Hi

Hm, when I'm root, "kinit -k" works:

# kinit -k
#

Just not as a user. As a user, I get the "kinit: Permission denied while
getting initial credentials" error message.

Regards,
Alexander

2015-10-05 9:00 GMT+02:00 Alexander Skwar <alexanders.mailinglists+nos...@gmail.com>:

> Hi
>
> Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> to login with SSH and enter a password.
>
> kinit doesn't work.
>
> $ kinit -k
> kinit: Permission denied while getting initial credentials
>
> For this test, I was root and then did a "su - user" and then "kinit -k".
> Also after the "kinit -k", nothing is in the krb5_child.log.
>
> Regards,
> Alexander
>
>
> 2015-10-02 17:59 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
>
>> On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
>> > Hello
>> >
>> > How do I get password authentication to work with freeipa-client
>> > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
>> >
>> > Long version follows :)
>> >
>> > We've got an IPA server with the Red Hat Identity Management server
>> > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
>> > users and groups there and would now like to login with SSH. When I
>> > store a SSH key for the user account, I can login just fine, using
>> > this SSH key. But I'd like/need to use passwords as well. And sudo
>> > also doesn't work, when it's asking for passwords - I supposed,
>> > it's the same root cause.
>> >
>> > Let's stick with SSH.
>> >
>> > Initially, I installed the FreeIPA client with this command line:
>> >
>> > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
>> > --enable-dns-updates --unattended \
>> > --principal=admin --password=correctone \
>> > --domain=customer.company.internal \
>> > --server=auth01.customer.company.internal
>> >
>> > I then try to do a SSH login with:
>> >
>> > ssh -l ewt@customer.company.internal 192.168.229.143
>> > or:
>> > ssh -l ewt 192.168.229.143
>> >
>> > Password authentication doesn't work.
>> >
>> > In the /var/log/syslog on the system where I try to login, I find this:
>> >
>> > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
>> > Key table entry not found
>> >
>> > After having turned up the debug level of the sssd with "sssd -i -f -d
>> > 0x0770 --debug-timestamps=1", I find the following in the system log
>> > files:
>> >
>> > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
>> > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
>> > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
>> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
>> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
>> > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
>> > pam_sss(sshd:auth): received for user ewt: 4 (System error)
>> > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
>> > password for ewt from 212.71.117.1 port 58136 ssh2
>> >
>> > TBH, I don't quite understand it. Anyway, in
>> > /var/log/sssd/sssd_customer.company.internal.log I noticed:
>> >
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [read_pipe_handler] (0x0400): EOF received, client finished
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [parse_krb5_child_response] (0x0020): message too short.
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [krb5_auth_done] (0x0040): Could not parse child response [22]:
>> > Invalid argument
>> > (Fri Oct 2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
>> >
>> > Well… What am I doing wrong or what might I have forgotten?
>>
>> We need to also see the krb5_child.log but please check if the keytab is
>> correct (ie kinit -k works).
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
>
> Alexander
> --
> => *Google+* => http://plus.skwar.me <==
> => *Chat* (Jabber/Google Talk) => a.sk...@gmail.com <==
>

--

Alexander
--
=> *Google+* => http://plus.skwar.me <==
=> *Chat* (Jabber/Google Talk) => a.sk...@gmail.com <==