On Sun, Jan 27, 2013 at 02:23:03PM -0800, C. S. wrote:
> Hi folks,
>
> Any help here would be appreciated, I don't seem to see what the issue is.
> I can login using kinit just fine,

Right, kinit bypasses the PAM stacks and talks directly to the libkrb5
and the kdc.

> but sssd fails when using ssh. It seems
> like it has something to do with the files in /var/lib/sss/pubconf going
> missing, which causes sssd-krb5 to fail with: Cannot find KDC for requested
> realm.

Yes, I think so too, but what puzzles me is that resolving went OK, then the
kdcinfo files are written. Unfortunately there is no debug output unless
there is an error, so we can't see the realm etc. The "No such file or
directory" errors indicate that the krb5info files are indeed missing.

Are there perhaps any AVC denials when the SSSD is attempting to write
the kdcinfo files?

Are you sure there is no typo in the realm name? Can you also kinit on the
client machine, in other words, if you were testing by ssh testuser@testhost,
can you kinit on testhost? What also seems strange to me is that if krb5.conf
was configured correctly on the client machine, then I would expect the
krb5 child process to use the KDC info from the krb5.conf file. By the
time we reach the child process, it's mostly standard krb5 library calls.

Thank you for providing the detailed debug logs.
>
> This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
>
> e.g. kinit logins works:
> [testuser@test01 ~]$ kinit
> Password for testuser@MYREALM.COM:
> Warning: Your password will expire in 41 days on Sun Mar 10 19:01:44 2013
> [testuser@test01 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_501
> Default principal: testuser@MYREALM.COM
>
> Valid starting Expires Service principal
> 01/27/13 22:13:00 01/28/13 08:13:00 krbtgt/MYREALM.COM@MYREALM.COM
> renew until 02/03/13 22:12:53
> [testuser@test01 ~]$
>
>
> But over ssh:
>
> /var/log/secure:
> Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
> user=testuser
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot
> find KDC for requested realm]
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
> user=testuser
> Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user
> testuser: 4 (System error)
> Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from
> 10.74.34.39 port 55143 ssh2
> Jan 27 21:57:11 test1 sshd[2883]: Connection closed by 10.74.34.39
>
> sssd -i -d9 + SSSD_KRB5_LOCATOR_DEBUG=1 output:
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
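The reply above asks three diagnostic questions: is the realm name free of typos, is the kdcinfo file under /var/lib/sss/pubconf actually there, and are AVC denials stopping SSSD from writing it. The script below is an added example and not code from the thread or from the SSSD project; it turns those questions into offline checks on constructed config files. Assumed from my own knowledge of the tools rather than stated in the thread: the file name pattern kdcinfo.<REALM>, the config keys default_realm (krb5.conf) and krb5_realm (sssd.conf), and the ausearch invocation used for the optional AVC check. The KDC address and realm names in the demo are constructed, not the poster's.

```shell
#!/bin/sh
# Added example (not from the thread or SSSD): offline checks for a realm typo
# between krb5.conf and sssd.conf, and for a missing or empty kdcinfo file.
# Assumptions (mine, not the thread's): kdcinfo.<REALM> file name, the keys
# default_realm / krb5_realm, and the ausearch flags in avc_denials.

# Print the first default_realm value from a krb5.conf-style file.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the first krb5_realm value from an sssd.conf-style file.
sssd_krb5_realm() {
    sed -n 's/^[[:space:]]*krb5_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Exit 0 only when both realms are present and byte-for-byte identical.
# Kerberos realm names are case-sensitive, so "MyRealm.com" is a typo for
# "MYREALM.COM" as far as the KDC lookup is concerned.
realms_match() {
    a=$(krb5_default_realm "$1")
    b=$(sssd_krb5_realm "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Exit 0 when <pubconf>/kdcinfo.<REALM> exists and holds at least one
# non-blank line (assumed format: one KDC address per line).
kdcinfo_ok() {
    f="$1/kdcinfo.$2"
    [ -f "$f" ] && grep -q '[^[:space:]]' "$f"
}

# Optional: recent AVC denials mentioning sss; needs auditd's ausearch.
avc_denials() {
    command -v ausearch >/dev/null 2>&1 || { echo "ausearch not available"; return 0; }
    ausearch -m AVC -ts recent 2>/dev/null | grep -i sss || echo "no AVC denials mentioning sss"
}

# Self-contained demo on constructed files (not the poster's real config).
demo() {
    d=$(mktemp -d) || return 1
    printf '[libdefaults]\n default_realm = MYREALM.COM\n' > "$d/krb5.conf"
    printf '[domain/default]\n krb5_realm = MYREALM.COM\n' > "$d/sssd.conf"
    printf '[domain/typo]\n krb5_realm = MYREALM.CON\n' > "$d/sssd-typo.conf"
    mkdir "$d/pubconf"
    printf '10.0.0.1\n' > "$d/pubconf/kdcinfo.MYREALM.COM"   # constructed KDC address
    : > "$d/pubconf/kdcinfo.EMPTY.COM"                       # written but empty

    realms_match "$d/krb5.conf" "$d/sssd.conf"      && echo "realm: krb5.conf and sssd.conf agree"
    realms_match "$d/krb5.conf" "$d/sssd-typo.conf" || echo "realm: mismatch, check for a typo"
    kdcinfo_ok "$d/pubconf" MYREALM.COM  && echo "kdcinfo.MYREALM.COM: present"
    kdcinfo_ok "$d/pubconf" EMPTY.COM    || echo "kdcinfo.EMPTY.COM: missing or empty, check AVC denials"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check-kdcinfo.sh demo` to see the constructed cases; on a real client, point realms_match at /etc/krb5.conf and /etc/sssd/sssd.conf and kdcinfo_ok at /var/lib/sss/pubconf, then run avc_denials if the file is absent. An empty-but-present kdcinfo file is deliberately treated as a failure: the locator plugin has nothing to hand to libkrb5 in that case either.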