Re: User login issue

2024-02-07 Thread Mike Gabriel

Hi Roman,

On Wed 07 Feb 2024 12:51:11 CET, roman.meier wrote:

> Hi folks,
>
> Yesterday, I came across the following entry in /var/log/auth.log:
>
> Feb  6 11:03:38 tjener su: pam_krb5(su:auth): (user roman) credential verification failed: Cannot find key for host/tjener.intern@INTERN kvno 16 in keytab
>
> I also had a closer look at the following script:
> /usr/share/debian-edu-config/tools/copy-host-keytab
>
> This then led me to the solution of my authentication problem.
>
> My file /etc/krb5.keytab was missing many entries preventing
> successful user logins. Executing the script fixed this finally.
>
> Kind regards,
> Roman


If you run an old version of TJENER, you might be facing this bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002014

Please adjust your gosa-modify-host script in  
/usr/share/debian-edu-config/tools/ as shown here:

https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/57d70cb10a902a004ed39da902b6808c36ce1851

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
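An added diagnostic example (not code from this thread and not part of debian-edu-config) that tells the two failure stages seen in this thread apart. The krb5kdc PREAUTH_FAILED lines from January mean the password typed did not match the key the KDC holds for mm@INTERN, so the login never got past the AS exchange. The February pam_krb5 line is a different stage: the AS exchange succeeded, and it is pam_krb5's credential verification that failed, i.e. it fetched a service ticket for host/tjener.intern@INTERN but /etc/krb5.keytab held no key at KVNO 16 to decrypt it with. That check is what protects a login against a spoofed KDC, which is why a stale or incomplete host keytab locks out users whose passwords are perfectly fine. The log lines below are the ones quoted in this thread, re-joined onto single lines; the `klist -k -e` listing is constructed to show a host key left behind at an older KVNO and is not tjener's real keytab.

```python
import re
from collections import Counter

# Constructed sample: the auth.log lines quoted in this thread, joined back
# onto single lines, plus one login(1) line that must be ignored.
SAMPLE_LOG = """\
Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: mm@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
Jan  7 11:04:34 tjener krb5kdc[2232]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
Jan  7 11:04:38 tjener login[17928]: FAILED LOGIN (1) on '/dev/tty1' FOR 'mm', Authentication failure
Feb  6 11:03:38 tjener su: pam_krb5(su:auth): (user roman) credential verification failed: Cannot find key for host/tjener.intern@INTERN kvno 16 in keytab
"""

# Constructed `klist -k -e` style listing (MIT Kerberos output format). It is
# NOT tjener's real keytab: the host key is there, but only at KVNO 14, while
# the KDC already issues tickets encrypted with KVNO 16.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  14 host/tjener.intern@INTERN (aes256-cts-hmac-sha1-96)
  14 host/tjener.intern@INTERN (aes128-cts-hmac-sha1-96)
   3 ldap/tjener.intern@INTERN (aes256-cts-hmac-sha1-96)
"""

# AS exchange rejected by the KDC: wrong password / wrong key for the client
# principal.  NEEDED_PREAUTH lines are normal protocol chatter and are ignored.
PREAUTH_FAILED_RE = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ .*?\s(?P<src>[\d.]+): PREAUTH_FAILED: "
    r"(?P<client>\S+) for (?P<server>\S+),"
)
# pam_krb5 got a TGT but could not verify it against the local host key.
KEYTAB_VERIFY_RE = re.compile(
    r"pam_krb5\((?P<service>[^:]+):auth\): \(user (?P<user>\S+)\)\s+"
    r"credential verification failed: Cannot find key for (?P<princ>\S+) "
    r"kvno (?P<kvno>\d+) in keytab"
)
KLIST_ROW_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)")


def parse_keytab_listing(text):
    """Map principal -> set of KVNOs present, from `klist -k [-e]` output."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            keys.setdefault(m["princ"], set()).add(int(m["kvno"]))
    return keys


def classify_line(line):
    """("preauth_failed", client, src), ("keytab_verify", user, princ, kvno)
    or None for lines that carry neither failure signature."""
    m = PREAUTH_FAILED_RE.search(line)
    if m:
        return ("preauth_failed", m["client"], m["src"])
    m = KEYTAB_VERIFY_RE.search(line)
    if m:
        return ("keytab_verify", m["user"], m["princ"], int(m["kvno"]))
    return None


def keytab_verdict(keys, princ, kvno):
    """Why pam_krb5 could not find princ at kvno in the keytab."""
    if princ not in keys:
        return "missing_principal"
    if kvno not in keys[princ]:
        return "stale_kvno"
    return "kvno_present_check_enctype"


def triage(log_text, keytab_text):
    """Count KDC preauth failures per (client, source IP) and explain each
    pam_krb5 keytab verification failure against the keytab listing."""
    keys = parse_keytab_listing(keytab_text)
    preauth = Counter()
    keytab_problems = []
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue
        if hit[0] == "preauth_failed":
            preauth[(hit[1], hit[2])] += 1
        else:
            _, user, princ, kvno = hit
            keytab_problems.append({
                "user": user,
                "principal": princ,
                "wanted_kvno": kvno,
                "keytab_kvnos": sorted(keys.get(princ, ())),
                "verdict": keytab_verdict(keys, princ, kvno),
            })
    return {"preauth_failed": preauth, "keytab": keytab_problems}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_KEYTAB)
    for (client, src), n in report["preauth_failed"].items():
        print(f"{n}x PREAUTH_FAILED for {client} from {src}: password does not "
              "match the KDC's key for this principal (user side, not the keytab)")
    for p in report["keytab"]:
        print(f"{p['user']}: keytab lacks {p['principal']} kvno {p['wanted_kvno']} "
              f"(have {p['keytab_kvnos']}): {p['verdict']}; refresh "
              "/etc/krb5.keytab, e.g. with copy-host-keytab")
```

To use it on a real box, feed it `klist -k -e /etc/krb5.keytab` output together with the auth.log excerpt: a `stale_kvno` or `missing_principal` verdict means re-exporting the host keytab (as Roman did with copy-host-keytab) is the fix, while a pile of PREAUTH_FAILED counts for one principal points at that user's Kerberos password or principal key instead, which is the symptom the gosa password bugs discussed further down produced.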





Re: User login issue

2024-02-07 Thread roman.meier
Hi folks,

Yesterday, I came across the following entry in /var/log/auth.log:

Feb  6 11:03:38 tjener su: pam_krb5(su:auth): (user roman) credential verification failed: Cannot find key for host/tjener.intern@INTERN kvno 16 in keytab

I also had a closer look at the following script:
/usr/share/debian-edu-config/tools/copy-host-keytab

This then led me to the solution of my authentication problem.

My file /etc/krb5.keytab was missing many entries preventing successful user 
logins. Executing the script fixed this finally.

Kind regards,
Roman

> On 01/07/2024 11:07 AM GMT roman.me...@gismap.ch wrote:
> 
> Hi folks,
> 
> Maybe the following helps to narrow things down?
> 
> I checked on /var/log/auth.log today and I'm getting the following upon 
> trying to log in as user mm in the console:
> 
> Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: mm@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
> Jan  7 11:04:34 tjener krb5kdc[2232]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
> Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: mm@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
> Jan  7 11:04:34 tjener krb5kdc[2232]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
> Jan  7 11:04:34 tjener login[17928]: pam_krb5(login:auth): authentication failure; logname=mm uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
> Jan  7 11:04:34 tjener login[17928]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=mm
> Jan  7 11:04:38 tjener login[17928]: FAILED LOGIN (1) on '/dev/tty1' FOR 'mm', Authentication failure
> 
> Kind regards,
> Roman



Re: User login issue

2024-01-07 Thread roman.meier
Hi folks,

Maybe the following helps to narrow things down?

I checked on /var/log/auth.log today and I'm getting the following upon trying 
to log in as user mm in the console:

Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: mm@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
Jan  7 11:04:34 tjener krb5kdc[2232]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: NEEDED_PREAUTH: mm@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required
Jan  7 11:04:34 tjener krb5kdc[2232]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan  7 11:04:34 tjener krb5kdc[2232]: AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.2.2: PREAUTH_FAILED: mm@INTERN for krbtgt/INTERN@INTERN, Preauthentication failed
Jan  7 11:04:34 tjener login[17928]: pam_krb5(login:auth): authentication failure; logname=mm uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Jan  7 11:04:34 tjener login[17928]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=mm
Jan  7 11:04:38 tjener login[17928]: FAILED LOGIN (1) on '/dev/tty1' FOR 'mm', Authentication failure

Kind regards,
Roman



Re: User login issue

2024-01-06 Thread roman.meier
Hi Mike,

> This very likely means that your Kerberos layer / service stack is broken.
> 
> Do you have libpam-krb5 installed on TJENER? (That would be an easy solution).

Nope, it was not installed. Maybe my legacy installation does not need it? I 
installed it but things did not improve.

> Does the new user object in LDAP have krb* LDAP attributes?

Yep, I found 9 entries:

krbPrincipalName: mm@INTERN
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,dc=no
krbLoginFailedCount: 0
krbTicketFlags: 128
krbPrincipalKey:: AwIBAqMDAgEBpIICPjCCAjowVKAHMAWgAwIBAKFJMEeg[...]
krbPasswordExpiration: 1970010100Z
krbLastPwdChange: 20240105153122Z
krbExtraData:: AALKIJhlcm9vdC9hZG1pbkBJTlRFUk4A
krbExtraData:: AAgBAA==

> If you launch kadmin.local and then enter "list_principals": do any  
> Kerberos principals (users and/or hosts and/or services) get shown? Do  
> the user accounts that fail login get listed by this?

Yep, they get all nicely listed.

> If the new LDAP users don't get listed, try "add_princ -policy users  
> " and try login from another tty.
> 
> If the new LDAP users get listed, try to set their password using "cpw ".

I did this but the user still can't login.

> Please also let me/us know what versions of Debian Edu you have  
> installed (11 or 12)?

This one is my personal debian edu workstation and testserver. It's rather 
legacy and still on 10 (buster) with GOsa 2.7.4.

> If 12, have you upgraded to latest package  
> versions? There was a bug in Debian Edu 12's debian-edu-config that  
> only got resolved recently:
> 
> ```
> debian-edu-config (2.12.41~deb12u1) bookworm; urgency=medium
> 
>* Upload to bookworm.
> 
>   -- Mike Gabriel   Sun, 03 Dec 2023 08:45:42 +0100
> 
> debian-edu-config (2.12.41) unstable; urgency=medium
> 
>[ Guido Berhoerster ]
>* gosa-sync: Decode the user password which GOsa substitutes base64 
> encoded.
>  This fixes a bug where the user password could not be set or changed.
>  (related to #1052159).
> 
>   -- Mike Gabriel   Fri, 01 Dec 2023 21:44:38 +0100
> ```
> 
> This fix in d-e-c goes together with a fix in gosa:

d-e-c?

> ```
> gosa (2.8~git20230203.10abe45+dfsg-1+deb12u2) bookworm; urgency=medium
> 
>[ Daniel Teichmann ]
>* debian/patches:
>  [...]
>  + Add 1044_fix-class-ldap-serialization.patch which fixes a few bugs
>regarding serialization. This especially fixes setting LDAP 
> userPassword
>attribute types via GOsa². (Closes: #1052159).
>  + Add 1045_fix-posixaccount-shadowExpire.patch which fixes shadowExpire
>always being set to 0. (User can't login then). (Closes: #1053806).
> 
>[ Guido Berhoerster ]
>* debian/patches:
>  [...]
> 
>[ Mike Gabriel ]
>* debian/patches:
>  [...]
> 
>   -- Mike Gabriel   Sun, 03 Dec 2023 08:16:31 +0100
> ```
> 
> If you run Debian Edu 12, simply upgrading d-e-c and gosa to the  
> referenced versions should help.
> 
> Mike

Kind regards,
Roman



Re: User login issue

2024-01-06 Thread Mike Gabriel

Hi Roman,

On Sat 06 Jan 2024 12:16:31 CET, roman.meier wrote:

> I can create a new user but the behavior is the same: I cannot login
> on the server. Login into GOsa2 works fine.

This very likely means that your Kerberos layer / service stack is broken.

Do you have libpam-krb5 installed on TJENER? (That would be an easy solution).

Does the new user object in LDAP have krb* LDAP attributes?

If you launch kadmin.local and then enter "list_principals": do any  
Kerberos principals (users and/or hosts and/or services) get shown? Do  
the user accounts that fail login get listed by this?


If the new LDAP users don't get listed, try "add_princ -policy users  
" and try login from another tty.


If the new LDAP users get listed, try to set their password using "cpw ".

Please also let me/us know what versions of Debian Edu you have  
installed (11 or 12)? If 12, have you upgraded to latest package  
versions? There was a bug in Debian Edu 12's debian-edu-config that  
only got resolved recently:


```
debian-edu-config (2.12.41~deb12u1) bookworm; urgency=medium

  * Upload to bookworm.

 -- Mike Gabriel   Sun, 03 Dec 2023 08:45:42 +0100

debian-edu-config (2.12.41) unstable; urgency=medium

  [ Guido Berhoerster ]
  * gosa-sync: Decode the user password which GOsa substitutes base64 encoded.
This fixes a bug where the user password could not be set or changed.
(related to #1052159).

 -- Mike Gabriel   Fri, 01 Dec 2023 21:44:38 +0100
```

This fix in d-e-c goes together with a fix in gosa:

```
gosa (2.8~git20230203.10abe45+dfsg-1+deb12u2) bookworm; urgency=medium

  [ Daniel Teichmann ]
  * debian/patches:
[...]
+ Add 1044_fix-class-ldap-serialization.patch which fixes a few bugs
  regarding serialization. This especially fixes setting LDAP userPassword
  attribute types via GOsa². (Closes: #1052159).
+ Add 1045_fix-posixaccount-shadowExpire.patch which fixes shadowExpire
  always being set to 0. (User can't login then). (Closes: #1053806).

  [ Guido Berhoerster ]
  * debian/patches:
[...]

  [ Mike Gabriel ]
  * debian/patches:
[...]

 -- Mike Gabriel   Sun, 03 Dec 2023 08:16:31 +0100
```

If you run Debian Edu 12, simply upgrading d-e-c and gosa to the  
referenced versions should help.


Mike





Re: User login issue

2024-01-06 Thread roman.meier
Hi Mike,

> One thing caught me at first glance that is strange: why does  
> ldapsearch try GSS auth although you requested simple_bind  
> authentication? Hmmm... is that -x in your quoted command really  
> starting with a '-' dash / minus sign? It looks longer (like an  
> )...

Yep, you were right! Thanks!

> If you create a new user account via GOSa can you login with that  
> account then?

I can create a new user but the behavior is the same: I cannot login on the 
server. Login into GOsa2 works fine.

> Greets,
> Mike

It also came to my mind that GOsa2 asked for a MAC address for tjener when 
I tried to add a DHCP group, which I entered. It felt somehow wrong though since 
tjener normally has two interfaces. Anyway, I also deleted the entry using the 
command line, which did not improve things. I'm not sure this is related though.

Kind regards,
Roman



Re: User login issue

2024-01-05 Thread Mike Gabriel

On Fri 05 Jan 2024 16:04:10 UTC, roman.meier wrote:

> Hi folks,
>
> I guess I messed up something in my ldap settings using GOsa2.
>
> Users can't login on the server any longer with the exception of
> root. This includes logins via console.
>
> The first user however can still login into GOsa2 and things look
> good at first glance.
>
> The following also looks weird to me:
>
> root@tjener:~# ldapsearch –x uid=roman
> SASL/GS2-IAKERB authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> 	additional info: SASL(-1): generic failure: GS2 Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))
>
> root@tjener:~#
>
> Any ideas how to fix this?
>
> Kind regards

One thing caught me at first glance that is strange: why does  
ldapsearch try GSS auth although you requested simple_bind  
authentication? Hmmm... is that -x in your quoted command really  
starting with a '-' dash / minus sign? It looks longer (like an  
)...


If you create a new user account via GOSa can you login with that  
account then?


Greets,
Mike
