- 02-10-2013 #1, Just Joined! (Join Date: Feb 2013, Posts: 3)
SSSD KDC reply did not match expectations
Hey everyone,
I am configuring SSSD to authenticate against AD (win 2008r2). Everything is basically working, except for the vital part of authentication. If I log into the server as root, I can successfully run getent passwd <user> and get info back, I can su to any of the AD users, but if I SSH to the server as one of the AD users it gives me an auth fail. I ran a tail on /var/log/auth.log and get the following:
Code:
Feb 10 21:30:51 d7test sshd[2851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.40 user=testuser
Feb 10 21:30:52 d7test sshd[2851]: pam_sss(sshd:auth): system info: [KDC reply did not match expectations]
Feb 10 21:30:52 d7test sshd[2851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.40 user=testuser
Feb 10 21:30:52 d7test sshd[2851]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Feb 10 21:30:54 d7test sshd[2851]: Failed password for testuser from 10.0.0.40 port 41738 ssh2
I am out of ideas on this and have spent many hours googling and got nowhere, so I'm hoping someone has an idea that will help.
I assume that the issue lies with my kerberos config, which at the moment is:
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = XXX.XXX
#dns_lookup_realm = true
#dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
#forwardable = true
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
#default_tkt_enctypes = arcfour-hmac-md5
#default_tgs_enctypes = arcfour-hmac-md5
dns_lookup_realm = false
dns_lookup_kdc = false
#ticket_lifetime = 24h
#forwardable = yes
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
XXX.XXX = {
    kdc = xxx.xxx.xxx.xxx:88
    admin_server = xxx.xxx.xxx.xxx:464
    default_domain = xxx.xxx.xxx.xxx
}

[domain_realm]
.xxx.xxx = XXX.XXX
xxx.xxx = XXX.XXX

[appdefaults]
pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
Last edited by sir_drinxalot; 02-11-2013 at 02:39 AM.
- 02-10-2013 #2, Just Joined! (Join Date: Feb 2013, Posts: 3)
Further info:
kinit t.user@ADPOC.LOCAL works fine. If I set the user to change their password on next login in AD, kinit recognises that and forces me to change the pw, and the change works fine.
getent passwd <user> works, and returns the correct data. getent group <group> works and returns the correct data.
If I log onto the server with a system user (root) I can su to the AD users without any issues.
Still getting the above errors, and still cannot authenticate by SSH... but still no closer to finding the cause. Any help appreciated.
EDIT: SSSD seems to be recognising if the password is correct or not, as the error changes if I enter the wrong password.
Wrong password error:
Code:
Feb 11 11:25:36 u1204serverBlank sshd[1186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): system info: [Preauthentication failed]
Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): received for user t.user: 17 (Failure setting user credentials)
Feb 11 11:25:39 u1204serverBlank sshd[1186]: Failed password for t.user from 192.168.1.78 port 37830 ssh2
Correct password error:
Code:
Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): system info: [KDC reply did not match expectations]
Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): received for user t.user: 4 (System error)
Feb 11 11:26:05 u1204serverBlank sshd[1186]: Failed password for t.user from 192.168.1.78 port 37830 ssh2
Last edited by sir_drinxalot; 02-10-2013 at 11:22 PM. Reason: further info
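Added example, not part of the thread: a small Python triage helper for the pam_sss lines shown in the two posts above. It pairs each "system info: [...]" Kerberos message with the PAM result line sshd logs right after it, and labels the attempt using the two messages this thread demonstrates (wrong password versus correct password with a principal/realm problem). The sample input is the thread's own auth.log lines; the diagnosis table is my reading of the thread and of the Kerberos error meanings, not SSSD documentation.

```python
import re
from collections import Counter

# Common prefix of the lines sshd logs on behalf of pam_sss.
PREFIX = (r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
          r"pam_sss\(\S+:auth\): ")
SYSINFO_RE = re.compile(PREFIX + r"system info: \[(?P<msg>[^\]]+)\]")
RESULT_RE = re.compile(PREFIX + r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]+)\)")

# Likely cause per Kerberos library message, as seen in this thread (interpretation, not exhaustive).
DIAGNOSIS = {
    "Preauthentication failed":
        "wrong password (or the KDC rejected the account): the KDC itself said no",
    "KDC reply did not match expectations":
        "principal/realm mismatch: the name SSSD asked for differs from what the KDC returned; "
        "check ldap_user_principal, ldap_force_upper_case_realm and krb5_realm in sssd.conf",
}
UNKNOWN = "unrecognised message; raise debug_level and read the sssd domain log"

# Sample input: the auth.log lines from post #2 of this thread.
SAMPLE_LOG = """\
Feb 11 11:25:36 u1204serverBlank sshd[1186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): system info: [Preauthentication failed]
Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): received for user t.user: 17 (Failure setting user credentials)
Feb 11 11:25:39 u1204serverBlank sshd[1186]: Failed password for t.user from 192.168.1.78 port 37830 ssh2
Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): system info: [KDC reply did not match expectations]
Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): received for user t.user: 4 (System error)
Feb 11 11:26:05 u1204serverBlank sshd[1186]: Failed password for t.user from 192.168.1.78 port 37830 ssh2
"""


def triage(log_text):
    """Return one dict per pam_sss authentication attempt, in log order, with a likely cause.

    A "system info" line opens an attempt; the next "received for user" line for the
    same sshd PID closes it. The same PID can carry several attempts (one per password
    prompt), which is exactly what the thread's log shows, so we do not merge by PID.
    """
    attempts = []
    open_by_pid = {}  # pid -> index of the attempt still waiting for its result line
    for line in log_text.splitlines():
        m = SYSINFO_RE.search(line)
        if m:
            attempts.append({"time": m["time"], "pid": m["pid"], "krb_msg": m["msg"],
                             "user": None, "pam_code": None, "pam_text": None})
            open_by_pid[m["pid"]] = len(attempts) - 1
            continue
        m = RESULT_RE.search(line)
        if m:
            idx = open_by_pid.pop(m["pid"], None)
            if idx is None:  # result without a preceding Kerberos message
                attempts.append({"time": m["time"], "pid": m["pid"], "krb_msg": ""})
                idx = len(attempts) - 1
            attempts[idx].update(user=m["user"], pam_code=int(m["code"]), pam_text=m["text"])
    for a in attempts:
        a["cause"] = DIAGNOSIS.get(a["krb_msg"], UNKNOWN)
    return attempts


def count_causes(attempts):
    """Histogram of Kerberos messages, useful when scanning a day of auth.log."""
    return dict(Counter(a["krb_msg"] for a in attempts))


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f'{a["time"]} pid={a["pid"]} user={a["user"]} pam={a["pam_code"]} '
              f'[{a["krb_msg"]}] -> {a["cause"]}')
```

Run it against a real file with `triage(open("/var/log/auth.log").read())`; a burst of "Preauthentication failed" for many users from one rhost is a different problem (password guessing) from a single "KDC reply did not match expectations" on a correct password, which this thread traces to the SSSD principal settings.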
- 02-11-2013 #3, Just Joined! (Join Date: Feb 2013, Posts: 3)
Solved. The issue was with sssd.conf. In the interest of anyone stumbling on this in the future with a similar issue, here is what I added to the file:
Code:
ldap_user_search_base = cn=Users,dc=xxxx,dc=xxxx
ldap_group_search_base = cn=Users,dc=xxxx,dc=xxxxx
ldap_user_principal = userPrincipalName
ldap_force_upper_case_realm = True
My full config file is:
Code:
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam
debug_level = 10

[nss]

[pam]

[domain/LDAP]
enumerate = true
id_provider = ldap
ldap_uri = ldap://xxx.xxx.xxx.xxx
ldap_search_base = cn=Users,dc=xxx,dc=xxx
ldap_tls_reqcert = demand
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_schema = rfc2307bis
ldap_user_object_class = person
ldap_group_object_class = group
ldap_default_bind_dn = cn=xxx,cn=xxx,dc=xxx,dc=xxx
ldap_default_authtok_type = password
ldap_default_authtok = xxx
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_search_base = cn=xxx,dc=xxx,dc=xxx
ldap_group_search_base = cn=xxx,dc=xxx,dc=xxx
ldap_user_principal = userPrincipalName
ldap_force_upper_case_realm = True
auth_provider = krb5
chpass_provider = krb5
krb5_server = xxx.xxx.xxx.xxx
krb5_kpasswd = xxx.xxx.xxx.xxx
krb5_realm = XXX.XXX
# sssd.conf(5) spells this option krb5_changepw_principal
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15
krb5_store_password_if_offline = true
krb5_renewable_lifetime = 14d
krb5_renew_interval = 60
debug_level = 10
Cheers,
SD
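Added example, not the poster's nor the SSSD project's code: a Python lint for an sssd.conf in the shape this thread ends with. For every [domain/...] section that uses id_provider = ldap with auth_provider = krb5 it checks the two options the poster had to add (ldap_user_principal = userPrincipalName and ldap_force_upper_case_realm = True) and that krb5_realm is upper-case; it also flags a bind password (ldap_default_authtok) used over plain ldap:// with ldap_id_use_start_tls = false, which the posted config does, and the file ownership/mode SSSD requires for sssd.conf (root, 0600), since the file holds that password. The config fragments, host names and DNs are constructed; the mode and uid are passed in so the check runs offline.

```python
import configparser
import stat

# Constructed fragment modelled on the posted config before the fix: Kerberos auth
# against AD but without the principal/realm options the thread adds.
BEFORE = """\
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ad.example.test
ldap_search_base = cn=Users,dc=example,dc=test
ldap_default_bind_dn = cn=svc-sssd,cn=Users,dc=example,dc=test
ldap_default_authtok_type = password
ldap_default_authtok = placeholder-bind-password
auth_provider = krb5
krb5_server = ad.example.test
krb5_realm = example.test
"""

# Same fragment with the thread's fix applied (constructed).
AFTER = BEFORE.replace("krb5_realm = example.test", "krb5_realm = EXAMPLE.TEST") + """\
ldap_user_principal = userPrincipalName
ldap_force_upper_case_realm = True
"""


def lint_sssd_conf(text, file_mode=0o600, owner_uid=0):
    """Return a list of (section, message) findings; an empty list means nothing flagged.

    file_mode/owner_uid are what os.stat() would report for the real file; defaults
    describe a correctly protected file so string-only checks can run in isolation.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []

    # SSSD refuses to start unless sssd.conf is root-owned with mode 0600; the file
    # also carries ldap_default_authtok in clear, so this is worth checking first.
    if stat.S_IMODE(file_mode) != 0o600 or owner_uid != 0:
        findings.append(("sssd.conf", "file must be owned by root with mode 0600"))

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        get = lambda key, default=None: cp.get(section, key, fallback=default)

        if get("id_provider") == "ldap" and get("auth_provider") == "krb5":
            if get("ldap_user_principal") is None:
                findings.append((section, "ldap_user_principal is unset; against AD set it to "
                                          "userPrincipalName so SSSD asks the KDC for the right principal"))
            if not cp.getboolean(section, "ldap_force_upper_case_realm", fallback=False):
                findings.append((section, "ldap_force_upper_case_realm is not True; a realm case "
                                          "mismatch shows up as 'KDC reply did not match expectations'"))
            realm = get("krb5_realm")
            if realm and realm != realm.upper():
                findings.append((section, f"krb5_realm '{realm}' is not upper-case"))

        # A simple bind with a password over ldap:// and no StartTLS sends that password in clear.
        uses_tls = (get("ldap_id_use_start_tls", "false").lower() == "true"
                    or get("ldap_uri", "").startswith("ldaps://"))
        if get("ldap_default_authtok") and not uses_tls:
            findings.append((section, "ldap_default_authtok is set but ldap_uri is not ldaps:// and "
                                      "ldap_id_use_start_tls is false: the bind password travels unencrypted"))
    return findings


if __name__ == "__main__":
    for label, conf in (("before fix", BEFORE), ("after fix", AFTER)):
        print(f"== {label}")
        for section, msg in lint_sssd_conf(conf):
            print(f"  [{section}] {msg}")
```

On a live host call it as `lint_sssd_conf(open("/etc/sssd/sssd.conf").read(), st.st_mode, st.st_uid)` with `st = os.stat("/etc/sssd/sssd.conf")`. Note that the thread's own fix leaves the plain-ldap finding in place: it resolves the Kerberos error but the identity lookups still bind with a password over ldap://, so either switch ldap_uri to ldaps:// or set ldap_id_use_start_tls = true with ldap_tls_cacert pointing at the AD CA.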