[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?
Chris Dagdigian
dag at sonsorol.org
Tue Nov 22 15:50:44 UTC 2016
Following up my own email after realizing my sssd debug info was better when I ran it via "# sssd -i -d 5" ...

Here are the relevant entries from sssd during a failed login attempt via SSH using AD credentials from username@nafta.company.com
-Chris
(Tue Nov 22 15:43:27 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Tue Nov 22 15:43:27 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Tue Nov 22 15:43:27 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 't859531@NAFTA.COMPANY.ORG' matched expression for domain 'NAFTA.COMPANY.ORG', user is t859531
(Tue Nov 22 15:43:27 2016) [sssd[be[company-idm.org]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=t859531]
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Tue Nov 22 15:43:28 2016) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Tue Nov 22 15:43:28 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Tue Nov 22 15:43:28 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Tue Nov 22 15:43:28 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 't859531@NAFTA.COMPANY.ORG' matched expression for domain 'NAFTA.COMPANY.ORG', user is t859531
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=t859531]
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:28 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:29 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:29 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:29 2016) [sssd[be[company-idm.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Tue Nov 22 15:43:29 2016) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_cmd_preauth] (0x0100): entering pam_cmd_preauth
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 't859531@NAFTA.COMPANY.ORG' matched expression for domain 'NAFTA.COMPANY.ORG', user is t859531
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): user: t859531
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: usrelnu4239n3y2.NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 4180
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: t859531@NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=t859531]
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [t859531@NAFTA.COMPANY.ORG]
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): user: t859531@NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: usrelnu4239n3y2.NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 4180
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: t859531@NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): domain: NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): user: t859531@NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): service: sshd
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): tty: ssh
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): ruser:
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): rhost: usrelnu4239n3y2.NAFTA.COMPANY.ORG
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): authtok type: 0
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): priv: 1
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): cli_pid: 4180
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [pam_print_data] (0x0100): logon name: not set
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [be_resolve_server_process] (0x0200): Found address for server usaeilidmp001.company-idm.org: [10.127.64.11] TTL 1162
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [unpack_buffer] (0x0100): cmd [249] uid [1843770609] gid [1843770609] validate [true] enterprise principal [false] offline [false] UPN [t859531@SYNGENTA.ORG]
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/usaeilvdip001.syngentaaws.org@company-idm.org]
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Nov 22 15:43:32 2016) [sssd[pac]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Nov 22 15:43:32 2016) [sssd[pac]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [become_user] (0x0200): Trying to become user [1843770609][1843770609].
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Tue Nov 22 15:43:33 2016) [[sssd[krb5_child[4184]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Tue Nov 22 15:43:33 2016) [[sssd[krb5_child[4184]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Nov 22 15:43:33 2016) [sssd[pac]] [client_recv] (0x0200): Client disconnected!
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [child_sig_handler] (0x0100): child [4184] finished successfully.
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usaeilidmp001.company-idm.org' as 'working'
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [set_server_common_status] (0x0100): Marking server 'usaeilidmp001.company-idm.org' as 'working'
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [be_pam_handler_callback] (0x0100): Sending result [0][NAFTA.COMPANY.ORG]
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [be_pam_handler_callback] (0x0100): Sent result [0][NAFTA.COMPANY.ORG]
(Tue Nov 22 15:43:33 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][NAFTA.COMPANY.ORG]
(Tue Nov 22 15:43:33 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Nov 22 15:43:33 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 35
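An added example for reading a dump like the one above (editor's code, not part of the original post or of SSSD): a small triage script that parses SSSD's "(timestamp) [process] [function] (0xLEVEL): message" debug lines, keeps only the entries whose level bit marks them fatal (0x0010), critical (0x0020) or serious (0x0040) per sssd.conf(5), counts repeated failures so the four identical sysdb_update_members_ex lines collapse into one finding, and cross-checks the domain sssd matched the login name against (NAFTA.COMPANY.ORG) with the realm in the UPN handed to krb5_child (SYNGENTA.ORG). The sample log is an abridged copy of the entries in the post with the archive's mail-address mangling undone; everything else (function and key names, the case-insensitive realm comparison) is the example's own choice.

```python
"""Triage SSSD debug output (sssd -i -d 5 style) for a failed SSH login."""
import re
from collections import Counter

# debug_level bit meanings from sssd.conf(5); the lower bits are the more severe ones
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function data", 0x0400: "trace",
}
SEVERE_MASK = 0x0010 | 0x0020 | 0x0040

# "(ts) [sssd[pam]] [func] (0x0200): msg"; the process field nests like [[sssd[krb5_child[4184]]]]
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) (?P<proc>\[+sssd\[.*?\]+) \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
COMPONENT_RE = re.compile(r"sssd\[(\w+)")
NAME_MATCH_RE = re.compile(
    r"name '(?P<name>[^']+)' matched expression for domain '(?P<domain>[^']+)', user is (?P<user>\S+)"
)
UPN_RE = re.compile(r"UPN \[(?P<upn>[^\]]+)\]")
ENTERPRISE_RE = re.compile(r"enterprise principal \[(?P<val>true|false)\]")
PAM_RESULT_RE = re.compile(r"pam_reply called with result \[(?P<code>\d+)\]: (?P<text>[^.]+)")


def parse_line(line):
    """Return a dict for one SSSD debug line, or None for anything else (wrapped text, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    comp = COMPONENT_RE.search(m.group("proc"))
    return {
        "ts": m.group("ts"),
        "component": comp.group(1) if comp else m.group("proc"),
        "func": m.group("func"),
        "level": int(m.group("level"), 16),
        "msg": m.group("msg"),
    }


def realm_of(principal):
    # Compared case-insensitively: AD DNS names are, and the post's log mixes cases itself
    return principal.rsplit("@", 1)[-1].upper()


def triage(lines):
    """Collect severe entries, repeat counts, and the identity facts worth checking."""
    report = {"severe": [], "repeats": Counter(), "matched_domain": None,
              "login_user": None, "upn": None, "enterprise_principal": None,
              "pam_result": None, "realm_mismatch": None}
    for raw in lines:
        ent = parse_line(raw)
        if ent is None:
            continue
        if ent["level"] & SEVERE_MASK:
            report["severe"].append(
                (LEVEL_NAMES.get(ent["level"], hex(ent["level"])), ent["component"], ent["func"], ent["msg"]))
            # drop the bracketed per-user detail so identical failures count together
            report["repeats"][(ent["func"], ent["msg"].split("[")[0].strip())] += 1
        m = NAME_MATCH_RE.search(ent["msg"])
        if m and report["matched_domain"] is None:
            report["matched_domain"], report["login_user"] = m.group("domain"), m.group("user")
        m = UPN_RE.search(ent["msg"])
        if m:
            report["upn"] = m.group("upn")
        m = ENTERPRISE_RE.search(ent["msg"])
        if m:
            report["enterprise_principal"] = m.group("val") == "true"
        m = PAM_RESULT_RE.search(ent["msg"])
        if m:
            report["pam_result"] = (int(m.group("code")), m.group("text"))
    if report["matched_domain"] and report["upn"]:
        report["realm_mismatch"] = realm_of(report["upn"]) != report["matched_domain"].upper()
    return report


# Constructed sample: abridged from the post's log, with "@" restored in principals
SAMPLE_LOG = """\
(Tue Nov 22 15:43:32 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 't859531@NAFTA.COMPANY.ORG' matched expression for domain 'NAFTA.COMPANY.ORG', user is t859531
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Tue Nov 22 15:43:32 2016) [sssd[be[company-idm.org]]] [sysdb_update_members_ex] (0x0020): Could not add member [t859531@NAFTA.COMPANY.ORG] to group [name=t859531@NAFTA.COMPANY.ORG,cn=groups,cn=NAFTA.COMPANY.ORG,cn=sysdb]. Skipping.
(Tue Nov 22 15:43:32 2016) [[sssd[krb5_child[4184]]]] [unpack_buffer] (0x0100): cmd [249] uid [1843770609] gid [1843770609] validate [true] enterprise principal [false] offline [false] UPN [t859531@SYNGENTA.ORG]
(Tue Nov 22 15:43:33 2016) [[sssd[krb5_child[4184]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Tue Nov 22 15:43:33 2016) [sssd[be[company-idm.org]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Tue Nov 22 15:43:33 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    for (func, head), n in r["repeats"].most_common():
        print(f"{n}x {func}: {head}")
    print("matched domain:", r["matched_domain"], "| UPN:", r["upn"],
          "| enterprise principal:", r["enterprise_principal"], "| realm mismatch:", r["realm_mismatch"])
    print("PAM result:", r["pam_result"])
```

Two cautions when reading the output. First, the only PAM command in the excerpt is SSS_PAM_PREAUTH (cmd 249) and it ends in Success, so the lines that explain the refused login belong to the authentication exchange that follows preauth, which the post does not include; run the script over the full file rather than this excerpt. Second, the realm-mismatch flag is a prompt to check, not a verdict: the UPN suffix differing from the matched domain while "enterprise principal" is false is exactly the combination to look at in a multi-domain forest, but whether it is the cause here is for the full log and the trust configuration to say.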