
I am configuring SSSD+Samba+SSH on CentOS 7.6. So far I have managed to get all 3 at least working. SSSD is configured and joined using realm join. Samba is configured and connected to AD via net ads join. However, for some reason I cannot get GSSAPI authentication to work with this combination. SSH would constantly complain about a keytab ticket issue. First, I noticed the kvno number had become out of sync. SSH is attempting to use kvno 2, whereas the server has kvno 4. This causes GSSAPI authentication to fail and fall back to password login, which works.

secure.log

Apr 13 01:33:17 test-server sshd[10827]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/test-server.example.com@EXAMPLE.COM kvno 2 not found in keytab; ticket is likely out of date\n

klist -kt

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 TEST-SERVER$@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   4 04/13/2019 01:21:34 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 TEST-SERVER$@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM

I determined that this was because I did not delete the computer object out of AD, though I don't know why SSH does not try to match the current kvno. I verified that AD is returning the correct number. After deleting the computer object, I repeated the steps to join. It re-created the computer object and reset the kvno to 2. However, now SSH complains that the keytab entry is encrypted using aes256-cts and cannot decrypt.

secure.log

Apr 13 02:01:35 test-server sshd[13788]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/test-server.example.com@EXAMPLE.COM kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket\n

klist -kt -e

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 restrictedkrbhost/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 host/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/TEST-SERVER@EXAMPLE.COM (arcfour-hmac)

So what exactly am I doing wrong here? Is SSH always supposed to use kvno 2? What encryption is the keytab entry supposed to use for SSH to be able to read it? And how do I configure the encryption?

Eroji
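The two sshd messages in the question are the two distinct keytab failure modes MIT krb5 reports: the ticket's kvno is absent from the keytab, or the kvno and enctype are present but the key bytes do not match the KDC's. The script below is an added example (not code from the question or the answer) that parses `klist -kt` output, with or without `-e`, and classifies a "Request ticket server ..." message against it. The sample keytab listings and messages are constructed from trimmed copies of the question's output; the enctype alias table (`aes256-cts` for `aes256-cts-hmac-sha1-96`, and so on) follows MIT krb5's naming, and the remedy strings are general guidance, not a claim about what caused this particular host's state.

```python
import re
from collections import defaultdict

# Constructed samples: trimmed from the klist listings in the question.
KLIST_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM
"""

KLIST_AFTER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed copies of the two sshd messages from the question.
MSG_BEFORE = ("Request ticket server host/test-server.example.com@EXAMPLE.COM "
              "kvno 2 not found in keytab; ticket is likely out of date")
MSG_AFTER = ("Request ticket server host/test-server.example.com@EXAMPLE.COM "
             "kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket")

# One klist entry: kvno, date, time, principal, optional "(enctype)" from -e.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+?)(?:\s+\((\S+)\))?\s*$")
# The GSSAPI minor-status text sshd logs; enctype is only present in the
# "cannot decrypt" variant.
MSG_RE = re.compile(r"Request ticket server (\S+) kvno (\d+)(?: enctype (\S+))?")

# MIT krb5 short names (as printed in error messages) -> long names (as klist -e prints).
ENCTYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}
# Deprecated key types that should not be issued for a modern AD-joined host.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}


def canonical_enctype(name):
    return ENCTYPE_ALIASES.get(name.lower(), name.lower())


def parse_klist(text):
    """Parse `klist -kt` (with or without -e) into {principal: {kvno: set(enctypes)}}."""
    keytab = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", column header, separator
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        slot = keytab[principal][kvno]  # creates the kvno even without -e
        if enctype:
            slot.add(canonical_enctype(enctype))
    return keytab


def diagnose(message, keytab):
    """Classify an sshd 'Request ticket server ...' error against the parsed keytab."""
    m = MSG_RE.search(message)
    if not m:
        return ("unrecognized", "not a 'Request ticket server' message")
    principal, kvno, enctype = m.group(1), int(m.group(2)), m.group(3)
    versions = keytab.get(principal)
    if not versions:
        return ("principal-missing", f"no keytab entry for {principal}")
    if kvno not in versions:
        return ("kvno-mismatch",
                f"ticket kvno {kvno} vs keytab kvno(s) {sorted(versions)}")
    if enctype is None:
        return ("kvno-present",
                f"kvno {kvno} exists now; re-check the log against the current keytab")
    wanted = canonical_enctype(enctype)
    if wanted not in versions[kvno]:
        return ("enctype-missing",
                f"kvno {kvno} has {sorted(versions[kvno])}, ticket uses {wanted}")
    # Principal, kvno and enctype all match, yet decryption failed: the key bytes in
    # the keytab differ from the KDC's, so keytab and machine password must be
    # regenerated together (a rejoin or keytab update, not a keytab edit alone).
    return ("key-mismatch",
            f"kvno {kvno}/{wanted} present but does not match the KDC key")


def weak_keys(keytab):
    """Keytab entries still carrying DES or RC4 keys, as 'principal:kvno:enctype'."""
    return sorted(f"{p}:{k}:{e}"
                  for p, versions in keytab.items()
                  for k, encs in versions.items()
                  for e in encs if e in WEAK_ENCTYPES)


if __name__ == "__main__":
    for label, listing, msg in (("before rejoin", KLIST_BEFORE, MSG_BEFORE),
                                ("after rejoin", KLIST_AFTER, MSG_AFTER)):
        kt = parse_klist(listing)
        print(label, diagnose(msg, kt))
        print("  weak keys:", weak_keys(kt))
```

Run it as-is to see the two classifications, or feed it `klist -kt -e` output and the sshd line from your own host. The `weak_keys` report is the part worth keeping around: the second listing in the question shows DES and RC4 keys being written alongside AES, which is a sign the computer object's supported encryption types in AD still allow them.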

1 Answer


It sounds like you have the domain username and password authentication working, as long as the user enters the name and password. The GSSAPI auth is, as you discovered, a little trickier.

What does kinit -k $( hostname -f )@EXAMPLE.COM return?

For resetting the machine password, I like to use msktutil (from EPEL):

kdestroy -A
kinit domainadmin
msktutil -f -s host
msktutil -u -s host
kinit -k "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$@MSAD.EXAMPLE.COM"

Source: my blog post: https://bgstack15.wordpress.com/2018/09/06/kerberos-notes-and-sssd-internal-credentials-cache-error/

bgStack15