Yesterday I installed the FreeIPA client on a machine and after the installation the login with password worked fine. After that I tried to log in with a valid Kerberos ticket and it failed. First I traced the ssh login:

ssh -vvv [email protected]
---cut---
debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80),
debug2: key: /home/david/.ssh/id_dsa ((nil)),
debug2: key: /home/david/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/david/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/david/.ssh/id_dsa
debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/david/.ssh/id_ecdsa
debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
---cut---

Then I enabled the log for SSH on the IPA client machine and faced the following error:

---cut---
Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david"
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to "10.100.3.2"
Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user david service ssh-connection method gssapi-with-mic
Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0
Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/infra01@\n
---cut---

Unspecified GSS failure. Minor code may provide more information.No key table entry found matching host/infra01@\n.

After that I tried to receive a ticket on the IPA client machine and everything worked fine:

kinit <user>
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: david@<realm>.INFO

Valid starting     Expires            Service principal
04/16/14 23:24:51  04/17/14 23:24:47  krbtgt/...
04/16/14 23:25:51  04/17/14 23:24:47  host/...

kvno -k /etc/krb5.keytab host/...
host/...: kvno = 1, keytab entry valid

So the Kerberos setup on the machine seems to be fine, but still the SSH login using Kerberos is not working. GSSAPI is correctly enabled in the sshd configuration file.

Any hint is highly appreciated.

Thanks.
David
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
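One way to compare the principal that sshd asked the keytab for ("host/infra01@" in the log above) with the entries the keytab holds, as an added example that is not part of the original post. The `klist -k` style listing, the example.test domain, the EXAMPLE.TEST realm and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify the "No key table entry found matching" error from
# the sshd debug log against a `klist -k` listing. All sample data is constructed.

# Constructed log line in the shape of the one quoted in the post.
SAMPLE_LOG='Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. Minor code may provide more information\nNo key table entry found matching host/infra01@\n'

# Constructed `klist -k` style listing; domain and realm are placeholders.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   1 host/infra01.example.test@EXAMPLE.TEST
   1 host/infra01.example.test@EXAMPLE.TEST'

# Print the principal named in the GSS error, e.g. "host/infra01@".
requested_principal() {
    printf '%s\n' "$1" |
        sed -n 's|.*No key table entry found matching \([A-Za-z0-9._/-]*@[A-Za-z0-9._-]*\).*|\1|p'
}

# Print one of:
#   exact               keytab holds the requested service/host (and realm, if given)
#   short-hostname      keytab holds only a longer, dotted form of the requested host
#   missing             no keytab entry for that service/host at all
#   no-gss-keytab-error the log text does not contain the error
diagnose() {
    req=$(requested_principal "$1")
    [ -n "$req" ] || { echo "no-gss-keytab-error"; return; }
    name=${req%@*}     # service/host part, e.g. host/infra01
    realm=${req#*@}    # empty when the request carried no realm
    printf '%s\n' "$2" | awk -v name="$name" -v realm="$realm" '
        $1 ~ /^[0-9]+$/ {                      # keytab rows start with a KVNO
            split($2, p, "@")
            if (p[1] == name && (realm == "" || p[2] == realm)) exact = 1
            else if (index(p[1], name ".") == 1) short = 1
        }
        END { print (exact ? "exact" : (short ? "short-hostname" : "missing")) }'
}

diagnose "$SAMPLE_LOG" "$SAMPLE_KEYTAB"
```

On a live client the second argument would be the output of `klist -k /etc/krb5.keytab`, and the first the sshd debug output.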
