Kerberos - Basic Workstation Authentication on Ubuntu 22.04

  1. I have configured a Kerberos server on Linux and it is working fine. The realm name is EXAMPLE.COM.
  2. I do NOT have an LDAP server at this time!
  3. On Ubuntu 22.04 Desktop I have installed the "krb5-user" and "sssd-krb5" packages.
  4. I have tested "kinit user01" with the password and a TGT ticket is created (I can see it with klist).
  5. Now I would like to configure the Ubuntu Desktop 22.04 login process to authenticate against the KDC server, but use local system users for user and group information (because I don't have an LDAP server).
  6. There is an official Ubuntu tutorial at https://ubuntu.com/server/docs/service-kerberos-workstation-auth, but it is for Ubuntu 20.04 Desktop. I could follow the instructions to the end without an issue. But when I log in to Ubuntu 22.04 Desktop and execute klist, there is no TGT ticket listed; it looks like authentication has fallen back to local Linux authentication instead of authenticating using Kerberos.
  7. I have deleted all of the log files from the /var/log/sssd/ directory.
  8. Just in case, I have rebooted Ubuntu.
  9. I log in with user01, which exists in the KDC server as user01@EXAMPLE.COM. On Ubuntu Desktop the user name is: user01
  10. Executing klist shows that no TGT ticket has been created.
  11. Below are the logs from /var/log/sssd/sssd.log:
(2023-06-05 15:03:20): [be[example.com]] [server_setup] (0x1f7c0): Starting with debug level = 0x0070
(2023-06-05 15:03:20): [be[example.com]] [proxy_resolver_conf] (0x0020): No resolver library name given
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  [be[example.com]] [become_user] (0x0200): Trying to become user [0][0].
   *  [be[example.com]] [become_user] (0x0200): Already user [0].
   *  [be[example.com]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
   *  (2023-06-05 15:03:20): [be[example.com]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option lookup_family_order has value ipv4_first
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_resolver_timeout has value 6
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 3
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_resolver_server_timeout has value 1000
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option dns_discovery_domain has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
   *  (2023-06-05 15:03:20): [be[example.com]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
   *  (2023-06-05 15:03:20): [be[example.com]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30
   *  (2023-06-05 15:03:20): [be[example.com]] [confdb_get_domain_internal] (0x0400): No enumeration for [example.com]!
   *  (2023-06-05 15:03:20): [be[example.com]] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
   *  (2023-06-05 15:03:20): [be[example.com]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
   *  (2023-06-05 15:03:20): [be[example.com]] [sysdb_domain_init_internal] (0x0200): DB File for example.com: /var/lib/sss/db/cache_example.com.ldb
   *  (2023-06-05 15:03:20): [be[example.com]] [sysdb_domain_init_internal] (0x0200): Timestamp file for example.com: /var/lib/sss/db/timestamps_example.com.ldb
   *  (2023-06-05 15:03:20): [be[example.com]] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2023-06-05 15:03:20): [be[example.com]] [ldb] (0x0400): asq: Unable to register control with rootdse!
   *  (2023-06-05 15:03:20): [be[example.com]] [sysdb_ldb_connect] (0x4000): No ldb module path set in env
   *  (2023-06-05 15:03:20): [be[example.com]] [sss_domain_get_state] (0x1000): Domain example.com is Active
   *  (2023-06-05 15:03:20): [be[example.com]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
   *  (2023-06-05 15:03:20): [be[example.com]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558ece6264a0]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [id]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [krb5] provider for [auth]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [krb5] provider for [chpass]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [sudo]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [autofs]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [selinux]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [hostid]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [subdomains]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [session]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_configuration] (0x0100): Using [proxy] provider for [resolver]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [id] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): About to load module [proxy].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_module_open_lib] (0x1000): Loading module [proxy] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_proxy.so]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_module_run_constructor] (0x0400): Executing module [proxy] constructor.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [id] constructor
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [auth] with module [krb5]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): About to load module [krb5].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_module_open_lib] (0x1000): Loading module [krb5] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_krb5.so]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_module_run_constructor] (0x0400): Executing module [krb5] constructor.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_server has value kerberos.example.com
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_realm has value EXAMPLE.COM
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_ccachedir has value /tmp
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_ccname_template has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_auth_timeout has value 6
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_keytab has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_validate is FALSE
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_kpasswd has value kerberos.example.com
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_backup_kpasswd has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_store_password_if_offline is FALSE
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_renewable_lifetime has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_lifetime has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_renew_interval has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_fast has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_fast_principal has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_canonicalize is FALSE
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_enterprise_principal is FALSE
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_kdcinfo is TRUE
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_kdcinfo_lookahead has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_map_user has no value
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_get_options] (0x0400): Option krb5_use_subdomain_realm is FALSE
   *  (2023-06-05 15:03:20): [be[example.com]] [krb5_service_new] (0x0100): write_kdcinfo for realm EXAMPLE.COM set to true
   *  (2023-06-05 15:03:20): [be[example.com]] [fo_new_service] (0x0400): Creating new service 'KERBEROS'
   *  (2023-06-05 15:03:20): [be[example.com]] [fo_add_server_to_list] (0x0400): Inserted primary server 'kerberos.example.com:0' to service 'KERBEROS'
   *  (2023-06-05 15:03:20): [be[example.com]] [_krb5_servers_init] (0x0400): Added Server kerberos.example.com
   *  (2023-06-05 15:03:20): [be[example.com]] [krb5_service_new] (0x0100): write_kdcinfo for realm EXAMPLE.COM set to true
   *  (2023-06-05 15:03:20): [be[example.com]] [fo_new_service] (0x0400): Creating new service 'KPASSWD'
   *  (2023-06-05 15:03:20): [be[example.com]] [fo_add_server_to_list] (0x0400): Inserted primary server 'kerberos.example.com:0' to service 'KPASSWD'
   *  (2023-06-05 15:03:20): [be[example.com]] [_krb5_servers_init] (0x0400): Added Server kerberos.example.com
   *  (2023-06-05 15:03:20): [be[example.com]] [check_lifetime] (0x0200): No lifetime configured.
   *  (2023-06-05 15:03:20): [be[example.com]] [check_lifetime] (0x0200): No lifetime configured.
   *  (2023-06-05 15:03:20): [be[example.com]] [parse_krb5_map_user] (0x0100): krb5_map_user is empty!
   *  (2023-06-05 15:03:20): [be[example.com]] [be_fo_set_srv_lookup_plugin] (0x0400): Trying to set SRV lookup plugin to DNS
   *  (2023-06-05 15:03:20): [be[example.com]] [be_fo_set_srv_lookup_plugin] (0x0400): SRV lookup plugin is now DNS
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [auth] constructor
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [access] with module [permit]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [chpass] with module [krb5]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [krb5] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [chpass] constructor
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [sudo] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [sudo] is not supported by module [proxy].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [autofs] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [autofs] is not supported by module [proxy].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [selinux] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [proxy].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [hostid] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [hostid] is not supported by module [proxy].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [subdomains] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [proxy].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [session] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0100): Target [session] is not supported by module [proxy].
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_init] (0x0400): Initializing target [resolver] with module [proxy]
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_load_module] (0x0400): Module [proxy] is already loaded.
   *  (2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0400): Executing target [resolver] constructor
   *  (2023-06-05 15:03:20): [be[example.com]] [proxy_resolver_conf] (0x0020): No resolver library name given
********************** BACKTRACE DUMP ENDS HERE *********************************
(2023-06-05 15:03:20): [be[example.com]] [dp_target_run_constructor] (0x0010): Target [resolver] constructor failed [95]: Operation not supported

I have found a solution. The problem in my case was that "user01" had the same password for:

  • local Linux and
  • Kerberos.

It looks like in this configuration the Ubuntu login process first tries to log on with the local Linux user, and so it never gets to the Kerberos login if both passwords are the same.

The solution in my case was to change the local Linux password:

sudo passwd user01

Now at the Ubuntu Desktop login:

  • Type in the Kerberos password and Ubuntu authenticates using Kerberos. I can confirm the successful Kerberos login with the klist command, and I see that a new TGT ticket is created.
  • Type in the local Linux password and Ubuntu authenticates using local Linux authentication, e.g. /etc/shadow.