Enabling the preauthentication flag for the principal does indeed get authentication working again.
The only reason it wasn't enabled was the usual poor reason: it wasn't the default. Thank you for the help and the explanation!

~Dave

On Fri, Jul 15, 2016 at 3:21 PM, Sumit Bose <[email protected]> wrote:
> On Fri, Jul 15, 2016 at 01:04:17PM -0400, David Wilhelm wrote:
>> The NAS is also running Arch, and is the MIT kerberos 1.13.1. The client is using 1.13.4 of the same package.
>>
>> On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose <[email protected]> wrote:
>> > On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
>> >> After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for kerberos-authenticated accounts. However, kinit still succeeds and "getent passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the credential cache folder) restores normal operation.
>
> Thanks, I was able to reproduce the issue. After discussing it with a co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454 because we think it is originally an issue in the responder interface of MIT Kerberos. I would like to hear back from MIT before trying to fix the SSSD side.
>
> I'm pretty sure that authentication would work again if you enable pre-authentication for the user principals on the KDC
>
> # kadmin.local
> kadmin.local: modprinc +requires_preauth [email protected]
>
> Is there a reason why pre-authentication is disabled? If not, it is very, very, very recommended to enable it (not only to make SSSD work), see e.g. http://superuser.com/questions/200010/how-does-kerberos-preauthentication-increase-security for some explanations.
>
> bye,
> Sumit
>
>> >>
>> >> My setup:
>> >> I'm running Arch Linux, and have PAM set to use sssd. sssd in turn authenticates against a kerberos instance running on my NAS, and pulls user information from an openldap instance. PAM, kerberos, and openldap were configured by hand as a learning experience, and have been running for about a year. DNS and NTP are working, ldap is returning users, and kinit is succeeding on both my local machine and the server.
>> >
>> > I think I have an idea what is wrong. Can you tell me what kind of KDC you are using on the NAS and which Kerberos library is used on the client so that I can try to reproduce it locally?
>> >
>> > bye,
>> > Sumit
>> >
>> >>
>> >> This appears to be the relevant section of the logs, from krb5_child.log (with debug_level 10):
>> >>
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child started.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total buffer size: [147]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [[email protected]]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab: [/etc/krb5.keytab]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not using FAST.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [0][0].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already user [1042].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running as [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform online auth
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for [email protected]].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received error code 1432158218
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet] (0x2000): response packet size: [4]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000): Response sent.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully
>> >>
>> >> Please let me know if any other logs or configurations are needed.
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
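As an added example (not code from this thread, from SSSD or from MIT Kerberos), a small Python triage script for krb5_child.log in the format quoted above: it groups records per krb5_child pid and flags the failure signature seen here, the SSSD prompter refusing a password prompt followed by krb5 error -1765328254 (KRB5_LIBOS_CANTREADPWD, "Cannot read password"). The log excerpt, the principal user1@LA-LA.LAN and the healthy pid 2470 run are constructed; the krb5 error-table base and index are assumed from MIT krb5's krb5_err.et.

```python
import re

# Assumed (not on the page): krb5 error-table base and index 130 = KRB5_LIBOS_CANTREADPWD.
KRB5_ERROR_BASE = -1765328384
KRB5_LIBOS_CANTREADPWD = KRB5_ERROR_BASE + 130   # -1765328254 "Cannot read password"

# Constructed excerpt shaped like the thread's krb5_child.log; pid 2470 is a healthy run.
SAMPLE_LOG = """\
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [user1@LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully
(Thu Jul 14 16:48:05 2016) [[sssd[krb5_child[2470]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")


def parse_line(line):
    """Split one krb5_child.log line into its fields, or return None."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(log_text):
    """Per krb5_child pid, flag runs where libkrb5 asked the prompter for a
    password (sssd refuses) and then failed with KRB5_LIBOS_CANTREADPWD."""
    runs = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        run = runs.setdefault(rec["pid"], {"pid": rec["pid"], "upn": None,
                              "realm": None, "prompt_refused": False, "krb5_code": None})
        func, msg = rec["func"], rec["msg"]
        if func == "unpack_buffer" and "UPN [" in msg:
            run["upn"] = msg.split("UPN [", 1)[1].rstrip("]")
        elif func == "get_and_save_tgt" and "realm [" in msg:
            run["realm"] = msg.split("realm [", 1)[1].rstrip("]")
        elif func == "sss_krb5_prompter" and "Cannot handle password prompts" in msg:
            run["prompt_refused"] = True
        err = ERR_RE.search(msg)
        if err and rec["level"] == "0x0020":   # error-level records carry [code][text]
            run["krb5_code"] = int(err.group("code"))
    return [dict(run, hint="interactive password prompt hit; check requires_preauth on the KDC principal")
            for run in runs.values()
            if run["prompt_refused"] and run["krb5_code"] == KRB5_LIBOS_CANTREADPWD]
```

Feed it the real file with `triage(open("/var/log/sssd/krb5_child.log").read())`; a finding names the pid, UPN and realm so the affected principal can be checked with `getprinc` in kadmin.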
