Hi,
I have set up an IPA-AD trust between the IPA and AD servers, but the trust is always showing as offline. We are still able to get the AD user information and to obtain a KRB ticket:

# wbinfo --online-status
BUILTIN : online
IPA : online
*CORP : offline*

# id adu...@corp.addomain.com
uid=1007656917(adu...@corp.addomain.com) gid=1007656917(adu...@corp.addomain.com) groups=1007656917(adu...@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-r...@corp.addomain.com),1007600513(domain us...@corp.addomain.com)

[root@ilt-gif-ipa01 ~]# kinit adu...@corp.addomain.com
Password for adu...@corp.addomain.com:
[root@ilt-gif-ipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: adu...@corp.addomain.com

Valid starting       Expires              Service principal
08/11/2016 13:11:35  08/11/2016 23:11:35  krbtgt/corp.addomain....@corp.addomain.com
        renew until 08/12/2016 13:11:29
[root@ilt-gif-ipa01 ~]#

From the IPA client server we are able to get all things (KRB ticket / user / groups):

[root@ilt-gif-ipa02 ~]# getent passwd adu...@corp.addomain.com
adu...@corp.addomain.com:*:1007656917:1007656917:USER NAME:/home/corp.addomain.com/aduser:
[root@ilt-gif-ipa02 ~]# getent group adu...@corp.addomain.com
adu...@corp.addomain.com:*:1007656917:
[root@ilt-gif-ipa02 ~]# id adu...@corp.addomain.com
uid=1007656917(adu...@corp.addomain.com) gid=1007656917(adu...@corp.addomain.com) groups=1007656917(adu...@corp.addomain.com),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(da-eeg-intra-r...@corp.addomain.com),1007600513(domain us...@corp.addomain.com),1007725088(tfs_us...@corp.addomain.com)

Also, we are able to ssh to the IPA client on the same machine or from some other machine with GSS authentication. But using password authentication, the login fails.
*ERROR:- pam_sss(sshd:auth): authentication failure; logname*

kinit adu...@corp.addomain.com
Password for adu...@corp.addomain.com:

[root@ilt-gif-ipa02 ~]# ssh -vl adu...@corp.addomain.com ilt-gif-ipa02.ipa.preprod.local
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ilt-gif-ipa02.ipa.preprod.local
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA f0:e6:b2:66:c8:41:06:4e:83:a4:a2:c5:5a:57:24:66
debug1: Host 'ilt-gif-ipa02.ipa.preprod.local' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
*debug1: Authentication succeeded (gssapi-with-mic).*
Authenticated to ilt-gif-ipa02.ipa.preprod.local (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Aug 11 13:17:05 2016 from ilt-gif-ipa02.ipa.preprod.local
RHN kickstart on 2014-10-16
-sh-4.2$ pwd
/home/corp.addomain.com/aduser
-sh-4.2$ who am i
adu...@corp.addomain.com pts/3        2016-08-11 13:19 (ilt-gif-ipa02.ipa.preprod.local)
-sh-4.2$

]# ssh adu...@corp.addomain.com@ilt-gif-ipa02.ipa.preprod.local
e600...@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
Permission denied, please try again.
e600...@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:

Can you please help me? I am not able to login with AD user password authentication.

/Rajat Gupta
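As an added diagnostic aid (example code written for this page, not code from the post or from the FreeIPA project): the transcript above exercises two different authentication paths. With gssapi-with-mic, sshd validates a service ticket the client already holds against the host keytab, so no KDC round trip happens during the login; with password, pam_sss hands the password to sssd, which must obtain a ticket for the user from a KDC of the user's realm. A domain that winbind reports offline therefore only affects the second path. The script parses `wbinfo --online-status` output and sshd/pam_sss lines in the /var/log/secure format and reports, per user, which methods were accepted or rejected alongside winbind's state for that user's trust domain. The host name, the CORP -> corp.addomain.com short-name mapping (SHORT_NAMES) and the log lines are constructed for the example and are assumptions; on a real host take the mapping from `wbinfo --domain-info`.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the post: wbinfo --online-status prints
# one "DOMAIN : online|offline" line per domain winbind knows about.
SAMPLE_WBINFO = """\
BUILTIN : online
IPA : online
CORP : offline
"""

# Constructed /var/log/secure lines for one trust user: a GSSAPI login that
# sshd accepted, then a password login that pam_sss/sssd rejected.  The real
# user and host names in the post are masked, so these are made up.
SAMPLE_SECURE_LOG = [
    "Aug 11 13:19:02 ilt-gif-ipa02 sshd[4121]: Accepted gssapi-with-mic for aduser@corp.addomain.com from 10.1.2.3 port 50112 ssh2",
    "Aug 11 13:21:40 ilt-gif-ipa02 sshd[4188]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.2.3 user=aduser@corp.addomain.com",
    "Aug 11 13:21:40 ilt-gif-ipa02 sshd[4188]: pam_sss(sshd:auth): received for user aduser@corp.addomain.com: 7 (Authentication failure)",
    "Aug 11 13:21:42 ilt-gif-ipa02 sshd[4188]: Failed password for aduser@corp.addomain.com from 10.1.2.3 port 50140 ssh2",
]

# Assumed mapping from winbind's short domain name to the DNS domain that
# appears in the user principal.
SHORT_NAMES = {"CORP": "corp.addomain.com", "IPA": "ipa.preprod.local"}

WBINFO_RE = re.compile(r"^\s*(?P<domain>\S+)\s*:\s*(?P<state>online|offline)\s*$")
# sshd's own verdict lines: "Accepted <method> for <user> from <rhost> ..."
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)"
)
# pam_sss's failure line (the one quoted in the post) carries a user= field.
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):auth\): authentication failure;.*\buser=(?P<user>\S+)"
)


def parse_wbinfo(text):
    """Return {domain: 'online'|'offline'} from wbinfo --online-status output."""
    states = {}
    for line in text.splitlines():
        m = WBINFO_RE.match(line)
        if m:
            states[m.group("domain")] = m.group("state")
    return states


def parse_auth_log(lines):
    """Turn sshd / pam_sss lines into {user, method, ok, source} events."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            events.append({"user": m.group("user"), "method": m.group("method"),
                           "ok": m.group("result") == "Accepted", "source": "sshd"})
            continue
        m = PAM_SSS_RE.search(line)
        if m:
            # pam_sss only ever fails the password path; GSSAPI never reaches PAM auth.
            events.append({"user": m.group("user"), "method": "password",
                           "ok": False, "source": "pam_sss"})
    return events


def domain_of(user):
    """DNS domain of a fully qualified trust user, lower-cased; None if unqualified."""
    return user.rsplit("@", 1)[1].lower() if "@" in user else None


def triage(wbinfo_text, log_lines, short_names):
    """Correlate per-user auth outcomes with winbind's state for the user's domain."""
    states = parse_wbinfo(wbinfo_text)
    dns_state = {dns.lower(): states.get(short, "unknown") for short, dns in short_names.items()}
    users = defaultdict(lambda: {"accepted": set(), "rejected": set(), "domain_state": "unknown"})
    for ev in parse_auth_log(log_lines):
        rec = users[ev["user"]]
        (rec["accepted"] if ev["ok"] else rec["rejected"]).add(ev["method"])
        rec["domain_state"] = dns_state.get(domain_of(ev["user"]) or "", "unknown")
    findings = []
    for user, rec in sorted(users.items()):
        others = rec["accepted"] - {"password"}
        if "password" in rec["rejected"] and others:
            findings.append(
                f"{user}: {', '.join(sorted(others))} accepted but password rejected; "
                f"winbind reports {domain_of(user)} as {rec['domain_state']}"
            )
    return {"domains": states, "users": dict(users), "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_WBINFO, SAMPLE_SECURE_LOG, SHORT_NAMES)["findings"]:
        print(line)
```

The "accepted via GSSAPI, rejected via password, domain offline" pattern it flags is exactly the combination in the post; it narrows the problem to the sssd-to-KDC password path for the trusted domain rather than to sshd, PAM or user lookup, which all demonstrably work.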
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code