I have a problem with SSH login as an AD user (someuser@AD.DOM) to an IPA-client CentOS Stream server (backupsrv.IPA.LAN).
The same configuration on an IPA-client RHEL 8.6 server works without any problem.
sssd.conf
[domain/ipa.lan]
id_provider = ipa
ipa_server = _srv_, rh-ipa1.ipa.lan
ipa_domain = ipa.lan
krb5_use_fast = never
krb5_validate = False
krb5_use_enterprise_principal = True
ipa_hostname = backupsrv.ipa.lan
auth_provider = ipa
chpass_provider = ipa
access_provider = permit
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = *
krb5_auth_timeout = 180
debug_level=9
[sssd]
debug_level=9
services = nss, pam, ssh, sudo
domains = ipa.lan
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.LAN
dns_lookup_realm = true
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IPA.LAN = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ipa.lan = IPA.LAN
ipa.lan = IPA.LAN
backupsrv.ipa.lan = IPA.LAN
krb5_child.log
(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x0400): [RID#12] krb5_child started.
(2022-09-15 16:10:07): [krb5_child[1856]] [unpack_buffer] (0x1000): [RID#12] total buffer size: [96]
(2022-09-15 16:10:07): [krb5_child[1856]] [unpack_buffer] (0x0100): [RID#12] cmd [249 (pre-auth)] uid [1260413281] gid [1260413281] validate [false] enterprise principal [true] offline [false] UPN [someuser@AD.DOM]
(2022-09-15 16:10:07): [krb5_child[1856]] [unpack_buffer] (0x0100): [RID#12] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
(2022-09-15 16:10:07): [krb5_child[1856]] [check_use_fast] (0x0100): [RID#12] Not using FAST.
(2022-09-15 16:10:07): [krb5_child[1856]] [become_user] (0x0200): [RID#12] Trying to become user [1260413281][1260413281].
(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x2000): [RID#12] Running as [1260413281][1260413281].
(2022-09-15 16:10:07): [krb5_child[1856]] [set_lifetime_options] (0x0100): [RID#12] No specific renewable lifetime requested.
(2022-09-15 16:10:07): [krb5_child[1856]] [set_lifetime_options] (0x0100): [RID#12] No specific lifetime requested.
(2022-09-15 16:10:07): [krb5_child[1856]] [set_canonicalize_option] (0x0100): [RID#12] Canonicalization is set to [true]
(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x0400): [RID#12] Will perform pre-auth
(2022-09-15 16:10:07): [krb5_child[1856]] [tgt_req_child] (0x1000): [RID#12] Attempting to get a TGT
(2022-09-15 16:10:07): [krb5_child[1856]] [get_and_save_tgt] (0x0400): [RID#12] Attempting kinit for realm [IPA.LAN]
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602172: Getting initial credentials for someuser\@AD.DOM@IPA.LAN
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602174: Sending unauthenticated request
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602175: Sending request (185 bytes) to IPA.LAN
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602176: Initiating TCP connection to stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602177: Sending TCP request to stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602178: Received answer (136 bytes) from stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602179: Terminating TCP connection to stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602180: Response was from master KDC
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602181: Received error from KDC: -1765328316/Realm not local to KDC
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602182: Following referral to realm AD.DOM
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602184: Sending unauthenticated request
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602185: Sending request (183 bytes) to AD.DOM
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602186: Sending DNS URI query for _kerberos.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602187: No URI records found
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602188: Sending DNS SRV query for _kerberos._udp.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602189: SRV answer: 0 100 88 "sdrdc1.ad.dom."
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602190: SRV answer: 0 100 88 "szgdc4.ad.dom."
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602191: SRV answer: 0 100 88 "szgdc3.ad.dom."
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602192: Sending DNS SRV query for _kerberos._tcp.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602193: SRV answer: 0 100 88 "sdrdc1.ad.dom."
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602194: SRV answer: 0 100 88 "szgdc3.ad.dom."
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602195: SRV answer: 0 100 88 "szgdc4.ad.dom."
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602196: Resolving hostname sdrdc1.ad.dom.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602197: Resolving hostname szgdc4.ad.dom.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602198: Resolving hostname szgdc3.ad.dom.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602199: Resolving hostname sdrdc1.ad.dom.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602200: Initiating TCP connection to stream 10.35.149.101:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602201: Sending TCP request to stream 10.35.149.101:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602202: Received answer (173 bytes) from stream 10.35.149.101:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602203: Terminating TCP connection to stream 10.35.149.101:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602204: Sending DNS URI query for _kerberos.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602205: No URI records found
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602206: Sending DNS SRV query for _kerberos-master._tcp.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602207: No SRV records found
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602208: Response was not from master KDC
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602209: Received error from KDC: -1765328359/Additional pre-authentication required
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602212: Preauthenticating using KDC method data
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602213: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602214: Selected etype info: etype aes256-cts, salt "AD.DOMsomeuser", params ""
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_responder] (0x4000): [RID#12] Got question [password].
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_prompter] (0x4000): [RID#12] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_prompter] (0x4000): [RID#12] Prompt [0][Password for someuser\@AD.DOM@AD.DOM].
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_krb5_prompter] (0x0200): [RID#12] Prompter interface isn't used for password prompts by SSSD.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602215: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602216: Retrying AS request with master KDC
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602217: Getting initial credentials for someuser\@AD.DOM@IPA.LAN
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602219: Sending unauthenticated request
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602220: Sending request (185 bytes) to IPA.LAN (master)
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602221: Initiating TCP connection to stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602222: Sending TCP request to stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602223: Received answer (136 bytes) from stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602224: Terminating TCP connection to stream 10.31.1.152:88
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602225: Received error from KDC: -1765328316/Realm not local to KDC
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602226: Following referral to realm AD.DOM
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602228: Sending unauthenticated request
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602229: Sending request (183 bytes) to AD.DOM (master)
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602230: Sending DNS URI query for _kerberos.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602231: No URI records found
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602232: Sending DNS SRV query for _kerberos-master._udp.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602233: Sending DNS SRV query for _kerberos-master._tcp.AD.DOM.
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602234: No SRV records found
(2022-09-15 16:10:07): [krb5_child[1856]] [get_and_save_tgt] (0x0400): [RID#12] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(2022-09-15 16:10:07): [krb5_child[1856]] [k5c_send_data] (0x0200): [RID#12] Received error code 0
(2022-09-15 16:10:07): [krb5_child[1856]] [pack_response_packet] (0x2000): [RID#12] response packet size: [12]
(2022-09-15 16:10:07): [krb5_child[1856]] [k5c_send_data] (0x4000): [RID#12] Response sent.
(2022-09-15 16:10:07): [krb5_child[1856]] [main] (0x0400): [RID#12] krb5_child completed successfully
krb5_child.log (later attempt)
(2022-09-15 16:23:09): [krb5_child[2188]] [validate_tgt] (0x0020): [RID#4] TGT failed verification using key for [someuser@ad.dom].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x0400): [RID#4] krb5_child started.
* (2022-09-15 16:23:09): [krb5_child[2188]] [unpack_buffer] (0x1000): [RID#4] total buffer size: [105]
* (2022-09-15 16:23:09): [krb5_child[2188]] [unpack_buffer] (0x0100): [RID#4] cmd [241 (auth)] uid [1260413281] gid [1260413281] validate [false] enterprise principal [true] offline [false] UPN [someuser@AD.DOM]
* (2022-09-15 16:23:09): [krb5_child[2188]] [unpack_buffer] (0x0100): [RID#4] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2022-09-15 16:23:09): [krb5_child[2188]] [check_use_fast] (0x0100): [RID#4] Not using FAST.
* (2022-09-15 16:23:09): [krb5_child[2188]] [switch_creds] (0x0200): [RID#4] Switch user to [1260413281][1260413281].
* (2022-09-15 16:23:09): [krb5_child[2188]] [sss_krb5_cc_verify_ccache] (0x2000): [RID#4] TGT not found or expired.
* (2022-09-15 16:23:09): [krb5_child[2188]] [switch_creds] (0x0200): [RID#4] Switch user to [0][0].
* (2022-09-15 16:23:09): [krb5_child[2188]] [k5c_check_old_ccache] (0x4000): [RID#4] Ccache_file is [KCM:] and is not active and TGT is valid.
* (2022-09-15 16:23:09): [krb5_child[2188]] [k5c_precreate_ccache] (0x4000): [RID#4] Recreating ccache
* (2022-09-15 16:23:09): [krb5_child[2188]] [become_user] (0x0200): [RID#4] Trying to become user [1260413281][1260413281].
* (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x2000): [RID#4] Running as [1260413281][1260413281].
* (2022-09-15 16:23:09): [krb5_child[2188]] [set_lifetime_options] (0x0100): [RID#4] No specific renewable lifetime requested.
* (2022-09-15 16:23:09): [krb5_child[2188]] [set_lifetime_options] (0x0100): [RID#4] No specific lifetime requested.
* (2022-09-15 16:23:09): [krb5_child[2188]] [set_canonicalize_option] (0x0100): [RID#4] Canonicalization is set to [true]
* (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x0400): [RID#4] Will perform auth
* (2022-09-15 16:23:09): [krb5_child[2188]] [main] (0x0400): [RID#4] Will perform online auth
* (2022-09-15 16:23:09): [krb5_child[2188]] [tgt_req_child] (0x1000): [RID#4] Attempting to get a TGT
* (2022-09-15 16:23:09): [krb5_child[2188]] [get_and_save_tgt] (0x0400): [RID#4] Attempting kinit for realm [IPA.LAN]
* (2022-09-15 16:23:09): [krb5_child[2188]] [sss_krb5_responder] (0x4000): [RID#4] Got question [password].
* (2022-09-15 16:23:09): [krb5_child[2188]] [sss_krb5_expire_callback_func] (0x2000): [RID#4] exp_time: [473257496]
* (2022-09-15 16:23:09): [krb5_child[2188]] [validate_tgt] (0x2000): [RID#4] Keytab entry with the realm of the credential not found in keytab. Using the last entry.
* (2022-09-15 16:23:09): [krb5_child[2188]] [validate_tgt] (0x0020): [RID#4] TGT failed verification using key for [someuser@ad.dom].
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-09-15 16:23:09): [krb5_child[2188]] [get_and_save_tgt] (0x0020): [RID#4] 2045: [-1765328377][Server not found in Kerberos database]
(2022-09-15 16:23:09): [krb5_child[2188]] [map_krb5_error] (0x0020): [RID#4] 2137: [-1765328377][Server not found in Kerberos database]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-09-15 16:23:09): [krb5_child[2188]] [get_and_save_tgt] (0x0020): [RID#4] 2045: [-1765328377][Server not found in Kerberos database]
* (2022-09-15 16:23:09): [krb5_child[2188]] [map_krb5_error] (0x0020): [RID#4] 2137: [-1765328377][Server not found in Kerberos database]
********************** BACKTRACE DUMP ENDS HERE *********************************
sshd / pam_sss messages
Sep 15 16:10:06 backupsrv sshd[1852]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.195.154 user=someuser@ad.dom
Sep 15 16:10:06 backupsrv sshd[1852]: pam_sss(sshd:auth): received for user someuser@ad.dom: 4 (System error)
Sep 15 16:10:07 backupsrv sshd[1844]: error: PAM: Authentication failure for someuser@ad.dom from 192.168.195.154
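An added example, not part of the original post: a small Python parser that turns krb5_child trace lines like those above into the realm referral chain (IPA.LAN, then AD.DOM) and the sequence of KDC and pre-auth error codes, which is what a reader of such a log wants to see first. The embedded log excerpt is a constructed copy of lines from the post; the regexes assume the SSSD log prefix format shown there.

```python
import re
# Constructed excerpt of the post's krb5_child.log (same messages, one RID).
SAMPLE_LOG = """\
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602172: Getting initial credentials for someuser\\@AD.DOM@IPA.LAN
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602175: Sending request (185 bytes) to IPA.LAN
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602181: Received error from KDC: -1765328316/Realm not local to KDC
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602182: Following referral to realm AD.DOM
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602185: Sending request (183 bytes) to AD.DOM
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602209: Received error from KDC: -1765328359/Additional pre-authentication required
(2022-09-15 16:10:07): [krb5_child[1856]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [1856] 1663251007.602215: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(2022-09-15 16:10:07): [krb5_child[1856]] [get_and_save_tgt] (0x0400): [RID#12] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
"""
# libkrb5 trace lines relayed by SSSD: the message text follows the trace timestamp.
TRACE_RE = re.compile(r"\[sss_child_krb5_trace_cb\] \(0x[0-9a-f]+\): \[RID#(\d+)\] \[\d+\] [\d.]+: (.*)$")
FINAL_RE = re.compile(r"\[RID#(\d+)\] krb5_get_init_creds_password returned \[(-?\d+)\]")
PATTERNS = [  # (event kind, regex over the trace message)
    ("principal", re.compile(r"^Getting initial credentials for (\S+)$")),
    ("request",   re.compile(r"^Sending request \(\d+ bytes\) to (\S+)")),
    ("kdc_error", re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")),
    ("preauth",   re.compile(r"^Preauth module (\S+) .* returned: (-?\d+)/(.*)$")),
]

def parse_trace(text):
    events = []  # (rid, kind, captured groups) for every recognised line
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        hits = [(k, p.match(m.group(2))) for k, p in PATTERNS] if m else []
        for kind, hit in hits:
            if hit:
                events.append((int(m.group(1)), kind, hit.groups()))
        m = FINAL_RE.search(line)
        if m:  # libkrb5 gave up; this code is what SSSD maps to the PAM result
            events.append((int(m.group(1)), "final", (m.group(2),)))
    return events

def summarize(events):
    out = {"principal": None, "realms": [], "errors": [], "preauth": None, "final": None}
    for _rid, kind, g in events:
        if kind == "principal" and out["principal"] is None:
            out["principal"] = g[0]
        elif kind == "request" and g[0] not in out["realms"]:
            out["realms"].append(g[0])  # realms in the order the client was sent to them
        elif kind == "kdc_error":
            out["errors"].append((int(g[0]), g[1]))
        elif kind == "preauth":
            out["preauth"] = (g[0], int(g[1]), g[2])
        elif kind == "final":
            out["final"] = int(g[0])
    return out
```

Each event carries its RID, so on a real krb5_child.log you can group events by RID before calling summarize to keep separate PAM requests apart.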