Bug 1182183

| Field | Value |
|---|---|
| Summary | pam_sss(sshd:auth): authentication failure with user from AD |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | David Spurek <dspurek> |
| Component | sssd |
| Assignee | Sumit Bose <sbose> |
| Status | CLOSED ERRATA |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | medium |
| Priority | medium |
| Docs Contact | |
| Version | 7.1 |
| CC | dpal, ebenes, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mupadhye, mzidek, nkarandi, pbrezina, pkis, preichl, sbose |
| Target Milestone | rc |
| Keywords | Regression, Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | sssd-1.12.2-43.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-03-05 10:35:15 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description

David Spurek, 2015-01-14 14:52:03 UTC
Can you prepare a test machine that reproduces the bug or attach log files with a high debug_level?

Upstream ticket: https://fedorahosted.org/sssd/ticket/2557

Fixed upstream:

- master: 576ad637181b80d39a4e136c9afbf34c57f76156
- sssd-1-12: 24df1487413d13248dcc70d2548a763930da4c65

Tested with sssd-1.12.2-47.el7.x86_64

1. Install sssd-1.12.2-39.el7.x86_64 on test VM.

2. Configure sssd to authenticate to AD. From /etc/sssd/sssd.conf:

        [domain/sssdad2012.com]
        ad_domain = sssdad2012.com
        krb5_realm = SSSDAD2012.COM
        realmd_tags = manages-system joined-with-samba
        cache_credentials = True
        id_provider = ad
        krb5_store_password_if_offline = True
        default_shell = /bin/bash
        ldap_id_mapping = True
        use_fully_qualified_names = True
        fallback_homedir = /home/%d/%u
        access_provider = ad

3. With ktutil add an invalid principal to the keytab file.

        # klist -ekt
        Keytab name: FILE:/etc/krb5.keytab
        KVNO Timestamp           Principal
        ---- ------------------- ------------------------------------------------------
           2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (des-cbc-crc)
           2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (des-cbc-md5)
           2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (aes128-cts-hmac-sha1-96)
           2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (aes256-cts-hmac-sha1-96)
           2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (arcfour-hmac)
           2 01/27/2015 17:21:36 host/dhcp207-182 (des-cbc-crc)
           2 01/27/2015 17:21:36 host/dhcp207-182 (des-cbc-md5)
           2 01/27/2015 17:21:36 host/dhcp207-182 (aes128-cts-hmac-sha1-96)
           2 01/27/2015 17:21:36 host/dhcp207-182 (aes256-cts-hmac-sha1-96)
           2 01/27/2015 17:21:36 host/dhcp207-182 (arcfour-hmac)
           2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-crc)
           2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-md5)
           2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes128-cts-hmac-sha1-96)
           2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
           2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (arcfour-hmac)
           3 01/27/2015 17:51:44 host/Test13775 (aes256-cts-hmac-sha1-96)

   The "host/Test13775" is a principal not known to AD.

4. User auth fails.

        [root@dhcp207-182 ~]# ssh -l kau1 localhost
        kau1@localhost's password:
        Permission denied, please try again.
        kau1@localhost's password:
        Permission denied, please try again.
        kau1@localhost's password:
        Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

   From /var/log/secure:

        Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
        Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): received for user kau1: 4 (System error)
        Jan 27 17:53:22 dhcp207-182 sshd[24774]: Failed password for kau1 from ::1 port 51693 ssh2
        Jan 27 17:53:22 dhcp207-182 sshd[24774]: Connection closed by ::1 [preauth]

5. Update to sssd-1.12.2-47.el7.x86_64.rpm. Try auth with AD user.

   Login:

        [root@dhcp207-182 ~]# ssh -l kau1 localhost
        kau1@localhost's password:
        Last failed login: Tue Jan 27 17:58:56 IST 2015 from localhost on ssh:notty
        Last login: Tue Jan 27 17:53:56 2015 from localhost
        Could not chdir to home directory /home/kau1: No such file or directory
        -sh-4.2$

   From /var/log/secure:

        Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
        Jan 27 18:02:02 dhcp207-182 sssd[be[sssdad2012.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
        Jan 27 18:02:02 dhcp207-182 sshd[25048]: Accepted password for kau1 from ::1 port 51748 ssh2
        Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_unix(sshd:session): session opened for user kau1 by (uid=0)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
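An added check, not part of this bug report or of sssd, for the two things the reproducer above turns on: a keytab entry whose principal does not belong to the joined host, and pam_sss returning "4 (System error)" in /var/log/secure. The hostname, domain, realm and the sample `klist -ekt` and log lines are constructed to mirror the report.

```python
import re

# Constructed sample of `klist -ekt` output mirroring the report (not the bug's own
# listing); the KVNO 3 entry is the stray principal the reporter added with ktutil.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
   2 01/27/2015 17:21:36 host/dhcp207-182@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
   3 01/27/2015 17:51:44 host/Test13775 (aes256-cts-hmac-sha1-96)
"""

# Constructed /var/log/secure lines in the shape quoted in the report.
SECURE_LOG = [
    "Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1",
    "Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): received for user kau1: 4 (System error)",
    "Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1",
]

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
SYSERR_RE = re.compile(r"pam_sss\((\S+):auth\): received for user (\S+): 4 \(System error\)")

def expected_principals(hostname, domain, realm):
    """Principals an AD-joined host normally carries: host/fqdn, host/short, MACHINE$."""
    short = hostname.split(".")[0]
    return {f"host/{short}.{domain}@{realm}", f"host/{short}@{realm}", f"{short.upper()}$@{realm}"}

def parse_klist(text, default_realm):
    """Return (kvno, principal, enctype) tuples; a principal printed without a realm gets default_realm."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # keytab name, column header or separator line
        kvno, _ts, princ, enctype = m.groups()
        if "@" not in princ:
            princ = f"{princ}@{default_realm}"
        entries.append((int(kvno), princ, enctype))
    return entries

def stray_principals(text, hostname, domain, realm):
    """Keytab principals that are not among the host's expected names."""
    allowed = expected_principals(hostname, domain, realm)
    return sorted({p for _, p, _ in parse_klist(text, realm) if p not in allowed})

def system_error_auths(lines):
    """(service, user) pairs where pam_sss returned PAM_SYSTEM_ERR (4), the symptom in this bug."""
    return [m.groups() for m in map(SYSERR_RE.search, lines) if m]
```

Run `stray_principals(KLIST_OUTPUT, "dhcp207-182", "sssdad2012.com", "SSSDAD2012.COM")` against real `klist -ekt` output to spot an entry like host/Test13775 before it affects sssd versions without the fix.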