
I can't log in to root or to any other account of which I'm not the owner with Kerberos and ~/.k5login (ksu is working). Here is a presentation of the problem:

root@gwhost:~# ssh user@freeipa01
user@freeipa01's password: 
Last login: Tue Sep  8 15:46:20 2015 from 172.16.0.31
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1570800003:krb_ccache_HGjE46r
Default principal: user@DOMAIN.LOCAL

Valid starting       Expires              Service principal
09/08/2015 17:12:09  09/09/2015 17:12:08  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
-bash-4.2$ ssh freeipa02
Last login: Tue Sep  8 09:34:04 2015 from freeipa02.domain.local
-bash-4.2$ ksu
Authenticated user@DOMAIN.LOCAL
Account root: authorization for user@DOMAIN.LOCAL successful
[Last failed login: Tue Sep  8 06:25:15 PDT 2015 from freeipa01.domain.local on ssh:notty]
[There was 1 failed login attempt since the last successful login.]
Changing uid to root (0)
[root@freeipa02 user]# cat /root/.k5login 
user@DOMAIN.LOCAL
[root@freeipa02 user]# exit
-bash-4.2$ logout
Connection to freeipa02 closed.
-bash-4.2$ ssh root@freeipa02
root@freeipa02's password: 
Permission denied, please try again.
root@freeipa02's password: 

-bash-4.2$
  1. Log in to the first kerberized server and receive a Kerberos ticket.
  2. Log in to the second kerberized server with the ticket (no password) and use ksu and the .k5login file to log in as root (no password required) - everything succeeds.
  3. Go back to the first server and try to log in directly as root (with the Kerberos ticket and root's .k5login file) - fail (it asks for the root password).

What could be the reason for such behavior? What could I check/change to fix it?

user3069488
  • I believe the `root` user is handled by IPA in a different way than other users. I was solving a similar problem today. The other users should work for you, but maybe there is some other switch in freeIPA – Jakuje Sep 08 '15 at 19:26
  • What does your auth/secure log say? – Andy Sep 09 '15 at 09:24
  • @Andy If I try to connect, as described above, to the root account with my user credentials, I get a prompt for the root password. In the log there is only something like this: `Sep 15 03:14:25 freeipa02 sshd[11715]: Connection closed by 172.16.1.176 [preauth]` – user3069488 Sep 15 '15 at 10:17

1 Answer


I believe this is due to a missing condition for the root user in SSSD's implementation of the localauth plugin for MIT Kerberos. The localauth plugin controls how the Kerberos library maps authenticated principals to local user names. Originally, MIT Kerberos had only the 'local_to_auth' set of rules and '.k5login' to provide this mapping. The FreeIPA team asked the MIT Kerberos developers to extend this mechanism to avoid manual rules in environments with thousands or millions of users (think of specifying local_to_auth rules on each machine for several hundred trusted realms).

The SSH server will call krb5_kuserok() after successful authentication to transform the authenticated principal's name to a local user name and check whether it is allowed to log in. SSSD implements a localauth plugin that provides a userok() implementation, but it does not take the root user case into account. It needs to return the KRB5_PLUGIN_NO_HANDLE error code for this case so that the default check in ~/.k5login would continue.

I've filed a ticket for SSSD to correct the implementation: https://fedorahosted.org/sssd/ticket/2788

abbra
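The decision chain the answer describes, as an added example (not code from SSSD, MIT Kerberos or the answer's author): a small Python model of how krb5_kuserok() walks its localauth modules. It assumes the SSSD module is consulted before the built-in k5login module, that the built-in module defers when no .k5login file exists and denies when the file exists but does not list the principal, and it uses a simplified stand-in for SSSD's userok() rather than its real lookup code. The realm DOMAIN.LOCAL, the user names and the .k5login contents are constructed from the question.

```python
"""Model of the krb5_kuserok() localauth chain described in the answer.

Constructed example: it does not link against libkrb5, and the SSSD module
is a simplified stand-in; only the chain semantics are demonstrated.
"""
import os
import shutil
import tempfile

# Symbolic return codes. The real constants are integers from krb5.h and
# errno.h; the string values here are stand-ins for this model only.
KRB5_OK = "0"
KRB5_PLUGIN_NO_HANDLE = "KRB5_PLUGIN_NO_HANDLE"
EPERM = "EPERM"


def kuserok(modules, principal, luser):
    """Model of krb5_kuserok(): modules are consulted in order. A module
    returning 0 allows the login, KRB5_PLUGIN_NO_HANDLE defers to the next
    module, and any other error denies the login and ends the chain.
    Returns (allowed, name_of_deciding_module)."""
    for name, userok in modules:
        rc = userok(principal, luser)
        if rc == KRB5_OK:
            return True, name
        if rc != KRB5_PLUGIN_NO_HANDLE:
            return False, name
    return False, None


def make_k5login_userok(home_of):
    """Built-in k5login module (modelled): look for <home of luser>/.k5login.
    No file -> defer; principal listed -> allow; file present but principal
    absent -> deny. `home_of` maps local user names to home directories."""
    def userok(principal, luser):
        if luser not in home_of:
            return KRB5_PLUGIN_NO_HANDLE
        path = os.path.join(home_of[luser], ".k5login")
        if not os.path.exists(path):
            return KRB5_PLUGIN_NO_HANDLE
        with open(path) as fh:
            entries = [ln.strip() for ln in fh
                       if ln.strip() and not ln.lstrip().startswith("#")]
        return KRB5_OK if principal in entries else EPERM
    return userok


def make_sssd_userok(ipa_users, handle_root):
    """Hypothetical stand-in for SSSD's localauth userok(): map the principal
    to the account SSSD knows for it and compare with the requested local
    user. With handle_root=False the root case is not special-cased, which
    is the behaviour the answer describes as the bug: a hard error for
    root ends the chain before .k5login is consulted. With handle_root=True
    the module defers for root so the k5login module gets to decide."""
    def userok(principal, luser):
        if handle_root and luser == "root":
            return KRB5_PLUGIN_NO_HANDLE
        name, _, realm = principal.partition("@")
        if realm != "DOMAIN.LOCAL" or name not in ipa_users:
            return KRB5_PLUGIN_NO_HANDLE  # not an SSSD-managed principal
        return KRB5_OK if name == luser else EPERM
    return userok


def run_scenario(handle_root):
    """Build a root home with a .k5login listing user@DOMAIN.LOCAL (as in
    the question) and evaluate three logins through the module chain."""
    root_home = tempfile.mkdtemp()
    try:
        with open(os.path.join(root_home, ".k5login"), "w") as fh:
            fh.write("user@DOMAIN.LOCAL\n")
        modules = [
            ("sssd", make_sssd_userok({"user", "alice"}, handle_root)),
            ("k5login", make_k5login_userok({"root": root_home})),
        ]
        return {
            "user->user": kuserok(modules, "user@DOMAIN.LOCAL", "user"),
            "user->root": kuserok(modules, "user@DOMAIN.LOCAL", "root"),
            "alice->root": kuserok(modules, "alice@DOMAIN.LOCAL", "root"),
        }
    finally:
        shutil.rmtree(root_home)


if __name__ == "__main__":
    for label, fixed in (("plugin without root condition", False),
                         ("plugin deferring for root", True)):
        print(label)
        for login, (allowed, by) in run_scenario(fixed).items():
            print(f"  {login:12s} allowed={allowed} decided_by={by}")
```

Running it shows the symptom from the question: with the plugin that never defers, user@DOMAIN.LOCAL logging in as root is denied by the SSSD stand-in and the root .k5login entry is never read, while ordinary user-to-own-account logins still work; once the plugin returns KRB5_PLUGIN_NO_HANDLE for root, the k5login module decides, allowing the listed principal and still denying one that is not listed.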