domain.
Until now, passwordless ssh is possible when user and machine are from the same domain.
Users from domains other than the machine's own domain are asked for a password.
All tickets for the host and nfs service in the user's cache seem to be ok.
After debugging the ssh/sshd session it seems that the ssh <--> sshd connection fails on
user authorization.
Any ideas?
Ssh client side debug:
----------------------------------
[9537] 1436450526.619393: Got service principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.621139: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.621254: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.621355: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.621490: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 1059254370, subkey aes256-cts/4255, session key aes256-cts/2F16
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
[9537] 1436450526.623050: Convert service host (service with host as instance) on host lnx.a.c.realm to principal
[9537] 1436450526.624716: Remote host after forward canonicalization: lnx.a.c.realm
[9537] 1436450526.624760: Remote host after reverse DNS processing: lnx.a.c.realm
[9537] 1436450526.624793: Got service principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.626601: ccselect can't find appropriate cache for server principal host/lnx.a.c.realm@A.C.REALM
[9537] 1436450526.626719: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.626821: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.626984: Getting credentials longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM using ccache FILE:/tmp/krb5cc_XXXXX_CN76dg
[9537] 1436450526.627067: Retrieving longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM from FILE:/tmp/krb5cc_XXXXX_CN76dg with result: 0/Success
[9537] 1436450526.627162: Creating authenticator for longina@N.C.REALM -> host/lnx.a.c.realm@A.C.REALM, seqnum 778106202, subkey aes256-cts/CBE6, session key aes256-cts/2F16
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
sshd server side debug:
------------------------------------
....
debug2: input_userauth_request: setting up authctxt for longina [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "longina"
debug1: PAM: setting PAM_RHOST to "10.80.8.108"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: mm_request_send entering: type 42 [preauth]
debug3: mm_request_receive_expect entering: type 43 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 42
debug3: mm_request_send entering: type 43
Postponed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2 [preauth]
debug3: mm_request_send entering: type 44 [preauth]
debug3: mm_request_receive_expect entering: type 45 [preauth]
debug3: mm_request_send entering: type 47
Failed gssapi-with-mic for longina from 10.80.8.108 port 53479 ssh2
debug3: mm_ssh_gssapi_userok: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 3 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
debug1: userauth-request for user longina service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 4 failures 1 [preauth]
debug2: input_userauth_request: try method gssapi-with-mic [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
sssd.conf
-------------
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
#override_home_directory = /home/%u
[sssd]
debug_level = 6
domains = n.c.realm,a.c.realm,c.realm
#default_domain_suffix = c.realm
config_file_version = 2
services = nss,pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/n.c.realm]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = n.c.realm
krb5_realm = N.C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_hostname = lnx.a.c.realm
ad_gpo_access_control = disabled
[domain/a.c.realm]
debug_level = 9
dyndns_update = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.realm
krb5_realm = A.C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_hostname = lnx.a.c.realm
ad_gpo_access_control = disabled
[domain/c.realm]
debug_level = 9
dyndns_update = true
dyndns_update_ptr = false
ad_hostname = lnx.a.c.realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = c.realm
krb5_realm = C.REALM
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
ad_gpo_access_control = disabled
Best,
Longina
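The pattern in the logs above, a service ticket for host/lnx.a.c.realm@A.C.REALM obtained without error followed by sshd's "mm_ssh_gssapi_userok: user not authenticated", is what sshd reports when the authenticated Kerberos principal does not map to the requested local login name. The following is an added illustration, not part of the original post and not sssd's or krb5's own code: a small Python model of the MIT krb5 auth_to_local mapping that the GSSAPI userok check falls back to when the account has no ~/.k5login. It assumes the host's default_realm is A.C.REALM (not stated in the post), and the RULE strings are hypothetical.

```python
import re

# Constructed from the post: the client holds a ticket as longina@N.C.REALM, the
# host principal is host/lnx.a.c.realm@A.C.REALM and the requested login is "longina".
# Assumption (not stated in the post): the host's krb5.conf default_realm is A.C.REALM.
DEFAULT_REALM = "A.C.REALM"

# Illustrative auth_to_local rules (hypothetical, not from the post): map one-component
# principals from the two other realms of the trust to the bare component, then fall
# back to DEFAULT for the host's own realm.
CROSS_REALM_RULES = (
    r"RULE:[1:$1@$0](.*@N\.C\.REALM)s/@.*//",
    r"RULE:[1:$1@$0](.*@C\.REALM)s/@.*//",
    "DEFAULT",
)
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)")

def aname_to_localname(principal, default_realm, auth_to_local=("DEFAULT",)):
    """Model of MIT krb5 auth_to_local: first matching rule wins, None if no rule maps.
    DEFAULT maps a one-component principal in the default realm to that component.
    RULE:[n:string](regexp)s/pattern/replacement/ applies only to principals with n
    components, builds 'string' ($0 = realm, $1.. = components), requires regexp to
    match the whole result (as modelled here), then rewrites it with the s/// step.
    """
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in auth_to_local:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if m is None:
            raise ValueError("unsupported auth_to_local rule: " + rule)
        ncomp, fmt, regexp, pattern, repl, gflag = m.groups()
        if len(comps) != int(ncomp):
            continue
        selected = fmt.replace("$0", realm)
        for i, comp in enumerate(comps, 1):
            selected = selected.replace("$%d" % i, comp)
        if re.fullmatch(regexp, selected) is None:
            continue
        return re.sub(pattern, repl, selected, count=0 if gflag else 1)
    return None

def gssapi_userok(principal, login_name, default_realm, auth_to_local=("DEFAULT",)):
    """sshd's GSSAPI userok decision when the target account has no ~/.k5login:
    the authenticated principal must map to exactly the requested login name."""
    return aname_to_localname(principal, default_realm, auth_to_local) == login_name
```

With only the DEFAULT rule, longina@A.C.REALM maps to "longina" but longina@N.C.REALM maps to nothing, which reproduces the same-domain-works, other-domain-fails split seen in the post; the cross-realm rules (or a ~/.k5login listing the foreign principal) close that gap.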