kerberos local authentication not working

jpawlik
Posts: 7
Joined: 2019/09/19 21:36:27

Re: kerberos local authentication not working

Post by jpawlik » 2019/10/28 17:28:56

jgauthier wrote:
2019/10/28 14:32:23

If I want to join realm

# realm join AUTH.TAMU.EDU -U xxxxxx
realm: Cannot join this realm

So it looks like the realm is not configured and I cannot join it because I am not an AD admin user. Do I have to ask my IT people to give me AD admin rights? I never had to do this before, even though I installed several OSes on so many machines (SL6, CentOS 7, Ubuntu, etc.).
My environment runs a Windows AD that I join through this method. I have always needed to use an AD Domain Admin account in order for the DC to create the computer object for the Linux machine I am trying to add. It could be a recent change by the IT team to lock down security on the domain if you are no longer able to join machines.

Everything else is the same process I use on my CentOS 8 boxes. With CentOS 6 we use 'net ads join <domain> -U USER@<domain>', but it still requires that same domain admin privilege.

Best,

JP

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: kerberos local authentication not working

Post by BShT » 2019/10/28 18:58:00

same thing here, net ads join... with adm privileges

CentOS7, 8...

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/28 21:36:13

I configured another computer with CentOS 7 this morning and had no issue at all; everything worked just fine as usual. So nothing changed on the AD server. The problem is with the CentOS 8 configuration. I have to do something that I didn't have to do with CentOS 7, and I don't know what.

If I use net ads I get this error:

net ads join domain -U user@domain
Enter user@domain's password:
Failed to join domain: failed to find DC for domain SAMBA - {Operation Failed} The requested operation was unsuccessful.

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/28 21:49:28

BShT wrote:
2019/10/28 18:58:00
same thing here, net ads join... with adm privileges

CentOS7, 8...
Does it mean I need admin privileges on the server machine, not only the client one?

As I said we never had to do that before with pam_krb5. This realm join thing is new for me.

co6user
Posts: 4
Joined: 2019/10/29 04:25:46

Re: kerberos local authentication not working

Post by co6user » 2019/10/29 04:34:44

Maybe it's related to security policy tightening up in CentOS 8. Check what security policy is set for the machine.

/usr/bin/update-crypto-policies --show

By default, it's set to DEFAULT, which is much more restrictive than CentOS 7. If it is currently set to DEFAULT, try switching to LEGACY. Please note that LEGACY mode is less secure than DEFAULT mode. You can temporarily change it to LEGACY for debugging the issue. The security policy can be set per application as well.

sudo /usr/bin/update-crypto-policies --set legacy

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: kerberos local authentication not working

Post by hunter86_bg » 2019/10/29 04:49:10

There are 2 ways to join an AD.
1: The AD admin creates the Computer Object in advance and then you configure the daemons to use the AD as Identity Management & Kerberos KDC.
2: There is no object and you use 'net ads' (RHEL6/CentOS6) or 'realm' (which is just a 'net ads' wrapper) to create the necessary objects (including DNS) in AD and join the system. Authentication can be an AD user with the necessary privileges, a one-time password (provided by the AD guys) or a Kerberos keytab.

As per your words, I'm left with the impression that the AD guys create the DNS record and object - before you join the machine.

You need to clarify that with your AD administrators and check if they can provide you a one time password or user/pass with enough privileges.

Edit: Also, check that the necessary ports are allowed on both sides and on any firewall in between.

jpawlik
Posts: 7
Joined: 2019/09/19 21:36:27

Re: kerberos local authentication not working

Post by jpawlik » 2019/10/29 13:46:01

jgauthier wrote:
2019/10/28 14:32:23


# realm join XXXX.XXXX.EDU -U xxxxxx
realm: Cannot join this realm

So it looks like the realm is not configured and I cannot join it because I am not an AD admin user. Do I have to ask my IT people to give me AD admin rights? I never had to do this before, even though I installed several OSes on so many machines (SL6, CentOS 7, Ubuntu, etc.).
jgauthier wrote:
2019/10/24 22:20:03

The ldap works just fine and people are able to log in with their AD credentials with ssh. The autofs also works perfectly, and the kinit command has no problem authenticating people. The problem is that neither sudo -i nor local login (I mean logging in directly on the physical computer) works with AD credentials. It's like only ssh is able to use the Kerberos authentication. When I try to sudo -i I get these messages in /var/log/secure:

....

Is there any obvious reason why local authentication doesn't work with kerberos? I can post any other config file you may need to help me to resolve this problem. Thank you for your help!

Just to make sure,

Although it seems like you cannot join the domain with the 'realm' command, users are able to log into the machine with ssh?

One part of me wants to compare the /etc/pam.d/sshd and /etc/pam.d/system-auth. If you are able to log in over ssh, you SHOULD be able to log in locally.

For not finding the domain, I tend to lean towards /etc/resolv.conf and checking that you can 'nslookup <domain>' and see the correct DCs. However, being able to log in with credentials over ssh and seeing the DC when you do 'realm discover <domain>' takes me away from this. (I bring up resolv.conf because I had issues with NetworkManager resetting it all the time, which broke shares, etc.) I'm still getting hung up on the issue of not being able to join the realm.

Try this: While logged into the box from one terminal, 'tail -F /var/log/secure' and try logging in with AD credentials both locally and through another ssh terminal session. Compare the output and maybe we can get a glimpse of what is working for one and not the other.

Let me know what you are thinking and I'll spin up some test machines.

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/29 14:53:40

Hi,

Yes indeed, ssh works and kinit works also. Only local login doesn't work. So there is communication with the AD server, but for some reason it doesn't seem to be able to authenticate besides over an ssh connection. I did what you suggested and tailed /var/log/secure while logging in over ssh and in a local session.

For ssh I get that:

Oct 29 09:18:18 hostxxxx sshd[30301]: Accepted password for userxxxx from xxx.xx.xxx.xx port 38184 ssh2
Oct 29 09:18:18 hostxxxx sshd[30301]: pam_unix(sshd:session): session opened for user userxxxx by (uid=0)

When I try to login directly on the machine with the same user name and password I get:

Oct 29 09:35:53 hostxxxx unix_chkpwd[30492]: password check failed for user (userxxxx)
Oct 29 09:35:53 hostxxxx login[30411]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=userxxxx
Oct 29 09:35:53 hostxxxx login[30411]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=userxxxx
Oct 29 09:35:53 hostxxxx login[30411]: pam_sss(login:auth): received for user userxxx: 9 (Authentication service cannot retrieve authentication info)
Oct 29 09:35:55 hostxxxx login[30411]: FAILED LOGIN 1 FROM tty1 FOR userxxxx, Authentication failure

If I try to login root while on the ssh session:

Oct 29 09:39:31 hostxxxx unix_chkpwd[30551]: password check failed for user (userxxxx)
Oct 29 09:39:31 hostxxxx sudo[30549]: pam_unix(sudo-i:auth): authentication failure; logname=userxxxx uid=xxxxx euid=0 tty=/dev/pts/3 ruser=userxxxx rhost= user=userxxxx
Oct 29 09:39:31 hostxxxx sudo[30549]: pam_sss(sudo-i:auth): authentication failure; logname=userxxxx uid=xxxxx euid=0 tty=/dev/pts/3 ruser=userxxxx rhost= user=userxxxx
Oct 29 09:39:31 hostxxxx sudo[30549]: pam_sss(sudo-i:auth): received for user userxxxx: 9 (Authentication service cannot retrieve authentication info)


So it's exactly as if I entered a bad password. It looks like the Kerberos authentication is not done; it's like it doesn't even try if the login is not by ssh.

I compared my password-auth and system-auth with the one on a server for which it works (with CentOS 7) and they are the same. I really don't know. Any suggestions or other tests to do will be more than welcome.

edit: nslookup "domain" works and it can find the server and gives the right IPs so the problem is not coming from a bad resolv.conf configuration.

edit2: I tried /usr/bin/update-crypto-policies --set legacy as mentioned above but no change, still cannot log in besides ssh.
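As an added diagnostic aid (not code from any poster in this thread), the script below parses /var/log/secure lines in the format quoted above and reports, per PAM service (sshd, login, sudo-i), which modules logged an authentication failure and which return codes pam_sss received from sssd, so the ssh and local-login paths can be compared side by side. The sample lines are constructed from the excerpts above with placeholder host, user and IP values.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the /var/log/secure excerpts in this thread;
# hostname, PIDs, user name and IP address are placeholders, not real values.
SAMPLE_LOG = """\
Oct 29 09:18:18 hostxxxx sshd[30301]: Accepted password for userxxxx from 192.0.2.10 port 38184 ssh2
Oct 29 09:18:18 hostxxxx sshd[30301]: pam_unix(sshd:session): session opened for user userxxxx by (uid=0)
Oct 29 09:35:53 hostxxxx unix_chkpwd[30492]: password check failed for user (userxxxx)
Oct 29 09:35:53 hostxxxx login[30411]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=userxxxx
Oct 29 09:35:53 hostxxxx login[30411]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=userxxxx
Oct 29 09:35:53 hostxxxx login[30411]: pam_sss(login:auth): received for user userxxxx: 9 (Authentication service cannot retrieve authentication info)
Oct 29 09:39:31 hostxxxx sudo[30549]: pam_unix(sudo-i:auth): authentication failure; logname=userxxxx uid=1001 euid=0 tty=/dev/pts/3 ruser=userxxxx rhost= user=userxxxx
Oct 29 09:39:31 hostxxxx sudo[30549]: pam_sss(sudo-i:auth): received for user userxxxx: 9 (Authentication service cannot retrieve authentication info)
"""

# Matches "pam_<module>(<service>:<stack>): <message>" as written by Linux-PAM modules.
PAM_RE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<stack>\w+)\): (?P<msg>.*)$")
# pam_sss logs the raw PAM return code it got back; 9 is PAM_AUTHINFO_UNAVAIL.
SSS_CODE_RE = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

def parse_pam_events(log_text):
    """Return one dict per PAM module line; lines from other sources are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sss_code"] = None
        c = SSS_CODE_RE.search(ev["msg"])
        if c:
            ev["sss_code"] = int(c.group("code"))
            ev["user"] = c.group("user")
        events.append(ev)
    return events

def summarize(log_text):
    """Per PAM service: modules that logged 'authentication failure' and pam_sss codes seen."""
    summary = defaultdict(lambda: {"failed_modules": set(), "sss_codes": set()})
    for ev in parse_pam_events(log_text):
        entry = summary[ev["service"]]
        if "authentication failure" in ev["msg"]:
            entry["failed_modules"].add(ev["module"])
        if ev["sss_code"] is not None:
            entry["sss_codes"].add(ev["sss_code"])
    return dict(summary)

def services_with_sss_authinfo_unavail(log_text):
    """Services where pam_sss got PAM_AUTHINFO_UNAVAIL (9), i.e. sssd could not reach its auth backend."""
    return sorted(s for s, e in summarize(log_text).items() if 9 in e["sss_codes"])

if __name__ == "__main__":
    for service, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{service:8s} failed={sorted(entry['failed_modules'])} sss_codes={sorted(entry['sss_codes'])}")
    print("PAM_AUTHINFO_UNAVAIL from pam_sss in:", services_with_sss_authinfo_unavail(SAMPLE_LOG))
```

A service that shows pam_sss code 9 while sshd shows none points at the auth path sssd uses for that service, not at a wrong password.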

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/30 16:35:16

This morning I tried to replace everything in /etc/pam.d/sudo with the content of /etc/pam.d/sshd (since the authentication works with ssh) but got the same result: sudo -i works with the local password only (and the root login looks exactly the same as a new ssh session, which makes sense since I use the same options in that case). So I put those files back as they were before and I am out of ideas again.

Our IT guy told me yesterday that he is trying to set up another machine with CentOS 8 and he has the exact same problem: only ssh authentication works with kerberos. So it means that I am not totally stupid and something is really not working right with CentOS 8 and our system.

Also I took a look at the realmd journal when I execute the realm join command and I see messages saying that it cannot connect to the ldap server.

Oct 30 11:26:47 realmd[13301]: * Performing LDAP DSE lookup on: xxx.xxx.xxx.xx
Oct 30 11:26:47 realmd[13301]: socket closed or error
Oct 30 11:26:47 realmd[13301]: ! Can't contact LDAP server
Oct 30 11:26:47 realmd[13301]: ! Can't contact LDAP server
Oct 30 11:26:47 realmd[13301]: socket closed or error
Oct 30 11:26:47 realmd[13301]: ! Can't contact LDAP server
Oct 30 11:26:47 realmd[13301]: ! Can't contact LDAP server
Oct 30 11:26:47 realmd[13301]: Operation was cancelled
Oct 30 11:26:47 realmd[13301]: client gone away: :1.222
Oct 30 11:26:47 realmd[13301]: released daemon: :1.222


I don't understand why it says it's trying to contact an LDAP server. This Kerberos server is not an LDAP server. Is there another option somewhere that needs to be changed?

We also tried to set up the sudo_provider option in sssd.conf but no change at all.

So I am still waiting for suggestions from you guys. Thank you very much in advance!

jpawlik
Posts: 7
Joined: 2019/09/19 21:36:27

Re: kerberos local authentication not working

Post by jpawlik » 2019/10/30 18:44:08

I am looking through https://access.redhat.com/documentation ... g_services to try and find some configuration that may have been missed. I know this is written for RHEL7, but I'm comparing with my CentOS 8 boxes to see if there are differences.

Looking through my PAM configs, I notice su, sudo, and login point to system-auth, while sshd and gdm-password point to password-auth. However, both my system-auth and password-auth are the same. Were there differences in yours? Looking back I don't think there were but I'm going back and forth a lot.

The main sections I am looking at are:

7.3 Configuring Identity and Authentication Providers for SSSD: https://access.redhat.com/documentation ... ng_domains

7.5 Configuring System Services: https://access.redhat.com/documentation ... g_services

So far I am not seeing anything but I will keep digging through.
