LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 11-14-2012, 03:18 AM   #1
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Rep: Reputation: Disabled
SSSD/Kerberos/LDAP- Permission denied using ssh


Hi,


I am trying to authenticate users on my linux instance with an Active Directory residing on a Winodws 2008 R2 server instance.

I am using the SSSD/Kerberos/LDAP configuration recommended by Red Hat in this guide:

http://in.redhat.com/resourcelibrary...tive-directory

My LDAP searches on this directory are working and I also have NTP synchronized correctly.

But when I try to ssh to user on the Linux instance(named : RHEL-SERV) using the command :

#ssh -vvv test_user@RHEL-SERV.DOMAIN.COM

I am faced with a
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
error.

Following the verbose output for the ssh command :



OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to RHEL-SERV.DOMAIN.COM http://10.0.5.51 port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 509/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 0 for host dev-port-serv.dev.tmobile.com
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 2 for host rhel-serv.domain.com
The authenticity of host 'rhel-serv.domain.com (10.0.5.51)' can't be established.
RSA key fingerprint is 64:08:f5:90:b7:a7:03:b3:71:fa:9c:4a:c3:04:50:ee.
Are you sure you want to continue connecting (yes/no)? YES
Warning: Permanently added 'rhel-serv.domain.com' (RSA) to the list of known hosts.
debug2: bits set: 510/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 80 bytes for a total of 1125
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.0.5.51.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1221
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1317
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1413
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1509
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).


This my sssd.conf file :

[domain/default]

cache_credentials = true
enumerate=false


id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/RHEL-SERV.DOMAIN.COM@DOMAIN.COM
ldap_schema = rfc2307bis

ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName

ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true

krb5_realm =DOMAIN.COM
krb5_kpasswd = WIN-SERV.DOMAIN.COM

[sssd]
services = nss, pam
config_file_version = 2
domains = default
debul level = 0

[nss]

[pam]

[sudo]

[autofs]

[ssh]
 
Old 11-14-2012, 06:58 AM   #2
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Do I need to provide a private key file along with the ssh command?
Like:
ssh -i xyz.pem -vvv test_user@RHEL-SERV.DOMAIN.COM
 
Old 11-14-2012, 08:25 AM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 749
Blog Entries: 2

Rep: Reputation: 194Reputation: 194
SSH server-side logs may reveal more. What do you get for
Code:
id test_user
on the server?
 
Old 11-14-2012, 10:29 PM   #4
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Hi,
Thanks for the reply! This is the output of the id command equivalent- NET USER /DOMAIN in windows:

C:\Users\Administrator>NET USER /DOMAIN test_user
User name test_user
Full Name test_user
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 11/12/2012 12:25:13 PM
Password expires Never
Password changeable 11/13/2012 12:25:13 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships
Global Group memberships *Linux_Users *Domain Users
The command completed successfully.
 
Old 11-14-2012, 10:53 PM   #5
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 749
Blog Entries: 2

Rep: Reputation: 194Reputation: 194
Since you said you were trying to ssh onto a Linux server ("But when I try to ssh to user on the Linux instance(named : RHEL-SERV")
I was expecting you to test using id on that RHEL-SERV .

And what about the server-side logs?
http://www.snailbook.com/faq/general...ging.auto.html
 
Old 11-14-2012, 11:09 PM   #6
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Well, the user doesnt have a home directory on RHEL-SERV yet, test_user has to be authenticated from AD and then the oddjobd or pam_mkhomedir will create a direcotry for test_user on RHEL_SERV. As of now id test_user on RHEL-SERV returns "No such user"

this is the error in var/log/messages:

Nov 15 00:01:02 ip-10-0-5-51 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Matching credential not found)
 
Old 11-16-2012, 01:04 AM   #7
R09u3Bull
LQ Newbie
 
Registered: Nov 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Anyone has any insights on this?
 
  


Reply

Tags
active directory, ldap, ssh access


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Configuring Kerberos - LDAP for use with SSH Amalfy Vargas Linux - Newbie 3 08-03-2012 03:56 PM
ssh - Permission Denied? vendtagain Linux - Newbie 4 11-21-2009 09:28 PM
SSH: Permission denied, please try again. sanatox Linux - Security 3 01-15-2007 09:47 PM
ssh -Permission denied zaphod_es Linux - Networking 4 05-21-2006 01:56 PM
SSH Permission Denied Chimney Linux - Security 1 11-10-2005 06:01 PM


All times are GMT -5. The time now is 06:26 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration