1034958 – RHEL7 IPA AD Trusted user ssh gssapi failed and user prompted for password

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1034958 - RHEL7 IPA AD Trusted user ssh gssapi failed and user prompted for password

Summary: RHEL7 IPA AD Trusted user ssh gssapi failed and user prompted for password

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	doc-Windows_Integration_Guide
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Aneta Šteflová Petrová
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1035254
TreeView+	depends on / blocked

Reported:	2013-11-26 18:43 UTC by Scott Poore
Modified:	2019-03-06 02:09 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-10 12:06:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
tcpdump during ssh attempt (5.01 KB, application/octet-stream) 2013-11-26 20:32 UTC, Scott Poore	no flags	Details
var log files (6.45 MB, application/x-tar) 2013-11-26 20:46 UTC, Scott Poore	no flags	Details
View All

Description Scott Poore 2013-11-26 18:43:55 UTC

Description of problem:

In an IPA Environment with AD Trust setup, I'm trying to ssh as AD user with GSSAPI for passwordless login.  This had previously worked but, now is not:

[root@rhel7-1 ~]# kinit aduser.TEST
Password for aduser.TEST: 

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: aduser.TEST

Valid starting       Expires              Service principal
11/26/2013 12:31:38  11/26/2013 22:31:38  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 11/27/2013 12:31:36

[root@rhel7-1 ~]# ssh -K -l aduser.TEST $(hostname)
aduser.TEST.com's password: 


Version-Release number of selected component (if applicable):
ipa-server-3.3.3-5.el7.x86_64
sssd-1.11.2-1.el7.x86_64
openssh-6.4p1-1.el7.x86_64
krb5-server-1.11.3-31.el7.x86_64


How reproducible:
Unknown.  This recently worked in automation but, is failing when run manually.

Steps to Reproduce:
1.  Setup AD server with aduser 
2.  Setup IPA server with trust to AD
3.  kinit aduser
4.  ssh -K -l aduser $(hostname)

Actual results:
prompts for password

Expected results:
no prompt.  just logs in.

Additional info:

With sshd_config having LogLevel set to DEBUG, I see this in /var/log/secure for the connection:

Nov 26 12:35:40 rhel7-1 sshd[4204]: debug1: Forked child 5249.
Nov 26 12:35:40 rhel7-1 sshd[5249]: Set /proc/self/oom_score_adj to 0
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: inetd sockets after dupping: 3, 3
Nov 26 12:35:40 rhel7-1 sshd[5249]: Connection from 192.168.122.71 port 56926
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: Client protocol version 2.0; client software version OpenSSH_6.4
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: match: OpenSSH_6.4 pat OpenSSH*
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: Enabling compatibility mode for protocol 2.0
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: Local version string SSH-2.0-OpenSSH_6.4
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: SELinux support enabled [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: permanently_set_uid: 74/74 [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: list_hostkey_types: ssh-rsa [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: SSH2_MSG_KEXINIT received [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: kex: client->server aes128-ctr hmac-md5-etm none [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: kex: server->client aes128-ctr hmac-md5-etm none [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: KEX done [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: userauth-request for user aduser.TEST service ssh-connection method none [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: attempt 0 failures 0 [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: PAM: initializing for "aduser.TEST"
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: PAM: setting PAM_RHOST to "rhel7-1.testrelm.com"
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: PAM: setting PAM_TTY to "ssh"
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: userauth-request for user aduser.TEST service ssh-connection method gssapi-with-mic [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: attempt 1 failures 0 [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: Postponed gssapi-with-mic for aduser.TEST from 192.168.122.71 port 56926 ssh2 [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: Received some client credentials
Nov 26 12:35:40 rhel7-1 sshd[5249]: Failed gssapi-with-mic for aduser.TEST from 192.168.122.71 port 56926 ssh2
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: userauth-request for user aduser.TEST service ssh-connection method gssapi-with-mic [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: attempt 2 failures 1 [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: userauth-request for user aduser.TEST service ssh-connection method gssapi-with-mic [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: attempt 3 failures 1 [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: userauth-request for user aduser.TEST service ssh-connection method gssapi-with-mic [preauth]
Nov 26 12:35:40 rhel7-1 sshd[5249]: debug1: attempt 4 failures 1 [preauth]
Nov 26 12:35:43 rhel7-1 sshd[5249]: Connection closed by 192.168.122.71 [preauth]
Nov 26 12:35:43 rhel7-1 sshd[5249]: debug1: do_cleanup [preauth]
Nov 26 12:35:43 rhel7-1 sshd[5249]: debug1: monitor_read_log: child log fd closed
Nov 26 12:35:43 rhel7-1 sshd[5249]: debug1: do_cleanup
Nov 26 12:35:43 rhel7-1 sshd[5249]: debug1: PAM: cleanup
Nov 26 12:35:43 rhel7-1 sshd[5249]: debug1: Killing privsep child 5250

Comment 2 Sumit Bose 2013-11-26 19:31:30 UTC

Can you re-check with a different credential cache type, e.g. FILE:, to make sure it is not related to the recent KEYRING related issues?

Comment 3 Scott Poore 2013-11-26 20:00:10 UTC

No luck.

[root@rhel7-1 pam.d]# export KRB5CCNAME=/tmp/krb5cc_$(id -u)

[root@rhel7-1 pam.d]# kdestroy

[root@rhel7-1 pam.d]# export KRB5CCNAME=/tmp/krb5cc_$(id -u)

[root@rhel7-1 pam.d]# kinit aduser.TEST
Password for aduser.TEST: 

[root@rhel7-1 pam.d]# ssh -K -l aduser.TEST rhel7-1.testrelm.com
aduser.TEST.com's password: 

[root@rhel7-1 pam.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: aduser.TEST

Valid starting       Expires              Service principal
11/26/2013 13:57:52  11/26/2013 23:57:52  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 11/27/2013 13:57:50
11/26/2013 13:58:08  11/26/2013 23:57:52  krbtgt/TESTRELM.COM.TEST
	renew until 11/27/2013 13:57:50
11/26/2013 13:58:08  11/26/2013 23:57:52  host/rhel7-1.testrelm.com
	renew until 11/27/2013 13:57:50

Comment 4 Scott Poore 2013-11-26 20:32:00 UTC

Created attachment 829460 [details]
tcpdump during ssh attempt

Comment 5 Scott Poore 2013-11-26 20:46:03 UTC

Created attachment 829466 [details]
var log files

Comment 6 Scott Poore 2013-11-26 21:38:55 UTC

I just realized that I hadn't setup the .k5login for the user.

So, before I close this as not a bug, I've got a question:

Could something have changed to start enforcing this?  

This had previously worked without a .k5login in automation test script:

Password for aduser1: 
:: [   PASS   ] :: Running 'echo Secret123|kinit aduser1' (Expected 0, got 0)

Could not chdir to home directory /home/aduser1: No such file or directory
login successful
:: [   PASS   ] :: Running 'timeout 20s             ssh -K -l aduser1 ipaqa64vmi.spoore11250932.test 'echo login successful'' (Expected 0, got 0)

thanks,
Scott

Comment 7 Martin Kosek 2013-11-27 07:38:24 UTC

Sumit or Alexander, can you please answer to Scott?

Comment 8 Alexander Bokovoy 2013-11-27 07:51:24 UTC

Using .k5login bypasses pam_sss authentication. We really need to solve the issue on ssshd or sssd side with GSSAPI not being accepted somehow.

Comment 9 Martin Kosek 2013-11-27 07:58:03 UTC

Alexander, does the Scott's scenario work in you environment? If not, maybe Scott could prepare an env with reproduction that you or Sumit could look at.

Comment 10 Sumit Bose 2013-11-27 08:26:22 UTC

Scott, you always have to either set auth_to_local in krb5.conf or create a .k5login file. I guess if it worked before without .k5login auth_to_local was configured.

Alexander, .5login does not bypass the PAM authentication step, it's the GSSAPI authentication itself that bypasses it. .k5login is only needed to see if the Kerberos principal is allowed to access the system as the corresponding local user. The sssd side of making this more reliable is already tracked by  https://fedorahosted.org/sssd/ticket/1835 , we are just waiting for for MIT krb5-1.12 be be released :-)

Martin, if both .k5login file and auth_to_local entries are missing the failure is expected.

Comment 11 Martin Kosek 2013-11-27 08:59:58 UTC

Right, adding needsinfo for Scott to confirm that he has auth_to_local set correctly.

Comment 12 Scott Poore 2013-11-27 15:01:23 UTC

Yes, I have auth_to_local set like this in krb5.conf:

  auth_to_local = RULE:[1:$1@$0](^.*@AD2.EXAMPLE.TEST$)s/@AD2.EXAMPLE.TEST/@ad2.example.test/
  auth_to_local = DEFAULT

And that's what automation was doing.  At the moment, I'm having an issue (unrelated) with my test env where I first saw this.  I'm trying to setup another for further testing.

Thanks,
Scott

Comment 13 Scott Poore 2013-11-27 15:07:45 UTC

Maybe my other issue isn't unrelated.  I think I was confusing things.

Last night, I re-ran ipa-adtrust-install on the server that was already set up.  Selected yes for everything and was NOT prompted for NETBIOS name.  So looked good for the test I was running. 

Now, I think I'm seeing the same thing even with .k5login for a user so not sure what's happening.

Comment 14 Alexander Bokovoy 2013-11-27 15:13:35 UTC

Sumit filed bug today for OpenSSH making wrong selection of the primary ccache in the ccache collection: bug #1035254. I get the same behavior in F19, it looks like F20 and RHEL7 are affected too.

Comment 15 Scott Poore 2013-11-27 15:51:49 UTC

Yes, Sumit confirmed that this is indeed bug #1035254.  

I'm switching this over to openssh.  A note that Sumit pointed out for a workaround:

Run "kdestroy -A"

And, because auth_to_local is translating to lower case, use -l aduser.test in lower case to match that. 

FYI, results of testing showing bug #1035254:

[root@rhel7-1 log]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser2.TEST       KEYRING:persistent:0:krb_ccache_P9dvtt8
admin             KEYRING:persistent:0:krb_ccache_IX4v52E
aduser.TEST        KEYRING:persistent:0:0 (Expired)

[root@rhel7-1 log]# klist -A
Ticket cache: KEYRING:persistent:0:krb_ccache_P9dvtt8
Default principal: aduser2.TEST

Valid starting       Expires              Service principal
11/27/2013 09:04:03  11/27/2013 19:04:03  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 11/28/2013 09:04:01

klist: No credentials cache found while retrieving principal name

Ticket cache: KEYRING:persistent:0:krb_ccache_IX4v52E
Default principal: admin

Valid starting       Expires              Service principal
11/26/2013 20:37:32  11/27/2013 20:35:06  host/rhel7-1.testrelm.com
11/26/2013 20:35:06  11/27/2013 20:35:06  krbtgt/TESTRELM.COM

Ticket cache: KEYRING:persistent:0:0
Default principal: aduser.TEST

Valid starting       Expires              Service principal
11/26/2013 22:22:35  11/27/2013 08:22:35  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 11/27/2013 22:22:33

[root@rhel7-1 log]# kdestroy -A

[root@rhel7-1 log]# klist -A

[root@rhel7-1 log]# kinit aduser.TEST
Password for aduser.TEST: 

[root@rhel7-1 log]# klist -A
Ticket cache: KEYRING:persistent:0:krb_ccache_P9dvtt8
Default principal: aduser.TEST

Valid starting       Expires              Service principal
11/27/2013 09:24:32  11/27/2013 19:24:24  host/rhel7-1.testrelm.com
	renew until 11/28/2013 09:24:22
11/27/2013 09:24:32  11/27/2013 19:24:24  krbtgt/TESTRELM.COM.TEST
	renew until 11/28/2013 09:24:22
11/27/2013 09:24:24  11/27/2013 19:24:24  krbtgt/AD2.EXAMPLE.TEST.TEST
	renew until 11/28/2013 09:24:22

[root@rhel7-1 ~]# ssh -l aduser.test $(hostname)
Last login: Wed Nov 27 09:26:09 2013 from rhel7-1.testrelm.com
-sh-4.2$  exit
logout

[root@rhel7-1 ~]# ssh -K -l aduser.test $(hostname)
Last login: Wed Nov 27 09:27:37 2013 from rhel7-1.testrelm.com
-sh-4.2$

Comment 16 Alexander Bokovoy 2013-11-27 17:15:39 UTC

I've done some dicussion with Simo and he pointed out that this is expected behavior for Kerberos credentials cache collections as described at http://k5wiki.kerberos.org/wiki/Projects/Client_principal_selection

What we need to do is to convert this bug into documentation bug for Kerberos. At the very least, this change of the behavior due to introduction of the ccache collections should go to release notes (Fedora 20 and RHEL7).

Comment 17 Simo Sorce 2013-11-27 17:16:41 UTC

I don't think this is an openssh bug, this is expected behavior when a user has 2 TGTs.
The one matching the REALM of the target server is chosen. The GSSAPI libraries have no way to know that the 2 realms have a trust, moreover the library has no way to read the user's mind and guess that he want's to use the "farthest" identity even if it knows the 2 realms have a trust relationship.

Please read here how principal selection operates with collection caches:
 http://k5wiki.kerberos.org/wiki/Projects/Client_principal_selection

I think this is just a documentation bug and should be moved back to the ipa component.

Comment 18 Alexander Bokovoy 2013-11-27 17:18:24 UTC

Regarding QE test, it need to be modified to clean up credentials before testing trust configurations to ensure this behaviour isn't triggered.

Comment 19 Martin Kosek 2013-12-03 09:48:22 UTC

Ok. Changing to doc component for IPA to let Deon drive the documentation change.

Comment 23 Steeve Goveas 2015-02-12 19:06:45 UTC

Document verified

Note You need to log in before you can comment on or make changes to this bug.