Re: [Freeipa-devel] pam_winbind(sshd:auth): pam_get_item returned a password

Wed, 16 Nov 2016 03:21:39 -0800 

On 11/16/2016 10:41 AM, rajat gupta wrote:


I am using FreeIPA  version 4.4.0 and Active Directory trust setup.  on
Active Directory side I am using UPN suffix.

Following are my  setup.

AD DOMANIN :- corp.addomain.com <http://corp.addomain.com>
UPN suffix :- usern...@mydomain.com <mailto:usern...@mydomain.com>
IPA DOMAIN :- ipa.ipadomain.local
IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local


I am able to login with AD user on IPA server. But on IPA clinet i am
not able to login i am getting the login message "Access denied". I have
enabled the debug_level on sssd.conf on ipa client.

below are some logs..
================
/var/log/secure

Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=x.x.x.x user=rg1989
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for
user e600336: 6 (Permission denied)
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting
password (0x00000010)
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth):
pam_get_item returned a password
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal
module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for rg1989 from
x.x.x.x. port 48842 ssh2
================

================
krb5_child.log

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400):
krb5_child completed successfully
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400):
krb5_child started.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer]
(0x1000): total buffer size: [159]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
enterprise principal [false] offline [false] UPN
[rajat.gu...@mydomain.com <mailto:rajat.gu...@mydomain.com>]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
[KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds]
(0x0200): Switch user to [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[k5c_check_old_ccache] (0x4000): Ccache_file is
[KEYRING:persistent:1007656917] and is not active and TGT is  valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[find_principal_in_keytab] (0x4000): Trying to find principal
host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal]
(0x1000): Principal matched to the sample
(host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL).
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000):
Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup]
(0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400):
Will perform online auth
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MYDOMAIN.COM <http://MYDOMAIN.COM>]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting
initial credentials for rajat.gu...@mydomain.com
<mailto:rajat.gu...@mydomain.com>

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418698: Retrieving
host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
<http://MYDOMAIN.COM>\@MYDOMAIN.COM@X-CACHECONF: from
MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
-1765328243/Matching credential not found

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418756: Sending
request (164 bytes) to MYDOMAIN.COM <http://MYDOMAIN.COM>

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419718: Retrying
AS request with master KDC

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419752: Getting
initial credentials for rajat.gu...@mydomain.com
<mailto:rajat.gu...@mydomain.com>

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419778: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419821: Retrieving
host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
<http://MYDOMAIN.COM>\@MYDOMAIN.COM@X-CACHECONF: from
MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
-1765328243/Matching credential not found

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419859: Sending
request (164 bytes) to MYDOMAIN.COM <http://MYDOMAIN.COM> (master)

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM
<http://MYDOMAIN.COM>"]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [map_krb5_error]
(0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM
<http://MYDOMAIN.COM>"]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data]
(0x0200): Received error code 1432158228
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
[pack_response_packet] (0x2000): response packet size: [4]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400):
krb5_child completed successfully
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400):
krb5_child started.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer]
(0x1000): total buffer size: [159]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
enterprise principal [false] offline [false] UPN
[rajat.gu...@mydomain.com <mailto:rajat.gu...@mydomain.com>]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
[KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds]
(0x0200): Switch user to [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[k5c_check_old_ccache] (0x4000): Ccache_file is
[KEYRING:persistent:1007656917] and is not active and TGT is  valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
[host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[find_principal_in_keytab] (0x4000): Trying to find principal
host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [match_principal]
(0x1000): Principal matched to the sample
(host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL).
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[check_fast_ccache] (0x0200): FAST TGT is still valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x2000):
Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup]
(0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400):
Will perform online auth
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MYDOMAIN.COM <http://MYDOMAIN.COM>]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.426870: Getting
initial credentials for rajat.gu...@mydomain.com
<mailto:rajat.gu...@mydomain.com>

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428706: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428762: Retrieving
host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
<http://MYDOMAIN.COM>\@MYDOMAIN.COM@X-CACHECONF: from
MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
-1765328243/Matching credential not found

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428825: Sending
request (164 bytes) to MYDOMAIN.COM <http://MYDOMAIN.COM>

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429706: Retrying
AS request with master KDC

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429740: Getting
initial credentials for rajat.gu...@mydomain.com
<mailto:rajat.gu...@mydomain.com>

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429767: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429812: Retrieving
host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
<http://MYDOMAIN.COM>\@MYDOMAIN.COM@X-CACHECONF: from
MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
-1765328243/Matching credential not found

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429854: Sending
request (164 bytes) to MYDOMAIN.COM <http://MYDOMAIN.COM> (master)

(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM
<http://MYDOMAIN.COM>"]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [map_krb5_error]
(0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM
<http://MYDOMAIN.COM>"]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data]
(0x0200): Received error code 1432158228
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
[pack_response_packet] (0x2000): response packet size: [4]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400):
krb5_child completed successfully
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400):
krb5_child started.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer]
(0x1000): total buffer size: [159]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
enterprise principal [false] offline [true] UPN
[rajat.gu...@mydomain.com <mailto:rajat.gu...@mydomain.com>]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
[KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds]
(0x0200): Switch user to [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
[k5c_check_old_ccache] (0x4000): Ccache_file is
[KEYRING:persistent:1007656917] and is not active and TGT is  valid.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x2000):
Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user]
(0x0200): Already user [1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_setup]
(0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400):
Will perform offline auth
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
[create_empty_ccache] (0x1000): Existing ccache still valid, reusing
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data]
(0x0200): Received error code 0
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
[pack_response_packet] (0x2000): response packet size: [53]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400):
krb5_child completed successfully
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400):
krb5_child started.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer]
(0x1000): total buffer size: [52]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer]
(0x0100): cmd [249] uid [1007656917] gid [1007656917] validate [true]
enterprise principal [false] offline [true] UPN
[rajat.gu...@mydomain.com <mailto:rajat.gu...@mydomain.com>]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x2000):
Running as [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user]
(0x0200): Already user [1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_setup]
(0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400):
Will perform pre-auth
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MYDOMAIN.COM <http://MYDOMAIN.COM>]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.766694: Getting
initial credentials for rajat.gu...@mydomain.com
<mailto:rajat.gu...@mydomain.com>

(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.769074: Sending
request (164 bytes) to MYDOMAIN.COM <http://MYDOMAIN.COM>

(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770020: Retrying
AS request with master KDC

(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770051: Getting
initial credentials for rajat.gu...@mydomain.com
<mailto:rajat.gu...@mydomain.com>

(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770091: Sending
request (164 bytes) to MYDOMAIN.COM <http://MYDOMAIN.COM> (master)

(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt]
(0x0400): krb5_get_init_creds_password returned [-1765328230} during
pre-auth.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data]
(0x0200): Received error code 0
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
[pack_response_packet] (0x2000): response packet size: [4]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400):
krb5_child completed successfully
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400):
krb5_child started.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer]
(0x1000): total buffer size: [160]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
enterprise principal [false] offline [true] UPN
[rajat.gu...@mydomain.com <mailto:rajat.gu...@mydomain.com>]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
[KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds]
(0x0200): Switch user to [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
[k5c_check_old_ccache] (0x4000): Ccache_file is
[KEYRING:persistent:1007656917] and is not active and TGT is  valid.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x2000):
Running as [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user]
(0x0200): Trying to become user [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user]
(0x0200): Already user [1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_setup]
(0x2000): Running as [1007656917][1007656917].
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400):
Will perform offline auth
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
[create_empty_ccache] (0x1000): Existing ccache still valid, reusing
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data]
(0x0200): Received error code 0
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
[pack_response_packet] (0x2000): response packet size: [53]
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400):
krb5_child completed successfully

=======================

Can you please help me to fix this,

/Rajat




Hi Rajat,


Please subscribe to and use freeipa-us...@redhat.com for requesting 
help/troubleshooting assistance.



freeipa-devel list is focused mainly on technical discussions involving 
FreeIPA developers and community contributors to FreeIPA source code.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code






















					Reply via email to