Well, I had to resort adding a DEBUG() line to get_and_save_tgt() to print out the realm and princ, and it turned out there was a typo on the UPN in my Samba 4 directory entry for the user. I sort of expected it to be something stupid.  On that note, do you have any suggestions on where more debugging could be added? If I have the cycles I was thinking of submitting a patch to make these issues easier to figure out.



On Mon, Jan 28, 2013 at 2:56 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Sun, Jan 27, 2013 at 02:23:03PM -0800, C. S. wrote:
> Hi folks,
> Any help here would be appreciated, I don't seem to see what the issue is.
> I can login using kinit just fine,

Right, kinit bypasses the PAM stacks and talks directly to the libkrb5
and the kdc.

> but sssd fails when using ssh. It seems
> like it has something to do with the files in /var/lib/sss/pubconf going
> missing, which causes sssd-krb5 to fail with: Cannot find KDC for requested
> realm.

Yes, I think so too, but what puzzles me is that resolving went OK, then the
kdcinfo files are written. Unfortunately there is no debug output unless
there is an error, so we can't see the realm etc.. The "No such file or
directory" errors indicate that the krb5info files are indeed missing.

Are there perhaps any AVC denials when the SSSD is attempting to write
the kdcinfo files?

Are you sure there is no typo in the realm name? Can you also kinit on the
client machine, in other words, if you were testing by ssh testuser@testhost,
can you kinit on testhost? What also seems strange to me is that if krb5.conf
was configured correctly on the client machine, then I would expect the
krb5 child process to use the KDC info from the krb5.conf file..by the
time we reach the child process, it's mostly standard krb5 library calls.

> This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
> e.g. kinit logins works:
> [testuser@test01 ~]$ kinit
> Password for testuser@MYREALM.COM:
> Warning: Your password will expire in 41 days on Sun Mar 10 19:01:44 2013
> [testuser@test01 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_501
> Default principal: testuser@MYREALM.COM
> Valid starting     Expires            Service principal
> 01/27/13 22:13:00  01/28/13 08:13:00  krbtgt/MYREALM.COM@MYREALM.COM
>         renew until 02/03/13 22:12:53
> [testuser@test01 ~]$
> But over ssh:
> /var/log/secure:
> Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
>  user=testuser
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot
> find KDC for requested realm]
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> user=testuser
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user
> testuser: 4 (System error)
> Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from
> port 55143 ssh2
> Jan 27 21:57:11 test1 sshd[2883]: Connection closed by
> sssd -i -d9 + SSSD_KRB5_LOCATOR_DEBUG=1 output:

Thank you for providing the detailed debug logs.
sssd-users mailing list