"Unknown credential cache type" errors with SSSD

Hi, I'm trying to configure a FreeBSD 10.2 file server to allow Active Directory user login with SSSD, but I'm encountering some problems. I've got it working on my CentOS 7 and RHEL 7 servers, and I've tried to make the setup on the FreeBSD box as similar as possible in the hope of avoiding issues.

First of all, here's what's working:
  • sssd 1.11.7 installed with SMB support and running
  • samba41 4.1.22 installed with ACL_SUPPORT, ADS, DNSUPDATE, LDAP and QUOTAS on
  • cyrus-sasl-gssapi 2.1.26 installed
  • krb5 1.14 installed
  • Joined machine to domain using Samba net ads join
  • net ads info output looks good
  • Creating Kerberos tickets works (e.g. kinit Administrator)
  • getent passwd and getent group work for AD users/groups

As for what doesn't work:
  • When any local user logs on with SSH, a message is printed to the console: sshd[8899]: in openpan_check_error_code(): pam_sm_open_session(): unexpected return value 13
  • When any local user logs off from an SSH session, a message is printed to the console: sshd[8899]: in openpan_check_error_code(): pam_sm_close_session(): unexpected return value 13
  • Authenticating as an AD user (e.g. via SSH or su) fails and prints a message to the console: [sssd[krb5_child[15238]]]: Unknown credential cache type

I know it's actually validating the password with the AD server, as using an incorrect password results in the message "[sssd[krb5_child[850]]]: Preauthentication failed" being printed to the console, so it's getting as far as checking the password successfully.

I must have something misconfigured but I don't know what. I'd very much appreciate any help/suggestions.

I've included what I think are the relevant config files. As I mentioned before, the SSSD and Samba configuration are taken from a working setup on CentOS/RHEL 7 servers. Sorry if I'm including irrelevant things.

This is my /etc/pam.d/sshd:
Code:
#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
auth  sufficient  /usr/local/lib/pam_sss.so
#auth  sufficient  pam_krb5.so  no_warn try_first_pass
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass

# account
account  required  /usr/local/lib/pam_sss.so  ignore_unknown_user
account  required  pam_nologin.so
#account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  pam_unix.so

# session
session  optional  /usr/local/lib/pam_sss.so
#session  optional  pam_ssh.so  want_agent
session  required  pam_permit.so

# password
password  sufficient  /usr/local/lib/pam_sss.so  use_authtok
#password  sufficient  pam_krb5.so  no_warn try_first_pass
password  required  pam_unix.so  no_warn try_first_pass

This is my /etc/pam.d/system:
Code:
#
# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
auth  sufficient  /usr/local/lib/pam_sss.so
#auth  sufficient  pam_krb5.so  no_warn try_first_pass
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass nullok

# account
account  required  /usr/local/lib/pam_sss.so  ignore_unknown_user
#account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  pam_unix.so

# session
#session  required  /usr/local/lib/pam_mkhomedir.so mode=0700
session  optional  /usr/local/lib/pam_sss.so
#session  optional  pam_ssh.so  want_agent
session  required  pam_lastlog.so  no_fail

# password
password  sufficient  /usr/local/lib/pam_sss.so  use_authtok
#password  sufficient  pam_krb5.so  no_warn try_first_pass
password  required  pam_unix.so  no_warn try_first_pass

This is my /usr/local/etc/sssd/sssd.conf:
Code:
[sssd]
config_file_version = 2
services = nss, pam
domains = au.anteline.com

[nss]

[pam]

[domain/au.anteline.com]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

cache_credentials = true

ldap_schema = ad
ldap_id_mapping = false

default_shell = /usr/local/bin/bash

override_homedir = /pool/nethome/%d/%u

This is my /etc/krb5.conf:
Code:
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = true
 default_realm = AU.ANTELINE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 AU.ANTELINE.COM = {
  kdc = alebwdsrv01.au.anteline.com
  admin_server = alebwdsrv01.au.anteline.com
 }

[domain_realm]
 .au.anteline.com = AU.ANTELINE.COM

This is my /usr/local/etc/smb4.conf:
Code:
[global]
  log file = /var/log/samba/log.%m
  max log size = 50

  workgroup = ANTELINEAU
  security = ads
  passdb backend = tdbsam
  realm = AU.ANTELINE.COM
  kerberos method = secrets and keytab

  load printers = yes
  cups options = raw
 
Try turning off the caching of credentials:
Code:
cache_credentials = false
That should force SSSD to query AD directly. Hopefully that will provide a better error message. Once you have everything working you can enable caching again.
 
Thanks for the advice, I set cache_credentials = false and also debug_level = 5 in the [sssd] and restarted sssd. The only additional logging I get with this setting shows the master sssd process pinging its domain, nss and pam children. I'm still not getting anything more useful regarding why login fails, just the same "Unknown credential cache type" message.

As a shot in the dark, is it possible this is caused by an interaction between Heimdal Kerberos and MIT Kerberos in some way? If so, how would I debug it?
 
Each "section" of the SSSD config can have different debug settings and will provide info specific to that section. Try adding the debug_level to the domain section.
 
OK, well it gives me some more logging when I enable debug for more parts of SSSD. Here's the anatomy of a failed su:

sssd_nss.log:
Code:
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vas.crabb@au.anteline.com' matched expression for domain 'au.anteline.com', user is vas.crabb
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [vas.crabb] from [au.anteline.com]
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [vas.crabb@au.anteline.com]
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vas.crabb@au.anteline.com' matched expression for domain 'au.anteline.com', user is vas.crabb
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [vas.crabb] from [au.anteline.com]
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [vas.crabb@au.anteline.com]
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vas.crabb@au.anteline.com' matched expression for domain 'au.anteline.com', user is vas.crabb
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [vas.crabb] from [au.anteline.com]
(Thu Feb 18 22:51:33 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [vas.crabb@au.anteline.com]
(Thu Feb 18 22:51:37 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'vas.crabb@au.anteline.com' matched expression for domain 'au.anteline.com', user is vas.crabb
(Thu Feb 18 22:51:37 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [vas.crabb] from [au.anteline.com]
(Thu Feb 18 22:51:37 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [vas.crabb@au.anteline.com]
(Thu Feb 18 22:51:46 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

sssd_pam.log:
Code:
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'vas.crabb@au.anteline.com' matched expression for domain 'au.anteline.com', user is vas.crabb
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: au.anteline.com
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): user: vas.crabb
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: kaisheng.liu
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Feb 18 22:51:36 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 1379
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [vas.crabb@au.anteline.com]
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: au.anteline.com
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): user: vas.crabb
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): service: su
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: kaisheng.liu
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 1379
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][au.anteline.com]
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Thu Feb 18 22:51:37 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 32
(Thu Feb 18 22:51:46 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

sssd_au.anteline.com.log:
Code:
(Thu Feb 18 22:51:36 2016) [sssd[be[au.anteline.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=vas.crabb]
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): domain: au.anteline.com
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): user: vas.crabb
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): service: su
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): ruser: kaisheng.liu
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): rhost:
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): authtok type: 1
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): priv: 0
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [pam_print_data] (0x0100): cli_pid: 1379
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [krb5_auth_send] (0x0100): Home directory for user [vas.crabb] not known.
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [krb5_auth_send] (0x0100): No ccache file for user [vas.crabb] found.
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [be_resolve_server_process] (0x0200): Found address for server alebwdsrv01.au.anteline.com: [10.1.1.4] TTL 3600
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][au.anteline.com]
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][au.anteline.com]
(Thu Feb 18 22:51:37 2016) [sssd[be[au.anteline.com]]] [child_sig_handler] (0x0100): child [1380] finished successfully.

sssd_krb5_child.log:
Code:
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:110001] keytab: [/etc/krb5.keytab]
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [k5c_setup] (0x0100): Not using FAST.
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [2][2].
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [vas.crabb\@AU.ANTELINE.COM@AU.ANTELINE.COM] might not be correct.
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [become_user] (0x0200): Trying to become user [110001][120003].
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [get_and_save_tgt] (0x0020): 1021: [-1765328244][Unknown credential cache type]
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [map_krb5_error] (0x0020): 1043: [-1765328244][Unknown credential cache type]
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [k5c_send_data] (0x0200): Received error code 1432158209

An SSH login attempt shows the same sequence. It looks like the only piece running into trouble is the krb5_child.

The first error is that sss_send_pac fails. The errno values in the square brackets are both 2 = ENOENT, which I understand is not a problem if you aren't running the PAC responder (which I'm not). The UID and GID on the "Trying to become user" line are correct. Then it fails with the "Unknown credential cache type" error.

Is there some chance that there's a corrupt credential cache somewhere that could be causing trouble? Where would such a cache be stored?
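As an added example (not code from the thread), a small Python checker that ties the `default_ccache_name` in the posted krb5.conf to the `ccname` the krb5_child log reports, and flags a cache type the host's Kerberos library cannot open together with the numeric krb5 error on the failing line. The platform table is an assumption about MIT krb5 as built on Linux versus the FreeBSD port (the KEYRING type is backed by the Linux kernel keyring), and the error-code names are taken from MIT's krb5.h; the sample log lines are the two krb5_child lines quoted above.

```python
import re

# MIT krb5 credential cache types usable on each platform (assumption, see lead-in).
# KEYRING needs the Linux kernel keyring and is not built into the FreeBSD krb5 port,
# so a krb5.conf copied from RHEL/CentOS names a ccache type the BSD host cannot open.
CCACHE_TYPES = {
    "Linux": {"FILE", "DIR", "MEMORY", "KEYRING", "KCM"},
    "FreeBSD": {"FILE", "DIR", "MEMORY", "KCM"},
}

# Numeric com_err codes seen in krb5_child logs (the first is the value in this thread).
KRB5_ERRORS = {
    -1765328244: "KRB5_CC_UNKNOWN_TYPE",  # "Unknown credential cache type"
    -1765328243: "KRB5_CC_NOTFOUND",      # "Matching credential not found"
}

CCNAME_RE = re.compile(r"ccname: \[(?P<name>[^\]]+)\]")
KRB5_ERR_RE = re.compile(r"\[(?P<code>-\d+)\]\[(?P<msg>[^\]]+)\]")

def expand_ccache_name(template: str, uid: int) -> str:
    """Expand the %{uid} token of a krb5.conf default_ccache_name for one user."""
    return template.replace("%{uid}", str(uid))

def ccache_type(ccname: str) -> str:
    """Type prefix of a ccache name; a bare path means FILE."""
    prefix, sep, _ = ccname.partition(":")
    return prefix if sep and prefix.isupper() else "FILE"

def diagnose(log_text: str, system: str) -> list[str]:
    """Scan krb5_child log lines; report ccache types the host lacks and krb5 errors."""
    findings = []
    for line in log_text.splitlines():
        m = CCNAME_RE.search(line)
        if m and ccache_type(m.group("name")) not in CCACHE_TYPES[system]:
            findings.append(f"ccache {m.group('name')}: type {ccache_type(m.group('name'))} not available on {system}")
        e = KRB5_ERR_RE.search(line)
        if e and int(e.group("code")) in KRB5_ERRORS:
            findings.append(f"{KRB5_ERRORS[int(e.group('code'))]}: {e.group('msg')}")
    return findings

# Constructed sample: the two krb5_child lines from the thread that carry the evidence.
SAMPLE_LOG = """\
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:110001] keytab: [/etc/krb5.keytab]
(Thu Feb 18 22:51:37 2016) [[sssd[krb5_child[1380]]]] [get_and_save_tgt] (0x0020): 1021: [-1765328244][Unknown credential cache type]
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "FreeBSD"):
        print(finding)
```

Run against the same lines with `system="Linux"` only the krb5 error is reported, which is the quickest way to see that the cache type, not the password check, is what differs between the working RHEL hosts and the FreeBSD box.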
 
Not sure if it's the cause of the problem but your UID and GID look fairly large. You should be able to use a UID/GID above 65535 on FreeBSD but it may cause problems with other software.
 