I have a freshly installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37, samba
4.9.1-10, on CentOS 7.7.1908, and cannot log in as an AD user.
FreeIPA is configured with a one-way trust to AD (win.gtf.kz); the AD user has the UPN [email protected].
The FreeIPA realm is nix.gtf.kz.
============
Configs on the FreeIPA server (dc1.nix.gtf.kz)
# ipa trust-show win.gtf.kz
Realm name: win.gtf.kz
Domain NetBIOS name: GTF
Domain Security Identifier: S-1-5-21-1397031248-555657444-1703228444
Trust direction: Trusting forest
Trust type: Active Directory domain
UPN suffixes: gtf.kz, fgt.kz
[root@dc1 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = NIX.GTF.KZ
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NIX.GTF.KZ = {
kdc = dc1.nix.gtf.kz:88
master_kdc = dc1.nix.gtf.kz:88
admin_server = dc1.nix.gtf.kz:749
default_domain = nix.gtf.kz
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.nix.gtf.kz = NIX.GTF.KZ
nix.gtf.kz = NIX.GTF.KZ
dc1.nix.gtf.kz = NIX.GTF.KZ
[dbmodules]
NIX.GTF.KZ = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
[root@dc1 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
WIN.GTF.KZ = WIN.GTF.KZ
}
[root@dc1 ~]# cat /etc/sssd/sssd.conf
[domain/nix.gtf.kz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc1.nix.gtf.kz
chpass_provider = ipa
ipa_server = dc1.nix.gtf.kz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh
domains = nix.gtf.kz
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[secrets]
[session_recording]
============
AD user:
[root@dc1 ~]# getent passwd [email protected]
[email protected]:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
[root@dc1 ~]# kinit [email protected]
Password for [email protected]:
[root@dc1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
Default principal: [email protected]
Valid starting Expires Service principal
02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/[email protected]
renew until 02/20/2020 11:05:10
[root@dc1 ~]# kvno -S host dc1.nix.gtf.kz
host/[email protected]: kvno = 2
[root@dc1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
Default principal: [email protected]
Valid starting Expires Service principal
02/19/2020 11:07:34 02/19/2020 21:05:16 host/[email protected]
renew until 02/20/2020 11:05:10
02/19/2020 11:07:34 02/19/2020 21:05:16 krbtgt/[email protected]
renew until 02/20/2020 11:05:10
02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/[email protected]
renew until 02/20/2020 11:05:10
============
Attempts to log in as the AD user using SSH or su fail; the error is the same either way.
[root@dc1 ~]# useradd test
[root@dc1 ~]# su - test
[test@dc1 ~]$ su - [email protected]
Password:
su: Authentication failure
In the sssd log:
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000):
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000):
Port status of port 0 for server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000):
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process]
(0x1000): Saving the first resolved server
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process]
(0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 7200
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback]
(0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]]
[krb5_add_krb5info_offline_callback] (0x4000): Removal callback already
available for service [IPA].
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor]
(0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File
already removed: [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state]
(0x1000): Domain win.gtf.kz is Active
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [10883]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [10883]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000):
Waiting for child [10883].
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100):
child [10883] finished successfully.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400):
EOF received, client finished
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040):
The krb5_child process returned an error. Please inspect the krb5_child.log
file or the journal for more information
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000):
Wait queue for user [[email protected]] is empty.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x55e915585c80] done.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP
Request [PAM Authenticate #95]: Request handler finished [0]: Success
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP
Request [PAM Authenticate #95]: Receiving request data.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
DP Request [PAM Authenticate #95]: Request removed.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
Number of active DP request: 0
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP
Request [PAM Authenticate #95]: Sending result [4][win.gtf.kz]
In krb5kdc.log:
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20
19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@[email protected] for
krbtgt/[email protected], Realm not local to KDC
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 20
19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@[email protected] for
krbtgt/[email protected], Realm not local to KDC
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
============
Configs on the FreeIPA client (sqlg.nix.gtf.kz)
[root@sqlg ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@sqlg ~]# ipa --version
VERSION: 4.6.5, API_VERSION: 2.231
[root@sqlg ~]# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NIX.GTF.KZ
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NIX.GTF.KZ = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.nix.gtf.kz = NIX.GTF.KZ
nix.gtf.kz = NIX.GTF.KZ
sqlg.nix.gtf.kz = NIX.GTF.KZ
[root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
WIN.GTF.KZ = WIN.GTF.KZ
}
[root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
WIN.GTF.KZ = WIN.GTF.KZ
}
[root@sqlg ~]# cat /etc/sssd/sssd.conf
[domain/nix.gtf.kz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = sqlg.nix.gtf.kz
chpass_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt
# without these two options the AD user is not found
use_fully_qualified_names = True
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
[sssd]
services = nss, sudo, pam, ssh
domains = nix.gtf.kz
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
[root@sqlg ~]# getent passwd [email protected]
[email protected]:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
[root@sqlg ~]# kinit [email protected]
Password for [email protected]:
[root@sqlg ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]
Valid starting Expires Service principal
02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/[email protected]
renew until 02/20/2020 12:37:42
[root@sqlg ~]# kvno -S host dc1.nix.gtf.kz
host/[email protected]: kvno = 2
[root@sqlg ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]
Valid starting Expires Service principal
02/19/2020 12:38:30 02/19/2020 22:37:47 host/[email protected]
renew until 02/20/2020 12:37:42
02/19/2020 12:38:30 02/19/2020 22:37:47 krbtgt/[email protected]
renew until 02/20/2020 12:37:42
02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/[email protected]
renew until 02/20/2020 12:37:42
[root@sqlg ~]#
[root@sqlg ~]# su - test
Last login: Wed Feb 19 11:50:14 +07 2020 on pts/0
[test@sqlg ~]$ su - [email protected]
Password:
su: Authentication failure
In the sssd log:
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_failed_login_attempts]
(0x4000): Failed login attempts [0], allowed failed login attempts [0], failed
login delay [5].
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [sysdb_cache_auth] (0x0100):
Cached credentials not available.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [ldb] (0x4000): cancel ldb
transaction (nesting: 0)
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_cache_creds]
(0x0020): Offline authentication failed
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000):
Wait queue for user [[email protected]] is empty.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x55b69c74baf0] done.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP
Request [PAM Authenticate #12]: Request handler finished [0]: Success
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP
Request [PAM Authenticate #12]: Receiving request data.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
DP Request [PAM Authenticate #12]: Request removed.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
Number of active DP request: 0
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP
Request [PAM Authenticate #12]: Sending result [6][win.gtf.kz]
In /var/log/messages:
Feb 19 12:40:08 sqlg su: (to test) root on pts/0
Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm
"FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm
"FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm
"FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm
"FGT.KZ"
Feb 19 12:40:44 sqlg su: FAILED SU (to [email protected]) root on pts/0
============
If I add the following to sssd.conf on the IPA server:
[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr
In the sssd log:
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000):
dbus conn: 0x55f84f6f3e70
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000):
Waiting for child [11773].
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100):
child [11773] finished successfully.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400):
EOF received, client finished
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040):
The krb5_child process returned an error. Please inspect the krb5_child.log
file or the journal for more information
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000):
Wait queue for user [[email protected]] is empty.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x55f850749870] done.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP
Request [PAM Authenticate #23]: Request handler finished [0]: Success
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP
Request [PAM Authenticate #23]: Receiving request data.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
DP Request [PAM Authenticate #23]: Request removed.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
Number of active DP request: 0
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP
Request [PAM Authenticate #23]: Sending result [4][win.gtf.kz]
In krb5kdc.log:
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16
23 25 26 20 19}) 192.168.8.7: NEEDED_PREAUTH: host/[email protected]
for krbtgt/[email protected], Additional pre-authentication required
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16
23 25 26 20 19}) 192.168.8.7: ISSUE: authtime 1582092478, etypes {rep=18 tkt=18
ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 20
19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@[email protected] for
krbtgt/[email protected], Realm not local to KDC
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): AS_REQ (8 etypes {18 17 20
19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@[email protected] for
krbtgt/[email protected], Realm not local to KDC
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,
host/[email protected] for krbtgt/[email protected], Server not
found in Kerberos database
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
On the FreeIPA client:
In the sssd log:
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000):
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000):
Port status of port 389 for server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [resolve_srv_send] (0x0200):
The status of SRV lookup is resolved
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000):
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process]
(0x1000): Saving the first resolved server
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process]
(0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 1200
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback]
(0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]]
[krb5_add_krb5info_offline_callback] (0x4000): Removal callback already
available for service [IPA].
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor]
(0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File
already removed: [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state]
(0x1000): Domain win.gtf.kz is Active
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [6709]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [6709]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000):
Waiting for child [6709].
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100):
child [6709] finished successfully.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400):
EOF received, client finished
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040):
The krb5_child process returned an error. Please inspect the krb5_child.log
file or the journal for more information
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000):
Wait queue for user [[email protected]] is empty.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done]
(0x1000): krb5_auth_queue request [0x56508c296b50] done.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP
Request [PAM Authenticate #25]: Request handler finished [0]: Success
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP
Request [PAM Authenticate #25]: Receiving request data.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
DP Request [PAM Authenticate #25]: Request removed.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400):
Number of active DP request: 0
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP
Request [PAM Authenticate #25]: Sending result [4][win.gtf.kz]
In /var/log/messages:
Feb 19 13:19:49 sqlg su: (to test) root on pts/0
Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor:
Server krbtgt/[email protected] not found in Kerberos database
Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor:
Server krbtgt/[email protected] not found in Kerberos database
Feb 19 13:20:03 sqlg su: FAILED SU (to [email protected]) root on pts/0
I hope this list can provide some pointers.
Thanks in advance.