On Wed, Dec 07, 2016 at 06:19:06PM +0000, James Harrison wrote:
> Hi all,
> 
> I am trying to authenticate an Ubuntu Precise (12.06) fully patched system. 
> It's enrolled into a FreeIPA server. The following trace is the output of 
> syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
> 
> I am getting a PAM error at the end of the procedure. Also I can't seem to 
> authenticate against the public ssh key from the id override user.
> 
> I appreciate any help you can send my way.
> 
> Best regards,
> 
> James Harrison
> Below is more information
> 
> 
> root@jamesprecise:~# kinit x_james.harrison@AD.DOMAIN.LOCAL
> Password for x_james.harrison@AD.DOMAIN.LOCAL:
> 
> root@jamesprecise:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: x_james.harrison@AD.DOMAIN.LOCAL
> 
> Valid starting     Expires            Service principal
> 07/12/16 17:56:30  08/12/16 03:56:30  krbtgt/AD.DOMAIN.LOCAL@AD.DOMAIN.LOCAL
>     renew until 08/12/16 17:56:23
> 
> root@jamesprecise:~# id x_james.harrison@AD.DOMAIN.LOCAL
> uid=1039812876(x_james.harrison@ad.domain.local) 
> gid=1039812876(x_james.harrison@ad.domain.local) 
> groups=1039812876(x_james.harrison@ad.domain.local)

HBAC denied the login, which is probably related to the supplementary
groups not being resolved. This ancient SSSD version doesn't support
returning supplementary groups unless you log in -- during the login
attempt, the PAC responder should be able to decode the group
memberships from the PAC and store the groups.

So I'd look if the PAC responder is enabled and running and see if the
krb5_child resolves the SIDs during password authentication (or if PAC
responder is contacted during password-less authentication).

> root@pul-lv-ipa-02 ~]# ipa  idoverrideuser-show External_AD_views 
> x_james.harrison@ad.domain.local
>   Anchor to override: x_james.harrison@ad.domain.local
>   User login: x_james.harrison
>   Login shell: /bin/bash
>   SSH public key: ssh-rsa
>                   
> AAAAB3NzaC1yc2EAAAADAQABAAABAQDK1pj2U7H9olLs1xKmcmZVEBMWpaHjxF2LttsdfqfQxm810qMru/WsvzHqu0m5Ugu0FYsPxRLQrAEB8WPsPoh5Y0q5qYPgm5aDOZZEXfCPyuRwdQ+XLfQJ3gnGjW4r/XLEiNVpO9eKsFs0ifspNAJ1ndddddddddddddddd7h40rlHlOIqV/z8Omg6XnFBh9dIfiXtpYDOxe+512RpjtHE98s+NfIpUTT7MGNLHB5o/DqFXEJPH7Pp1bKwxWNvfCb5a71vcE695dQ31QYVYwpSwFmFogewgpV/OCb+S4SUdUq1xg0fmkhYr3d4UXFr91MDimyOBWk9Aai7NkOHPszmHJp
>                   JamesHarrison

Overrides are not supported with this version.

> 
> 
> Here are the software versions:
> 
> root@jamesprecise:# dpkg -l | grep -i freeipa
> ii  freeipa-client                             3.3.4-0ubuntu3.1~precise0.1    
>     FreeIPA centralized identity framework -- client
> ii  libipa-hbac0                               1.11.5-1ubuntu3~precise1       
>     FreeIPA HBAC Evaluator library
> ii  python-freeipa                             3.3.4-0ubuntu3.1~precise0.1    
>     FreeIPA centralized identity framework -- python modules
> ii  python-libipa-hbac                         1.11.5-1ubuntu3~precise1       
>     Python bindings for the FreeIPA HBAC Evaluator library
> 
> root@jamesprecise:# dpkg -l | grep -i openssh-server
> ii  openssh-server                             1:5.9p1-5ubuntu1.10            
>     secure shell (SSH) server, for secure access from remote machines
> 
> 
> root@jamesprecise:/var/log# dpkg -l | grep -i sssd
> ii  libsss-idmap0                              1.11.5-1ubuntu3~precise1       
>     ID mapping library for SSSD
> ii  sssd                                       1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- metapackage
> ii  sssd-ad                                    1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- Active Directory back end
> ii  sssd-ad-common                             1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- PAC responder
> ii  sssd-common                                1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- common files
> ii  sssd-ipa                                   1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- IPA back end
> ii  sssd-krb5                                  1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- Kerberos back end
> ii  sssd-krb5-common                           1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- Kerberos helpers
> ii  sssd-ldap                                  1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- LDAP back end
> ii  sssd-proxy                                 1.11.5-1ubuntu3~precise1       
>     System Security Services Daemon -- proxy back end
> ii  sudo                                       1.8.9p5-1ubuntu1.1~sssd1       
>     Provide limited super user privileges to specific users

All in all, I would suggest upgrading to something more recent.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
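The check the reply recommends (is the PAC responder enabled and running?), as an added example that is not part of this thread and not SSSD's own tooling. It is a small POSIX shell script: `pac_enabled` parses an sssd.conf and reports whether `pac` appears in the `[sssd]` section's `services =` line (a `[pac]` section alone does not enable the responder), and `pac_running` looks for the `sssd_pac` process. The paths `/etc/sssd/sssd.conf` and the `sssd_pac` process name are the usual ones on Debian/Ubuntu; the sample configs embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that SSSD's PAC responder is configured and active.
# Assumes the Debian/Ubuntu layout (/etc/sssd/sssd.conf, responder process
# named sssd_pac). Run with --run to check the live system.

# pac_enabled CONF -> prints "yes" if 'pac' is listed in the [sssd] section's
# 'services =' line of CONF, otherwise "no". Only the [sssd] section counts.
pac_enabled() {
    awk '
        # Track which section we are in; only [sssd] is relevant.
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")                 # keep only the value part
            n = split($0, svc, "[ ,\t]+")      # services are comma/space separated
            for (i = 1; i <= n; i++) if (svc[i] == "pac") found = 1
        }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# pac_running -> "yes" if an sssd_pac responder process exists, else "no".
pac_running() {
    if pgrep -x sssd_pac >/dev/null 2>&1; then echo yes; else echo no; fi
}

# check_pac CONF -> human-readable summary; exit status 0 only if both checks pass.
check_pac() {
    conf=${1:-/etc/sssd/sssd.conf}
    enabled=$(pac_enabled "$conf")
    running=$(pac_running)
    echo "PAC responder listed in services ($conf): $enabled"
    echo "sssd_pac process running: $running"
    if [ "$enabled" = yes ] && [ "$running" = yes ]; then
        echo "OK: group memberships from the PAC can be stored at login."
        return 0
    fi
    echo "Problem: add 'pac' to 'services =' in [sssd] and restart sssd,"
    echo "then watch /var/log/sssd/sssd_pac.log and krb5_child.log during a login."
    return 1
}

# Constructed sample configs (not from the thread) to show both outcomes.
sample_without_pac() {
    printf '[sssd]\nservices = nss, pam, ssh\ndomains = ad.domain.local\n\n[pac]\n'
}
sample_with_pac() {
    printf '[sssd]\nservices = nss, pam, ssh, pac\ndomains = ad.domain.local\n'
}

if [ "${1:-}" = "--run" ]; then
    check_pac "${2:-/etc/sssd/sssd.conf}"
fi
```

Usage: `sh check_pac.sh --run` inspects the live `/etc/sssd/sssd.conf`; pass a second argument to point it at another file. If `pac_enabled` says yes but `pac_running` says no, the responder was configured but SSSD was not restarted (or failed to start it), which is the case to look for in `sssd.log` before suspecting HBAC itself.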