kerberos local authentication not working

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/30 19:32:45

I double checked and indeed there is no difference, both password-auth and system-auth are exactly the same.

By the way thank you for doing this!

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/30 21:09:48

I installed sssd-tools and tried the sssctl user-check command and I got this:

sssctl user-checks xxxxxx -a auth


user: xxxxxxx
action: auth
service: system-auth

SSSD nss user lookup result:
- user name: xxxxxx
- user id: xxxxx
- group id: xxxxx
- gecos:
- home directory: /home/xxxxx/xxxxxx
- shell: /bin/bash

SSSD InfoPipe user lookup result:
- name: xxxxxx
- uidNumber: xxxxx
- gidNumber: xxxxx
- gecos: not set
- homeDirectory: /home/xxxxx/xxxxxx
- loginShell: /bin/bash

testing pam_authenticate

Password:
pam_authenticate for user [xxxxxx]: Authentication failure


So it's clearly not only a sudo issue but an overall pam authentication issue. Why it works for ssh and doesn't for anything else is beyond my understanding.

jpawlik
Posts: 7
Joined: 2019/09/19 21:36:27

Re: kerberos local authentication not working

Post by jpawlik » 2019/10/30 21:53:49

Looking through a few things to verify:

1) Additional packages installed
"3.2. Prerequisites for Using realmd .... In addition, make sure that the oddjob, oddjob-mkhomedir, sssd, and adcli packages are installed. These packages are required to be able to manage the system using realmd. "

https://access.redhat.com/documentation ... lmd-domain

2) System Time is synced with your AD/IdM (This should be good since ssh works)
#chronyc add server <IP> ##If you want to set up NTP

3) Kerberos join
"3.5 ... If Kerberos is properly configured on a Linux system, joining can also be performed with a Kerberos ticket for authentication. To select a Kerberos principal, use the -U option.
#kinit user
#realm join ad.example.com -U user "
4) This article shows some other methods and packages:
https://access.redhat.com/articles/3023951

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/10/30 22:28:14

Hello,

My NTP is set with the university NTP server, which is also the NTP server for the kerberos server. No issue with that for sure.

For the "realm join -U user" I already tried that with the same result: cannot join this realm.

However I think I know why this realm join doesn't work. Our IT told me that the firewall blocks any ldap communication with the exterior of the building, so only our own ldap server is providing the authorization, but our firewall allows the kerberos port for the authentication with the university server, which is a kerberos/ldap/log server. If we join the university realm we're gonna lose our own ldap support, so that's why we always used only the kerberos authentication from this server, not the ldap.

Sorry to say it again but it always worked perfectly with SL6, SL7 and CentOS 7 (using pam_krb5) but with CentOS 8 and sss it works only for ssh (who knows why).

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: kerberos local authentication not working

Post by hunter86_bg » 2019/10/31 03:19:00

Have you opened a bug?
If not, please open one in bugs.centos.org and then in bugzilla.redhat.com, and relate the Red Hat bug to the CentOS one.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: kerberos local authentication not working

Post by TrevorH » 2019/10/31 15:55:48

My NTP is set with the university NTP server, which is also the NTP server for the kerberos server. No issue with that for sure.

Are you sure about that? There is no ntp in CentOS 8, it's chrony or nothing. Now chrony does talk to ntp servers but it isn't ntpd, so if you've tried to install and enable ntpd, it's not there to install or configure.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/08 16:20:09

Yes, I am using chronyd, sorry for the confusion. I compared with my CentOS 7 system (which is using the same university ntp servers) and the clocks are perfectly synchronized, so it works.

gostal
Posts: 71
Joined: 2019/09/23 15:26:45

Re: kerberos local authentication not working

Post by gostal » 2019/11/08 18:51:25

For what it's worth I had a similar problem in OpenSuse Leap 15.0 not long ago. I upgraded from Leap 42.3 to Leap 15.0. My network user was authenticated via LDAP and Kerberos and I also had local users. None of them could log in after the upgrade. It turned out that the upgrade had messed up the order of the lines in the PAM configuration files so that the network authentication disabled local authentication. The network authentication failed because after the upgrade the client was running ldap version 3 and expected the same in the server which was running ldap version 2. Perhaps your problem also has to do with screwed up PAM configuration files. Your setup might be somewhat different but here's the link to my posting on OpenSuse:

https://forums.opensuse.org/showthread ... o-Leap-15!

Cheers,
gostal
Desktop Dell T5810 Intel(R) Xeon(R) CPU E5-1650 v4 @ 3.60GHz, 72 GB RAM, Radeon Pro WX 7100
CentOS 7.9.2009
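As an added illustration of the PAM-ordering failure gostal describes (this is not code from any poster in the thread), the small simulator below applies the classic PAM control flags to an "auth" stack and shows how placing the network module as "required" ahead of pam_unix locks local users out as soon as the network module fails. The two pam.d fragments and the per-module outcomes are constructed for the example; the bracket-style control syntax found in a real CentOS 8 system-auth is deliberately not modelled.

```python
"""Simulate a PAM 'auth' stack to see why an ordering change locks local users out."""

CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Constructed pam.d fragments: the first lets pam_unix satisfy local users before
# pam_sss is consulted; the second makes pam_sss mandatory for everyone.
WORKING = """
auth required   pam_env.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_sss.so forward_pass
auth required   pam_deny.so
"""
BROKEN = """
auth required   pam_env.so
auth required   pam_sss.so forward_pass
auth sufficient pam_unix.so try_first_pass
auth required   pam_deny.so
"""

# Constructed module outcomes: a local user only pam_unix knows, and a network
# user only pam_sss knows (pam_deny is absent, so it always fails).
LOCAL_USER = {"pam_env.so": True, "pam_unix.so": True, "pam_sss.so": False}
NETWORK_USER = {"pam_env.so": True, "pam_unix.so": False, "pam_sss.so": True}


def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d fragment."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.split()[0] != "auth":
            continue
        _, control, module = line.split()[:3]
        if control not in CONTROLS:           # [success=ok ...] syntax not modelled
            raise ValueError(f"unsupported control flag: {control}")
        stack.append((control, module))
    return stack


def simulate(stack, results):
    """Apply required/requisite/sufficient/optional semantics; results maps module -> bool."""
    required_failed = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False                      # abort the stack immediately
        if control == "required" and not ok:
            required_failed = True            # keep going, but the stack is doomed
        if control == "sufficient" and ok and not required_failed:
            return True                       # early success, later modules skipped
    return not required_failed


if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("broken", BROKEN)):
        stack = parse_auth_stack(cfg)
        print(name, "local:", simulate(stack, LOCAL_USER), "network:", simulate(stack, NETWORK_USER))
```

Run against the real /etc/pam.d/system-auth only after confirming it uses no bracket controls; otherwise the parser reports the unsupported line rather than guessing.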

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos local authentication not working

Post by jgauthier » 2019/11/11 22:02:22

Thank you for the tip. I took a look at your thread and it gave me the idea to compare the pam.d/login with the one on a CentOS 7 machine, and they are identical. Actually nothing in the pam.d files seems to be responsible for this failed local authentication.

And I figured out something else: it seems that sssd-krb5 authentication is not working at all. If I turn off sssd, ssh kerberos authentication still works without any problem but ldap and autofs are off. If I start sssd and change the realm to something that doesn't exist, ssh still works without any problem. So I have absolutely no proof that kerberos authentication actually works with sssd, the ssh one going directly to kerberos without passing through sssd. If I could do the same for sudo and local session my problem would be solved, but I don't know how.

Also I noticed something else about sssd. In the sssd.conf, if I put the option

[sssd]
enable_files_domain = false

then no local authentication works at all, not even the local password. It works again if I set it to "true". Can someone tell me what is going on?

gostal
Posts: 71
Joined: 2019/09/23 15:26:45

Re: kerberos local authentication not working

Post by gostal » 2019/11/13 15:15:37

I can't really tell what's going on in your machine but if Kerberos works then you can perhaps do away with sssd and just do Kerberos and ldap. That's how the network user authentication is done on my machine so if that sounds good to you I can post the relevant config files on my machine which you then probably could adapt to your needs. I cannot say how much server info I can provide, though, save that it's running ldap v 2. A word of warning, though, I seem to remember something about using sssd is more secure than if you skip it. My machine sits behind a pretty stiff firewall so I guess things can be a bit more relaxed on the inside.

Cheers,
gostal
