Exactly, this was the issue. After fixing the /etc/hosts configuration, Kerberos authentication works fine for this machine without having this special krb option set. Thanks!
On 18 April 2014 15:49:50 CEST, Simo Sorce <[email protected]> wrote:
>On Fri, 2014-04-18 at 10:14 +0200, David Kreuter wrote:
>> klist -kt /etc/krb5.keytab showing me the right principals:
>>
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>>    1 04/16/14 23:12:58 host/<FQDN>@<kerberos realm>
>>
>> The principals for the machine are displayed with the right FQDN. Also the machine has the right hostname containing the right domain, and the machine can be resolved correctly via DNS.
>>
>> I have added the mentioned option to the Kerberos configuration and the login with Kerberos authentication is working now:
>>
>> [libdefaults]
>> ignore_acceptor_hostname = true
>>
>> I'm still wondering what is wrong with the machine's configuration.
>
>Do you have the shortname as first entry in /etc/hosts ?
>If so put it second or remove it.
>
>Simo.
>
>> ----- Original Message -----
>>
>> From: "Rob Crittenden" <[email protected]>
>> To: "David Kreuter" <[email protected]>, [email protected]
>> Sent: Thursday, 17 April, 2014 12:13:48 AM
>> Subject: Re: [Freeipa-users] Keberos authentication - Unspecified GSS failure
>>
>> David Kreuter wrote:
>> > Yesterday I installed the FreeIPA client on a machine and after the installation the login with password worked fine. After that I tried to login with a valid Kerberos ticket and it failed. First I traced the ssh login:
>> >
>> > ssh -vvv [email protected]
>> > ---cut---
>> > debug2: key: /home/david/.ssh/id_rsa (0x7f2ad3112d80),
>> > debug2: key: /home/david/.ssh/id_dsa ((nil)),
>> > debug2: key: /home/david/.ssh/id_ecdsa ((nil)),
>> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
>> > debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
>> > debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
>> > debug3: authmethod_lookup gssapi-keyex
>> > debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
>> > debug3: authmethod_is_enabled gssapi-keyex
>> > debug1: Next authentication method: gssapi-keyex
>> > debug1: No valid Key exchange context
>> > debug2: we did not send a packet, disable method
>> > debug3: authmethod_lookup gssapi-with-mic
>> > debug3: remaining preferred: publickey,keyboard-interactive,password
>> > debug3: authmethod_is_enabled gssapi-with-mic
>> > debug1: Next authentication method: gssapi-with-mic
>> > debug2: we sent a gssapi-with-mic packet, wait for reply
>> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
>> > debug2: we sent a gssapi-with-mic packet, wait for reply
>> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
>> > debug2: we sent a gssapi-with-mic packet, wait for reply
>> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
>> > debug2: we sent a gssapi-with-mic packet, wait for reply
>> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
>> > debug2: we did not send a packet, disable method
>> > debug3: authmethod_lookup publickey
>> > debug3: remaining preferred: keyboard-interactive,password
>> > debug3: authmethod_is_enabled publickey
>> > debug1: Next authentication method: publickey
>> > debug1: Offering RSA public key: /home/david/.ssh/id_rsa
>> > debug3: send_pubkey_test
>> > debug2: we sent a publickey packet, wait for reply
>> > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
>> > debug1: Trying private key: /home/david/.ssh/id_dsa
>> > debug3: no such identity: /home/david/.ssh/id_dsa: No such file or directory
>> > debug1: Trying private key: /home/david/.ssh/id_ecdsa
>> > debug3: no such identity: /home/david/.ssh/id_ecdsa: No such file or directory
>> > debug2: we did not send a packet, disable method
>> > debug1: No more authentication methods to try.
>> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
>> > ---cut---
>> >
>> > Then I enabled the log for SSH on the IPA client machine and faced the following error:
>> >
>> > ---cut---
>> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 0 failures 0
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: initializing for "david"
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_RHOST to "10.100.3.2"
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: PAM: setting PAM_TTY to "ssh"
>> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: userauth-request for user david service ssh-connection method gssapi-with-mic
>> > Apr 16 23:43:18 infra01 sshd[9941]: debug1: attempt 1 failures 0
>> > Apr 16 23:43:18 infra01 sshd[9940]: debug1: Unspecified GSS failure.  Minor code may provide more information\nNo key table entry found matching host/infra01@\n
>> > ---cut---
>> >
>> > Unspecified GSS failure. Minor code may provide more information.No key table entry found matching host/infra01@\n.
>> >
>> > After that I tried to receive a ticket on the IPA client machine and everything worked fine:
>> >
>> > kinit <user>
>> > klist
>> > Ticket cache: FILE:/tmp/krb5cc_0
>> > Default principal: david@<realm>.INFO
>> >
>> > Valid starting     Expires            Service principal
>> > 04/16/14 23:24:51  04/17/14 23:24:47  krbtgt/...
>> > 04/16/14 23:25:51  04/17/14 23:24:47  host/...
>> >
>> > kvno -k /etc/krb5.keytab host/...
>> > host/...: kvno = 1, keytab entry valid
>> >
>> > So the Kerberos setup on the machine seems to be fine, but still the SSH login using Kerberos is not working. GSSAPI is correctly enabled in the sshd configuration file. Any hint is highly appreciated. Thanks.
>> >
>>
>> Seems like sshd looked for the wrong key. Run klist -kt /etc/krb5.keytab and see what principal is there. sshd didn't look for a FQDN according to your log.
>>
>> rob
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>--
>Simo Sorce * Red Hat, Inc * New York
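The root cause in this thread is a host-canonicalisation issue: when the short name is listed before the FQDN on the machine's /etc/hosts line, the name the GSSAPI acceptor (sshd) derives for itself is the short name, so it looks for `host/infra01@` in the keytab rather than `host/<FQDN>@<REALM>`. The script below is an added example written for this page (it is not code from the thread, FreeIPA, or MIT Kerberos); it parses /etc/hosts text, reports what the canonical name for a given hostname would be using only that file, models the resulting acceptor principal, and emits the corrected line. The sample /etc/hosts contents, the address `10.100.3.10`, the hostname `infra01.example.test` and the realm `EXAMPLE.TEST` are constructed; the "empty realm when the canonical name has no domain part" rule is a deliberate simplification that reproduces the `host/infra01@` seen in the quoted sshd log, not a claim about exactly how libkrb5 derives realms.

```python
"""Detect a short hostname listed before the FQDN in /etc/hosts.

Libraries that canonicalise the local hostname (getaddrinfo with
AI_CANONNAME) return the FIRST name on the matching /etc/hosts line.
If that is the short name, a GSSAPI acceptor such as sshd searches the
keytab for host/shortname@ instead of host/fqdn@REALM and fails with
"No key table entry found matching host/<short>@".
Added example for this page; not part of FreeIPA or MIT Kerberos.
"""
import socket

# Constructed samples (not from the thread): broken and corrected ordering.
BAD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
# problem line: the short name precedes the FQDN
10.100.3.10 infra01 infra01.example.test
"""

GOOD_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
10.100.3.10 infra01.example.test infra01
"""


def parse_hosts(text):
    """Return [(address, [names...]), ...], skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(text, hostname):
    """Name a hosts-file-only getaddrinfo(AI_CANONNAME) lookup would yield:
    the first name on the first line that lists `hostname`, else None."""
    for _addr, names in parse_hosts(text):
        if hostname in names:
            return names[0]
    return None


def expected_acceptor_principal(text, fqdn, realm):
    """Model the service principal sshd would look up after canonicalising.
    Simplification (assumption): a canonical name without a domain part
    cannot be mapped to a realm, so the principal ends in '@' just like
    the 'host/infra01@' in the thread's sshd log."""
    name = canonical_name(text, fqdn) or fqdn
    return f"host/{name}@{realm if '.' in name else ''}"


def find_shortname_first(text):
    """Return [(address, corrected_line), ...] for every non-loopback line
    where a short name precedes an FQDN of the same host."""
    problems = []
    for addr, names in parse_hosts(text):
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback aliases are not the host's service identity
        if len(names) < 2 or "." in names[0]:
            continue  # first name already fully qualified, or nothing to compare
        short = names[0]
        fqdns = [n for n in names[1:] if "." in n and n.split(".", 1)[0] == short]
        if fqdns:
            fixed = [fqdns[0]] + [n for n in names if n != fqdns[0]]
            problems.append((addr, f"{addr} {' '.join(fixed)}"))
    return problems


if __name__ == "__main__":
    # Check the live file; fall back to the constructed sample if unreadable.
    try:
        with open("/etc/hosts") as fh:
            hosts_text = fh.read()
    except OSError:
        hosts_text = BAD_HOSTS
    fqdn = socket.getfqdn()
    print("canonical name for", fqdn, "->", canonical_name(hosts_text, fqdn))
    for addr, fix in find_shortname_first(hosts_text):
        print(f"{addr}: short name listed first; suggested line: {fix}")
```

Run it on a freshly enrolled client before relying on GSSAPI logins: if `find_shortname_first` reports a line, reorder it so the FQDN comes first, which removes the need for the `ignore_acceptor_hostname = true` workaround mentioned in the thread.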
