No Proxmox 4.4, instalei o Centos 7 VM com o servidor FreeIPA:
ipa-server-install --idstart 10000 --setup-dns
Eu posso usar usuários IPA e fazer login em outras VMs no Proxmox, mas quando eu tento mesmo para o contêiner Centos 7 LXC, recebo erros:
May 6 13:15:50 aaaaaa sshd[424]: Authorized to user, krb5 principal [email protected] (ssh_gssapi_krb5_cmdok)
May 6 13:15:50 aaaaaa sshd[424]: pam_sss(sshd:account): Access denied for user user: 4 (System error)
May 6 13:15:50 aaaaaa sshd[424]: fatal: Access denied for user user by PAM account configuration [preauth]
Mas:
[root@aaaaaa ~]# su - user
Creating home directory for user.
[user@aaaaaa ~]$
E agora existe esse usuário em /etc/passwd
neste servidor, por isso é do IPA.
[user@aaaaaa ~]$ id
uid=10001(user) gid=10000(admins) groups=10000(admins)
[user@aaaaaa ~]$ getent passwd user
user:*:10001:10000:Name Surename:/home/user:/bin/bash
Além disso, não consigo fazer login como usuário root nesse contêiner depois que o inscrevi no servidor FreeIPA.
[root@aaaaaa ~]# kinit admin
Password for [email protected]:
[root@aaaaaa ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_rirBgUU
Default principal: [email protected]
Valid starting Expires Service principal
05/06/2017 14:56:21 05/07/2017 14:56:19 krbtgt/[email protected]
Então, o kerberos funcionou, mas o único problema que tenho é o ssh. Eu mudo em Proxmox /etc/subgid
e /etc/subuid
(como proposto aqui ) para obter mais IDs, mas foi um movimento desesperado. O intervalo de IDs do meu IPA não é alto, começando em 10000 e posso fazer su - user
, então não é o caso.
Acho que verifiquei tudo, incluindo remove sssd db, mas isso não muda nada.
Aqui está meu sssd.conf
:
[domain/homelab.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = homelab.local
id_provider = ipa
auth_provider = ipa
access_provider = permit
ipa_hostname = aaaaaa.homelab.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa.homelab.local
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
domains = homelab.local
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
E meu system-auth
:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
E meu arquivo sshd_config
:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UsePrivilegeSeparation sandbox # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
e abaixo é a saída de ssh onde eu posso conectar ao contêiner LXC:
ssh -vvv user@aaaaaa
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 aaaaaa
debug1: permanently_drop_suid: 10001
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 6 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6
debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8
debug3: load_hostkeys: loaded 4 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss,
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup [email protected]
debug1: kex: server->client aes128-ctr [email protected] none
debug2: mac_setup: setup [email protected]
debug1: kex: client->server aes128-ctr [email protected] none
debug1: kex: [email protected] need=16 dh_need=16
debug1: kex: [email protected] need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 4f:71:72:5c:46:e5:58:3b:cf:17:75:c9:52:35:38:e9
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/home/user/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "aaaaaa" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:4
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:6
debug3: load_hostkeys: found key type ED25519 in file /var/lib/sss/pubconf/known_hosts:8
debug3: load_hostkeys: loaded 4 keys
debug1: Host 'aaaaaa' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/id_rsa ((nil)),
debug2: key: /home/user/.ssh/id_dsa ((nil)),
debug2: key: /home/user/.ssh/id_ecdsa ((nil)),
debug2: key: /home/user/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
Connection closed by UNKNOWN
Claro que no servidor user
não é o login real que eu uso.
Mais algum conselho que posso verificar? Eu luto com isso há alguns dias e não consigo encontrar nenhuma pista sobre como resolver isso. Espero que alguém aqui possa me ajudar.
ATUALIZAÇÃO:
Eu cometi um erro ao escrever que não consigo fazer login como usuário root. Eu posso. Mas ainda não consegue logar via ssh como outro usuário do IPA. Além disso, quando eu su - user
não posso fazer sudo
deste usuário, mas em outras VMs esse usuário do IPA pode executar qualquer comando via sudo
.
UPDATE2:
Eu acho que no container quando executo kinit user
e, em seguida, klist
tenho:
Ticket cache: KEYRING:persistent:0:0
Mas o mesmo na VM se parece com:
Ticket cache: KEYRING:persistent:10001:krb_ccache_K1JScvu