Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-07 Thread Sumit Bose
On Tue, Oct 06, 2015 at 03:39:43PM +0200, Alexander Skwar wrote:
> Hello Sumit
> 
> ipa-client-install hasn't set krb5_realm. I did that.
> 
> We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf
> in chef. So it overwrote whatever ipa-client-install put there. And that's
> how the mistake happened.

Thank you for the details, I was afraid there might be an issue with
ipa-client-install. Btw, please note that there are important
differences in /etc/sssd/sssd.conf for IPA clients and servers.
Additionally if you have multiple IPA servers you should make sure that
suitable server names are used in

 ipa_server = _srv_, ipa-server.ipa.domain

on IPA clients. Although it is only a fallback server name it would
be good to have all IPA servers involved here so that in the case of
issues not all clients will fall back to the same server.

bye,
Sumit
> 
> I think the ipa-client-install discovered everything right. I'm attaching
> the log.

yes, all looks good.

> 
> Best regards,
> Alexander

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
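
Added example (not part of the thread and not FreeIPA or SSSD code): a small Python lint for an sssd.conf kept in configuration management, flagging the lowercase krb5_realm that broke password logins here and an ipa_server line that lacks _srv_ discovery or an explicit fallback name. The sample file contents and the finding names are constructed for illustration.

```python
import configparser

# Constructed sample: a domain section as a config-management template might
# ship it, with the lowercase realm reported in the thread.
BROKEN = """\
[sssd]
services = nss, pam, ssh, sudo
domains = customer.company.internal

[domain/customer.company.internal]
id_provider = ipa
auth_provider = ipa
ipa_domain = customer.company.internal
krb5_realm = customer.company.internal
"""

# Same file with the realm in uppercase and the ipa_server form from the reply:
# DNS SRV discovery first, then an explicit fallback host.
FIXED = BROKEN.replace(
    "krb5_realm = customer.company.internal",
    "krb5_realm = CUSTOMER.COMPANY.INTERNAL\n"
    "ipa_server = _srv_, auth01.customer.company.internal",
)


def lint_sssd_conf(text):
    """Return [(section, finding)] for every [domain/...] section in text.

    Finding names are hypothetical labels chosen for this example.
    """
    # interpolation=None: sssd.conf values may contain '%' (e.g. %u templates).
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)

    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        opts = cfg[section]

        # Kerberos realm names are case-sensitive; in the thread only the
        # uppercase spelling worked.
        realm = opts.get("krb5_realm")
        if realm is not None and realm != realm.upper():
            findings.append((section, "realm-lowercase"))

        # ipa_server is optional; only inspect it when it is set.
        raw = opts.get("ipa_server")
        if raw is not None:
            servers = [s.strip() for s in raw.split(",") if s.strip()]
            if "_srv_" not in servers:
                findings.append((section, "no-srv-discovery"))
            if not [s for s in servers if s != "_srv_"]:
                findings.append((section, "no-fallback-server"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_sssd_conf(text) or "ok")
```

Running this against the rendered template before the configuration-management run deploys it catches the mistake before logins start failing on the client.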


Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-06 Thread Alexander Skwar
Hello Sumit

ipa-client-install hasn't set krb5_realm. I did that.

We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf
in chef. So it overwrote whatever ipa-client-install put there. And that's
how the mistake happened.

I think the ipa-client-install discovered everything right. I'm attaching
the log.

Best regards,
Alexander




2015-10-06 15:01 GMT+02:00 Sumit Bose :

> On Tue, Oct 06, 2015 at 11:26:42AM +0200, Alexander Skwar wrote:
> > Hi
> >
> > With further debugging, I discovered that I messed up the
> > /etc/sssd/sssd.conf file. There, I added:
> >
> > …
> > [domain/customer.company.internal]
> >
> > krb5_realm = customer.company.internal
> > …
> >
> >
> >
> > Exactly like that. With "krb5_realm = customer.company.internal"; ie. with
> > the realm in lowercase letters.
> >
> > After having changed that to uppercase letters (ie. "krb5_realm =
> > CUSTOMER.COMPANY.INTERNAL"), it works fine.
>
> Thank you for the feedback. Can you check /var/log/ipaclient-install.log
> to see which realm ipa-client-install has discovered? In general
> ipa-client-install should be able to determine the right realm. In your
> case where domain and realm are the same except the case it shouldn't
> have set krb5_realm at all.
>
> bye,
> Sumit
>
> >
> >
> >
> > Thanks for your time and help ;)
> >
> > Cheers,
> > Alexander
> >
> >
> >
> > 2015-10-05 14:07 GMT+02:00 Sumit Bose :
> >
> > > On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote:
> > > > Hi
> > > >
> > > > Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> > > > to login with SSH and enter a password.
> > >
> > > Can you try to increase the debug_level to 0xFFF0?
> > >
> > > >
> > > > kinit doesn't work.
> > > >
> > > > $ kinit -k
> > > > kinit: Permission denied while getting initial credentials
> > > >
> > > > For this test, I was root and then did a "su - user" and then "kinit -k".
> > > > Also after the "kinit -k", nothing is in the krb5_child.log.
> > >
> > > The 'kinit -k' has to be done as root. It will only check if the client
> > > can connect to the KDC at all and tries to get a TGT for the host.
> > >
> > > It's expected that during this operation nothing is added to the SSSD
> > > logs because the kinit utility works independently of SSSD.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Regards,
> > > > Alexander
> > > >
> > > >
> > > > 2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
> > > >
> > > > > On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > > > > > Hello
> > > > > >
> > > > > > How do I get password authentication to work with freeipa-client
> > > > > > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> > > > > >
> > > > > > Long version follows :)
> > > > > >
> > > > > > We've got an IPA server with the Red Hat Identity Management server
> > > > > > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > > > > > users and groups there and would now like to login with SSH. When I
> > > > > > store a SSH key for the user account, I can login just fine, using
> > > > > > this SSH key. But I'd like/need to use passwords as well. And sudo
> > > > > > also doesn't work, when it's asking for passwords - I supposed,
> > > > > > it's the same root cause.
> > > > > >
> > > > > > Let's stick with SSH.
> > > > > >
> > > > > > Initially, I installed the FreeIPA client with this command line:
> > > > > >
> > > > > > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> > > > > >   --enable-dns-updates --unattended \
> > > > > >   --principal=admin --password=correctone \
> > > > > >   --domain=customer.company.internal \
> > > > > >   --server=auth01.customer.company.internal
> > > > > >
> > > > > > I then try to do a SSH login with:
> > > > > >
> > > > > > ssh -l ewt@customer.company.internal 192.168.229.143
> > > > > > or:
> > > > > > ssh -l ewt 192.168.229.143
> > > > > >
> > > > > > Password authentication doesn't work.
> > > > > >
> > > > > > In the /var/log/syslog on the system where I try to login, I find this:
> > > > > >
> > > > > > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> > > > > > Key table entry not found
> > > > > >
> > > > > > After having turned up the debug level of the sssd with "sssd -i -f -d
> > > > > > 0x0770 --debug-timestamps=1", I find the following in the system log
> > > > > > files:
> > > > > >
> > > > > > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> > > > > > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > > > > tty=ssh ruser= rhost=212.71.117.1  user=ewt
> > > > > > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> > > > > > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > > > > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > > > > > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> > > > > 

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-06 Thread Alexander Skwar
Hi

With further debugging, I discovered that I messed up the
/etc/sssd/sssd.conf file. There, I added:

…
[domain/customer.company.internal]

krb5_realm = customer.company.internal
…



Exactly like that. With "krb5_realm = customer.company.internal"; ie. with
the realm in lowercase letters.

After having changed that to uppercase letters (ie. "krb5_realm =
CUSTOMER.COMPANY.INTERNAL"), it works fine.



Thanks for your time and help ;)

Cheers,
Alexander



2015-10-05 14:07 GMT+02:00 Sumit Bose :

> On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote:
> > Hi
> >
> > Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> > to login with SSH and enter a password.
>
> Can you try to increase the debug_level to 0xFFF0?
>
> >
> > kinit doesn't work.
> >
> > $ kinit -k
> > kinit: Permission denied while getting initial credentials
> >
> > For this test, I was root and then did a "su - user" and then "kinit -k".
> > Also after the "kinit -k", nothing is in the krb5_child.log.
>
> The 'kinit -k' has to be done as root. It will only check if the client
> can connect to the KDC at all and tries to get a TGT for the host.
>
> It's expected that during this operation nothing is added to the SSSD
> logs because the kinit utility works independently of SSSD.
>
> bye,
> Sumit
>
> >
> > Regards,
> > Alexander
> >
> >
> > 2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
> >
> > > On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > > > Hello
> > > >
> > > > How do I get password authentication to work with freeipa-client
> > > > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> > > >
> > > > Long version follows :)
> > > >
> > > > We've got an IPA server with the Red Hat Identity Management server
> > > > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > > > users and groups there and would now like to login with SSH. When I
> > > > store a SSH key for the user account, I can login just fine, using
> > > > this SSH key. But I'd like/need to use passwords as well. And sudo
> > > > also doesn't work, when it's asking for passwords - I supposed,
> > > > it's the same root cause.
> > > >
> > > > Let's stick with SSH.
> > > >
> > > > Initially, I installed the FreeIPA client with this command line:
> > > >
> > > > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> > > >   --enable-dns-updates --unattended \
> > > >   --principal=admin --password=correctone \
> > > >   --domain=customer.company.internal \
> > > >   --server=auth01.customer.company.internal
> > > >
> > > > I then try to do a SSH login with:
> > > >
> > > > ssh -l ewt@customer.company.internal 192.168.229.143
> > > > or:
> > > > ssh -l ewt 192.168.229.143
> > > >
> > > > Password authentication doesn't work.
> > > >
> > > > In the /var/log/syslog on the system where I try to login, I find this:
> > > >
> > > > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> > > > Key table entry not found
> > > >
> > > > After having turned up the debug level of the sssd with "sssd -i -f -d
> > > > 0x0770 --debug-timestamps=1", I find the following in the system log
> > > > files:
> > > >
> > > > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> > > > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > > tty=ssh ruser= rhost=212.71.117.1  user=ewt
> > > > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> > > > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > > > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> > > > pam_sss(sshd:auth): received for user ewt: 4 (System error)
> > > > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> > > > password for ewt from 212.71.117.1 port 58136 ssh2
> > > >
> > > > TBH, I don't quite understand it. Anyway, in
> > > > /var/log/sssd/sssd_customer.company.internal.log I noticed:
> > > >
> > > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > > [read_pipe_handler] (0x0400): EOF received, client finished
> > > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > > [parse_krb5_child_response] (0x0020): message too short.
> > > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > > [krb5_auth_done] (0x0040): Could not parse child response [22]:
> > > > Invalid argument
> > > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> > > >
> > > > Well… What am I doing wrong or what might I have forgotten?
> > >
> > > We need to also see the krb5_child.log but please check if the keytab is
> > > correct (ie kinit -k works).
> > >

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-06 Thread Sumit Bose
On Tue, Oct 06, 2015 at 11:26:42AM +0200, Alexander Skwar wrote:
> Hi
> 
> With further debugging, I discovered that I messed up the
> /etc/sssd/sssd.conf file. There, I added:
> 
> …
> [domain/customer.company.internal]
> 
> krb5_realm = customer.company.internal
> …
> 
> 
> 
> Exactly like that. With "krb5_realm = customer.company.internal"; ie. with
> the realm in lowercase letters.
> 
> After having changed that to uppercase letters (ie. "krb5_realm =
> CUSTOMER.COMPANY.INTERNAL"), it works fine.

Thank you for the feedback. Can you check /var/log/ipaclient-install.log
to see which realm ipa-client-install has discovered? In general
ipa-client-install should be able to determine the right realm. In your
case where domain and realm are the same except the case it shouldn't
have set krb5_realm at all.

bye,
Sumit

> 
> 
> 
> Thanks for your time and help ;)
> 
> Cheers,
> Alexander
> 
> 
> 
> 2015-10-05 14:07 GMT+02:00 Sumit Bose :
> 
> > On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote:
> > > Hi
> > >
> > > Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> > > to login with SSH and enter a password.
> >
> > Can you try to increase the debug_level to 0xFFF0?
> >
> > >
> > > kinit doesn't work.
> > >
> > > $ kinit -k
> > > kinit: Permission denied while getting initial credentials
> > >
> > > For this test, I was root and then did a "su - user" and then "kinit -k".
> > > Also after the "kinit -k", nothing is in the krb5_child.log.
> >
> > The 'kinit -k' has to be done as root. It will only check if the client
> > can connect to the KDC at all and tries to get a TGT for the host.
> >
> > It's expected that during this operation nothing is added to the SSSD
> > logs because the kinit utility works independently of SSSD.
> >
> > bye,
> > Sumit
> >
> > >
> > > Regards,
> > > Alexander
> > >
> > >
> > > 2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
> > >
> > > > On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > > > > Hello
> > > > >
> > > > > How do I get password authentication to work with freeipa-client
> > > > > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> > > > >
> > > > > Long version follows :)
> > > > >
> > > > > We've got an IPA server with the Red Hat Identity Management server
> > > > > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > > > > users and groups there and would now like to login with SSH. When I
> > > > > store a SSH key for the user account, I can login just fine, using
> > > > > this SSH key. But I'd like/need to use passwords as well. And sudo
> > > > > also doesn't work, when it's asking for passwords - I supposed,
> > > > > it's the same root cause.
> > > > >
> > > > > Let's stick with SSH.
> > > > >
> > > > > Initially, I installed the FreeIPA client with this command line:
> > > > >
> > > > > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> > > > >   --enable-dns-updates --unattended \
> > > > >   --principal=admin --password=correctone \
> > > > >   --domain=customer.company.internal \
> > > > >   --server=auth01.customer.company.internal
> > > > >
> > > > > I then try to do a SSH login with:
> > > > >
> > > > > ssh -l ewt@customer.company.internal 192.168.229.143
> > > > > or:
> > > > > ssh -l ewt 192.168.229.143
> > > > >
> > > > > Password authentication doesn't work.
> > > > >
> > > > > In the /var/log/syslog on the system where I try to login, I find this:
> > > > >
> > > > > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> > > > > Key table entry not found
> > > > >
> > > > > After having turned up the debug level of the sssd with "sssd -i -f -d
> > > > > 0x0770 --debug-timestamps=1", I find the following in the system log
> > > > > files:
> > > > >
> > > > > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> > > > > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > > > tty=ssh ruser= rhost=212.71.117.1  user=ewt
> > > > > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> > > > > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > > > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > > > > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> > > > > pam_sss(sshd:auth): received for user ewt: 4 (System error)
> > > > > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> > > > > password for ewt from 212.71.117.1 port 58136 ssh2
> > > > >
> > > > > TBH, I don't quite understand it. Anyway, in
> > > > > /var/log/sssd/sssd_customer.company.internal.log I noticed:
> > > > >
> > > > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > > > [read_pipe_handler] (0x0400): EOF received, client finished
> > > > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > > > [parse_krb5_child_response] (0x0020): message too short.
> > > > > (Fri Oct  2 15:46:26 

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-05 Thread Alexander Skwar
Hi

Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
to login with SSH and enter a password.

kinit doesn't work.

$ kinit -k
kinit: Permission denied while getting initial credentials

For this test, I was root and then did a "su - user" and then "kinit -k".
Also after the "kinit -k", nothing is in the krb5_child.log.

Regards,
Alexander


2015-10-02 17:59 GMT+02:00 Jakub Hrozek :

> On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > Hello
> >
> > How do I get password authentication to work with freeipa-client
> > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> >
> > Long version follows :)
> >
> > We've got an IPA server with the Red Hat Identity Management server
> > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > users and groups there and would now like to login with SSH. When I
> > store a SSH key for the user account, I can login just fine, using
> > this SSH key. But I'd like/need to use passwords as well. And sudo
> > also doesn't work, when it's asking for passwords - I supposed,
> > it's the same root cause.
> >
> > Let's stick with SSH.
> >
> > Initially, I installed the FreeIPA client with this command line:
> >
> > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> >   --enable-dns-updates --unattended \
> >   --principal=admin --password=correctone \
> >   --domain=customer.company.internal \
> >   --server=auth01.customer.company.internal
> >
> > I then try to do a SSH login with:
> >
> > ssh -l ewt@customer.company.internal 192.168.229.143
> > or:
> > ssh -l ewt 192.168.229.143
> >
> > Password authentication doesn't work.
> >
> > In the /var/log/syslog on the system where I try to login, I find this:
> >
> > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> > Key table entry not found
> >
> > After having turned up the debug level of the sssd with "sssd -i -f -d
> > 0x0770 --debug-timestamps=1", I find the following in the system log
> > files:
> >
> > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> > tty=ssh ruser= rhost=212.71.117.1  user=ewt
> > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> > pam_sss(sshd:auth): received for user ewt: 4 (System error)
> > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> > password for ewt from 212.71.117.1 port 58136 ssh2
> >
> > TBH, I don't quite understand it. Anyway, in
> > /var/log/sssd/sssd_customer.company.internal.log I noticed:
> >
> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [read_pipe_handler] (0x0400): EOF received, client finished
> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [parse_krb5_child_response] (0x0020): message too short.
> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [krb5_auth_done] (0x0040): Could not parse child response [22]:
> > Invalid argument
> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> >
> > Well… What am I doing wrong or what might I have forgotten?
>
> We need to also see the krb5_child.log but please check if the keytab is
> correct (ie kinit -k works).
>
>



-- 


Alexander
-- 
=>*Google+* => http://plus.skwar.me <==
=> *Chat* (Jabber/Google Talk) => a.sk...@gmail.com <==

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-05 Thread Sumit Bose
On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote:
> Hi
> 
> Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> to login with SSH and enter a password.

Can you try to increase the debug_level to 0xFFF0?

> 
> kinit doesn't work.
> 
> $ kinit -k
> kinit: Permission denied while getting initial credentials
> 
> For this test, I was root and then did a "su - user" and then "kinit -k".
> Also after the "kinit -k", nothing is in the krb5_child.log.

The 'kinit -k' has to be done as root. It will only check if the client
can connect to the KDC at all and tries to get a TGT for the host.

It's expected that during this operation nothing is added to the SSSD
logs because the kinit utility works independently of SSSD.

bye,
Sumit

> 
> Regards,
> Alexander
> 
> 
> 2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
> 
> > On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> > > Hello
> > >
> > > How do I get password authentication to work with freeipa-client
> > > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> > >
> > > Long version follows :)
> > >
> > > We've got an IPA server with the Red Hat Identity Management server
> > > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> > > users and groups there and would now like to login with SSH. When I
> > > store a SSH key for the user account, I can login just fine, using
> > > this SSH key. But I'd like/need to use passwords as well. And sudo
> > > also doesn't work, when it's asking for passwords - I supposed,
> > > it's the same root cause.
> > >
> > > Let's stick with SSH.
> > >
> > > Initially, I installed the FreeIPA client with this command line:
> > >
> > > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
> > >   --enable-dns-updates --unattended \
> > >   --principal=admin --password=correctone \
> > >   --domain=customer.company.internal \
> > >   --server=auth01.customer.company.internal
> > >
> > > I then try to do a SSH login with:
> > >
> > > ssh -l ewt@customer.company.internal 192.168.229.143
> > > or:
> > > ssh -l ewt 192.168.229.143
> > >
> > > Password authentication doesn't work.
> > >
> > > In the /var/log/syslog on the system where I try to login, I find this:
> > >
> > > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> > > Key table entry not found
> > >
> > > After having turned up the debug level of the sssd with "sssd -i -f -d
> > > 0x0770 --debug-timestamps=1", I find the following in the system log
> > > files:
> > >
> > > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> > > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > tty=ssh ruser= rhost=212.71.117.1  user=ewt
> > > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> > > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> > > tty=ssh ruser= rhost=212.71.117.1 user=ewt
> > > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> > > pam_sss(sshd:auth): received for user ewt: 4 (System error)
> > > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> > > password for ewt from 212.71.117.1 port 58136 ssh2
> > >
> > > TBH, I don't quite understand it. Anyway, in
> > > /var/log/sssd/sssd_customer.company.internal.log I noticed:
> > >
> > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [read_pipe_handler] (0x0400): EOF received, client finished
> > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [parse_krb5_child_response] (0x0020): message too short.
> > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [krb5_auth_done] (0x0040): Could not parse child response [22]:
> > > Invalid argument
> > > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> > > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> > >
> > > Well… What am I doing wrong or what might I have forgotten?
> >
> > We need to also see the krb5_child.log but please check if the keytab is
> > correct (ie kinit -k works).
> >
> >
> 
> 
> 
> -- 
> 
> 
> Alexander
> -- 
> =>*Google+* => http://plus.skwar.me <==
> => *Chat* (Jabber/Google Talk) => a.sk...@gmail.com <==


Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-05 Thread Alexander Skwar
Hi

Hm, when I'm root, "kinit -k" works:

# kinit -k
#

Just not as a user. As a user, I get the "kinit: Permission denied while
getting initial credentials" error message.

Regards,
Alexander



2015-10-05 9:00 GMT+02:00 Alexander Skwar <
alexanders.mailinglists+nos...@gmail.com>:

> Hi
>
> Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try
> to login with SSH and enter a password.
>
> kinit doesn't work.
>
> $ kinit -k
> kinit: Permission denied while getting initial credentials
>
> For this test, I was root and then did a "su - user" and then "kinit -k".
> Also after the "kinit -k", nothing is in the krb5_child.log.
>
> Regards,
> Alexander
>
>
> 2015-10-02 17:59 GMT+02:00 Jakub Hrozek :
>
>> On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
>> > Hello
>> >
>> > How do I get password authentication to work with freeipa-client
>> > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
>> >
>> > Long version follows :)
>> >
>> > We've got an IPA server with the Red Hat Identity Management server
>> > on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
>> > users and groups there and would now like to login with SSH. When I
>> > store a SSH key for the user account, I can login just fine, using
>> > this SSH key. But I'd like/need to use passwords as well. And sudo
>> > also doesn't work, when it's asking for passwords - I supposed,
>> > it's the same root cause.
>> >
>> > Let's stick with SSH.
>> >
>> > Initially, I installed the FreeIPA client with this command line:
>> >
>> > ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
>> >   --enable-dns-updates --unattended \
>> >   --principal=admin --password=correctone \
>> >   --domain=customer.company.internal \
>> >   --server=auth01.customer.company.internal
>> >
>> > I then try to do a SSH login with:
>> >
>> > ssh -l ewt@customer.company.internal 192.168.229.143
>> > or:
>> > ssh -l ewt 192.168.229.143
>> >
>> > Password authentication doesn't work.
>> >
>> > In the /var/log/syslog on the system where I try to login, I find this:
>> >
>> > 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
>> > Key table entry not found
>> >
>> > After having turned up the debug level of the sssd with "sssd -i -f -d
>> > 0x0770 --debug-timestamps=1", I find the following in the system log
>> > files:
>> >
>> > 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
>> > pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>> > tty=ssh ruser= rhost=212.71.117.1  user=ewt
>> > 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
>> > pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
>> > tty=ssh ruser= rhost=212.71.117.1 user=ewt
>> > 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
>> > pam_sss(sshd:auth): received for user ewt: 4 (System error)
>> > 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
>> > password for ewt from 212.71.117.1 port 58136 ssh2
>> >
>> > TBH, I don't quite understand it. Anyway, in
>> > /var/log/sssd/sssd_customer.company.internal.log I noticed:
>> >
>> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [read_pipe_handler] (0x0400): EOF received, client finished
>> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [parse_krb5_child_response] (0x0020): message too short.
>> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [krb5_auth_done] (0x0040): Could not parse child response [22]:
>> > Invalid argument
>> > (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
>> > [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
>> >
>> > Well… What am I doing wrong or what might I have forgotten?
>>
>> We need to also see the krb5_child.log but please check if the keytab is
>> correct (ie kinit -k works).
>>
>>
>
>
>
> --
>
>
> Alexander
> --
> =>*Google+* => http://plus.skwar.me <==
> => *Chat* (Jabber/Google Talk) => a.sk...@gmail.com <==
>
>
>


-- 


Alexander
-- 
=>*Google+* => http://plus.skwar.me <==
=> *Chat* (Jabber/Google Talk) => a.sk...@gmail.com <==

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-02 Thread Sumit Bose
On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> Hello
> 
> How do I get password authentication to work with freeipa-client
> 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> 
> Long version follows :)
> 
> We've got an IPA server with the Red Hat Identity Management server
> on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> users and groups there and would now like to login with SSH. When I
> store a SSH key for the user account, I can login just fine, using
> this SSH key. But I'd like/need to use passwords as well. And sudo
> also doesn't work, when it's asking for passwords - I supposed,
> it's the same root cause.
> 
> Let's stick with SSH.
> 
> Initially, I installed the FreeIPA client with this command line:
> 
> ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
>   --enable-dns-updates --unattended \
>   --principal=admin --password=correctone \
>   --domain=customer.company.internal \
>   --server=auth01.customer.company.internal
> 
> I then try to do a SSH login with:
> 
> ssh -l ewt@customer.company.internal 192.168.229.143
> or:
> ssh -l ewt 192.168.229.143
> 
> Password authentication doesn't work.
> 
> In the /var/log/syslog on the system where I try to login, I find this:
> 
> 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> Key table entry not found
> 
> After having turned up the debug level of the sssd with "sssd -i -f -d
> 0x0770 --debug-timestamps=1", I find the following in the system log
> files:
> 
> 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1  user=ewt
> 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1 user=ewt
> 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): received for user ewt: 4 (System error)
> 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> password for ewt from 212.71.117.1 port 58136 ssh2
> 
> TBH, I don't quite understand it. Anyway, in
> /var/log/sssd/sssd_customer.company.internal.log I noticed:
> 
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [parse_krb5_child_response] (0x0020): message too short.
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [krb5_auth_done] (0x0040): Could not parse child response [22]:
> Invalid argument
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.

Looks like krb5_child is not able to process the request. There should
be a krb5_child log as well; maybe it has more details.

bye,
Sumit

> 
> Well… What am I doing wrong or what might I have forgotten?
> 
> Thanks a lot and best regards,
> 
> Alexander
> -- 
> =>Google+ => http://plus.skwar.me <==
> => Chat (Jabber/Google Talk) => a.sk...@gmail.com <==
> 

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-02 Thread Jakub Hrozek
On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote:
> Hello
> 
> How do I get password authentication to work with freeipa-client
> 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo?
> 
> Long version follows :)
> 
> We've got an IPA server with the Red Hat Identity Management server
> on RHEL 7.1 servers; FreeIPA v4.1.0 is being used there. I configured
> users and groups there and would now like to log in with SSH. When I
> store an SSH key for the user account, I can log in just fine, using
> this SSH key. But I'd like/need to use passwords as well. And sudo
> also doesn't work when it's asking for passwords - I supposed
> it's the same root cause.
> 
> Let's stick with SSH.
> 
> Initially, I installed the FreeIPA client with this command line:
> 
> ipa-client-install --force-join --mkhomedir --ssh-trust-dns \
>   --enable-dns-updates --unattended \
>   --principal=admin --password=correctone \
>   --domain=customer.company.internal \
>   --server=auth01.customer.company.internal
> 
> I then try to do an SSH login with:
> 
> ssh -l ewt@customer.company.internal 192.168.229.143
> or:
> ssh -l ewt 192.168.229.143
> 
> Password authentication doesn't work.
> 
> In the /var/log/syslog on the system where I try to log in, I find this:
> 
> 2015-10-02T15:33:38.771291+02:00 mgmt02 [sssd[krb5_child[14154]]]:
> Key table entry not found
> 
> After having turned up the debug level of the sssd with "sssd -i -f -d
> 0x0770 --debug-timestamps=1", I find the following in the system log
> files:
> 
> 2015-10-02T15:40:48.756399+02:00 mgmt02 sshd[14194]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1  user=ewt
> 2015-10-02T15:40:48.775896+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=212.71.117.1 user=ewt
> 2015-10-02T15:40:48.775927+02:00 mgmt02 sshd[14194]:
> pam_sss(sshd:auth): received for user ewt: 4 (System error)
> 2015-10-02T15:40:50.988591+02:00 mgmt02 sshd[14194]: Failed
> password for ewt from 212.71.117.1 port 58136 ssh2
> 
> TBH, I don't quite understand it. Anyway, in
> /var/log/sssd/sssd_customer.company.internal.log I noticed:
> 
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [parse_krb5_child_response] (0x0020): message too short.
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [krb5_auth_done] (0x0040): Could not parse child response [22]:
> Invalid argument
> (Fri Oct  2 15:46:26 2015) [sssd[be[customer.company.internal]]]
> [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
> 
> Well… What am I doing wrong or what might I have forgotten?

We also need to see the krb5_child.log, but please check if the keytab is
correct (i.e. kinit -k works).
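
A static complement to the `kinit -k` check suggested above, added here as an example and not part of the original thread: it compares the `krb5_realm` in sssd.conf with the host principals that `klist -k` lists, since a keytab with no key in the realm SSSD uses is one way to end up with "Key table entry not found". The function names, the host FQDN, the realm names and both sample inputs are constructed assumptions.

```shell
#!/bin/sh
# Added example. On a live client the two inputs would come from
#   klist -k /etc/krb5.keytab    and    /etc/sssd/sssd.conf

# Print the krb5_realm value from sssd.conf text on stdin (empty if unset).
sssd_krb5_realm() {
    awk -F= '/^[ \t]*krb5_realm[ \t]*=/ { gsub(/[ \t\r]/, "", $2); print $2; exit }'
}

# Print each distinct host/ principal found in `klist -k` output on stdin.
keytab_host_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^host\// { print $2 }' | sort -u
}

# check_keytab_realm <sssd.conf text> <klist -k text>
# Returns 0 if the keytab holds a host/ key in the configured realm,
# 1 if it holds none, 2 if sssd.conf sets no krb5_realm.
check_keytab_realm() {
    realm=$(printf '%s\n' "$1" | sssd_krb5_realm)
    [ -n "$realm" ] || return 2
    printf '%s\n' "$2" | keytab_host_principals |
        awk -v r="$realm" '{ n = split($0, p, "@"); if (p[n] == r) ok = 1 }
                           END { exit (ok ? 0 : 1) }'
}

# Constructed sample: `klist -k` output for a host joined to the IPA realm.
KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 host/mgmt02.customer.company.internal@CUSTOMER.COMPANY.INTERNAL
   1 host/mgmt02.customer.company.internal@CUSTOMER.COMPANY.INTERNAL'

# Constructed sample: sssd.conf whose realm matches the keytab.
CONF_OK='[domain/customer.company.internal]
id_provider = ipa
ipa_server = _srv_, auth01.customer.company.internal
krb5_realm = CUSTOMER.COMPANY.INTERNAL'

# Constructed sample: same file with a realm the keytab has no key for.
CONF_BAD='[domain/customer.company.internal]
id_provider = ipa
krb5_realm = COMPANY.INTERNAL'

for conf in "$CONF_OK" "$CONF_BAD"; do
    if check_keytab_realm "$conf" "$KLIST"; then
        echo "OK: keytab has a host key in $(printf '%s\n' "$conf" | sssd_krb5_realm)"
    else
        echo "MISMATCH: no host key in $(printf '%s\n' "$conf" | sssd_krb5_realm)"
    fi
done
```

A match here only shows that a key for the right realm is present; `kinit -k` is still needed to confirm the KDC accepts it.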
