On Wed, 2014-04-16 at 18:13 -0400, Rob Crittenden wrote: > David Kreuter wrote: > > Yesterday I installed the FreeIPA client on machine and after the > > installation the login with password worked fine. After that I tried to > > login with a valid Kerberos ticket and it failed. First i traced the ssh > > login: > > > > ssh -vvv [email protected] > > ---cut--- > > debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80), > > debug2: key: /home/david/.ssh/id_dsa ((nil)), > > debug2: key: /home/david/.ssh/id_ecdsa ((nil)), > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic > > debug3: start over, passed a different list > > publickey,gssapi-keyex,gssapi-with-mic > > debug3: preferred > > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password > > debug3: authmethod_lookup gssapi-keyex > > debug3: remaining preferred: > > gssapi-with-mic,publickey,keyboard-interactive,password > > debug3: authmethod_is_enabled gssapi-keyex > > debug1: Next authentication method: gssapi-keyex > > debug1: No valid Key exchange context > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup gssapi-with-mic > > debug3: remaining preferred: publickey,keyboard-interactive,password > > debug3: authmethod_is_enabled gssapi-with-mic > > debug1: Next authentication method: gssapi-with-mic > > debug2: we sent a gssapi-with-mic packet, wait for reply > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic > > debug2: we sent a gssapi-with-mic packet, wait for reply > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic > > debug2: we sent a gssapi-with-mic packet, wait for reply > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic > > debug2: we sent a gssapi-with-mic packet, wait for reply > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup publickey > > debug3: remaining preferred: keyboard-interactive,password > > debug3: authmethod_is_enabled publickey > > debug1: Next authentication method: publickey > > debug1: Offering RSA public key: /home/david/.ssh/id_rsa > > debug3: send_pubkey_test > > debug2: we sent a publickey packet, wait for reply > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic > > debug1: Trying private key: /home/david/.ssh/id_dsa > > debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory > > debug1: Trying private key: /home/david/.ssh/id_ecdsa > > debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or > > directory > > debug2: we did not send a packet, disable method > > debug1: No more authentication methods to try. > > Permission denied (publickey,gssapi-keyex,gssapi-with-mic). > > ---cut--- > > > > Then I enabled the log for SSH on the IPA client machine and faced > > following error: > > > > ---cut--- > > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0 > > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david" > > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to > > "10.100.3.2" > > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh" > > Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user > > david service ssh-connection method gssapi-with-mic > > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0 > > Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure. > > Minor code may provide more information\nNo key table entry found > > matching host/infra01@\n > > ---cut--- > > > > Unspecified GSS failure. Minor code may provide more information.No key > > table entry found matching host/infra01@\n. > > > > After that I tried to receive a ticket on the IPA client machine and > > everything worked fine: > > > > kinit <user> > > klist > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: david@<realm>.INFO > > > > Valid starting Expires Service principal > > 04/16/14 23:24:51 04/17/14 23:24:47 krbtgt/... > > 04/16/14 23:25:51 04/17/14 23:24:47 host/... > > > > kvno -k /etc/krb5.keytab host/... > > host/...: kvno = 1, keytab entry valid > > > > So the Kerberos setup on the machine seems to be fine, but still the > > login SSH using Keberos is not working. GSSAPI is correctly enabled in > > the sshd configuration file. Any hint is highly appreciated. Thanks. > > > > Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab > and see what principal is there. sshd didn't look for a FQDN according > to your log.
FYI: If your hosts for some reason has a non qualified name and you can't fix the issue due to some other broken software requiring short, unqualified, hostnames, you can look into setting the following in krb5.conf: ignore_acceptor_hostname = true Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
