[Freeipa-users] Password failing for sudo-ldap authentication only from one host

David Sastre d.sastre.medina at gmail.com
Tue Oct 2 08:39:29 UTC 2012


On Thu, Sep 27, 2012 at 10:53 AM, David Sastre <d.sastre.medina at gmail.com> wrote:

> On Thu, Sep 27, 2012 at 10:01 AM, Jakub Hrozek wrote:
>
>> On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote:
>> > On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina wrote:
>> > > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
>> > > > David Sastre wrote:
>> > > > > [big snip]
>> > > > Does sssd work on this machine otherwise? getent passwd <foo>, you
>> > > > can log into the console as the user, or perhaps kinit to the user?
>> > >
>> > It looks like sssd is operating correctly.
>> > I can also kinit w/o problems:
>>
>> kinit bypasses the SSSD and talks to the KDC directly.
>>  ...however, the ssh should go through the SSSD...
>>
>> Can you check the messages that appear in /var/log/secure during the
>> sudo auth attempt? You should see pam_sss being contacted, what does it
>> say? Is there any error?
>>
>
> Jakub,
>
> Does your comment mean ssh/sshd is misbehaving or badly configured?
>
> There are, indeed, errors regarding pam_sss in /var/log/secure.
>
> This is a successful login+sudo+logout in a host:
>
> Sep 27 10:29:56 panoramix sshd[12913]: Authorized to dsastrem, krb5 principal dsastrem@SOME.DOMAIN.COM (krb5_kuserok)
> Sep 27 10:29:56 panoramix sshd[12913]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 58678 ssh2
> Sep 27 10:29:56 panoramix sshd[12913]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0)
> Sep 27 10:30:13 panoramix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost=  user=dsastrem
> Sep 27 10:30:13 panoramix sudo: pam_sss(sudo:auth): authentication success; logname=dsastrem uid=0 euid=0 tty=/dev/pts/2 ruser=dsastrem rhost= user=dsastrem
> Sep 27 10:30:13 panoramix sudo: dsastrem : TTY=pts/2 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show
> Sep 27 10:30:32 panoramix sshd[12942]: Received disconnect from 172.26.130.101: 11: disconnected by user
> Sep 27 10:30:32 panoramix sshd[12913]: pam_unix(sshd:session): session closed for user dsastrem
>
> This one a failed attempt to do the same in another host:
>
> Sep 27 10:32:27 obelix sshd[5242]: Authorized to dsastrem, krb5 principal dsastrem@SOME.DOMAIN.COM (krb5_kuserok)
> Sep 27 10:32:27 obelix sshd[5242]: Accepted gssapi-with-mic for dsastrem from 172.26.130.101 port 38276 ssh2
> Sep 27 10:32:27 obelix sshd[5242]: pam_unix(sshd:session): session opened for user dsastrem by (uid=0)
> Sep 27 10:32:50 obelix sudo: pam_unix(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
> Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): system info: [Permission denied]
> Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
> Sep 27 10:32:50 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
> Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): conversation failed
> Sep 27 10:33:13 obelix sudo: pam_unix(sudo:auth): auth could not identify password for [dsastrem]
> Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): system info: [Cannot read password]
> Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): authentication failure; logname=dsastrem uid=0 euid=0 tty=/dev/pts/1 ruser=dsastrem rhost= user=dsastrem
> Sep 27 10:33:13 obelix sudo: pam_sss(sudo:auth): received for user dsastrem: 4 (System error)
> Sep 27 10:33:13 obelix sudo: dsastrem : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/dsastrem ; USER=root ; COMMAND=/sbin/ip addr show
> Sep 27 10:33:21 obelix sshd[5281]: Received disconnect from 172.26.130.101: 11: disconnected by user
> Sep 27 10:33:21 obelix sshd[5242]: pam_unix(sshd:session): session closed for user dsastrem
>
> I can see now where it is failing, but I can't understand why (yet). Is
> this PAM related?
>

For the record, and just in case it's useful for others, I solved this.
These were the steps taken:

- add debug_level = 10 to /etc/sssd/sssd.config
- ssh to user and issue a sudo command
- /var/log/sssd/krb5_child.log snippet:

(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [krb5_child_setup] (0x4000): Not using FAST.
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [validate_tgt] (0x4000): Found keytab entry with the realm of the credential.
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [validate_tgt] (0x0200): TGT verified using key for [host/obelix.some.domain.com@SOME.DOMAIN.COM].
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [become_user] (0x4000): Trying to become user [1543400001][1543400001].
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [create_ccache_file] (0x0020): mkstemp failed [13][Permission denied].
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [get_and_save_tgt] (0x0020): 688: [13][Permission denied]
(Tue Oct  2 10:13:07 2012) [[sssd[krb5_child[28605]]]] [tgt_req_child] (0x0020): 919: [13][Permission denied]

- verify no AVC denials exist in /var/log/audit/audit.log:

type=SYSCALL msg=audit(1349166186.421:6931172): arch=c000003e syscall=2 success=no exit=-13 a0=6235f0 a1=c2 a2=180 a3=7fff58d80dc0 items=1 ppid=28558 pid=30842 auid=500 uid=1543400001 gid=1543400001 euid=1543400001 suid=1543400001 fsuid=1543400001 egid=1543400001 sgid=1543400001 fsgid=1543400001 tty=(none) ses=17963 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key="access"
type=PATH msg=audit(1349166186.421:6931172): item=0 name="/tmp/.krb5cc_dummy_hiA8y9" inode=131104 dev=fd:15 mode=040757 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=USER_AUTH msg=audit(1349166187.601:6931173): user pid=30807 uid=0 auid=1543400001 ses=17969 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="dsastrem" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=failed'

- google a bit (http://www.mail-archive.com/sssd-devel@lists.fedorahosted.org/msg10176.html)
- restore expected /tmp permissions:

# ll -dZ /tmp/
drwxr-xrwx. root root system_u:object_r:tmp_t:s0       /tmp/
# chmod g+w,o+t /tmp/
# ll -dZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp/

sudo works correctly again. Thanks to the people on this list who spent
time looking into this and pointed me in the right direction.
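As an added example (not part of this thread or of SSSD), the Python script below automates the audit.log check from the steps above: it correlates the SYSCALL and PATH records of each audit event, picks out krb5_child file creates refused with EACCES (exit=-13), and derives from the parent directory's recorded mode the same chmod argument that restored /tmp here. The sample records are constructed from the excerpt above with some fields trimmed; the expected mode 1777 for the ccache directory is an assumption taken from the fix shown.

```python
import errno
import re
import stat
from collections import defaultdict
# Constructed sample modelled on the two audit.log records quoted above (some fields trimmed).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1349166186.421:6931172): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=30842 uid=1543400001 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key="access"
type=PATH msg=audit(1349166186.421:6931172): item=0 name="/tmp/.krb5cc_dummy_hiA8y9" inode=131104 dev=fd:15 mode=040757 ouid=0 ogid=0 obj=system_u:object_r:tmp_t:s0
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
EVENT_RE = re.compile(r'audit\([\d.]+:(\d+)\)')  # msg=audit(<timestamp>:<event id>):
EXPECTED_TMP_MODE = 0o1777  # drwxrwxrwt, what the thread restored with chmod g+w,o+t (assumed expectation)

def parse_record(line):
    """One audit record -> dict of its fields (quotes stripped) plus the event id under 'event'."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(rec.get("msg", ""))
    rec["event"] = m.group(1) if m else None
    return rec

def chmod_fix(missing):
    """Render missing mode bits as a chmod symbolic argument, e.g. 0o1020 -> 'g+w,o+t'."""
    ops = []
    for who, shift in (("u", 6), ("g", 3), ("o", 0)):
        perms = "".join(p for p, b in zip("rwx", (4, 2, 1)) if missing & (b << shift))
        if perms:
            ops.append(f"{who}+{perms}")
    if missing & stat.S_ISVTX:
        ops.append("o+t")
    return ",".join(ops)

def find_failed_ccache_creates(audit_text):
    """Correlate SYSCALL/PATH records per event; flag krb5_child file creates refused with EACCES."""
    events = defaultdict(list)
    for line in filter(None, audit_text.splitlines()):
        rec = parse_record(line)
        events[rec["event"]].append(rec)
    findings = []
    for recs in events.values():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if (not sc or sc.get("comm") != "krb5_child" or sc.get("success") != "no"
                or int(sc.get("exit", "0")) != -errno.EACCES):
            continue
        for p in (r for r in recs if r.get("type") == "PATH"):
            mode = int(p["mode"], 8)
            if not stat.S_ISDIR(mode):  # for a failed create the PATH item carries the parent directory
                continue
            missing = EXPECTED_TMP_MODE & ~stat.S_IMODE(mode)
            findings.append({"path": p["name"], "dir_mode": f"{stat.S_IMODE(mode):04o}", "fix": chmod_fix(missing)})
    return findings
```

Run against the thread's records this reports one finding with dir_mode 0757 and fix g+w,o+t; an event that fails for a different reason (SELinux, a non-EACCES errno) is not flagged, which is what separates this case from an AVC denial.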