  1. #1
    SSSD KDC reply did not match expectations


    Hey everyone,

    I am configuring SSSD to authenticate against AD (Win 2008 R2). Everything is basically working, except for the vital part: authentication. If I log into the server as root, I can successfully run getent passwd <user> and get info back, and I can su to any of the AD users, but if I SSH to the server as one of the AD users it gives me an auth fail. I ran a tail on /var/log/auth.log and get the following:

    Code:
    Feb 10 21:30:51 d7test sshd[2851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.40  user=testuser
    Feb 10 21:30:52 d7test sshd[2851]: pam_sss(sshd:auth): system info: [KDC reply did not match expectations]
    Feb 10 21:30:52 d7test sshd[2851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.40 user=testuser
    Feb 10 21:30:52 d7test sshd[2851]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
    Feb 10 21:30:54 d7test sshd[2851]: Failed password for testuser from 10.0.0.40 port 41738 ssh2
    I am out of ideas on this and have spent many hours googling and got nowhere, so I'm hoping someone has an idea that will help.

    I assume that the issue lies with my kerberos config, which at the moment is:

    Code:
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
    default_realm = XXX.XXX
    #dns_lookup_realm = true
    #dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    #forwardable = true
    default_etypes = arcfour-hmac-md5
    default_etypes_des = des-cbc-crc
    #default_tkt_enctypes = arcfour-hmac-md5
    #default_tgs_enctypes = arcfour-hmac-md5
    
    
    dns_lookup_realm = false
    dns_lookup_kdc = false
    #ticket_lifetime = 24h
    #forwardable = yes
    default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    
    
    [realms]
     XXX.XXX = {
      kdc = xxx.xxx.xxx.xxx:88
      admin_server = xxx.xxx.xxx.xxx:464
      default_domain = xxx.xxx.xxx.xxx
     }
    
    
    [domain_realm]
    .xxx.xxx = XXX.XXX
    xxx.xxx = XXX.XXX
     
    
    [appdefaults]
     pam = {
       debug = true
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

  2. #2
    Further info:

    kinit t.user@ADPOC.LOCAL works fine. If I set the user to change their password on next login in AD, kinit recognises that and forces me to change the pw, and the change works fine.

    getent passwd <user> works, and returns the correct data. getent group <group> works and returns the correct data.

    If I log onto the server with a system user (root) I can su to the AD users without any issues.

    Still getting the above errors, and still cannot authenticate by SSH... but still no closer to finding the cause. Any help appreciated.

    EDIT: SSSD seems to be recognising if the password is correct or not, as the error changes if I enter the wrong password.

    Wrong password error:
    Code:
    Feb 11 11:25:36 u1204serverBlank sshd[1186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78  user=t.user
    Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): system info: [Preauthentication failed]
    Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
    Feb 11 11:25:37 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): received for user t.user: 17 (Failure setting user credentials)
    Feb 11 11:25:39 u1204serverBlank sshd[1186]: Failed password for t.user from 192.168.1.78 port 37830 ssh2
    Correct password error:
    Code:
    Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): system info: [KDC reply did not match expectations]
    Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.78 user=t.user
    Feb 11 11:26:02 u1204serverBlank sshd[1186]: pam_sss(sshd:auth): received for user t.user: 4 (System error)
    Feb 11 11:26:05 u1204serverBlank sshd[1186]: Failed password for t.user from 192.168.1.78 port 37830 ssh2

  3. #3
    Solved. The issue was with sssd.conf. In the interest of anyone stumbling on this in the future with a similar issue, here is what I added to the file:

    Code:
    ldap_user_search_base = cn=Users,dc=xxxx,dc=xxxx
    ldap_group_search_base = cn=Users,dc=xxxx,dc=xxxxx
    ldap_user_principal = userPrincipalName
    ldap_force_upper_case_realm = True
    My config file is:

    Code:
    [sssd]
    config_file_version = 2
    domains = LDAP
    services = nss, pam
    debug_level = 10
    
    [nss]
    
    [pam]
    
    [domain/LDAP]
    enumerate = true
    id_provider = ldap
    ldap_uri = ldap://xxx.xxx.xxx.xxx
    ldap_search_base = cn=Users,dc=xxx,dc=xxx
    ldap_tls_reqcert = demand
    ldap_id_use_start_tls = false
    ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
    ldap_schema = rfc2307bis
    ldap_user_object_class = person
    ldap_group_object_class = group
    ldap_default_bind_dn = cn=xxx,cn=xxx,dc=xxx,dc=xxx
    ldap_default_authtok_type = password
    ldap_default_authtok = xxx
    ldap_user_gecos = displayName
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_search_base = cn=xxx,dc=xxx,dc=xxx
    ldap_group_search_base = cn=xxx,dc=xxx,dc=xxx
    ldap_user_principal = userPrincipalName
    ldap_force_upper_case_realm = True
    
    auth_provider = krb5
    chpass_provider = krb5
    krb5_server = xxx.xxx.xxx.xxx
    krb5_kpasswd = xxx.xxx.xxx.xxx
    krb5_realm = XXX.XXX
    krb5_changepw_principle = kadmin/changepw
    krb5_auth_timeout = 15
    krb5_store_password_if_offline = true
    krb5_renewable_lifetime = 14d
    krb5_renew_interval = 60
    debug_level = 10
    Cheers,
    SD
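Why the two options above make the difference, as an added illustration that is not code from the thread: "KDC reply did not match expectations" is MIT krb5's KRB5_KDCREP_MODIFIED, raised on the client when the AS-REP names a different client principal than the one requested. SSSD documents ldap_force_upper_case_realm as a workaround for AD delivering the realm part of the UPN in lower case, and AD answers with its realm in upper case, so a request for t.user@adpoc.local gets a reply for t.user@ADPOC.LOCAL and the exact comparison fails, while kinit with the upper-case realm (post #2) succeeds. The model below reproduces that check; it does not talk to a KDC, the AD entry and the KDC's reply are constructed stand-ins, and the function names, the sample account and the use of the realm ADPOC.LOCAL from post #2 are assumptions. Other causes of the same error (a wrong realm mapping in krb5.conf, for example) are outside this model.

```python
# Added example (not code from the original thread): a model of the client-side
# check behind "KDC reply did not match expectations" (KRB5_KDCREP_MODIFIED) and
# of how SSSD's ldap_user_principal / ldap_force_upper_case_realm options change
# the principal it asks the KDC for. Function names, the sample account and the
# realm ADPOC.LOCAL (taken from post #2) are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

KDC_REALM = "ADPOC.LOCAL"  # AD names its realm in upper case in every reply

# Constructed AD user entry; AD may store the UPN realm in lower case.
AD_ENTRY = {
    "sAMAccountName": "t.user",
    "userPrincipalName": "t.user@adpoc.local",
}


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str

    def __str__(self) -> str:
        return f"{self.name}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split 'name@REALM' into its parts (the realm is everything after the last '@')."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"cannot parse principal {text!r}")
    return Principal(name, realm)


def sssd_request_principal(entry: dict, krb5_realm: str,
                           ldap_user_principal: Optional[str] = None,
                           force_upper: bool = False) -> Principal:
    """Principal SSSD's krb5 auth provider puts in the AS-REQ.

    If ldap_user_principal names an attribute the entry carries, its value is
    used as-is, except that ldap_force_upper_case_realm upper-cases the realm
    part. Otherwise SSSD falls back to <login name>@<krb5_realm>; the login
    name is taken from sAMAccountName here.
    """
    upn = entry.get(ldap_user_principal) if ldap_user_principal else None
    if upn:
        p = parse_principal(upn)
        return Principal(p.name, p.realm.upper()) if force_upper else p
    return Principal(entry["sAMAccountName"], krb5_realm)


def ad_kdc_as_rep(requested: Principal) -> Optional[Principal]:
    """Constructed stand-in for the AD KDC.

    The realm name is matched case-insensitively, but the reply's crealm is
    always the canonical upper-case realm. None stands for the KDC refusing
    the request (unknown client principal).
    """
    if requested.realm.upper() != KDC_REALM:
        return None
    if requested.name != AD_ENTRY["sAMAccountName"]:
        return None
    return Principal(requested.name, KDC_REALM)


def client_verify_as_rep(requested: Principal, reply: Optional[Principal]) -> str:
    """What the krb5 client does with the reply.

    Without canonicalization the reply's client principal must equal the one
    requested exactly (the comparison is case-sensitive); any difference is
    reported as KRB5_KDCREP_MODIFIED, the error seen in the thread's auth.log.
    """
    if reply is None:
        return "Client not found in Kerberos database"
    if reply != requested:
        return "KDC reply did not match expectations"
    return "OK"


def simulate(ldap_user_principal: Optional[str] = None,
             force_upper: bool = False) -> Tuple[str, str]:
    """Run one login attempt through the model; returns (requested principal, result)."""
    req = sssd_request_principal(AD_ENTRY, KDC_REALM, ldap_user_principal, force_upper)
    return str(req), client_verify_as_rep(req, ad_kdc_as_rep(req))


if __name__ == "__main__":
    for opts in ((None, False), ("userPrincipalName", False), ("userPrincipalName", True)):
        print(opts, "->", simulate(*opts))
```

The three runs show the fallback principal succeeding, the lower-case UPN failing with exactly the thread's message, and the upper-cased UPN succeeding again. SSSD also has a krb5_canonicalize option (off by default, and not used in the thread) that asks the KDC to canonicalize the name, in which case the client tolerates the changed realm instead of failing.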

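A check a reviewer would run over the LDAP leg of the sssd.conf above, added here and not part of the original thread. With auth_provider = krb5 the user's password goes to the KDC, not over LDAP, but the id_provider connection still carries directory data and, with ldap_default_bind_dn plus a password authtok, a static service-account password; ldap:// with ldap_id_use_start_tls = false sends both in cleartext, and ldap_tls_reqcert only matters once TLS is in use. The config text below is a constructed, trimmed copy with the same transport and bind settings (host, bind DN and password are made up), and the function names are assumptions.

```python
# Added example, not code from the original thread: findings about the
# confidentiality of an sssd.conf LDAP leg, and the same config with STARTTLS
# required. POSTED_STYLE_CONF is a constructed copy of the settings in post #3
# with made-up host, bind DN and password; function names are assumptions.
import configparser
import io
from typing import List, Tuple

POSTED_STYLE_CONF = """\
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://10.0.0.10
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_default_bind_dn = cn=sssd-bind,cn=Users,dc=adpoc,dc=local
ldap_default_authtok_type = password
ldap_default_authtok = ChangeMe123
auth_provider = krb5
krb5_realm = ADPOC.LOCAL
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1", "on")


def _load(conf_text: str, domain: str) -> Tuple[configparser.ConfigParser, configparser.SectionProxy]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp, cp[f"domain/{domain}"]


def ldap_leg_findings(conf_text: str, domain: str = "LDAP") -> List[str]:
    """Return the transport and bind weaknesses of the [domain/<domain>] LDAP settings."""
    _, sec = _load(conf_text, domain)
    findings: List[str] = []

    start_tls = _truthy(sec.get("ldap_id_use_start_tls", "false"))
    uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
    # ldaps:// encrypts from the first byte; STARTTLS upgrades a plain ldap:// session.
    cleartext = [] if start_tls else [u for u in uris if not u.startswith("ldaps://")]
    for uri in cleartext:
        findings.append(f"{uri}: neither ldaps:// nor ldap_id_use_start_tls = true, "
                        "so lookups and the bind travel in cleartext")

    # A simple bind sends ldap_default_authtok itself; without TLS it is on the wire as typed.
    authtok_type = sec.get("ldap_default_authtok_type", "password").strip().lower()
    if cleartext and sec.get("ldap_default_authtok") and authtok_type == "password":
        findings.append("ldap_default_authtok is a static password and is sent over that cleartext connection")

    # SSSD's default is hard; never/allow make TLS accept an impersonating server.
    if sec.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {sec['ldap_tls_reqcert']} accepts any server certificate")
    return findings


def harden_ldap_leg(conf_text: str, domain: str = "LDAP") -> str:
    """Same config with STARTTLS required on the existing ldap:// URI and strict
    certificate checking (switching the URI to ldaps:// would be the alternative)."""
    cp, sec = _load(conf_text, domain)
    sec["ldap_id_use_start_tls"] = "true"
    sec["ldap_tls_reqcert"] = "demand"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in ldap_leg_findings(POSTED_STYLE_CONF):
        print("finding:", finding)
    print(harden_ldap_leg(POSTED_STYLE_CONF))
```

Two things the check cannot see from the text: SSSD refuses to start unless sssd.conf is owned by root with mode 0600, which is what protects the authtok at rest, and a GSSAPI bind (ldap_sasl_mech = GSSAPI with a keytab) removes the static password from the file altogether.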