Aloha Sumit, Jakub, and Lukas,
Thank you for helping out with this. Up against compliance race to get this working and
its looking more and more bleak. I really appreciate you folks taking another look.
The 'Response was not form master KDC' is just an info
message not an error message. Using a secondary domain controller is completely ok during
authentication, additionally AD does not use the 'master KDC'
concept at all.
Since there is a trust relationship between parent and subdomain it is
sufficient to have a keytab entry for only one domain. And as you can see during the kinit
call the keytab isn't used at all. SSSD will use it after the >TGT is received to
validate the ticket but even here keys from one domain are sufficient.
Authentication is sent through PAM which runs a custom script auth.py that was provided by
authlite (vendor for MFA using yubikey). Authlite believes that 'ad_server'
preference is not working. He has recreated the scenario in his lab. From the log
snippet from secure.log you can see unsuccessful to child domain but success to parent.
Below the logs you can see the feedback from Authlite. TDI Consoleworks is the user front
end application running on centos which is set for external authentication using PAM.
Sumit, I suspect you are right about the wrong password. I had them reset it just be sure
but still same result. Could auth.py script be passing the password incorrectly to child
domain?
<<<<<Child domain>>>>
Mar 6 15:21:22 SERVER01 /usr/lib64/security/auth.py[30366]: Traceback (most recent call
last):
Mar 6 15:21:22 SERVER01 /usr/lib64/security/auth.py[30366]: File
"/usr/lib64/security/auth.py", line 156, in pam_sm_authenticate
Mar 6 15:21:22 SERVER01 /usr/lib64/security/auth.py[30366]: update_password(pamh)
Mar 6 15:21:22 SERVER01 /usr/lib64/security/auth.py[30366]: File
"/usr/lib64/security/auth.py", line 146, in update_password
Mar 6 15:21:22 SERVER01 /usr/lib64/security/auth.py[30366]: pwd.getpwnam(domain + sep
+ res['OTP'])
Mar 6 15:21:22 SERVER01 /usr/lib64/security/auth.py[30366]: KeyError: getpwnam(): name
not found: jufgkdildfnkjvceveehvtfnckjleingkbgujrbcfjcuiifbfngndnurhdnhluce
Mar 6 15:21:26 SERVER01 cw[30366]: pam_sss(conwrks:auth): authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost= user=username(a)a.abc.com
Mar 6 15:21:26 SERVER01 cw[30366]: pam_sss(conwrks:auth): received for user
username(a)a.abc.com: 4 (System error)
<<<<parent domain>>>>>
Mar 6 15:22:44 SERVER01 /usr/lib64/security/auth.py[30366]: Traceback (most recent call
last):
Mar 6 15:22:44 SERVER01 /usr/lib64/security/auth.py[30366]: File
"/usr/lib64/security/auth.py", line 163, in pam_sm_authenticate
Mar 6 15:22:44 SERVER01 /usr/lib64/security/auth.py[30366]: update_password(pamh)
Mar 6 15:22:44 SERVER01 /usr/lib64/security/auth.py[30366]: File
"/usr/lib64/security/auth.py", line 152, in update_password
Mar 6 15:22:44 SERVER01 /usr/lib64/security/auth.py[30366]: pwd.getpwnam(domain + sep
+ res['OTP'])
Mar 6 15:22:44 SERVER01 /usr/lib64/security/auth.py[30366]: KeyError: getpwnam(): name
not found: jufgkdildfnkjvceveehvtfnckjleinggliiedlfdknhtlhjjkdhhbjgvigvrhkf
Mar 6 15:22:46 SERVER01 cw[30366]: pam_sss(conwrks:auth): authentication success;
logname= uid=0 euid=0 tty= ruser= rhost= user=username
<<<PAM>>>>>
##################################################
system-auth
[root@server01 pam.d]# more system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth optional pam_python.so /usr/lib64/security/auth.py
auth sufficient pam_sss.so use_first_pass forward_pass
#auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3
authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
<<<<<<<From authlite>>>>>>>>>
OK guys, I have been working on this all weekend in a lab with 2 domains and 2 DCs each
like your scenario.
To review: we absolutely need SSSD to honor the "ad_server" order. The only way
to do this is to chuck the whole forest/trust thing and just look at the joined domain.
A machine can only be joined to one domain. This means there would need to be two
separate CentOS/Consoleworks machines, one for parent domain and one for child domain.
Users would need to go to the server that matches their domain, instead of all funneling
into one Consoleworks URL.
Other possibilities:
1)
I could make an auth.py that was *way* more complex: It could try to parse what domain was
being requested by the authentication, and then spray the OTP sequentially to both DC in
that domain over LDAP. That way affinity wouldn't matter so much.
I would consider this to be an exceedingly fraught/fragile solution. It would need:
* hardcoded domain list
* a hardcoded list of DCs for each domain
* an LDAP service account for each domain, with the passwords hardcoded into the auth.py
file.
2)
If you totally abandon domain joining, then maybe it could be possible to use a raw krb5
configuration to join 2 separate realms, but I have no idea how to make that configuration
work. It would take more hours of research and testing. I think it also requires
certificate trust of some nature with the DCs (which is automagically done by the AD
module).
3)
It could also be possible to use a raw ldap configuration, but that requires things you
don't have, such as LDAP-S enabled on your DCs, punched through the firewall, and
CentOS would need to trust the TLS certificates of the DCs. This would, obviously, also
be many more hours of research and configuration.
Sonia Gilbert, -Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert(a)HawaiianAir.com
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Monday, February 27, 2017 11:53 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: account not authenticating in child domain
On Tue, Feb 28, 2017 at 02:31:08AM +0000, Gilbert, Sonia wrote:
Update:
Uninstalled and re-installed all realmd components. Performed a realm join to parent
domain. Authentication to parent domain is restored but authentication to subdomain is
still not working.
Even though sssd is trying to authenticate to the correct domain controller it fails. I
suspect it is because sssd does not know about principal in child domain and keytab does
not have entries for child domain host.
What do I need to do to point sssd to the master kdc in child domain and authenticate
users? Do we need to create a computer object for the server in child domain?
When you kinit to child domain (
a.abc.com) - it fails "Response was not form master
KDC" - it does go to the secondary domain controller in the child domain.
The 'Response was not form master KDC' is just an info message not an error
message. Using a secondary domain controller is completely ok during authentication,
additionally AD does not use the 'master KDC'
concept at all.
Since there is a trust relationship between parent and subdomain it is sufficient to have
a keytab entry for only one domain. And as you can see during the kinit call the keytab
isn't used at all. SSSD will use it after the TGT is received to validate the ticket
but even here keys from one domain are sufficient.
See output of KRB5_TRACE=/dev/stdout below.
Other configs and logs below:
Secure.log
Krb5.log
Output of realm list
Output of klist -k
Sssd.conf
Krb5.conf
Output of pam.d system-auth
[root@server01 log]# KRB5_TRACE=/dev/stdout kinit -V
username(a)a.abc.com Using default cache: /tmp/krb5cc_0 Using principal:
username(a)a.abc.com [21234] 1488228264.116970: Getting initial
credentials for username(a)a.abc.com [21234] 1488228264.117539: Sending
request (209 bytes) to
a.abc.com [21234] 1488228264.246215: Resolving
hostname
sdc01.a.abc.com.
[21234] 1488228264.313399: Sending initial UDP request to dgram
x.x.166.251:88 [21234] 1488228264.383772: Received answer (219 bytes)
from dgram x.x.166.251:88 [21234] 1488228264.448453: Response was not
from master KDC [21234] 1488228264.448519: Received error from KDC:
-1765328359/Additional pre-authentication required [21234]
1488228264.448584: Processing preauth types: 16, 15, 19, 2 [21234] 1488228264.448622:
Selected etype info: etype aes256-cts, salt "a.abc.comusername", params
""
Password for username(a)a.abc.com:
[21234] 1488228274.851028: AS key obtained for encrypted timestamp:
aes256-cts/D574 [21234] 1488228274.851105: Encrypted timestamp (for
1488228256.665529): plain
301AA011180F32303137303232373230343431365AA10502030A27B9,
encrypted
6818747034DA70128C9E22CF1A56A1815E14509E91693BB286BB899BBAE65F32114140
5718086D119447EB82A34498D0E16EA8E2F5FF71CA
[21234] 1488228274.851138: Preauth module encrypted_timestamp (2)
(real) returned: 0/Success [21234] 1488228274.851170: Produced preauth
for next request: 2 [21234] 1488228274.851208: Sending request (289
bytes) to
a.abc.com [21234] 1488228274.982261: Resolving hostname
infsdcpci02.a.abc.com.
[21234] 1488228275.48986: Sending initial UDP request to dgram
x.x.166.252:88 [21234] 1488228275.118201: Received answer (186 bytes)
from dgram x.x.166.252:88 [21234] 1488228275.182721: Response was not
from master KDC [21234] 1488228275.182772: Received error from KDC:
-1765328360/Preauthentication failed [21234] 1488228275.182830:
Preauth tryagain input types: 16, 15, 19, 2 [21234] 1488228275.182862:
Retrying AS request with master KDC [21234] 1488228275.182889: Getting
initial credentials for username(a)a.abc.com [21234] 1488228275.182963:
Sending request (209 bytes) to
a.abc.com (master)
kinit: Preauthentication failed while getting initial credentials
The most probable reason for a 'Preauthentication failed' error is a wrong
password. Did you change the password for 'username(a)a.abc.com'
recently? Maybe there are replication issues between the AD domain controllers and the
password was not updated correctly on some controllers?
A different reason might be different times on the DCs and the client, but I would expect
different error codes in this case.
bye,
Sumit
######################################################################
###
secure.log - because we are using authlite for two-factor
authentication, system-auth points to the auth.py script (note that it
uses the same script for parent domain and successfully authenticates
using two factor)
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: Traceback (most recent call
last):
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: File
"/usr/lib64/security/auth.py", line 163, in pam_sm_authenticate
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: update_password(pamh)
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: File
"/usr/lib64/security/auth.py", line 152, in update_password
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: pwd.getpwnam(domain + sep
+ res['OTP'])
Feb 27 17:45:30 server01 /usr/lib64/security/auth.py[30366]: KeyError:
getpwnam(): name not found:
a.abc.com
\jufgkdildfnkjvceveehvtfnckjleingtneevlgugrdhngrccjuirirnhckltihb
Feb 27 17:45:34 server01 cw[30366]: pam_sss(conwrks:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=username(a)a.abc.com Feb 27 17:45:34 server01 cw[30366]:
pam_sss(conwrks:auth): received for user username(a)a.abc.com: 4 (System
error)
######################################################################
###############
Krb5.log (In ther krb5.log, sssd authenticates to the parent domain "Attempting
kinit for realm [ABC.COM" and gets "KDC policy rejects" error.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x0400): krb5_child
started.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [unpack_buffer]
(0x1000): total buffer size: [145] (Mon Feb 27 14:45:33 2017)
[[sssd[krb5_child[29102]]]] [unpack_buffer] (0x0100): cmd [241] uid
[1915601461] gid [1915601461] validate [true] enterprise principal
[true] offline [false] UPN [username(a)a.abc.com] (Mon Feb 27 14:45:33 2017)
[[sssd[krb5_child[29102]]]] [unpack_buffer] (0x2000): No old ccache (Mon Feb 27 14:45:33
2017) [[sssd[krb5_child[29102]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_1915601461_XXXXXX] old_ccname:
[not set] keytab: [/etc/krb5.keytab]
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [check_use_fast] (0x0100): Not
using FAST.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Mon Feb 27
14:45:33 2017) [[sssd[krb5_child[29102]]]] [become_user] (0x0200): Trying to become user
[1915601461][1915601461].
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main] (0x2000): Running as
[1915601461][1915601461].
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [k5c_setup] (0x2000): Running as
[1915601461][1915601461].
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from
environment.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true] (Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]] [main]
(0x0400): Will perform online auth (Mon Feb 27 14:45:33 2017)
[[sssd[krb5_child[29102]]]] [tgt_req_child] (0x1000): Attempting to
get a TGT (Mon Feb 27 14:45:33 2017) [[sssd[krb5_child[29102]]]]
[get_and_save_tgt] (0x0400): Attempting kinit for realm [
ABC.COM] (Mon
Feb 27 14:45:34 2017) [[sssd[krb5_child[29102]]]] [get_and_save_tgt]
(0x0020): 1234: [-1765328372][KDC policy rejects request] (Mon Feb 27
14:45:34 2017) [[sssd[krb5_child[29102]]]] [map_krb5_error] (0x0020):
1303: [-1765328372][KDC policy rejects request] (Mon Feb 27 14:45:34
2017) [[sssd[krb5_child[29102]]]] [k5c_send_data] (0x0200): Received
error code 1432158209 (Mon Feb 27 14:45:34 2017)
[[sssd[krb5_child[29102]]]] [pack_response_packet] (0x2000): response
packet size: [4] (Mon Feb 27 14:45:34 2017)
[[sssd[krb5_child[29102]]]] [main] (0x0400): krb5_child completed
successfully
[root@server01 etc]# realm list -all (shouldn't this output show both realms?)
abc.com
type: kerberos
realm-name:
ABC.COM
domain-name:
abc.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: Remote Access Users(a)abc.com, Remote Access
Users(a)a.abc.com
######################################################
[root@SERVER01 pam.d]# klist -k (keytab only has entries for parent domain)
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/server01.abc.com(a)ABC.COM
2 host/server01.abc.com(a)ABC.COM
2 host/server01.abc.com(a)ABC.COM
2 host/server01.abc.com(a)ABC.COM
2 host/server01.abc.com(a)ABC.COM
2 host/server01(a)ABC.COM
2 host/server01(a)ABC.COM
2 host/server01(a)ABC.COM
2 host/server01(a)ABC.COM
2 host/server01(a)ABC.COM
2 SERVER01$(a)ABC.COM
2 SERVER01$(a)ABC.COM
2 SERVER01$(a)ABC.COM
2 SERVER01$(a)ABC.COM
2 SERVER01$(a)ABC.COM
[root@SERVER01 pam.d]#
#############################################################
[root@server01 etc]# more /etc/sssd/sssd.conf
[sssd]
domains =
abc.com
config_file_version = 2
services = nss, pam
[
domain/abc.com]
ad_domain =
abc.com
krb5_realm =
ABC.COM
ad_server = dc01.abc.com,dc02.abc.com,_srv_ realmd_tags =
manages-system joined-with-samba cache_credentials = True id_provider
= ad krb5_store_password_if_offline = True default_shell = /bin/bash
ldap_id_mapping = True use_fully_qualified_names = False
fallback_homedir = /home/%u@%d access_provider = simple debug_level =
8 simple_allow_groups = TDI Remote Access Users(a)abc.com, TDI Remote
Access Users(a)a.abc.com
########################################################
[root@server01 etc]# more /etc/krb5.conf [logging] default =
FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
# forwardable = true
rdns = false
default_realm =
ABC.COM
# default_ccache_name = KEYRING:persistent:%{uid} # kdc_timesync = 1
[realms]
ABC.COM = {
kdc =
dc01.abc.com
kdc =
dc02.abc.com
admin_server =
dc01.abc.com
}
[domain_realm]
.abc.com =
ABC.COM
abc.com =
ABC.COM
##################################################
system-auth
[root@server01 pam.d]# more system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth optional pam_python.so /usr/lib64/security/auth.py
auth sufficient pam_sss.so use_first_pass forward_pass
#auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3
authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[
Sonia Gilbert, -Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert@HawaiianAir.com<mailto:Sonia.Gilbert@HawaiianAir.com>
[HA Email Signature Logo]
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To
unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email
to sssd-users-leave(a)lists.fedorahosted.org