Hi!

I have a problem I could use help on resolving:

We have a working IPA cluster and I am trying to join it with the Ubuntu 16.04 
freeipa-client. Everything seems to go smoothly; it creates config files that 
look just right. However, when I try to log in with SSH using the AD credentials 
I joined the IPA with, I can't log in, and auth.log gives me an error:

--
Sep  5 15:46:29 testcomputer2 sshd[1907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip>  user=<user>@<ad.domain>
Sep  5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip> user=<user>@<ad.domain>
Sep  5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): received for user <user>@<ad.domain>: 4 (System error)
Sep  5 15:46:31 testcomputer2 sshd[1907]: Failed password for <user>@<ad.domain> from <ip> port 42416 ssh2
--

I couldn't find anything solid, but then I turned on debug levels and looked into 
krb5_child.log. Our IPA domain is ipa.company.domain, but for some reason it 
tries to find the username in company.domain, and of course it can't find the 
username there.

--
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [<company.domain>]
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927017: Getting initial credentials for <user>@<company.domain>
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927076: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927109: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt\/<company.domain>\@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927151: Sending request (172 bytes) to <company.domain>
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938377: Retrying AS request with master KDC
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938418: Getting initial credentials for <user>@<company.domain>
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938442: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938467: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt\/<company.domain>\@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938511: Sending request (172 bytes) to <company.domain> (master)
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "<company.domain>"]
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "<company.domain>"]
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x4000): Response sent.
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [main] (0x0400): krb5_child completed successfully
--

It seems like it converts ad.domain to company.domain and not to 
ipa.company.domain for some reason. But like I said, the configuration in 
/var/lib/sss/pubconf/krb5.include.d seems legit.

--
[domain_realm]
.<ad.domain> = <AD.DOMAIN>
<ad.domain> = <AD.DOMAIN>
[capaths]
<AD.DOMAIN> = {
  <IPA.COMPANY.DOMAIN> = <AD.DOMAIN>
}
<IPA.COMPANY.DOMAIN> = {
  <AD.DOMAIN> = <AD.DOMAIN>
}
--

Any ideas why it's dropping the subdomain?


Eemeli
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
