Red Hat Security: Identity Management and Authentication
Troubleshoot, diagnose, and fix issues with an IdM client.
Outcomes
Verify the status of services on an IdM client.
Analyze logs and configuration files to fix issues with an IdM client connection.
As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:
[student@workstation ~]$ lab start maintenance-troubleshoot
Instructions
On the
clientmachine, try to authenticate to IdM as theidmuser01user.Log in to the
clientmachine as thestudentuser. Try to authenticate to IdM as theidmuser01user:[student@workstation ~]$
ssh client[student@client ~]$kinit idmuser01kinit: Cannot find KDC for realm "LAB.EXAMPLE.CON" while getting initial credentialsThe command shows an error trying to find the
LAB.EXAMPLE.CONrealm. This is an incorrect realm; the correct realm isLAB.EXAMPLE.COM.Try specifying the
LAB.EXAMPLE.COMrealm to authenticate:[student@client ~]$
kinit idmuser01@LAB.EXAMPLE.COMkinit: Cannot contact any KDC for realm 'LAB.EXAMPLE.COM' while getting initial credentialsThe command shows an error trying to reach the Key Distribution Center (KDC) in the
LAB.EXAMPLE.COMrealm.
Enable debugging for the authentication process. Review the Kerberos configuration file.
Enable debug messages for the authentication command. Review the output, looking for reasons for the authentication failure:
[student@client ~]$
KRB5_TRACE=/dev/stdout kinit idmuser01@LAB.EXAMPLE.COM[1220] 1688922409.331859: Matching idmuser01@LAB.EXAMPLE.COM in collection with result: 0/Success [1220] 1688922409.331860: Getting initial credentials for idmuser01@LAB.EXAMPLE.COM [1220] 1688922409.331862: Sending unauthenticated request [1220] 1688922409.331863: Sending request (183 bytes) to LAB.EXAMPLE.COM[1220] 1688922409.331864: Resolving hostname idmserver.lab.example.comkinit: Cannot contact any KDC for realm 'LAB.EXAMPLE.COM' while getting initial credentialsThe output shows that the client is trying to contact the
idmserver.lab.example.comIdM server, which is incorrect.Review the definition of the
LAB.EXAMPLE.COMrealm in the Kerberos configuration file:[student@client ~]$
cat /etc/krb5.conf...output omitted... [realms] LAB.EXAMPLE.COM = { kdc = idmserver.lab.example.com:88 master_kdc = idmserver.lab.example.com:88 admin_server = idmserver.lab.example.com:749 kpasswd_server = idmserver.lab.example.com:464 default_domain = lab.example.com ...output omitted...The definition for the IdM server is incorrect for the
LAB.EXAMPLE.COMrealm.Correct the IdM server definition to
idm.lab.example.comin the Kerberos configuration file:...output omitted... [realms] LAB.EXAMPLE.COM = {
kdc = idm.lab.example.com:88master_kdc = idm.lab.example.com:88admin_server = idm.lab.example.com:749kpasswd_server = idm.lab.example.com:464default_domain = lab.example.com ...output omitted...Restart the
sssdservice:[student@client ~]$
sudo systemctl restart sssdJob for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xeu sssd.service" for details.The
sssdservice fails to start.
Review the SSSD log messages and configuration file.
Review the SSSD log messages:
[student@client ~]$
journalctl _SYSTEMD_UNIT=sssd.serviceJul 09 13:43:40 client.lab.example.com sssd[1370]: SSSD couldn't load the configuration database [1432158321]: Unknown error 143215832>The
journalctlcommand shows an error loading the configuration database. The output does not show specific errors.Review the log files in the
/var/log/sssd/directory:[student@client ~]$
sudo less /var/log/sssd/sssd.log...output omitted... [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed. [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1432158321]: [File ownership and permissions check failed] [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1432158321]: File ownership and permissions check failed [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1432158321]:File ownership and permissions check failed[sssd] [main] (0x0010): SSSD couldn't load the configuration database.The output shows an issue with the SSSD file ownership and permissions.
Check the ownership and permission on the
/etc/sssd/sssd.conffile. The expected ownership and permissions areroot:rootand 0600, respectively. Fix any mismatches:[student@client ~]$
sudo ls -l /etc/sssd/sssd.conf-rw-r-----. 1 root root 476 Jul 8 21:11 /etc/sssd/sssd.conf [student@client ~]$sudo chmod 0600 /etc/sssd/sssd.confCheck the SSSD configuration file for typographical errors:
[student@client ~]$
sudo sssctl config-checkIssues identified by validators: 1 [rule/allowed_sections]: Section [autoFS] is not allowed. Check for typos. Messages generated during configuration merging: 0 Used configuration snippet files: 0Fix any errors in the SSSD configuration file. Restart the
sssdservice and verify that it starts correctly:[student@client ~]$
sudo vi /etc/sssd/sssd.conf...output omitted...[autofs]...output omitted... [student@client ~]$sudo systemctl restart sssd[student@client ~]$sudo systemctl status sssd● sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2023-07-09 14:16:44 EDT; 1min 16s ago ...output omitted... Jul 09 14:16:44 client.lab.example.com systemd[1]: Started System Security Services Daemon. Jul 09 14:17:59 client.lab.example.com sssd_be[1514]: Backend is offline
Try to authenticate to IdM as the
idmuser01user.Try to authenticate to IdM as the
idmuser01, and ensure that you specify theLAB.EXAMPLE.COMrealm:[student@client ~]$
kinit idmuser01@LAB.EXAMPLE.COMPassword for idmuser01@LAB.EXAMPLE.COM:RedHat123^Verify that the
idmuser01user has access to IdM by reviewing the user information:[student@client ~]$
ipa user-show idmuser01User login: idmuser01 First name: idmuser01 Last name: idm Home directory: /home/idmuser01 Login shell: /bin/sh Principal name: idmuser01@LAB.EXAMPLE.COM Principal alias: idmuser01@LAB.EXAMPLE.COM ...output omitted...Destroy the Kerberos ticket and try to authenticate to IdM without specifying the realm:
[student@client ~]$
kdestroy -A[student@client ~]$kinit idmuser01kinit: Cannot find KDC for realm "LAB.EXAMPLE.CON" while getting initial credentialsThe output shows that the client is still trying to read the incorrect realm.
Review the Kerberos configuration file looking for mistakes in the realm definition. Fix any issues and restart the
sssdservice.Review the
/etc/krb5.conffile:[student@client ~]$
cat /etc/krb5.conf#File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults]default_realm = LAB.EXAMPLE.CONdns_lookup_realm = false rdns = false dns_canonicalize_hostname = falseThe
default_realmparameter uses an incorrect value.Fix the typographical error in the configuration file:
...output omitted... [libdefaults] default_realm =
LAB.EXAMPLE.COMdns_lookup_realm = false rdns = false dns_canonicalize_hostname = false ...output omitted...Restart the
sssdservice:[student@client ~]$
sudo systemctl restart sssdAuthenticate to IdM without defining the realm. Verify that you can access IdM services by requesting the user information:
[student@client ~]$
kinit idmuser01Password for idmuser01@LAB.EXAMPLE.COM:RedHat123^[student@client ~]$ipa user-show idmuser01User login: idmuser01 First name: idmuser01 Last name: idm Home directory: /home/idmuser01 Login shell: /bin/sh Principal name: idmuser01@LAB.EXAMPLE.COM Principal alias: idmuser01@LAB.EXAMPLE.COM ...output omitted...Exit from the
clientmachine:[student@client ~]$
exitlogout Connection to client closed.
