Hi all.
I've enrolled a Linux machine into the domain using this tutorial:
http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux
machine or a Windows machine, but I can't log in using a password anymore.
Although I can obtain user info, request a TGT, and operate on this
server normally, I can't log in to it with a password.
I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir
--update', so all auth should be done in SSSD. I haven't configured
winbind with SSSD.
I've managed to work around it by adding this line to
/etc/pam.d/system-auth:
auth sufficient pam_krb5.so
But this seems like the wrong way to do it. A very wrong and dirty way. Or
maybe I'm wrong?
I want to use SSSD as a service for id and auth, with AD as the backend.
Here's what debug4 says:
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
(service pings)
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for
[ssh-username] from [<ALL>]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering
pam_cmd_authenticate
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: not set
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD_GC'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://AD.domain.local:3268'
[sssd[be[domain.local]]] [sdap_get_server_opts_from_rootdse] (0x0100):
Setting AD compatibility level to [6]
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://AD.domain.local'
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [hostname$@domain.LOCAL]
[[sssd[ldap_child[7973]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [MEMORY:/etc/krb5.keytab]
[sssd[be[domain.local]]] [sdap_cli_auth_step] (0x0100): expire timeout
is 900
[sssd[be[domain.local]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: gssapi, user: hostname$
[sssd[be[domain.local]]] [child_sig_handler] (0x0100): child [7973]
finished successfully.
[sssd[be[domain.local]]] [fo_set_port_status] (0x0100): Marking port 0
of server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [set_server_common_status] (0x0100): Marking
server 'AD.domain.local' as 'working'
[sssd[be[domain.local]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for
[ssh-username@domain.local]
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the
following data:
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: domain.local
[sssd[pam]] [pam_print_data] (0x0100): user: ssh-username
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: it-a1867.domain.local
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[pam]] [pam_print_data] (0x0100): logon name: ssh-username
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[be[domain.local]]] [be_pam_handler] (0x0100): Got request with the
following data
[sssd[be[domain.local]]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
[sssd[be[domain.local]]] [pam_print_data] (0x0100): domain: domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): user: ssh-username
[sssd[be[domain.local]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[domain.local]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[domain.local]]] [pam_print_data] (0x0100): ruser:
[sssd[be[domain.local]]] [pam_print_data] (0x0100): rhost:
it-a1867.domain.local
[sssd[be[domain.local]]] [pam_print_data] (0x0100): authtok type: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[domain.local]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[domain.local]]] [pam_print_data] (0x0100): cli_pid: 7971
[sssd[be[domain.local]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[domain.local]]] [krb5_auth_send] (0x0100): Home directory for
user [ssh-username] not known.
[sssd[be[domain.local]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed uri
'ldap://AD.domain.local'
[sssd[be[domain.local]]] [ad_resolve_callback] (0x0100): Constructed GC
uri 'ldap://AD.domain.local'
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): cmd [241] uid
[704417315] gid [704400513] validate [true] enterprise principal [true]
offline [false] UPN [ssh-username@DOMAIN.LOCAL]
[[sssd[krb5_child[7974]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_704417315_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_704417315_9XJZwx] keytab: [/etc/krb5.keytab]
[[sssd[krb5_child[7974]]]] [check_use_fast] (0x0100): Not using FAST.
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open
the PAC responder socket
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100):
SSSD_KRB5_CANONICALIZE is set to [true]
(service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request
failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed,
group membership for user with principal
[ssh-username\@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590:
[13][Permission denied]
[[sssd[krb5_child[7974]]]] [get_and_save_tgt] (0x0020): 1029:
[1432158209][Unknown code UUz 1]
[[sssd[krb5_child[7974]]]] [map_krb5_error] (0x0020): 1069:
[1432158209][Unknown code UUz 1]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Backend
returned: (0, 4, <NULL>) [Success]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sending
result [4][domain.local]
[sssd[be[domain.local]]] [be_pam_handler_callback] (0x0100): Sent result
[4][domain.local]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.local]
[sssd[be[ssh-username.local]]] [child_sig_handler] (0x0100): child
[7974] finished successfully.
Here's sssd.conf:
[domain/domain.local]
debug_level = 2
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
case_sensitive = false
cache_credentials = false
krb5_auth_timeout = 30
ad_domain = domain.local
ad_hostname = hostname.domain.local
ad_server = ad.domain.local, _srv_, ad2.domain.local
ad_backup_server = 192.168.0.13
ad_gpo_access_control = disabled
ldap_user_ssh_public_key = altSecurityIdentities
[sssd]
debug_level = 2
domains = domain.local
services = nss,pam,ssh
config_file_version = 2
[nss]
filter_users = root
filter_groups = root
default_shell = /bin/bash
override_homedir = /home/%d/%u
debug_level = 2
[pam]
debug_level = 2
offline_credentials_expiration = 7 # days
offline_failed_login_attempts = 6
offline_failed_login_delay = 5 # minutes
pam_pwd_expiration_warning = 5
[ssh]
debug_level=2
Here's nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Here's krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.LOCAL = {
# using dns lookup, nothing to write here
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
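Reading a wrapped SSSD debug dump like the one above by eye is slow, because the interesting entries (the ones whose level bit is 0x0040 or lower) are buried among hundreds of 0x0100 configuration lines, and a mail client has split many of them across two lines. The following is an added example, not code from the SSSD project or from the original post. It parses lines of the form `[sssd[proc[sub]]] [function] (0xLEVEL): message`, re-attaches wrapped continuation lines to their record, lists entries at "serious" or worse, and decodes the numeric code in the backend's `Sending result [N][domain]` line using the Linux-PAM return-code values. The SSSD level names come from sssd.conf(5); the PAM code names from Linux-PAM's `_pam_types.h`. The sample log, the `example.test` domain, user `jdoe` and child pid 4242 are constructed here to mirror the format of the post's output.

```python
"""Triage helper for SSSD debug logs (added example, not SSSD's own code)."""
import re
from dataclasses import dataclass
from typing import Optional

# SSSD debug_level bit values, as documented in sssd.conf(5).
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "configuration", 0x0200: "function-data", 0x0400: "trace-functions",
    0x1000: "trace-internal", 0x2000: "trace-all", 0x4000: "trace-ldb",
    0x10000: "trace-libs",
}

# Linux-PAM return codes (security/_pam_types.h) for the values worth decoding here.
PAM_CODES = {
    0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED",
}

# "[sssd[be[dom]]] [function] (0x0100): message" -- note the mandatory "] [" separators.
LINE_RE = re.compile(
    r"^\[(?P<component>.+?)\] \[(?P<function>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<message>.*)$"
)
# Pulls the responder/backend name and its optional qualifier (domain or child pid).
PROC_RE = re.compile(r"sssd\[(?P<proc>[^\[\]]+)(?:\[(?P<sub>[^\[\]]+)\])?\]")
RESULT_RE = re.compile(r"Sending result \[(?P<code>\d+)\]\[(?P<domain>[^\]]+)\]")


@dataclass
class Record:
    proc: str            # nss, pam, be, krb5_child, ldap_child, ...
    sub: Optional[str]   # domain name or child pid when the component carries one
    function: str
    level: int
    message: str

    @property
    def level_name(self) -> str:
        return LEVEL_NAMES.get(self.level, hex(self.level))


def parse_sssd_log(text: str) -> list:
    """Parse a debug dump; lines that do not start a record are wrapped continuations."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            if records:                      # glue the wrapped tail onto the previous record
                records[-1].message += " " + line
            continue
        p = PROC_RE.search(m.group("component"))
        proc, sub = (p.group("proc"), p.group("sub")) if p else (m.group("component"), None)
        records.append(Record(proc, sub, m.group("function"),
                              int(m.group("level"), 16), m.group("message")))
    return records


def triage(records, worst_level: int = 0x0040) -> list:
    """Entries at 'serious' or worse; a lower bit value means a higher severity."""
    return [r for r in records if r.level <= worst_level]


def pam_result(records):
    """(code, name, domain) of the last result the backend sent, or None if absent."""
    for r in reversed(records):
        m = RESULT_RE.search(r.message)
        if m:
            code = int(m.group("code"))
            return code, PAM_CODES.get(code, f"unknown({code})"), m.group("domain")
    return None


# Constructed sample in the post's format, including mail-client line wrapping.
SAMPLE_LOG = """\
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[be[example.test]]] [krb5_auth_send] (0x0100): Home directory for
user [jdoe] not known.
[[sssd[krb5_child[4242]]]] [check_use_fast] (0x0100): Not using FAST.
[[sssd[krb5_child[4242]]]] [privileged_krb5_setup] (0x0080): Cannot open
the PAC responder socket
[[sssd[krb5_child[4242]]]] [sss_send_pac] (0x0040): sss_pac_make_request
failed [-1][2].
[[sssd[krb5_child[4242]]]] [create_ccache] (0x0020): 590:
[13][Permission denied]
[[sssd[krb5_child[4242]]]] [get_and_save_tgt] (0x0020): 1029:
[1432158209][Unknown code UUz 1]
[sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Sending
result [4][example.test]
[sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][example.test]
"""

if __name__ == "__main__":
    recs = parse_sssd_log(SAMPLE_LOG)
    for r in triage(recs):
        print(f"{r.level_name:9s} {r.proc}[{r.sub}] {r.function}: {r.message}")
    print("backend result:", pam_result(recs))
```

Run against a real dump (`parse_sssd_log(open("/var/log/sssd/sssd_domain.local.log").read())`), the triage list puts the 0x0020 `create_ccache` "Permission denied" entry at the top, which is where to start reading rather than at the 0x0080 PAC-socket warning. The decoded result code separates the two failure classes a defender cares about: 7 (`PAM_AUTH_ERR`) means the KDC rejected the credentials, while 4 (`PAM_SYSTEM_ERR`), the value the backend sends in the post's log, means the password was never actually judged and the failure is local to the host.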