
SSSD+Samba+SSH GSSAPI authentication issues

Server Fault Asked by Eroji on February 17, 2021

I am configuring SSSD+Samba+SSH on CentOS 7.6. So far I have managed to get all 3 at least working. SSSD is configured and joined using realm join. Samba is configured and connected to AD via net ads join. However, for some reason I cannot get GSSAPI authentication to work with this combination. SSH would constantly complain about a keytab ticket issue. First, I noticed the kvno number became out of sync. SSH is attempting to use kvno 2, whereas the server has kvno 4. This causes GSSAPI authentication to fail and defaults to password login, which works.

secure.log

Apr 13 01:33:17 test-server sshd[10827]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/[email protected] kvno 2 not found in keytab; ticket is likely out of date\n

klist -kt

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]

I determined that this was because I did not delete the computer object out of AD, though I don’t know why SSH does not try to match the current kvno. I verified that AD is returning the correct number. After deleting the computer object, I repeated the steps to join. It re-created the computer object and reset the kvno to 2. However, now SSH complains that the keytab entry is encrypted using aes256-cts and cannot decrypt.

secure.log

Apr 13 02:01:35 test-server sshd[13788]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/[email protected] kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket\n

klist -kt -e

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 [email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 [email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 [email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 [email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 [email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 host/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 host/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 host/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 host/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 host/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 host/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 [email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 [email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 [email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 [email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 [email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (arcfour-hmac)

So what exactly am I doing wrong here? Is SSH supposed to always use kvno 2? What encryption is the keytab entry supposed to be for SSH to be able to read it? And how do I configure the encryption?
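The two sshd messages above are really two different failures, and telling them apart from the keytab listing is the first step before re-joining anything. The following is an added diagnostic, written for this page and not code from the question or the answer: it parses `klist -kte` output and the `Request ticket server ... kvno N` fragment of the sshd debug line, then classifies the mismatch as a ticket carrying a key version the keytab no longer has, a keytab that is behind the KDC, a missing enctype, or (the second case in the question) a keytab entry that exists at the right kvno and enctype but holds different key bytes than the KDC. The principal `host/test-server.example.com@EXAMPLE.COM`, the realm, and both listings and log lines are constructed placeholders, since the page's own principal names were mangled by the scraper.

```python
import re
from collections import defaultdict

# --- Constructed sample input (placeholders, not the poster's real data) -----
PRINC = "host/test-server.example.com@EXAMPLE.COM"  # assumed SPN

# Stage 1 of the question: keytab holds kvno 4/5, ticket arrives with kvno 2.
KEYTAB_AFTER_FIRST_JOIN = f"""\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 04/13/2019 01:21:34 {PRINC} (arcfour-hmac)
   4 04/13/2019 01:21:34 {PRINC} (aes256-cts-hmac-sha1-96)
   5 04/13/2019 01:27:02 {PRINC} (aes256-cts-hmac-sha1-96)
"""
LOG_FIRST_JOIN = (
    "Apr 13 01:33:17 test-server sshd[10827]: debug1: Unspecified GSS failure.  "
    f"Minor code may provide more information\\nRequest ticket server {PRINC} "
    "kvno 2 not found in keytab; ticket is likely out of date\\n"
)

# Stage 2 of the question: rejoined, keytab is back at kvno 2, still fails.
KEYTAB_AFTER_REJOIN = f"""\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 {PRINC} (arcfour-hmac)
   2 04/13/2019 02:00:54 {PRINC} (aes256-cts-hmac-sha1-96)
"""
LOG_AFTER_REJOIN = (
    "Apr 13 02:01:35 test-server sshd[13788]: debug1: Unspecified GSS failure.  "
    f"Minor code may provide more information\\nRequest ticket server {PRINC} "
    "kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket\\n"
)

# One `klist -kt` data row; the "(enctype)" suffix only appears with -e.
KEYTAB_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(?P<princ>\S+)"
    r"(?:\s+\((?P<enctype>[^)]+)\))?\s*$"
)
# The MIT krb5 minor-status text sshd logs; enctype is present only in the
# "found in keytab but cannot decrypt" variant.
GSS_LINE = re.compile(
    r"Request ticket server (?P<princ>\S+) kvno (?P<kvno>\d+)"
    r"(?: enctype (?P<enctype>\S+))?"
)


def parse_keytab(listing):
    """Turn `klist -kt[e]` output into {principal: {kvno: set(enctypes)}}.
    Without -e the enctype column is absent and the set stays empty."""
    keytab = defaultdict(lambda: defaultdict(set))
    for line in listing.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entry = keytab[m["princ"]][int(m["kvno"])]
            if m["enctype"]:
                entry.add(m["enctype"])
    return keytab


def parse_gss_failure(logline):
    """Extract the service principal, kvno and (if logged) enctype of the
    ticket sshd could not accept; None if the line is not such a failure."""
    m = GSS_LINE.search(logline)
    if not m:
        return None
    return {"princ": m["princ"], "kvno": int(m["kvno"]), "enctype": m["enctype"]}


def diagnose(listing, logline):
    """Classify why sshd could not use the keytab for the ticket it received."""
    fail = parse_gss_failure(logline)
    if fail is None:
        return "no-gss-failure"
    keytab = parse_keytab(listing)
    if fail["princ"] not in keytab:
        return "principal-missing"  # the keytab never had this SPN at all
    kvnos = keytab[fail["princ"]]
    if fail["kvno"] not in kvnos:
        # The ticket was encrypted under a key version the keytab lacks.
        # Lower than our newest kvno: the ticket is older than our key
        # (MIT's own hint: "ticket is likely out of date").  Higher: the
        # account key was rotated at the KDC after this keytab was written.
        if fail["kvno"] < max(kvnos):
            return "ticket-older-than-keytab"
        return "keytab-older-than-kdc"
    enctypes = kvnos[fail["kvno"]]
    # sshd logs the short alias (aes256-cts); klist -e prints the full name
    # (aes256-cts-hmac-sha1-96), so match on prefix.
    if fail["enctype"] and enctypes and not any(
        e.startswith(fail["enctype"]) for e in enctypes
    ):
        return "enctype-missing"  # right kvno, but no key of that type
    # Same principal, kvno and enctype, yet decryption fails: the key bytes in
    # the keytab differ from what the KDC holds, which is what you get when the
    # keytab was derived from a different account password than the one the
    # KDC currently has (e.g. after the computer object was re-created).
    return "wrong-key-material"


if __name__ == "__main__":
    print("first join :", diagnose(KEYTAB_AFTER_FIRST_JOIN, LOG_FIRST_JOIN))
    print("after rejoin:", diagnose(KEYTAB_AFTER_REJOIN, LOG_AFTER_REJOIN))
```

On a real host, feed it the output of `klist -kte` and the matching `/var/log/secure` line. A verdict of `wrong-key-material` is the one that no amount of kvno fiddling fixes: the keytab must be regenerated from the account password the KDC actually has, which is what resetting the machine password and rewriting the keytab achieves.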

One Answer

It sounds like you have the domain username and password authentication working, as long as the user enters the name and password. The GSSAPI auth is, as you discovered, a little trickier.

What does kinit -k $( hostname -f )@EXAMPLE.COM return?

For resetting the machine password, I like to use msktutil (from EPEL):

kdestroy -A
kinit domainadmin
msktutil -f -s host
msktutil -u -s host
kinit -k "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )[email protected]"

Source: my blog post: https://bgstack15.wordpress.com/2018/09/06/kerberos-notes-and-sssd-internal-credentials-cache-error/

Answered by bgStack15 on February 17, 2021
