I've found the problem, using DEBUG3 in the SSH service:
---------------------------------------------------------------------------------
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure. Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: mm_request_send entering: type 45
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 30 08:52:47 myserver sshd[9639]: debug1: Received SSH2_MSG_UNIMPLEMENTED for 7 [preauth]
---------------------------------------------------------------------------------

My client was 4 minutes earlier than the IPA server.
After syncing time via ntpdate, kerberos ticket authentication works correctly.

Thanks for your support, bye.
Morgan

2015-11-27 18:38 GMT+01:00 Sumit Bose <[email protected]>:

> On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> > Yes:
> > ------
> > # ls -l /var/lib/sss/pubconf/krb5.include.d/
> > total 8
> > -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> > -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> >
> > So what could I try to do?
>
> 'getent passwd' should return the same entry for the user name you use
> at the login prompt and the Kerberos principal (it's the name shown by
> klist in the 'Default principal:' line) e.g.:
>
> # getent passwd [email protected]
> [email protected]:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
> # getent passwd [email protected]
> [email protected]:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
>
> From the logs I guess you used the name '[email protected]' at
> the login prompt.
>
> I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
> client with klist if you got a service ticket for your linux client
> principal which should look like host/[email protected]. On
> Windows there is klist for the cmd shell as well.
>
> Additionally if there is a service ticket for the linux host sshd debug
> logs from the linux host would be useful. For this please set LogLevel to
> DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
> confidential keys or passwords).
>
> bye,
> Sumit
>
> > Thanks, Morgan
> >
> > 2015-11-27 17:47 GMT+01:00 Sumit Bose <[email protected]>:
> >
> > > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > > Hi Sumit.
> > > >
> > > > I don't know why, but now kerberos ticket authentication is working on 6.7
> > > > clients.
> > > > On 7.2 clients now password authentication with Active Directory
> > > > credentials is working ... but not with kerberos ticket.
> > >
> > > This is most likely due to some issues while mapping the Kerberos
> > > principal to the local user name.
> > >
> > > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > > the beginning of your krb5.conf file? Does
> > > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> > >
> > > bye,
> > > Sumit
> >
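
The log triage that resolved this thread, as an added example that is not part of the original messages or of any FreeIPA/OpenSSH code: it groups sshd debug lines by PID and pulls out the GSSAPI minor-status text logged before each authentication failure. The function name `triage`, the hint wording and the second session (PID 9702) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: PID 9639 repeats lines quoted in the thread;
# PID 9702 is a made-up second attempt with no GSS error logged.
SAMPLE_LOG = r'''
Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure. Minor code may provide more information\nClock skew too great\n
Nov 30 08:52:47 myserver sshd[9639]: debug1: Got no client credentials
Nov 30 08:52:47 myserver sshd[9639]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
Nov 30 08:53:10 myserver sshd[9702]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
'''

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")

# Hints are this example's own wording, not sshd or Kerberos output.
HINTS = {"Clock skew too great": "compare client, server and KDC clocks; sync time"}


def triage(log_text):
    """Return {pid: {gss_errors, auth_failed, hints}} for sshd debug lines."""
    sessions = defaultdict(lambda: {"gss_errors": [], "auth_failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an sshd syslog line
        session, msg = sessions[m["pid"]], m["msg"]
        if "GSS failure" in msg:
            # sshd escapes newlines, so the minor status follows a literal "\n".
            parts = [p.strip() for p in msg.split(r"\n")]
            session["gss_errors"] += [p for p in parts[1:] if p]
        elif "userauth_finish: failure" in msg:
            session["auth_failed"] = True
    report = {}
    for pid, s in sessions.items():
        hints = [HINTS.get(e, "unrecognised minor status") for e in s["gss_errors"]]
        report[pid] = {**s, "hints": hints}
    return report


if __name__ == "__main__":
    for pid, result in triage(SAMPLE_LOG).items():
        print(pid, result)
```

A session that fails with an empty `gss_errors` list, like the constructed PID 9702, points away from the GSSAPI layer and toward the other checks suggested in the thread (klist for the host service ticket, the getent passwd mapping).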
