Hey Guys,
I have the following scenario:
1) srv-remote01 is behind a firewall. We typically use adcli to add
hosts to AD, but in this case port 464 is blocked, so we can't use adcli
on srv-remote01 since it errors out on the blocked port. Other ports
are open, however, so normal sssd function can work once the connection is
established and krb5.keytab is generated.
2) Since we can't get through port 464, we run adcli on another
machine within the same domain (MYDOM.ABC) to generate a keytab and copy
it over to the target machine srv-remote01.
3) The computer object in AD is called ad-srv-remote01. The command we use
is below. Note, --computer-name is set to the AD attribute type
sAMAccountName.

adcli join --host-fqdn=srv-remote01 --domain=mdom.abc \
    --computer-name=AD-SRV-REMOTE01 --login-user=adsrvacct01 -v \
    -S rem-addc-01.mdom.abc \
    --domain-ou="OU=Linux,OU=Servers Group,OU=Servers,OU=MDOM,DC=MDOM,DC=abc" \
    --os-name="CentOS7" --os-version="6.7" --show-details --show-password
So we try to use another host (i.e. srv-local01) on the same domain to
create a keytab while ensuring the KVNO numbers match. But there's an issue
with that as well. When we run the above, the entries in the
krb5.keytab begin with AD-SRV-REMOTE01.
So we manually use ktutil and addent to add the corresponding
SRV-REMOTE01@MDOM.ABC entries etc., using the same 120-character password
adcli returns (due to --show-password) above, ensuring our objects in
the keytab all have the same password. All this because when SSSD talks
to AD, it tries to find the true host by using SRV-REMOTE01, not the AD
computer object name AD-SRV-REMOTE01.
However, when we try to use this keytab, we get the below set of errors.
Tried with SSSD 1.12 and SSSD 1.15. Same result. Assume opening up the
firewall right now is not an option.
Any way around this? Other than that message, there's very little more
that's printed indicating the real cause of the failure. Is there a way
to print more info around the -1765328360/Preauthentication failed
error? It could be due to a number of things, but it's not indicated.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
[sssd[be[MDOM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14
[Preauthentication failed], expired on [0]
[sssd[be[MDOM]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad
address]
[sssd[be[MDOM]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret
[1432158226](Authentication Failed)
[sssd[be[MDOM]]] [sdap_cli_connect_recv] (0x0040): Unable to establish
connection [13]: Permission denied
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400):
ldap_child started.
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
context initialized
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): total buffer size: 41
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): realm_str size: 9
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): got realm_str: MDOM.ABC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): princ_str size: 8
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): got princ_str: SRV-REMOTE01$
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): keytab_name size: 0
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x1000): lifetime: 86400
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [unpack_buffer]
(0x0200): Will run as [0][0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[privileged_krb5_setup] (0x2000): Kerberos context initialized
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
Kerberos context initialized
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user]
(0x0200): Trying to become user [0][0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [become_user]
(0x0200): Already user [0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
Running as [0][0].
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x2000):
getting TGT sync
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x2000): got realm_name: [MDOM.ABC]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[SRV-REMOTE01$@MDOM.ABC]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803319: Getting
initial credentials for SRV-REMOTE01$@MDOM.ABC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803467: Looked up
etypes in keytab: aes256-cts
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803508: Sending
request (171 bytes) to MDOM.ABC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.803735:
Initiating TCP connection to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.805585: Sending
TCP request to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809430: Received
answer from stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809554: Response
was from master KDC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809607: Received
error from KDC: -1765328359/Additional pre-authentication required
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809681:
Processing preauth types: 11, 19, 2, 16, 15
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809710: Selected
etype info: etype rc4-hmac, salt "", params ""
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809755: Selected
etype info: etype rc4-hmac, salt "", params ""
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809799:
Retrieving SRV-REMOTE01$@MDOM.ABC from MEMORY:/etc/krb5.keytab (vno 0,
enctype rc4-hmac) with result: 0/Success
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809842: AS key
obtained for encrypted timestamp: rc4-hmac/7361
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809932: Encrypted
timestamp (for 1525932937.809866): plain
301AA011180F32303138303531303036313533375AA10502030C5B8A, encrypted
E38D66FB781CE178E10659E2F3770F5109454EE5808B5929B17D113D2621E30DF3C79F819517A1AED46BD734F55092F36B343BCD
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809958: Preauth
module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.809974: Produced
preauth for next request: 2
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810004: Sending
request (245 bytes) to MDOM.ABC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.810100:
Initiating TCP connection to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.811915: Sending
TCP request to stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.819955: Received
answer from stream 123.123.123.123:88
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820056: Response
was from master KDC
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820086: Received
error from KDC: -1765328360/Preauthentication failed
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[sss_child_krb5_trace_cb] (0x4000): [14068] 1525932937.820121: Preauth
tryagain input types: 11, 19, 2, 16, 15
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials:
Preauthentication failed
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[unique_filename_destructor] (0x2000): Unlinking
[/var/lib/sss/db/ccache_MDOM.ABC_1KdDyX]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0020):
ldap_child_get_tgt_sync failed.
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]]
[prepare_response] (0x0400): Building response for result [-1765328360]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer]
(0x2000): response size: 44
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [pack_buffer]
(0x1000): result [14] krberr [-1765328360] msgsize [24] msg
[Preauthentication failed]
(Thu May 10 02:15:37 2018) [[sssd[ldap_child[14068]]]] [main] (0x0400):
ldap_child completed successfully
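Added example, not from the original post nor from SSSD or adcli: a self-contained Python script that parses a keytab in the MIT/Heimdal 0x0502 format and compares, per enctype, the key bytes and kvno that two principals hold. That is the check a hand-built keytab like the one above needs before SSSD tries it, since a hand-added entry can share a principal's kvno and password and still carry different key bytes. The sample keytab, password, rc4 key bytes and kvno are constructed inline. PBKDF2 over the default salt (realm followed by the principal name components) stands in for the full AES string-to-key, which is enough to show why entries added with ktutil addent for SRV-REMOTE01$ get different AES keys from the AD-SRV-REMOTE01$ entries even with the same password, while rc4-hmac keys, which are unsalted, come out identical.

```python
"""Parse a Kerberos keytab (MIT/Heimdal format 0x0502) and compare the key
material two principals hold, enctype by enctype.

Added example, not code from the original post. Sample keys, password and
kvno below are constructed for illustration.
"""
import hashlib
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def build_keytab(entries):
    """Serialize (components, realm, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for comps, realm, kvno, etype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + list(comps):            # realm first, then name components
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, etype, key} dicts from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                  # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm followed by ncomp components
            n = struct.unpack_from(">H", data, pos)[0]
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit vno wins when non-zero
            kvno32 = struct.unpack_from(">I", data, pos)[0]
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "etype": etype, "key": key})
    return entries


def compare_principals(entries, princ_a, princ_b):
    """Per enctype: 'same', 'key differs', 'kvno differs' or 'missing in <principal>'."""
    by = {(e["principal"], e["etype"]): e for e in entries}
    report = {}
    for etype in sorted({e["etype"] for e in entries}):
        a, b = by.get((princ_a, etype)), by.get((princ_b, etype))
        name = ENCTYPES.get(etype, str(etype))
        if a is None or b is None:
            report[name] = "missing in " + (princ_a if a is None else princ_b)
        elif a["kvno"] != b["kvno"]:
            report[name] = "kvno differs"
        elif a["key"] != b["key"]:
            report[name] = "key differs"
        else:
            report[name] = "same"
    return report


def default_salt(realm, components):
    """Default Kerberos salt for AES string-to-key: realm followed by the name components."""
    return realm + "".join(components)


def sample_keytab(password="constructed-password", realm="MDOM.ABC"):
    """Constructed sample: the entries adcli wrote for AD-SRV-REMOTE01$ plus the
    SRV-REMOTE01$ entries added by hand from the same password and kvno.
    rc4-hmac keys are unsalted, so both principals get identical bytes; AES keys are
    salted with the principal name, so they differ. PBKDF2 stands in here for the
    full AES string-to-key, which adds a DK() step on top of it."""
    rc4_key = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed, not a real hash
    entries = []
    for comps in (["AD-SRV-REMOTE01$"], ["SRV-REMOTE01$"]):
        salt = default_salt(realm, comps).encode()
        aes = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)
        entries.append((comps, realm, 2, 18, aes))
        entries.append((comps, realm, 2, 23, rc4_key))
    return build_keytab(entries)


if __name__ == "__main__":
    kt = parse_keytab(sample_keytab())
    for e in kt:
        print("%-28s kvno=%d %s" % (e["principal"], e["kvno"], ENCTYPES[e["etype"]]))
    print(compare_principals(kt, "AD-SRV-REMOTE01$@MDOM.ABC", "SRV-REMOTE01$@MDOM.ABC"))
```

On the real host, `klist -kte /etc/krb5.keytab` lists the same principal, kvno and enctype columns, and `KRB5_TRACE=/dev/stderr kinit -kt /etc/krb5.keytab 'SRV-REMOTE01$@MDOM.ABC'` exercises one principal outside SSSD with the MIT krb5 trace on stderr, which is the same trace the ldap_child log above relays.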