IPA client, Centos stream, SSH login problem

Support for security such as Firewalls and securing linux
bpranjic
Posts: 1
Joined: 2022/09/14 07:29:45

IPA client, Centos stream, SSH login problem

Post by bpranjic » 2022/09/15 14:53:23

Hi,

I have a problem with SSH login with a user from AD (someuser@AD.DOM) to an IPA-client CentOS Stream server (backupsrv.IPA.LAN).
The same configuration on an IPA-client RHEL 8.6 works without any problem.

sssd.conf

[domain/ipa.lan]

id_provider = ipa
ipa_server = _srv_, rh-ipa1.ipa.lan
ipa_domain = ipa.lan
krb5_use_fast = never
krb5_validate = False
krb5_use_enterprise_principal = True
ipa_hostname = backupsrv.ipa.lan
auth_provider = ipa
chpass_provider = ipa
access_provider = permit
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = *
krb5_auth_timeout = 180
debug_level=9
[sssd]
debug_level=9
services = nss, pam, ssh, sudo
domains = ipa.lan
[nss]
homedir_substring = /home
[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]

krb5.conf

#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.LAN
  dns_lookup_realm = true
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  IPA.LAN = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .ipa.lan = IPA.LAN
  ipa.lan = IPA.LAN
  backupsrv.ipa.lan = IPA.LAN

krb5_child.log (with debug_level = 9)

(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x0400): [RID#12] krb5_child started.
(2022-09-15 16:10:07): [krb5_child[1856]] [unpack_buffer] (0x1000): [RID#12] total buffer size: [96]
(2022-09-15 16:10:07): [krb5_child[1856]] [unpack_buffer] (0x0100): [RID#12] cmd [249 (pre-auth)] uid [1260413281] gid [1260413281] validate [false] enterprise principal [true] offline [false] UPN [someuser@AD.DOM]
(2022-09-15 16:10:07): [krb5_child[1856]] [unpack_buffer] (0x0100): [RID#12] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
(2022-09-15 16:10:07): [krb5_child[1856]] [check_use_fast] (0x0100): [RID#12] Not using FAST.
(2022-09-15 16:10:07): [krb5_child[1856]] [become_user] (0x0200): [RID#12] Trying to become user [1260413281][1260413281].
(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x2000): [RID#12] Running as [1260413281][1260413281].
(2022-09-15 16:10:07): [krb5_child[1856]] [set_lifetime_options] (0x0100): [RID#12] No specific renewable lifetime requested.
(2022-09-15 16:10:07): [krb5_child[1856]] [set_lifetime_options] (0x0100): [RID#12] No specific lifetime requested.
(2022-09-15 16:10:07): [krb5_child[1856]] [set_canonicalize_option] (0x0100): [RID#12] Canonicalization is set to [true]
(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x0400): [RID#12] Will perform pre-auth
(2022-09-15 16:10:07): [krb5_child[1856]] [tgt_req_child] (0x1000): [RID#12] Attempting to get a TGT
(2022-09-15 16:10:07): [krb5_child[1856]] [get_and_save_tgt] (0x0400): [RID#12] Attempting kinit for realm [IPA.LAN]
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602172: Getting initial credentials for someuser\@AD.DOM@IPA.LAN

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602174: Sending unauthenticated request

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602175: Sending request (185 bytes) to IPA.LAN

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602176: Initiating TCP connection to stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602177: Sending TCP request to stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602178: Received answer (136 bytes) from stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602179: Terminating TCP connection to stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602180: Response was from master KDC

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602181: Received error from KDC: -1765328316/Realm not local to KDC

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602182: Following referral to realm AD.DOM

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602184: Sending unauthenticated request

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602185: Sending request (183 bytes) to AD.DOM

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602186: Sending DNS URI query for _kerberos.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602187: No URI records found

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602188: Sending DNS SRV query for _kerberos._udp.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602189: SRV answer: 0 100 88 "sdrdc1.ad.dom."

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602190: SRV answer: 0 100 88 "szgdc4.ad.dom."

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602191: SRV answer: 0 100 88 "szgdc3.ad.dom."

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602192: Sending DNS SRV query for _kerberos._tcp.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602193: SRV answer: 0 100 88 "sdrdc1.ad.dom."

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602194: SRV answer: 0 100 88 "szgdc3.ad.dom."

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602195: SRV answer: 0 100 88 "szgdc4.ad.dom."

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602196: Resolving hostname sdrdc1.ad.dom.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602197: Resolving hostname szgdc4.ad.dom.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602198: Resolving hostname szgdc3.ad.dom.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602199: Resolving hostname sdrdc1.ad.dom.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602200: Initiating TCP connection to stream 10.35.149.101:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602201: Sending TCP request to stream 10.35.149.101:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602202: Received answer (173 bytes) from stream 10.35.149.101:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602203: Terminating TCP connection to stream 10.35.149.101:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602204: Sending DNS URI query for _kerberos.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602205: No URI records found

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602206: Sending DNS SRV query for _kerberos-master._tcp.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602207: No SRV records found

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602208: Response was not from master KDC

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602209: Received error from KDC: -1765328359/Additional pre-authentication required

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602212: Preauthenticating using KDC method data

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602213: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602214: Selected etype info: etype aes256-cts, salt "AD.DOMsomeuser", params ""

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_responder] (0x4000): [RID#12] Got question [password].
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_prompter] (0x4000): [RID#12] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_prompter] (0x4000): [RID#12] Prompt [0][Password for someuser\@AD.DOM@AD.DOM].
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_prompter] (0x0200): [RID#12] Prompter interface isn't used for password prompts by SSSD.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602215: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602216: Retrying AS request with master KDC

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602217: Getting initial credentials for someuser\@AD.DOM@IPA.LAN

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602219: Sending unauthenticated request

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602220: Sending request (185 bytes) to IPA.LAN (master)

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602221: Initiating TCP connection to stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602222: Sending TCP request to stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602223: Received answer (136 bytes) from stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602224: Terminating TCP connection to stream 10.31.1.152:88

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602225: Received error from KDC: -1765328316/Realm not local to KDC

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602226: Following referral to realm AD.DOM

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602228: Sending unauthenticated request

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602229: Sending request (183 bytes) to AD.DOM (master)

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602230: Sending DNS URI query for _kerberos.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602231: No URI records found

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602232: Sending DNS SRV query for _kerberos-master._udp.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602233: Sending DNS SRV query for _kerberos-master._tcp.AD.DOM.

(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602234: No SRV records found

(2022-09-15 16:10:07): [krb5_child[1856]] [get_and_save_tgt] (0x0400): [RID#12] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(2022-09-15 16:10:07): [krb5_child[1856]] [k5c_send_data] (0x0200): [RID#12] Received error code 0
(2022-09-15 16:10:07): [krb5_child[1856]] [pack_response_packet] (0x2000): [RID#12] response packet size: [12]
(2022-09-15 16:10:07): [krb5_child[1856]] [k5c_send_data] (0x4000): [RID#12] Response sent.
(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x0400): [RID#12] krb5_child completed successfully

krb5_child.log (without debug_level = 9)

(2022-09-15 16:23:09): [krb5_child[2188]] [validate_tgt] (0x0020): [RID#4] TGT failed verification using key for [someuser@ad.dom].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x0400): [RID#4] krb5_child started.
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [unpack_buffer] (0x1000): [RID#4] total buffer size: [105]
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [unpack_buffer] (0x0100): [RID#4] cmd [241 (auth)] uid [1260413281] gid [1260413281] validate [false] enterprise principal [true] offline [false] UPN [someuser@AD.DOM]
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [unpack_buffer] (0x0100): [RID#4] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [check_use_fast] (0x0100): [RID#4] Not using FAST.
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [switch_creds] (0x0200): [RID#4] Switch user to [1260413281][1260413281].
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [sss_krb5_cc_verify_ccache] (0x2000): [RID#4] TGT not found or expired.
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [switch_creds] (0x0200): [RID#4] Switch user to [0][0].
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [k5c_check_old_ccache] (0x4000): [RID#4] Ccache_file is [KCM:] and is not active and TGT is  valid.
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [k5c_precreate_ccache] (0x4000): [RID#4] Recreating ccache
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [become_user] (0x0200): [RID#4] Trying to become user [1260413281][1260413281].
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x2000): [RID#4] Running as [1260413281][1260413281].
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [set_lifetime_options] (0x0100): [RID#4] No specific renewable lifetime requested.
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [set_lifetime_options] (0x0100): [RID#4] No specific lifetime requested.
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [set_canonicalize_option] (0x0100): [RID#4] Canonicalization is set to [true]
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x0400): [RID#4] Will perform auth
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x0400): [RID#4] Will perform online auth
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [tgt_req_child] (0x1000): [RID#4] Attempting to get a TGT
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [get_and_save_tgt] (0x0400): [RID#4] Attempting kinit for realm [IPA.LAN]
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [sss_krb5_responder] (0x4000): [RID#4] Got question [password].
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [sss_krb5_expire_callback_func] (0x2000): [RID#4] exp_time: [473257496]
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [validate_tgt] (0x2000): [RID#4] Keytab entry with the realm of the credential not found in keytab. Using the last entry.
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [validate_tgt] (0x0020): [RID#4] TGT failed verification using key for [someuser@ad.dom].
********************** BACKTRACE DUMP ENDS HERE *********************************

(2022-09-15 16:23:09): [krb5_child[2188]] [get_and_save_tgt] (0x0020): [RID#4] 2045: [-1765328377][Server not found in Kerberos database]
(2022-09-15 16:23:09): [krb5_child[2188]] [map_krb5_error] (0x0020): [RID#4] 2137: [-1765328377][Server not found in Kerberos database]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [get_and_save_tgt] (0x0020): [RID#4] 2045: [-1765328377][Server not found in Kerberos database]
   *  (2022-09-15 16:23:09): [krb5_child[2188]] [map_krb5_error] (0x0020): [RID#4] 2137: [-1765328377][Server not found in Kerberos database]
********************** BACKTRACE DUMP ENDS HERE *********************************

secure.log

Sep 15 16:10:06 backupsrv sshd[1852]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.195.154 user=someuser@ad.dom
Sep 15 16:10:06 backupsrv sshd[1852]: pam_sss(sshd:auth): received for user someuser@ad.dom: 4 (System error)
Sep 15 16:10:07 backupsrv sshd[1844]: error: PAM: Authentication failure for someuser@ad.dom from 192.168.195.154
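As an added example (not code from the post above, and not part of SSSD or FreeIPA), the Python script below parses krb5_child.log trace lines of the kind posted in this thread and summarises one AS-REQ attempt: which realms were contacted, the referral from IPA.LAN to AD.DOM, each KDC error, the preauth module outcome, and the final krb5 result code. The sample lines are a constructed, condensed subset of the debug_level 9 trace above. The error-name table is an assumption in the sense that it is partial: it decodes only the codes that occur in this thread, using the MIT krb5 convention that a code is KRB5KDC_ERR_NONE (-1765328384) plus the entry's position in the krb5 error table.

```python
"""Triage helper for SSSD krb5_child.log traces (debug_level = 9).

Added example, not from the forum post or SSSD: summarises one AS-REQ
attempt (realm path, referrals, KDC errors, preauth outcome, final code).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a condensed subset of the trace posted in the thread.
SAMPLE_LOG = r'''
(2022-09-15 16:10:07): [krb5_child[1856]] [unpack_buffer] (0x0100): [RID#12] cmd [249 (pre-auth)] uid [1260413281] gid [1260413281] validate [false] enterprise principal [true] offline [false] UPN [someuser@AD.DOM]
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602172: Getting initial credentials for someuser\@AD.DOM@IPA.LAN
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602175: Sending request (185 bytes) to IPA.LAN
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602181: Received error from KDC: -1765328316/Realm not local to KDC
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602182: Following referral to realm AD.DOM
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602185: Sending request (183 bytes) to AD.DOM
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602209: Received error from KDC: -1765328359/Additional pre-authentication required
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602214: Selected etype info: etype aes256-cts, salt "AD.DOMsomeuser", params ""
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602215: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(2022-09-15 16:10:07): [krb5_child[1856]] [get_and_save_tgt] (0x0400): [RID#12] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
'''

# One krb5_child log line: timestamp, pid, function, debug level, request id, message.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
# Trace callback messages carry their own "[pid] unixtime: " prefix.
TRACE_PREFIX_RE = re.compile(r"^\[\d+\] \d+\.\d+: ")

# Assumption: partial table, only the codes that appear in this thread.
KRB5_ERR_BASE = -1765328384  # KRB5KDC_ERR_NONE; code = base + table position
KRB5_ERR_NAMES = {
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    68: "KRB5KDC_ERR_WRONG_REALM",
    130: "KRB5_LIBOS_CANTREADPWD",
    210: "KRB5_PREAUTH_FAILED",
}


def krb5_error_name(code: int) -> str:
    off = code - KRB5_ERR_BASE
    return KRB5_ERR_NAMES.get(off, f"krb5 error offset {off}")


@dataclass
class AsReqSummary:
    upn: Optional[str] = None
    validate: Optional[str] = None
    enterprise_principal: Optional[str] = None
    realms_contacted: List[str] = field(default_factory=list)
    referrals: List[str] = field(default_factory=list)
    kdc_errors: List[Tuple[Optional[str], int, str]] = field(default_factory=list)
    preauth_results: List[Tuple[str, int, str]] = field(default_factory=list)
    etype: Optional[str] = None
    salt: Optional[str] = None
    final_code: Optional[int] = None


def summarize(lines) -> AsReqSummary:
    """Walk the log once and collect the facts that matter for triage."""
    s = AsReqSummary()
    current_realm: Optional[str] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "unpack_buffer":  # request parameters SSSD handed to krb5_child
            for key, attr in (("validate", "validate"),
                              ("enterprise principal", "enterprise_principal"),
                              ("UPN", "upn")):
                km = re.search(re.escape(key) + r" \[([^\]]+)\]", msg)
                if km:
                    setattr(s, attr, km.group(1))
        elif func == "get_and_save_tgt":
            fm = re.search(r"krb5_get_init_creds_password returned \[(-?\d+)\]", msg)
            if fm:
                s.final_code = int(fm.group(1))
        elif func == "sss_child_krb5_trace_cb":
            msg = TRACE_PREFIX_RE.sub("", msg)
            if (rm := re.match(r"Sending request \(\d+ bytes\) to (\S+)", msg)):
                current_realm = rm.group(1)
                s.realms_contacted.append(current_realm)
            elif (rm := re.match(r"Received error from KDC: (-?\d+)/(.*)", msg)):
                s.kdc_errors.append((current_realm, int(rm.group(1)), rm.group(2)))
            elif (rm := re.match(r"Following referral to realm (\S+)", msg)):
                s.referrals.append(rm.group(1))
            elif (rm := re.match(r'Selected etype info: etype (\S+), salt "([^"]*)"', msg)):
                s.etype, s.salt = rm.group(1), rm.group(2)
            elif (rm := re.match(r"Preauth module (\S+) \(\d+\) \(real\) returned: (-?\d+)/(.*)", msg)):
                s.preauth_results.append((rm.group(1), int(rm.group(2)), rm.group(3)))
    return s


def triage(s: AsReqSummary) -> List[str]:
    """Render the summary as short findings; the last line is the final result."""
    out = [f"UPN {s.upn}: validate={s.validate} enterprise_principal={s.enterprise_principal}"]
    if s.realms_contacted:
        out.append("realm path: " + " -> ".join(dict.fromkeys(s.realms_contacted)))
    for realm, code, text in s.kdc_errors:
        out.append(f"KDC {realm}: {krb5_error_name(code)} ({text})")
    for mod, code, text in s.preauth_results:
        out.append(f"preauth {mod}: {krb5_error_name(code)} ({text})")
    if s.final_code is not None:
        out.append(f"result: {krb5_error_name(s.final_code)}")
    return out


if __name__ == "__main__":
    for line in triage(summarize(SAMPLE_LOG.strip().splitlines())):
        print(line)
```

Run it against a real file with `summarize(open("/var/log/sssd/krb5_child.log"))` for a single request id; the `validate` field it extracts is the same flag `krb5_validate` sets in sssd.conf, so comparing the two is a quick way to confirm the configuration actually reached the child process. Note that the realm path is taken from "Sending request ... to" lines, so a "(master)" retry appears as a repeat of the same realm rather than a new hop.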

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPA client, Centos stream, SSH login problem

Post by TrevorH » 2022/09/15 15:57:06

If this works in RHEL of the same major version then I would say you've found a bug. For information on filing bugs against CentOS Linux or CentOS Stream please see https://wiki.centos.org/ReportBugs
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
