Alexander,

> Enable debugging for IPA server framework by creating a file
> /etc/ipa/server.conf with the following content:
>
> --------
> [global]
> debug=True
> --------
>
> Restart httpd and try again. Then collect logs and show that access
> attempt. The logs you attached so far only contain Apache modules'
> debugging information, not IPA framework's one.

Thanks for your reply. I went ahead and disabled the debug logs via httpd/conf.d/nss.conf to "warn", and now am only using server.conf "debug=True" (which was already set). I've attached the logs generated via a fresh request and `tail -f krb5kdc.log httpd/{access,error}_log dirsrv/slapd-IPA-DOMAIN-COM/{access,error}`, but you'll see that there is much less output.

> Other than self-management, you wouldn't achieve anything in FreeIPA 4.6
> for that. Web UI / CLI administration with AD users is only available in
> RHEL 8.0 beta.

Right. I did see a post suggesting limited AD user access in terms of Web UI and cli, but the post below suggests that ipa cli access was/is available as of FreeIPA 4.5.0:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/5OWV3YTPG4ZETKJG2GVP2LDDTUUIAC2D/

> Looks like fine -- the framework actually asked for the ldap/... ticket
> on behalf of AD user, so S4U2Proxy did work. Can you see anything in
> LDAP server access logs at the same time?

Thanks for the suggestion. There is a "SASL(-14) authorization failure" in the dirsrv/INSTANCE/access log, but no entries within the dirsrv/INSTANCE/error log; I've attached a copy of the relevant log entries.

John DeSantis

On Mon 8 Apr 2019 at 14:46 Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> On Mon, 08 Apr 2019, John Desantis via FreeIPA-users wrote:
> >Hello all,
> >
> >I'm wondering if anyone could help shed light on why IPA CLI commands
> >fail for a trusted AD user, and why Web UI logins for the same user
> >fail with the message "Your session has expired. Please re-login.",
> >despite creating a view for the user via `ipa idoverrideuser-add
> >'Default Trust View' ad_user@ad_domain.com`. The symptoms appear
> >almost identical to the post [0], except that the cli and Web UI were
> >never working previously.
> Enable debugging for IPA server framework by creating a file
> /etc/ipa/server.conf with the following content:
>
> --------
> [global]
> debug=True
> --------
>
> Restart httpd and try again. Then collect logs and show that access
> attempt. The logs you attached so far only contain Apache modules'
> debugging information, not IPA framework's one.
>
> >I am able to login via SSH (on a host with an HBAC configured), and
> >able to `kinit` and obtain the appropriate tickets across the realms.
> >I've configured the system accordingly, per the URL:
> >https://www.freeipa.org/page/Active_Directory_trust_setup.
> >
> >I am running FreeIPA version 4.6.4 with a successful AD Trust (one
> >way) using the range type "ipa-ad-trust-posix", both nodes completely
> >re-provisioned (fresh installation purposes). SELinux is disabled,
> >and the configuration IPA-wise is untouched, with the exception of
> >enabling debugging and editing krb5.conf per the URL:
> >https://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf
> >
> >I've attached Apache logs referencing the Web UI and from the console.
> >From what I have found online, it should be possible to allow an AD
> >user to login to Web UI and ipa CLI commands should function, too.
> >All IPA services are running and have been restarted, just in case
> >something was "stuck". The interesting entries within the logs:
> >(Failed to unseal session data!, GSSapiImpersonate not On) seem to be
> >red herrings.
> Other than self-management, you wouldn't achieve anything in FreeIPA 4.6
> for that. Web UI / CLI administration with AD users is only available in
> RHEL 8.0 beta.
>
> ># /var/log/krb5kdc.log
> >
> >Apr 08 12:01:30 IPASERVER1.ipa.domain.com krb5kdc[10297](info): TGS_REQ (8
> >etypes {18 17 20 19 16 23 25 26}) 131.247.188.132: ISSUE: authtime
> >1554738690, etypes {rep=18 tkt=18 ses=18},
> >HTTP/ipaserver1.ipa.domain....@ipa.domain.com for
> >ldap/ipaserver1.ipa.domain....@ipa.domain.com
> >Apr 08 12:01:30 IPASERVER1.ipa.domain.com krb5kdc[10297](info): ...
> >CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
> >Apr 08 12:01:30 IPASERVER1.ipa.domain.com krb5kdc[10297](info): closing down
> >fd 11
> >Apr 08 12:01:31 IPASERVER1.ipa.domain.com krb5kdc[10298](info): TGS_REQ (8
> >etypes {18 17 20 19 16 23 25 26}) 131.247.188.132: ISSUE: authtime
> >1554738690, etypes {rep=18 tkt=18 ses=18},
> >HTTP/ipaserver1.ipa.domain....@ipa.domain.com for
> >ldap/ipaserver1.ipa.domain....@ipa.domain.com
> >Apr 08 12:01:31 IPASERVER1.ipa.domain.com krb5kdc[10298](info): ...
> >CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
> >Apr 08 12:01:31 IPASERVER1.ipa.domain.com krb5kdc[10298](info): closing down
> >fd 11
> Looks like fine -- the framework actually asked for the ldap/... ticket
> on behalf of AD user, so S4U2Proxy did work. Can you see anything in
> LDAP server access logs at the same time?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
==> krb5kdc.log <==
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPA.SERVER.IP.ADDRESS: ISSUE: authtime 1554752218, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver1.ipa.domain....@ipa.domain.com for ldap/ipaserver1.ipa.domain....@ipa.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): ... CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): closing down fd 11
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) IPA.SERVER.IP.ADDRESS: ISSUE: authtime 1554752218, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver1.ipa.domain....@ipa.domain.com for ldap/ipaserver1.ipa.domain....@ipa.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): ... CONSTRAINED-DELEGATION s4u-client=desan...@ad.domain.com
Apr 08 15:39:18 IPASERVER1.ipa.domain.com krb5kdc[10866](info): closing down fd 11

==> httpd/access_log <==
IPA.SERVER.IP.ADDRESS - - [08/Apr/2019:15:39:17 -0400] "POST /ipa/session/json HTTP/1.1" 401 1300
IPA.SERVER.IP.ADDRESS - desan...@ad.domain.com [08/Apr/2019:15:39:17 -0400] "POST /ipa/session/json HTTP/1.1" 401 176
IPA.SERVER.IP.ADDRESS - desan...@ad.domain.com [08/Apr/2019:15:39:18 -0400] "POST /ipa/session/json HTTP/1.1" 401 176

==> httpd/error_log <==
[Mon Apr 08 15:39:17.764712 2019] [auth_gssapi:error] [pid 12016] [client IPA.SERVER.IP.ADDRESS:54134] Failed to unseal session data!, referer: https://IPASERVER1.ipa.domain.com/ipa/xml
[Mon Apr 08 15:39:17.764738 2019] [auth_gssapi:error] [pid 12016] [client IPA.SERVER.IP.ADDRESS:54134] NO AUTH DATA Client did not send any authentication headers, referer: https://IPASERVER1.ipa.domain.com/ipa/xml
[Mon Apr 08 15:39:18.262416 2019] [:error] [pid 12014] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Apr 08 15:39:18.262515 2019] [:error] [pid 12014] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Apr 08 15:39:18.327342 2019] [:error] [pid 12014] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[Mon Apr 08 15:39:18.370463 2019] [:error] [pid 12012] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Apr 08 15:39:18.370573 2019] [:error] [pid 12012] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Apr 08 15:39:18.410750 2019] [:error] [pid 12012] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
[08/Apr/2019:15:58:06.828219899 -0400] conn=151 op=30 SRCH base="cn=ranges,cn=etc,dc=ipa,dc=domain,dc=com" scope=2 filter="(objectClass=ipaIDRange)" attrs="objectClass cn ipaBaseID ipaBaseRID ipaSecondaryBaseRID ipaIDRangeSize ipaNTTrustedDomainSID ipaRangeType"
[08/Apr/2019:15:58:06.830419998 -0400] conn=151 op=30 RESULT err=0 tag=101 nentries=6 etime=0.0002352533
[08/Apr/2019:15:58:06.831205283 -0400] conn=151 op=31 SRCH base="cn=certmap,dc=ipa,dc=domain,dc=com" scope=2 filter="(|(&(objectClass=ipaCertMapRule)(ipaEnabledFlag=TRUE))(objectClass=ipaCertMapConfigObject))" attrs="objectClass cn ipaCertMapMapRule ipaCertMapMatchRule ipaCertMapPriority associatedDomain ipaCertMapPromptUsername"
[08/Apr/2019:15:58:06.831612673 -0400] conn=151 op=31 RESULT err=0 tag=101 nentries=1 etime=0.0001140551
[08/Apr/2019:15:58:06.953607787 -0400] conn=151 op=32 SRCH base="cn=trusts,dc=ipa,dc=domain,dc=com" scope=2 filter="(objectClass=ipaNTTrustedDomain)" attrs="cn ipaNTFlatName ipaNTTrustedDomainSID ipaNTTrustDirection ipaNTAdditionalSuffixes"
[08/Apr/2019:15:58:06.954547478 -0400] conn=151 op=32 RESULT err=0 tag=101 nentries=5 etime=0.0122892026
[08/Apr/2019:15:58:06.955089671 -0400] conn=151 op=33 SRCH base="cn=default,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaDomainResolutionOrder"
[08/Apr/2019:15:58:06.955379816 -0400] conn=151 op=33 RESULT err=32 tag=101 nentries=0 etime=0.0000775039
[08/Apr/2019:15:58:07.011852191 -0400] conn=151 op=34 SRCH base="cn=etc,dc=ipa,dc=domain,dc=com" scope=2 filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" attrs="ipaDomainResolutionOrder"
[08/Apr/2019:15:58:07.012207220 -0400] conn=151 op=34 RESULT err=0 tag=101 nentries=1 etime=0.0056788292
[08/Apr/2019:15:58:07.137057125 -0400] conn=151 op=35 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-150927795-2069884688-1238954376-150296))" attrs=ALL
[08/Apr/2019:15:58:07.137432432 -0400] conn=151 op=35 RESULT err=0 tag=101 nentries=1 etime=0.1874822411
[08/Apr/2019:15:58:07.138057552 -0400] conn=151 op=36 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1174613319-2826275069-309285752-101506))" attrs=ALL
[08/Apr/2019:15:58:07.138231939 -0400] conn=151 op=36 RESULT err=0 tag=101 nentries=0 etime=0.0000752359
[08/Apr/2019:15:58:07.138402579 -0400] conn=151 op=37 SRCH base="cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1174613319-2826275069-309285752-512))" attrs=ALL
[08/Apr/2019:15:58:07.138585633 -0400] conn=151 op=37 RESULT err=0 tag=101 nentries=0 etime=0.0000313706
[08/Apr/2019:15:58:07.138786172 -0400] conn=151 op=38 SRCH base="cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 filter="(objectClass=ipaexternalgroup)" attrs=ALL
[08/Apr/2019:15:58:07.139576830 -0400] conn=151 op=38 RESULT err=0 tag=101 nentries=2 etime=0.0000952709
[08/Apr/2019:15:58:07.203773734 -0400] conn=151 op=39 SRCH base="cn=accounts,dc=ipa,dc=domain,dc=com" scope=2 filter="(&(cn=0f332b96-5629-11e9-a95e-d4ae52a0ecfe)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass posixgroup cn userPassword gidNumber member ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn ipaExternalMember"
[08/Apr/2019:15:58:07.203917323 -0400] conn=151 op=39 RESULT err=0 tag=101 nentries=0 etime=0.0064299540
[08/Apr/2019:15:58:07.276938708 -0400] conn=155 fd=127 slot=127 connection from IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:07.279809270 -0400] conn=10 op=81 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ipa.domain....@ipa.domain.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.280160057 -0400] conn=10 op=81 RESULT err=0 tag=101 nentries=1 etime=0.0000459257
[08/Apr/2019:15:58:07.280241561 -0400] conn=10 op=82 SRCH base="cn=ipaConfig,cn=etc,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[08/Apr/2019:15:58:07.280310207 -0400] conn=10 op=82 RESULT err=0 tag=101 nentries=1 etime=0.0000131027
[08/Apr/2019:15:58:07.280751307 -0400] conn=10 op=83 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipaserver.ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipaserver.ipa.domain....@ipa.domain.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.281006248 -0400] conn=10 op=83 RESULT err=0 tag=101 nentries=1 etime=0.0000681608
[08/Apr/2019:15:58:07.281155696 -0400] conn=10 op=84 SRCH base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.281225859 -0400] conn=10 op=84 RESULT err=0 tag=101 nentries=1 etime=0.0000201664
[08/Apr/2019:15:58:07.281327210 -0400] conn=10 op=85 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipaserver.ipa.domain....@ipa.domain.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.281506338 -0400] conn=10 op=85 RESULT err=0 tag=101 nentries=1 etime=0.0000266785
[08/Apr/2019:15:58:07.281694731 -0400] conn=10 op=86 SRCH base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.281777853 -0400] conn=10 op=86 RESULT err=0 tag=101 nentries=1 etime=0.0000255402
[08/Apr/2019:15:58:07.281943486 -0400] conn=10 op=87 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipaserver.ipa.domain....@ipa.domain.com))" attrs="objectClass memberPrincipal"
[08/Apr/2019:15:58:07.282182397 -0400] conn=10 op=87 RESULT err=0 tag=101 nentries=1 etime=0.0000388963
[08/Apr/2019:15:58:07.282354109 -0400] conn=10 op=88 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=desan...@ad.domain.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.282447648 -0400] conn=10 op=88 RESULT err=0 tag=101 nentries=0 etime=0.0000250747
[08/Apr/2019:15:58:07.284423370 -0400] conn=155 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:07.353126377 -0400] conn=155 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0068903273 - SASL(-14): authorization failure:
[08/Apr/2019:15:58:07.353701909 -0400] conn=155 op=1 UNBIND
[08/Apr/2019:15:58:07.353733571 -0400] conn=155 op=1 fd=127 closed - U1
[08/Apr/2019:15:58:07.398716676 -0400] conn=156 fd=127 slot=127 connection from IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:07.401613238 -0400] conn=4 op=72 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ipa.domain....@ipa.domain.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.401891503 -0400] conn=4 op=72 RESULT err=0 tag=101 nentries=1 etime=0.0000472649
[08/Apr/2019:15:58:07.402014269 -0400] conn=4 op=73 SRCH base="cn=ipaConfig,cn=etc,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[08/Apr/2019:15:58:07.402094183 -0400] conn=4 op=73 RESULT err=0 tag=101 nentries=1 etime=0.0000183712
[08/Apr/2019:15:58:07.402495920 -0400] conn=4 op=74 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipaserver.ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipaserver.ipa.domain....@ipa.domain.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.402764935 -0400] conn=4 op=74 RESULT err=0 tag=101 nentries=1 etime=0.0000655408
[08/Apr/2019:15:58:07.402930484 -0400] conn=4 op=75 SRCH base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.403012689 -0400] conn=4 op=75 RESULT err=0 tag=101 nentries=1 etime=0.0000229856
[08/Apr/2019:15:58:07.403148136 -0400] conn=4 op=76 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipaserver.ipa.domain....@ipa.domain.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.403346287 -0400] conn=4 op=76 RESULT err=0 tag=101 nentries=1 etime=0.0000318174
[08/Apr/2019:15:58:07.403463505 -0400] conn=4 op=77 SRCH base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:07.403532359 -0400] conn=4 op=77 RESULT err=0 tag=101 nentries=1 etime=0.0000169748
[08/Apr/2019:15:58:07.403677946 -0400] conn=4 op=78 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipaserver.ipa.domain....@ipa.domain.com))" attrs="objectClass memberPrincipal"
[08/Apr/2019:15:58:07.403896980 -0400] conn=4 op=78 RESULT err=0 tag=101 nentries=1 etime=0.0000340278
[08/Apr/2019:15:58:07.404098402 -0400] conn=4 op=79 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=desan...@ad.domain.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:07.404206745 -0400] conn=4 op=79 RESULT err=0 tag=101 nentries=0 etime=0.0000295269
[08/Apr/2019:15:58:07.406157273 -0400] conn=156 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:07.436644735 -0400] conn=156 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0030691229 - SASL(-14): authorization failure:
[08/Apr/2019:15:58:07.437259131 -0400] conn=156 op=1 UNBIND
[08/Apr/2019:15:58:07.437281332 -0400] conn=156 op=1 fd=127 closed - U1
[08/Apr/2019:15:58:12.872234822 -0400] conn=157 fd=127 slot=127 connection from IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:12.874969578 -0400] conn=157 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:12.900792537 -0400] conn=157 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0026012783 - SASL(-14): authorization failure:
[08/Apr/2019:15:58:12.901218733 -0400] conn=157 op=1 UNBIND
[08/Apr/2019:15:58:12.901234988 -0400] conn=157 op=1 fd=127 closed - U1
[08/Apr/2019:15:58:13.031226604 -0400] conn=158 fd=127 slot=127 connection from IPA.SERVER.IP.ADDRESS to IPA.SERVER.IP.ADDRESS
[08/Apr/2019:15:58:13.033671151 -0400] conn=15 op=252 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/ipa.domain....@ipa.domain.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:13.034043773 -0400] conn=15 op=252 RESULT err=0 tag=101 nentries=1 etime=0.0000613848
[08/Apr/2019:15:58:13.034181173 -0400] conn=15 op=253 SRCH base="cn=ipaConfig,cn=etc,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[08/Apr/2019:15:58:13.034264937 -0400] conn=15 op=253 RESULT err=0 tag=101 nentries=1 etime=0.0000197330
[08/Apr/2019:15:58:13.034732741 -0400] conn=15 op=254 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/ipaserver.ipa.domain....@ipa.domain.com)(krbPrincipalName:caseIgnoreIA5Match:=ldap/ipaserver.ipa.domain....@ipa.domain.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:13.034973520 -0400] conn=15 op=254 RESULT err=0 tag=101 nentries=1 etime=0.0000692748
[08/Apr/2019:15:58:13.035155432 -0400] conn=15 op=255 SRCH base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:13.035241734 -0400] conn=15 op=255 RESULT err=0 tag=101 nentries=1 etime=0.0000249691
[08/Apr/2019:15:58:13.035313097 -0400] conn=15 op=256 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ipaserver.ipa.domain....@ipa.domain.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:13.035504910 -0400] conn=15 op=256 RESULT err=0 tag=101 nentries=1 etime=0.0000247683
[08/Apr/2019:15:58:13.035641392 -0400] conn=15 op=257 SRCH base="cn=IPA.DOMAIN.COM,cn=kerberos,dc=ipa,dc=domain,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[08/Apr/2019:15:58:13.035725794 -0400] conn=15 op=257 RESULT err=0 tag=101 nentries=1 etime=0.0000205053
[08/Apr/2019:15:58:13.035923996 -0400] conn=15 op=258 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(objectClass=ipaKrb5DelegationACL)(memberPrincipal=HTTP/ipaserver.ipa.domain....@ipa.domain.com))" attrs="objectClass memberPrincipal"
[08/Apr/2019:15:58:13.036179999 -0400] conn=15 op=258 RESULT err=0 tag=101 nentries=1 etime=0.0000438455
[08/Apr/2019:15:58:13.036346934 -0400] conn=15 op=259 SRCH base="dc=ipa,dc=domain,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=desan...@ad.domain.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[08/Apr/2019:15:58:13.036456599 -0400] conn=15 op=259 RESULT err=0 tag=101 nentries=0 etime=0.0000260480
[08/Apr/2019:15:58:13.038380044 -0400] conn=158 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:13.073816032 -0400] conn=158 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0035617044 - SASL(-14): authorization failure:
[08/Apr/2019:15:58:13.074268551 -0400] conn=158 op=1 UNBIND
[08/Apr/2019:15:58:13.074291061 -0400] conn=158 op=1 fd=127 closed - U1
^C
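The diagnosis in this thread rests on reading two logs side by side: the krb5kdc.log TGS_REQ line followed by a CONSTRAINED-DELEGATION line shows the HTTP service obtaining an ldap/ ticket on behalf of the AD user (the S4U2Proxy step Alexander points to), and the 389-ds access log then shows the GSS-SPNEGO bind on the fresh connection ending in err=49 (LDAP invalidCredentials) with SASL(-14), which is Cyrus SASL's SASL_NOAUTHZ "authorization failure". The script below is an added example written for this page, not code from the thread or from FreeIPA; it pairs each BIND with the RESULT carrying the same conn/op, extracts the S4U2Proxy issuances, and summarises both. The log lines embedded in it are constructed, modelled on the excerpts above, with placeholder hostnames, realms and addresses.

```python
import re

# Constructed sample lines modelled on the thread's krb5kdc.log and 389-ds
# access log excerpts; hosts, realms, user and addresses are placeholders.
KDC_LOG = """\
Apr 08 15:39:18 ipaserver1.example.test krb5kdc[10866](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1554752218, etypes {rep=18 tkt=18 ses=18}, HTTP/ipaserver1.example.test@EXAMPLE.TEST for ldap/ipaserver1.example.test@EXAMPLE.TEST
Apr 08 15:39:18 ipaserver1.example.test krb5kdc[10866](info): ... CONSTRAINED-DELEGATION s4u-client=aduser@AD.EXAMPLE.TEST
Apr 08 15:39:18 ipaserver1.example.test krb5kdc[10866](info): closing down fd 11
"""

DS_ACCESS_LOG = """\
[08/Apr/2019:15:58:07.276938708 -0400] conn=155 fd=127 slot=127 connection from 192.0.2.10 to 192.0.2.10
[08/Apr/2019:15:58:07.284423370 -0400] conn=155 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:07.353126377 -0400] conn=155 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0068903273 - SASL(-14): authorization failure:
[08/Apr/2019:15:58:07.353701909 -0400] conn=155 op=1 UNBIND
[08/Apr/2019:15:58:07.353733571 -0400] conn=155 op=1 fd=127 closed - U1
[08/Apr/2019:15:58:09.000000000 -0400] conn=160 fd=128 slot=128 connection from 192.0.2.10 to 192.0.2.10
[08/Apr/2019:15:58:09.001000000 -0400] conn=160 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[08/Apr/2019:15:58:09.020000000 -0400] conn=160 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0010000000 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
"""

# "..., <client principal> for <service principal>" at the end of an ISSUE line.
TGS_RE = re.compile(r"TGS_REQ .*? ISSUE: .*?, (?P<client>\S+) for (?P<server>\S+)$")
S4U_RE = re.compile(r"CONSTRAINED-DELEGATION s4u-client=(?P<user>\S+)$")
# 389-ds access log prefix: timestamp, conn, optional op, then the operation text.
DS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")


def s4u2proxy_issuances(log_text):
    """Pair each TGS_REQ ISSUE line with the CONSTRAINED-DELEGATION line that
    follows it. A pair means the KDC issued a ticket for `service` to `proxy`
    (the HTTP service) on behalf of `user`: the S4U2Proxy step."""
    out, pending = [], None
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m:
            pending = (m.group("client"), m.group("server"))
            continue
        m = S4U_RE.search(line)
        if m and pending:
            out.append({"proxy": pending[0], "service": pending[1], "user": m.group("user")})
            pending = None
    return out


def sasl_bind_outcomes(log_text):
    """Correlate every SASL BIND with the RESULT sharing its conn/op and return
    one record per bind: mechanism, LDAP err code, the SASL detail the server
    appended on failure, and the DN the server bound on success."""
    binds, results = {}, []
    for line in log_text.splitlines():
        m = DS_RE.match(line)
        if not m or m.group("op") is None:
            continue                      # connection open/close lines carry no op
        key, rest = (m.group("conn"), m.group("op")), m.group("rest")
        if rest.startswith("BIND ") and "method=sasl" in rest:
            mech = re.search(r"mech=(\S+)", rest)
            binds[key] = mech.group(1) if mech else "?"
        elif rest.startswith("RESULT ") and key in binds:
            err = int(re.search(r"err=(\d+)", rest).group(1))
            sasl = re.search(r"SASL\((-?\d+)\): ([^:]+)", rest)
            dn = re.search(r'dn="([^"]*)"', rest)
            results.append({
                "conn": key[0], "op": key[1], "mech": binds.pop(key), "err": err,
                "sasl_code": int(sasl.group(1)) if sasl else None,
                "sasl_msg": sasl.group(2).strip() if sasl else None,
                "bound_dn": dn.group(1) if dn else None,
            })
    return results


def authorization_failures(records):
    """err=49 is LDAP invalidCredentials; SASL(-14) is SASL_NOAUTHZ, i.e. the
    GSSAPI authentication itself succeeded but the server could not authorize
    (map) the authenticated identity."""
    return [r for r in records if r["err"] == 49 and r["sasl_code"] == -14]


def diagnose(kdc_text, ds_text):
    """Summarise the two logs the way the thread reads them: did the KDC issue
    a proxied ticket, and did the directory server then accept the bind?"""
    proxied = s4u2proxy_issuances(kdc_text)
    failures = authorization_failures(sasl_bind_outcomes(ds_text))
    return {
        "s4u2proxy_issued": bool(proxied),
        "s4u_users": sorted({p["user"] for p in proxied}),
        "ldap_authz_failures": [(f["conn"], f["mech"]) for f in failures],
    }


if __name__ == "__main__":
    for k, v in diagnose(KDC_LOG, DS_ACCESS_LOG).items():
        print(f"{k}: {v}")
```

Run against a real pair of logs, the `s4u2proxy_issued` flag separates "the KDC refused to delegate" from "the KDC delegated but the directory refused the mapped identity", which is the distinction this thread turns on; the constructed successful bind on conn=160 is there only to show that a good SASL bind is reported with its bound DN rather than as a failure.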
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org