Alexander,

> Enable debugging for IPA server framework by creating a file
> /etc/ipa/server.conf with the following content:
>
> --------
> [global]
> debug=True
> --------
>
> Restart httpd and try again. Then collect logs and show that access
> attempt. The logs you attached so far only contain Apache modules'
> debugging information, not IPA framework's one.

Thanks for your reply.  I went ahead and disabled the debug logs via
httpd/conf.d/nss.conf to "warn", and now am only using server.conf
"debug=True" (which was already set).  I've attached the logs
generated via a fresh request and `tail -f krb5kdc.log
httpd/{access,error}_log dirsrv/slapd-IPA-DOMAIN-COM/{access,error}`,
but you'll see that there is much less output.

> Other than self-management, you wouldn't achieve anything in FreeIPA 4.6
> for that. Web UI / CLI administration with AD users is only available in
> RHEL 8.0 beta.

Right.  I did see a post suggesting limited AD user access in terms of
Web UI and cli, but the post below suggests that ipa cli access was/is
available as of FreeIPA 4.5.0:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/5OWV3YTPG4ZETKJG2GVP2LDDTUUIAC2D/

> Looks fine -- the framework actually asked for the ldap/... ticket
> on behalf of AD user, so S4U2Proxy did work. Can you see anything in
> LDAP server access logs at the same time?

Thanks for the suggestion.  There is a "SASL(-14) authorization
failure" in the dirsrv/INSTANCE/access log, but no entries within the
dirsrv/INSTANCE/error log; I've attached a copy of the relevant log
entries.

John DeSantis

On Mon 8 Apr 2019 at 14:46 Alexander Bokovoy
<aboko...@redhat.com> wrote:
>
> On Mon, 08 Apr 2019, John Desantis via FreeIPA-users wrote:
> >Hello all,
> >
> >I'm wondering if anyone could help shed light on why IPA CLI commands
> >fail for a trusted AD user, and why Web UI logins for the same user
> >fail with the message  "Your session has expired. Please re-login.",
> >despite creating a view for the user via `ipa idoverrideuser-add
> >'Default Trust View' ad_user@ad_domain.com`.  The symptoms appear
> >almost identical to the post [0], except that the cli and Web UI were
> >never working previously.
> Enable debugging for IPA server framework by creating a file
> /etc/ipa/server.conf with the following content:
>
> --------
> [global]
> debug=True
> --------
>
> Restart httpd and try again. Then collect logs and show that access
> attempt. The logs you attached so far only contain Apache modules'
> debugging information, not IPA framework's one.
>
> >I am able to login via SSH (on a host with an HBAC configured), and
> >able to `kinit` and obtain the appropriate tickets across the realms.
> >I've configured the system accordingly, per the URL:
> >https://www.freeipa.org/page/Active_Directory_trust_setup.
> >
> >I am running FreeIPA version 4.6.4 with a successful AD Trust (one
> >way) using the range type "ipa-ad-trust-posix", both nodes completely
> >re-provisioned (fresh installation purposes).  SELinux is disabled,
> >and the configuration IPA-wise is untouched, with the exception of
> >enabling debugging and editing krb5.conf per the URL:
> >https://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf
> >
> >I've attached Apache logs referencing the Web UI and from the console.
> >From what I have found online, it should be possible to allow an AD
> >user to login to Web UI and ipa CLI commands should function, too.
> >All IPA services are running and have been restarted, just in case
> >something was "stuck".  The interesting entries within the logs:
> >(Failed to unseal session data!, GSSapiImpersonate not On) seem to be
> >red herrings.
> Other than self-management, you wouldn't achieve anything in FreeIPA 4.6
> for that. Web UI / CLI administration with AD users is only available in
> RHEL 8.0 beta.
>
> ># /var/log/krb5kdc.log
> >
> >Apr 08 12:01:30 IPASERVER1.ipa.domain.com krb5kdc[10297](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 131.247.188.132: ISSUE: authtime 1554738690, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver1.ipa.domain....@ipa.domain.com for ldap/ipaserver1.ipa.domain....@ipa.domain.com
> >Apr 08 12:01:30 IPASERVER1.ipa.domain.com krb5kdc[10297](info): ... CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
> >Apr 08 12:01:30 IPASERVER1.ipa.domain.com krb5kdc[10297](info): closing down fd 11
> >Apr 08 12:01:31 IPASERVER1.ipa.domain.com krb5kdc[10298](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 131.247.188.132: ISSUE: authtime 1554738690, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver1.ipa.domain....@ipa.domain.com for ldap/ipaserver1.ipa.domain....@ipa.domain.com
> >Apr 08 12:01:31 IPASERVER1.ipa.domain.com krb5kdc[10298](info): ... CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
> >Apr 08 12:01:31 IPASERVER1.ipa.domain.com krb5kdc[10298](info): closing down fd 11
> Looks fine -- the framework actually asked for the ldap/... ticket
> on behalf of AD user, so S4U2Proxy did work. Can you see anything in
> LDAP server access logs at the same time?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
==> krb5kdc.log <==
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPA.SERVER.IP.ADDRESS: ISSUE: authtime 1554752218, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver1.ipa.domain....@ipa.domain.com for ldap/ipaserver1.ipa.domain....@ipa.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): ... CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): closing down fd 11
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPA.SERVER.IP.ADDRESS: ISSUE: authtime 1554752218, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver1.ipa.domain....@ipa.domain.com for ldap/ipaserver1.ipa.domain....@ipa.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): ... CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): closing down fd 11

==> httpd/access_log <==
IPA.SERVER.IP.ADDRESS - - [08/Apr/2019:15:39:17 -0400] "POST /ipa/session/json HTTP/1.1" 401 1300
IPA.SERVER.IP.ADDRESS - desan...@ad.domain.com [08/Apr/2019:15:39:17 -0400] "POST /ipa/session/json HTTP/1.1" 401 176
IPA.SERVER.IP.ADDRESS - desan...@ad.domain.com [08/Apr/2019:15:39:18 -0400] "POST /ipa/session/json HTTP/1.1" 401 176

==> httpd/error_log <==
[Mon Apr 08 15:39:17.764712 2019] [auth_gssapi:error] [pid 12016] [client IPA.SERVER.IP.ADDRESS:54134] Failed to unseal session data!, referer: https://IPASERVER1.ipa.domain.com/ipa/xml
[Mon Apr 08 15:39:17.764738 2019] [auth_gssapi:error] [pid 12016] [client IPA.SERVER.IP.ADDRESS:54134] NO AUTH DATA Client did not send any authentication headers, referer: https://IPASERVER1.ipa.domain.com/ipa/xml
[Mon Apr 08 15:39:18.262416 2019] [:error] [pid 12014] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Apr 08 15:39:18.262515 2019] [:error] [pid 12014] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Apr 08 15:39:18.327342 2019] [:error] [pid 12014] ipa: INFO: 401 Unauthorized: Insufficient access:  Invalid credentials
[Mon Apr 08 15:39:18.370463 2019] [:error] [pid 12012] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Apr 08 15:39:18.370573 2019] [:error] [pid 12012] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Apr 08 15:39:18.410750 2019] [:error] [pid 12012] ipa: INFO: 401 Unauthorized: Insufficient access:  Invalid credentials

[08/Apr/2019:15:58:06.828219899 -0400] conn=151 op=30 SRCH 
base="cn=ranges,cn=etc,dc=ipa,dc=domain,dc=com" scope=2 
filter="(objectClass=ipaIDRange)" attrs="objectClass cn ipaBaseID ipaBaseRID 
ipaSecondaryBaseRID ipaIDRangeSize ipaNTTrustedDomainSID ipaRangeType"
[08/Apr/2019:15:58:06.830419998 -0400] conn=151 op=30 RESULT err=0 tag=101 
nentries=6 etime=0.0002352533
[08/Apr/2019:15:58:06.831205283 -0400] conn=151 op=31 SRCH 
base="cn=certmap,dc=ipa,dc=domain,dc=com" scope=2 
filter="(|(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))(objectClass=ipaCertMapConfigObject))"
 attrs="objectClass cn ipaCertMapMapRule ipaCertMapMatchRule ipaCertMapPriority 
associatedDomain ipaCertMapPromptUsername"
[08/Apr/2019:15:58:06.831612673 -0400] conn=151 op=31 RESULT err=0 tag=101 
nentries=1 etime=0.0001140551
[08/Apr/2019:15:58:06.953607787 -0400] conn=151 op=32 SRCH 
base="cn=trusts,dc=ipa,dc=domain,dc=com" scope=2 
filter="(objectClass=ipaNTTrustedDomain)" attrs="cn ipaNTFlatName 
ipaNTTrustedDomainSID ipaNTTrustDirection ipaNTAdditionalSuffixes"
[08/Apr/2019:15:58:06.954547478 -0400] conn=151 op=32 RESULT err=0 tag=101 
nentries=5 etime=0.0122892026
[08/Apr/2019:15:58:06.955089671 -0400] conn=151 op=33 SRCH 
base="cn=default,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=*)" attrs="ipaDomainResolutionOrder"
[08/Apr/2019:15:58:06.955379816 -0400] conn=151 op=33 RESULT err=32 tag=101 
nentries=0 etime=0.0000775039
[08/Apr/2019:15:58:07.011852191 -0400] conn=151 op=34 SRCH 
base="cn=etc,dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" 
attrs="ipaDomainResolutionOrder"
[08/Apr/2019:15:58:07.012207220 -0400] conn=151 op=34 RESULT err=0 tag=101 
nentries=1 etime=0.0056788292
[08/Apr/2019:15:58:07.137057125 -0400] conn=151 op=35 SRCH base="cn=Default 
Trust View,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-150927795-2069884688-1238954376-150296))"
 attrs=ALL
[08/Apr/2019:15:58:07.137432432 -0400] conn=151 op=35 RESULT err=0 tag=101 
nentries=1 etime=0.1874822411
[08/Apr/2019:15:58:07.138057552 -0400] conn=151 op=36 SRCH base="cn=Default 
Trust View,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1174613319-2826275069-309285752-101506))"
 attrs=ALL
[08/Apr/2019:15:58:07.138231939 -0400] conn=151 op=36 RESULT err=0 tag=101 
nentries=0 etime=0.0000752359
[08/Apr/2019:15:58:07.138402579 -0400] conn=151 op=37 SRCH base="cn=Default 
Trust View,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1174613319-2826275069-309285752-512))"
 attrs=ALL
[08/Apr/2019:15:58:07.138585633 -0400] conn=151 op=37 RESULT err=0 tag=101 
nentries=0 etime=0.0000313706
[08/Apr/2019:15:58:07.138786172 -0400] conn=151 op=38 SRCH 
base="cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 
filter="(objectClass=ipaexternalgroup)" attrs=ALL
[08/Apr/2019:15:58:07.139576830 -0400] conn=151 op=38 RESULT err=0 tag=101 
nentries=2 etime=0.0000952709
[08/Apr/2019:15:58:07.203773734 -0400] conn=151 op=39 SRCH 
base="cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(cn=0f332b96-5629-11e9-a95e-d4ae52a0ecfe)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
 attrs="objectClass posixgroup cn userPassword gidNumber member ipaUniqueID 
ipaNTSecurityIdentifier modifyTimestamp entryusn ipaExternalMember"
[08/Apr/2019:15:58:07.203917323 -0400] conn=151 op=39 RESULT err=0 tag=101 
nentries=0 etime=0.0064299540
[08/Apr/2019:15:58:07.276938708 -0400] conn=155 fd=127 slot=127 connection from 
IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:07.279809270 -0400] conn=10 op=81 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ipa.domain....@ipa.domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.280160057 -0400] conn=10 op=81 RESULT err=0 tag=101 
nentries=1 etime=0.0000459257
[08/Apr/2019:15:58:07.280241561 -0400] conn=10 op=82 SRCH 
base="cn=ipaConfig,cn=etc,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[08/Apr/2019:15:58:07.280310207 -0400] conn=10 op=82 RESULT err=0 tag=101 
nentries=1 etime=0.0000131027
[08/Apr/2019:15:58:07.280751307 -0400] conn=10 op=83 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipaserver.ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipaserver.ipa.domain....@ipa.domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.281006248 -0400] conn=10 op=83 RESULT err=0 tag=101 
nentries=1 etime=0.0000681608
[08/Apr/2019:15:58:07.281155696 -0400] conn=10 op=84 SRCH 
base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.281225859 -0400] conn=10 op=84 RESULT err=0 tag=101 
nentries=1 etime=0.0000201664
[08/Apr/2019:15:58:07.281327210 -0400] conn=10 op=85 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipaserver.ipa.domain....@ipa.domain.com))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.281506338 -0400] conn=10 op=85 RESULT err=0 tag=101 
nentries=1 etime=0.0000266785
[08/Apr/2019:15:58:07.281694731 -0400] conn=10 op=86 SRCH 
base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.281777853 -0400] conn=10 op=86 RESULT err=0 tag=101 
nentries=1 etime=0.0000255402
[08/Apr/2019:15:58:07.281943486 -0400] conn=10 op=87 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipaserver.ipa.domain....@ipa.domain.com))"
 attrs="objectClass memberPrincipal"
[08/Apr/2019:15:58:07.282182397 -0400] conn=10 op=87 RESULT err=0 tag=101 
nentries=1 etime=0.0000388963
[08/Apr/2019:15:58:07.282354109 -0400] conn=10 op=88 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=desan...@ad.domain.com))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.282447648 -0400] conn=10 op=88 RESULT err=0 tag=101 
nentries=0 etime=0.0000250747
[08/Apr/2019:15:58:07.284423370 -0400] conn=155 op=0 BIND dn="" method=sasl 
version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:07.353126377 -0400] conn=155 op=0 RESULT err=49 tag=97 
nentries=0 etime=0.0068903273 - SASL(-14): authorization failure: 
[08/Apr/2019:15:58:07.353701909 -0400] conn=155 op=1 UNBIND
[08/Apr/2019:15:58:07.353733571 -0400] conn=155 op=1 fd=127 closed - U1
[08/Apr/2019:15:58:07.398716676 -0400] conn=156 fd=127 slot=127 connection from 
IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:07.401613238 -0400] conn=4 op=72 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ipa.domain....@ipa.domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.401891503 -0400] conn=4 op=72 RESULT err=0 tag=101 
nentries=1 etime=0.0000472649
[08/Apr/2019:15:58:07.402014269 -0400] conn=4 op=73 SRCH 
base="cn=ipaConfig,cn=etc,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[08/Apr/2019:15:58:07.402094183 -0400] conn=4 op=73 RESULT err=0 tag=101 
nentries=1 etime=0.0000183712
[08/Apr/2019:15:58:07.402495920 -0400] conn=4 op=74 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipaserver.ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipaserver.ipa.domain....@ipa.domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.402764935 -0400] conn=4 op=74 RESULT err=0 tag=101 
nentries=1 etime=0.0000655408
[08/Apr/2019:15:58:07.402930484 -0400] conn=4 op=75 SRCH 
base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.403012689 -0400] conn=4 op=75 RESULT err=0 tag=101 
nentries=1 etime=0.0000229856
[08/Apr/2019:15:58:07.403148136 -0400] conn=4 op=76 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipaserver.ipa.domain....@ipa.domain.com))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.403346287 -0400] conn=4 op=76 RESULT err=0 tag=101 
nentries=1 etime=0.0000318174
[08/Apr/2019:15:58:07.403463505 -0400] conn=4 op=77 SRCH 
base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.403532359 -0400] conn=4 op=77 RESULT err=0 tag=101 
nentries=1 etime=0.0000169748
[08/Apr/2019:15:58:07.403677946 -0400] conn=4 op=78 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipaserver.ipa.domain....@ipa.domain.com))"
 attrs="objectClass memberPrincipal"
[08/Apr/2019:15:58:07.403896980 -0400] conn=4 op=78 RESULT err=0 tag=101 
nentries=1 etime=0.0000340278
[08/Apr/2019:15:58:07.404098402 -0400] conn=4 op=79 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=desan...@ad.domain.com))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:07.404206745 -0400] conn=4 op=79 RESULT err=0 tag=101 
nentries=0 etime=0.0000295269
[08/Apr/2019:15:58:07.406157273 -0400] conn=156 op=0 BIND dn="" method=sasl 
version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:07.436644735 -0400] conn=156 op=0 RESULT err=49 tag=97 
nentries=0 etime=0.0030691229 - SASL(-14): authorization failure: 
[08/Apr/2019:15:58:07.437259131 -0400] conn=156 op=1 UNBIND
[08/Apr/2019:15:58:07.437281332 -0400] conn=156 op=1 fd=127 closed - U1
[08/Apr/2019:15:58:12.872234822 -0400] conn=157 fd=127 slot=127 connection from 
IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:12.874969578 -0400] conn=157 op=0 BIND dn="" method=sasl 
version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:12.900792537 -0400] conn=157 op=0 RESULT err=49 tag=97 
nentries=0 etime=0.0026012783 - SASL(-14): authorization failure: 
[08/Apr/2019:15:58:12.901218733 -0400] conn=157 op=1 UNBIND
[08/Apr/2019:15:58:12.901234988 -0400] conn=157 op=1 fd=127 closed - U1
[08/Apr/2019:15:58:13.031226604 -0400] conn=158 fd=127 slot=127 connection from 
IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:13.033671151 -0400] conn=15 op=252 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ipa.domain....@ipa.domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:13.034043773 -0400] conn=15 op=252 RESULT err=0 tag=101 
nentries=1 etime=0.0000613848
[08/Apr/2019:15:58:13.034181173 -0400] conn=15 op=253 SRCH 
base="cn=ipaConfig,cn=etc,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[08/Apr/2019:15:58:13.034264937 -0400] conn=15 op=253 RESULT err=0 tag=101 
nentries=1 etime=0.0000197330
[08/Apr/2019:15:58:13.034732741 -0400] conn=15 op=254 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipaserver.ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipaserver.ipa.domain....@ipa.domain.com)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:13.034973520 -0400] conn=15 op=254 RESULT err=0 tag=101 
nentries=1 etime=0.0000692748
[08/Apr/2019:15:58:13.035155432 -0400] conn=15 op=255 SRCH 
base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:13.035241734 -0400] conn=15 op=255 RESULT err=0 tag=101 
nentries=1 etime=0.0000249691
[08/Apr/2019:15:58:13.035313097 -0400] conn=15 op=256 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipaserver.ipa.domain....@ipa.domain.com))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:13.035504910 -0400] conn=15 op=256 RESULT err=0 tag=101 
nentries=1 etime=0.0000247683
[08/Apr/2019:15:58:13.035641392 -0400] conn=15 op=257 SRCH 
base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:13.035725794 -0400] conn=15 op=257 RESULT err=0 tag=101 
nentries=1 etime=0.0000205053
[08/Apr/2019:15:58:13.035923996 -0400] conn=15 op=258 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipaserver.ipa.domain....@ipa.domain.com))"
 attrs="objectClass memberPrincipal"
[08/Apr/2019:15:58:13.036179999 -0400] conn=15 op=258 RESULT err=0 tag=101 
nentries=1 etime=0.0000438455
[08/Apr/2019:15:58:13.036346934 -0400] conn=15 op=259 SRCH 
base="dc=ipa,dc=domain,dc=com" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=desan...@ad.domain.com))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[08/Apr/2019:15:58:13.036456599 -0400] conn=15 op=259 RESULT err=0 tag=101 
nentries=0 etime=0.0000260480
[08/Apr/2019:15:58:13.038380044 -0400] conn=158 op=0 BIND dn="" method=sasl 
version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:13.073816032 -0400] conn=158 op=0 RESULT err=49 tag=97 
nentries=0 etime=0.0035617044 - SASL(-14): authorization failure: 
[08/Apr/2019:15:58:13.074268551 -0400] conn=158 op=1 UNBIND
[08/Apr/2019:15:58:13.074291061 -0400] conn=158 op=1 fd=127 closed - U1
^C
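As an added example (not code from this thread, from FreeIPA or from 389-ds), a small Python correlator for the two logs the thread compares: it pairs each krb5kdc.log TGS_REQ ISSUE line with its CONSTRAINED-DELEGATION continuation to confirm that an ldap/ ticket was issued via S4U2Proxy, then pairs each 389-ds SASL BIND with its RESULT on the same conn/op and flags SASL(-14), which is Cyrus SASL's SASL_NOAUTHZ (authentication succeeded, but the server refused to authorize or map the resulting identity). The hostnames, principals and log lines are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed krb5kdc.log excerpt (placeholder hosts/principals): a TGS_REQ for
# ldap/ issued to HTTP/ on behalf of an AD user, i.e. S4U2Proxy succeeded.
KRB5KDC_LOG = """\
Apr 08 15:39:18 ipa1.example.test krb5kdc[10866](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1554752218, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa1.example.test@EXAMPLE.TEST for ldap/ipa1.example.test@EXAMPLE.TEST
Apr 08 15:39:18 ipa1.example.test krb5kdc[10866](info): ... CONSTRAINED-DELEGATION s4u-client=aduser@AD.EXAMPLE.TEST
Apr 08 15:39:18 ipa1.example.test krb5kdc[10866](info): closing down fd 11
"""

# Constructed 389-ds access log excerpt: one GSS-SPNEGO bind refused at the SASL
# authorization step (SASL_NOAUTHZ = -14), one accepted (RESULT carries the dn).
DIRSRV_ACCESS_LOG = """\
[08/Apr/2019:15:58:07.284423370 -0400] conn=155 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:07.353126377 -0400] conn=155 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0068903273 - SASL(-14): authorization failure: 
[08/Apr/2019:15:58:07.353701909 -0400] conn=155 op=1 UNBIND
[08/Apr/2019:15:58:09.100000000 -0400] conn=160 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:09.102000000 -0400] conn=160 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0010000000 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[08/Apr/2019:15:58:09.103000000 -0400] conn=160 op=1 UNBIND
"""

TGS_RE = re.compile(r"krb5kdc\[(?P<pid>\d+)\].*TGS_REQ .*ISSUE: .*?, (?P<client>\S+) for (?P<server>\S+)$")
S4U_RE = re.compile(r"krb5kdc\[(?P<pid>\d+)\].*CONSTRAINED-DELEGATION s4u-client=(?P<s4u>\S+)")
DS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>BIND|RESULT)\b(?P<rest>.*)$")
SASL_RE = re.compile(r"SASL\((?P<code>-?\d+)\): (?P<msg>[^:]+)")


def s4u2proxy_issues(text):
    """Return {(requesting service, target service): s4u-client} for each S4U2Proxy ISSUE."""
    pending, issued = {}, {}   # pending: pid -> last ISSUE seen, awaiting its continuation line
    for line in text.splitlines():
        m = TGS_RE.search(line)
        if m:
            pending[m["pid"]] = (m["client"], m["server"])
            continue
        m = S4U_RE.search(line)
        if m and m["pid"] in pending:
            issued[pending.pop(m["pid"])] = m["s4u"]
    return issued


def sasl_bind_results(text):
    """Pair every SASL BIND with its RESULT on the same (conn, op); one record per bind."""
    binds = OrderedDict()
    for line in text.splitlines():
        m = DS_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        if m["kind"] == "BIND" and "method=sasl" in m["rest"]:
            mech = re.search(r"mech=(\S+)", m["rest"])
            binds[key] = {"conn": m["conn"], "ts": m["ts"], "mech": mech.group(1) if mech else None,
                          "err": None, "sasl_code": None, "sasl_msg": None, "bound_dn": None}
        elif m["kind"] == "RESULT" and key in binds:
            rec = binds[key]
            rec["err"] = int(re.search(r"err=(\d+)", m["rest"]).group(1))
            sasl = SASL_RE.search(m["rest"])
            if sasl:   # authentication passed, but Cyrus SASL refused the authorization identity
                rec["sasl_code"], rec["sasl_msg"] = int(sasl["code"]), sasl["msg"].strip()
            dn = re.search(r'dn="([^"]*)"', m["rest"])
            rec["bound_dn"] = dn.group(1) if dn else None
    return list(binds.values())


def authz_failures(text):
    """Binds whose RESULT reports SASL(-14): the identity authenticated but could not be mapped."""
    return [r for r in sasl_bind_results(text) if r["sasl_code"] == -14]


def diagnose(kdc_text, ds_text):
    """Locate the failing stage: KDC (no S4U2Proxy ticket) vs. directory server (SASL authz)."""
    ldap_issues = {k: v for k, v in s4u2proxy_issues(kdc_text).items() if k[1].startswith("ldap/")}
    failures = authz_failures(ds_text)
    if not ldap_issues:
        return "no-s4u2proxy", "no CONSTRAINED-DELEGATION ldap/ ticket found in krb5kdc.log"
    if failures:
        who = ", ".join(sorted(set(ldap_issues.values())))
        return ("kerberos-ok-ldap-authz-failed",
                f"KDC issued ldap/ tickets on behalf of {who}; "
                f"{len(failures)} GSS-SPNEGO bind(s) then failed SASL authorization (-14)")
    return "ldap-ok", "every SASL bind in the access log was accepted"


if __name__ == "__main__":
    print(diagnose(KRB5KDC_LOG, DIRSRV_ACCESS_LOG))
```

Run against real files with `diagnose(open("/var/log/krb5kdc.log").read(), open(".../access").read())`; the "kerberos-ok-ldap-authz-failed" verdict is exactly the pattern in the logs above, pointing at the directory server's identity mapping rather than at Kerberos.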

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org