schkratek
asked on
What is wrong with my FreeIPA configuration
I have a FreeIPA server connected to a Windows AD server. Here is some environment data:
freeipaad.schkrat.local (Active Directory, DNS; MS Windows Server 2012 R2 Datacenter Evaluation x64)
ipaserver.schkrat.ipa (FreeIPA server, CentOS release 6.6 (Final) x64)
IPA version components:
sssd-ipa-1.11.6-30.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-trust-ad-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6.x86_64
HBAC test works:
ipa hbactest --user=wintest --host=ipbclient.schkrat.ipa --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: access_all
We have a valid TRUST with AD:
[root@ipaserver sssd]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: schkrat.local
Domain NetBIOS name: SCHKRAT
Domain Security Identifier: S-1-5-21-957296299-3555775235-3719493031
Trust type: Active Directory domain
----------------------------
Number of entries returned 1
The problem is when an HBAC rule is set so that under "WHO" we select a Windows user. Then SSH access stops working:
Before HBAC:
Feb 17 08:21:07 ipbclient sshd[30058]: Accepted password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34719 ssh2
Feb 17 08:21:07 ipbclient sshd[30058]: pam_unix(sshd:session): session opened for user wintest@SCHKRAT.LOCAL by (uid=0
After HBAC:
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration
So what am I missing?
So you have oddjob-mkhomedir properly running?
ASKER
I have it running.. What is "properly running"? On the server and on the client.. So what should I check?
Check /var/log/secure, it should tell if something goes amiss in user login.
Basically mkhomedir should be in pam.d/system-auth somewhere around detecting if the username and/or password is correct, like the next line after the sssd module or so. Almost all PAM modules take a debug parameter to spit long details into the same secure log. Try them one by one from the beginning (no damage since it does not work anyway, though keep a root session open and the original system-auth at hand "just in case").
ASKER
As I said above in my first post, /var/log/secure:
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration
and this is my system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
ASKER
This is the latest secure log with the HBAC rule enabled for a particular group:
Mar 20 14:19:04 node1 sshd[10180]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): received for user wintest@SCHKRAT.LOCAL: 4 (System error)
Mar 20 14:19:06 node1 sshd[10180]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 42614 ssh2
and this is the id of my wintest user:
[root@ipbclient ~]# id wintest
uid=969800021(wintest) gid=969800021(wintest) groups=969800021(wintest)
[root@ipbclient ~]# id wintest@schkrat.ipa
uid=969800021(wintest) gid=969800021(wintest) groups=969800021(wintest)
[root@ipbclient ~]# id wintest@SCHKRAT.LOCAL
uid=1968601105(wintest@schkrat.local) gid=1968601105(wintest@schkrat.local) groups=1968601105(wintest@schkrat.local),969800013(ad_admins)
pam_sss wrongly denies authentication (the account section works, as seen by the id command).
Read "man pam_sss" and see if it lets you add a "debug" parameter to the authentication section...
It will give you a screenful of information (don't post it, parts are sensitive, like the password text the user supplied, encoded etc).
Ask the Windows admin for the security log originating from your machine around the time you test... They may help you a lot.
ASKER
Thank you.. will try that and let you know the result.. might be a late response because tomorrow I am out of office.. Will post as soon as I get some info.
Don't worry... Just take care to disable the debug output afterwards, as it puts sensitive data in the logs.
ASKER
Sorry it takes so long.. Will post some new results today..
ASKER
Hello again..
Nothing specific about raising the loglevel.. But I also added a higher loglevel to the pam section:
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [wintest@schkrat.local]
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is wintest@schkrat.local
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [wintest@schkrat.local] added to PAM initgroup cache
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: schkrat.local
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): user: wintest@schkrat.local
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.13.40.233
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2633
.. ruser: not set?
In the domain section I have:
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [switch_creds] (0x0200): Switch user to [1968601105][1968601105].
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [switch_creds] (0x0200): Switch user to [0][0].
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_send] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1968601105_zBp5HR] and is not active and TGT is valid.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x0100): Reseting the status of port 0 for server '(no name)'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [resolve_srv_send] (0x0200): The status of SRV lookup is not resolved
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x1000): Trying with the next one!
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_server_status] (0x1000): Status of server 'ipaserver.schkrat.ipa' is 'name resolved'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipaserver.schkrat.ipa' is 'not working'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x0100): Reseting the status of port 0 for server 'ipaserver.schkrat.ipa'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_server_status] (0x1000): Status of server 'ipaserver.schkrat.ipa' is 'name resolved'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x0200): Found address for server ipaserver.schkrat.ipa: [10.13.40.234] TTL 3600
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipaserver.schkrat.ipa'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_resolve_done] (0x4000): Preparing for offline operation.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_resolve_done] (0x4000): Valid TGT available or ccache file is already in use.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Sending result [9][schkrat.local]
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Sent result [9][schkrat.local]
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_dispatch] (0x4000): dbus conn: 0xfa3bc0
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
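The two failures quoted in this thread are different PAM results: the first post shows the account stack returning 6 (Permission denied) after a successful auth, while the later logs show the auth stack returning 4 (System error) and the sssd backend returning 9 with "Provider is Offline". As an added example (not code from the thread, FreeIPA or SSSD), the following Python script parses such /var/log/secure and sssd domain-log lines, names the Linux-PAM return code, and reports whether the login was refused by access control (where HBAC is evaluated) or by authentication itself; the sample lines are constructed from the ones quoted in the thread.

```python
"""Decode the PAM return codes that pam_sss and the sssd backend log.

Added example for this thread (not code from the original posts or from
FreeIPA/SSSD).  It reads /var/log/secure-style pam_sss lines and sssd
domain-log "Backend returned" lines, maps the numeric code to its Linux-PAM
name, and says which layer refused the login: the *account* stack (where
HBAC is evaluated) or the *auth* stack / backend (credential verification).
"""
import re

# Linux-PAM return codes from <security/_pam_types.h>; only the low range is
# listed, which covers every code quoted in this thread (4, 6, 9).
PAM_CODES = {
    0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 2: "PAM_SYMBOL_ERR",
    3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR",
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

# e.g. "pam_sss(sshd:account): Access denied for user X: 6 (Permission denied)"
SECURE_RE = re.compile(
    r"pam_sss\((?P<service>[\w-]+):(?P<stack>auth|account|password|session)\): "
    r".*? for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
# e.g. "[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (...)]"
BACKEND_RE = re.compile(
    r"Backend returned: \((?P<dp>\d+), (?P<code>\d+), (?P<msg>[^)]*)\)"
    r"(?: \[(?P<text>.*)\])?"
)


def parse_line(line):
    """Return a dict for one PAM result found in `line`, or None if no code is present."""
    m = SECURE_RE.search(line)
    if m:
        code = int(m.group("code"))
        return {"source": "secure", "stack": m.group("stack"), "user": m.group("user"),
                "code": code, "name": PAM_CODES.get(code, "UNKNOWN"),
                "text": m.group("text")}
    m = BACKEND_RE.search(line)
    if m:
        code = int(m.group("code"))
        # The domain log does not print which PAM stack asked; tag it "backend".
        return {"source": "sssd", "stack": "backend", "user": None,
                "code": code, "name": PAM_CODES.get(code, "UNKNOWN"),
                "text": m.group("text") or m.group("msg")}
    return None


def parse_log(text):
    """Parse every line of `text`; lines that carry no PAM code are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def classify(events):
    """Name the layer that refused the login.

    "authorization": auth succeeded but the account stack said PAM_PERM_DENIED,
                     i.e. access control (HBAC) rejected an authenticated user.
    "authentication": the auth stack or the sssd backend failed outright
                     (PAM_SYSTEM_ERR / PAM_AUTHINFO_UNAVAIL), so HBAC never ran.
    """
    failures = [e for e in events if e["code"] != 0]
    if not failures:
        return "ok"
    if any(e["stack"] in ("auth", "backend") for e in failures):
        return "authentication"
    if any(e["stack"] == "account" for e in failures):
        return "authorization"
    return "unknown"


# Sample input, constructed from the lines quoted in this thread.
AFTER_HBAC = """\
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
"""
LATER_SECURE = """\
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): received for user wintest@SCHKRAT.LOCAL: 4 (System error)
"""
SSSD_DOMAIN = """\
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
"""

if __name__ == "__main__":
    samples = (("after HBAC", AFTER_HBAC), ("Mar 20", LATER_SECURE), ("sssd domain", SSSD_DOMAIN))
    for label, log in samples:
        events = parse_log(log)
        print(label, "->", classify(events))
        for e in events:
            print("   ", e["stack"], e["code"], e["name"], "|", e["text"])
```

Run against the first post's lines it reports "authorization", i.e. an authenticated user rejected by the account stack; the later logs report "authentication", which is why the HBAC rule itself was never the thing being evaluated there.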
You should use the AD controller as the DNS server in resolv.conf.
Currently your IPA cannot connect to AD.
ASKER
from client:
[root@node1 sssd]# nslookup freeipaad.schkrat.local
Server: 10.13.40.240
Address: 10.13.40.240#53
Name: freeipaad.schkrat.local
Address: 10.13.40.240
from ipaserver:
[root@ipaserver ~]# nslookup freeipaad.schkrat.local
Server: 10.13.40.240
Address: 10.13.40.240#53
Name: freeipaad.schkrat.local
Address: 10.13.40.240
?
ASKER
Resolving works; 10.13.40.240 is the AD server.
Something is strange. It generates a Kerberos ticket, then does not authenticate to LDAP.
Each host mentioned (Kerberos and LDAP) should be resolvable using the shortest and longest names and in reverse.
e.g.
/etc/hosts
10.0.10.2 PDC.domain.home PDC
10.0.10.3 LINUX.domain.home LINUX
$ hostname
LINUX.pdc.local
etc etc.
(Kerberos is picky about it)
ASKER
It seems that the DNS and all of that is doing just fine.. I can resolve long/short names from the server and the client..
This means that somehow it detected the presence of a Kerberos ticket and right after could not use it.
Do you have disk space in /tmp?
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_resolve_done] (0x4000): Valid TGT available or ccache file is already in use.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
ASKER
Yes, enough space is there.. the ticket is created no problem after I try to connect:
-rw-------. 1 wintest@schkrat.local wintest@schkrat.local 171 Apr 1 10:19 krb5cc_1968601105_bp8dfz
Looks fine to me...
Permissions on /tmp?
ls -ld /tmp
drwxrwxrwt. 133 root root 2960 Apr 1 10:04 /tmp
aka
# chmod 01777 /tmp
# chown root.root /tmp
If that turns up fine, I'm out of ideas; use the request attention link on top of the question to get more experts in...
ASKER
The permission is ok, but it does not work.. Will go back to the drawing board..
Thank you for your help..
It is not about drawing board.
you can try authconfig in place of IPA in the meantime.
ASKER
How do you mean that?
Everything is set up correctly according to IPA but not working.
It means that you can easily use the more generic approach of winbind joining the domain (available since 2000 or so) by using the authconfig utility (available since RHEL4).
ASKER
Ok.. Thank you..
Will do that..
ASKER
Ok..
I have joined the client "node1.schkrat.ipa" to the Windows domain:
samba conf:
[global]
security = ads
realm = schkrat.local
password server = freeipaad.schkrat.local
workgroup = schkrat
# winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
[root@node1 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- SCHKRAT
Joined 'NODE1' to dns domain 'schkrat.local'
[root@node1 ~]# wbinfo -t
checking the trust secret for domain SCHKRAT via RPC calls succeeded
[root@node1 ~]# wbinfo -u
administrator
guest
krbtgt
wintest
schkraipa$
synctest
habac
grega
gg
Now configure PAM:
# authconfig --help
Usage: authconfig [options] {--update|--updateall|--test|--probe|--restorebackup <name>|--savebackup <name>|--restorelastbackup}
# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --test
Replace test with updateall to do the damage (keep a root console intact until you can reach it again).
It may require a restart of the winbind and oddjob-mkhomedir/messagebus services before logging in.
EXTRA: this adds a feature that allows smbclient -k //server/share when set in smb.conf:
winbind refresh tickets = yes
ASKER
Ok..
Now I can connect.. But I guess through winbind and not IPA?
[root@node1 ~]# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --updateall
Starting oddjobd: [ OK ]
Starting Winbind services: [ OK ]
10.13.40.239 is the ipaclient host (node1):
[schkrat@schkrat ~]$ ssh wintest@SCHKRAT.LOCAL@10.13.40.239
wintest@SCHKRAT.LOCAL@10.13.40.239's password:
Last login: Wed Mar 18 15:02:33 2015 from 10.13.40.233
-sh-4.1$
Yessir. Winbindsir. If you had a RedHat support entitlement you could ask them for a hotfix with your name on it... CentOS is just a copy machine.
You can log in, IPA does not work. Is it a satisfactory solution to your initial problem?
ASKER
Sorry but no..
Must go thru IPA..
Try downgrades of IPA, samba and kerberos until successful. It would be easier if you could afford support, as it looks like a software bug, not a fault of yours:
Red Hat Enterprise Linux for Desktops or Workstations
Support Levels | Product Information
Desktop
Self-support Subscription (1 year) $49 USD
Just an idea - can you initialize IPA with the authconfig command line?
ASKER
I tried:
authconfig --update \
--enablesssd --enablesssdauth \
--enableldap --enablerfc2307bis \
--ldapserver=ldap://ipaserver.schkrat.ipa \
--ldapbasedn=dc=schkrat,dc=ipa \
--enablekrb5 \
--krb5kdc=ipaserver.schkrat.ipa \
--krb5adminserver=ipaserver.schkrat.ipa \
--krb5realm=schkrat.ipa
but no luck..
I think the main problem lies in the user..
..because it works if I don't have an HBAC rule, but when I define user access in HBAC the system does not know how to react..
There is also a different user id for user wintest, that exists in the AD; there I connected as wintest@SCHKRAT.LOCAL, but when the user was transferred to IPA (automatic update), the user is just wintest..
If I su as the user on the IPA server I get:
[root@ipaserver ~]# su - wintest@SCHKRAT.LOCAL
-sh-4.1$ id
uid=1968601105(wintest@schkrat.local) gid=1968601105(wintest@schkrat.local) groups=1968601105(wintest@schkrat.local) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ exit
logout
[root@ipaserver ~]# su - wintest
[wintest@ipaserver ~]$ id
uid=969800021(wintest) gid=969800021(wintest) groups=969800021(wintest) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
..so now I am confused..
Remember?
# authconfig --enablewinbind --enablewinbindauth
su uses the first, sudo and login use the second.
ASKER
Hello.. Again..
So here it goes..
Installed a new client, used winbind and samba to join the domain, installed the freeipa client, changed some conf files to also use winbind, and now the thing works somehow.. I can't use just winbind, because HBAC rules are not applied. Winbind must be in combination with pam_sss, even if I get errors in the secure log. I am not happy that I must use two additional services (samba, winbind) instead of just the freeipa configuration. But it works!
So this is it..
You can require a group or IP in pam.d/system-auth.
The Internet is full of guides.
Another way is to use hosts.allow/deny etc.
ASKER
Will look into it.
There is some recent krb5 update that may or may not help.
ASKER
Will try with new version.
ASKER CERTIFIED SOLUTION
ASKER
Am trying with the new OS version..
Good luck..
ASKER
Ok.. Tried on CentOS Linux release 7.1.1503 (Core) and used FreeIPA 4.1.0.. and it works with minor configuration..
So thank you for all your help..
ASKER
Many thanks.. Sometimes one needs "one" to talk to.