I have a freshly installed FreeIPA 4.6.5 (sssd 1.16.4, krb5 1.15.1-37, samba 
4.9.1-10) on CentOS 7.7.1908, and I can’t log in as an AD user.
FreeIPA is configured with a one-way trust to AD (win.gtf.kz); the AD user has the UPN n.u...@fgt.kz. 
The FreeIPA realm is nix.gtf.kz.

============
Configs on the FreeIPA server (dc1.nix.gtf.kz)

# ipa trust-show win.gtf.kz
  Realm name: win.gtf.kz
  Domain NetBIOS name: GTF
  Domain Security Identifier: S-1-5-21-1397031248-555657444-1703228444
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  UPN suffixes: gtf.kz, fgt.kz
  

[root@dc1 ~]# cat /etc/krb5.conf

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NIX.GTF.KZ
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 NIX.GTF.KZ = {
  kdc = dc1.nix.gtf.kz:88
  master_kdc = dc1.nix.gtf.kz:88
  admin_server = dc1.nix.gtf.kz:749
  default_domain = nix.gtf.kz
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .nix.gtf.kz = NIX.GTF.KZ
 nix.gtf.kz = NIX.GTF.KZ
 dc1.nix.gtf.kz = NIX.GTF.KZ

[dbmodules]
  NIX.GTF.KZ = {
    db_library = ipadb.so
  }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }


[root@dc1 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz

[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
  NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
  WIN.GTF.KZ = WIN.GTF.KZ
}


[root@dc1 ~]# cat /etc/sssd/sssd.conf

[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc1.nix.gtf.kz
chpass_provider = ipa
ipa_server = dc1.nix.gtf.kz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = sudo, nss, ifp, pam, ssh

domains = nix.gtf.kz
[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = ipaapi, root

[secrets]

[session_recording]

============

AD user.

[root@dc1 ~]# getent passwd solodovni...@win.gtf.kz
solodovni...@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:

[root@dc1 ~]# kinit solodovni...@win.gtf.kz
Password for solodovni...@win.gtf.kz:
[root@dc1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
Default principal: solodovni...@win.gtf.kz

Valid starting       Expires              Service principal
02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
        renew until 02/20/2020 11:05:10
                
[root@dc1 ~]# kvno -S host dc1.nix.gtf.kz
host/dc1.nix.gtf...@nix.gtf.kz: kvno = 2
[root@dc1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
Default principal: solodovni...@win.gtf.kz

Valid starting       Expires              Service principal
02/19/2020 11:07:34  02/19/2020 21:05:16  host/dc1.nix.gtf...@nix.gtf.kz
        renew until 02/20/2020 11:05:10
02/19/2020 11:07:34  02/19/2020 21:05:16  krbtgt/nix.gtf...@win.gtf.kz
        renew until 02/20/2020 11:05:10
02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
        renew until 02/20/2020 11:05:10
                
============

Attempts to log in as the AD user via SSH or su fail. The error is the same.

[root@dc1 ~]# useradd test
[root@dc1 ~]# su - test
[test@dc1 ~]$ su - solodovni...@win.gtf.kz
Password:
su: Authentication failure


In sssd log:

(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'IPA'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): 
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): 
Port status of port 0 for server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] 
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): 
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] 
(0x1000): Saving the first resolved server
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] 
(0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 7200
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] 
(0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz'
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] 
[krb5_add_krb5info_offline_callback] (0x4000): Removal callback already 
available for service [IPA].
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] 
(0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File 
already removed: [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] 
(0x1000): Domain win.gtf.kz is Active
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] 
(0x2000): Setting up signal handler up for pid [10883]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] 
(0x2000): Signal handler set up for pid [10883]
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] 
(0x0400): All data has been sent!
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): 
Waiting for child [10883].
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): 
child [10883] finished successfully.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): 
EOF received, client finished
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): 
The krb5_child process returned an error. Please inspect the krb5_child.log 
file or the journal for more information
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): 
Wait queue for user [solodovni...@win.gtf.kz] is empty.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] 
(0x1000): krb5_auth_queue request [0x55e915585c80] done.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP 
Request [PAM Authenticate #95]: Request handler finished [0]: Success
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP 
Request [PAM Authenticate #95]: Receiving request data.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
DP Request [PAM Authenticate #95]: Request removed.
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
Number of active DP request: 0
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP 
Request [PAM Authenticate #95]: Sending result [4][win.gtf.kz]


In krb5kdc.log:

Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 
19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz for 
krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 20 
19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz for 
krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11


============

Configs on the FreeIPA client (sqlg.nix.gtf.kz)

[root@sqlg ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@sqlg ~]# ipa --version
VERSION: 4.6.5, API_VERSION: 2.231

[root@sqlg ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = NIX.GTF.KZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  NIX.GTF.KZ = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .nix.gtf.kz = NIX.GTF.KZ
  nix.gtf.kz = NIX.GTF.KZ
  sqlg.nix.gtf.kz = NIX.GTF.KZ
  

[root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
  NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
  WIN.GTF.KZ = WIN.GTF.KZ
}


[root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
  NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
  WIN.GTF.KZ = WIN.GTF.KZ
}




[root@sqlg ~]# cat /etc/sssd/sssd.conf
[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = sqlg.nix.gtf.kz
chpass_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt

# Without these options, the AD user is not found.
use_fully_qualified_names = True
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))

[sssd]
services = nss, sudo, pam, ssh

domains = nix.gtf.kz
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]


[root@sqlg ~]# getent passwd solodovni...@win.gtf.kz
solodovni...@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:

[root@sqlg ~]# kinit solodovni...@win.gtf.kz
Password for solodovni...@win.gtf.kz:
[root@sqlg ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: solodovni...@win.gtf.kz

Valid starting       Expires              Service principal
02/19/2020 12:37:47  02/19/2020 22:37:47  krbtgt/win.gtf...@win.gtf.kz
        renew until 02/20/2020 12:37:42
[root@sqlg ~]# kvno -S host dc1.nix.gtf.kz
host/dc1.nix.gtf...@nix.gtf.kz: kvno = 2
[root@sqlg ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: solodovni...@win.gtf.kz

Valid starting       Expires              Service principal
02/19/2020 12:38:30  02/19/2020 22:37:47  host/dc1.nix.gtf...@nix.gtf.kz
        renew until 02/20/2020 12:37:42
02/19/2020 12:38:30  02/19/2020 22:37:47  krbtgt/nix.gtf...@win.gtf.kz
        renew until 02/20/2020 12:37:42
02/19/2020 12:37:47  02/19/2020 22:37:47  krbtgt/win.gtf...@win.gtf.kz
        renew until 02/20/2020 12:37:42
[root@sqlg ~]#


[root@sqlg ~]# su - test
Last login: Wed Feb 19 11:50:14 +07 2020 on pts/0
[test@sqlg ~]$ su - solodovni...@win.gtf.kz
Password:
su: Authentication failure


In sssd log:

(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_failed_login_attempts] 
(0x4000): Failed login attempts [0], allowed failed login attempts [0], failed 
login delay [5].
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [sysdb_cache_auth] (0x0100): 
Cached credentials not available.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [ldb] (0x4000): cancel ldb 
transaction (nesting: 0)
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_cache_creds] 
(0x0020): Offline authentication failed
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): 
Wait queue for user [solodovni...@win.gtf.kz] is empty.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] 
(0x1000): krb5_auth_queue request [0x55b69c74baf0] done.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP 
Request [PAM Authenticate #12]: Request handler finished [0]: Success
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP 
Request [PAM Authenticate #12]: Receiving request data.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
DP Request [PAM Authenticate #12]: Request removed.
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
Number of active DP request: 0
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP 
Request [PAM Authenticate #12]: Sending result [6][win.gtf.kz]

In /var/log/messages

Feb 19 12:40:08 sqlg su: (to test) root on pts/0
Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm 
"FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm 
"FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm 
"FGT.KZ"
Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm 
"FGT.KZ"
Feb 19 12:40:44 sqlg su: FAILED SU (to solodovni...@win.gtf.kz) root on pts/0


============

If I add the following to sssd.conf on the IPA server:

[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

In sssd log:

(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): 
dbus conn: 0x55f84f6f3e70
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): 
Dispatching.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] 
(0x0400): All data has been sent!
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): 
Waiting for child [11773].
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): 
child [11773] finished successfully.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): 
EOF received, client finished
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): 
The krb5_child process returned an error. Please inspect the krb5_child.log 
file or the journal for more information
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): 
Wait queue for user [solodovni...@win.gtf.kz] is empty.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] 
(0x1000): krb5_auth_queue request [0x55f850749870] done.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP 
Request [PAM Authenticate #23]: Request handler finished [0]: Success
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP 
Request [PAM Authenticate #23]: Receiving request data.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
DP Request [PAM Authenticate #23]: Request removed.
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
Number of active DP request: 0
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP 
Request [PAM Authenticate #23]: Sending result [4][win.gtf.kz]

In krb5kdc.log:

Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 
23 25 26 20 19}) 192.168.8.7: NEEDED_PREAUTH: host/dc1.nix.gtf...@nix.gtf.kz 
for krbtgt/nix.gtf...@nix.gtf.kz, Additional pre-authentication required
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 
23 25 26 20 19}) 192.168.8.7: ISSUE: authtime 1582092478, etypes {rep=18 tkt=18 
ses=18}, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 20 
19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@win.gtf...@nix.gtf.kz for 
krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): AS_REQ (8 etypes {18 17 20 
19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@win.gtf...@nix.gtf.kz for 
krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
found in Kerberos database
Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11


On the FreeIPA client:

In sssd log:

(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'IPA'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): 
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): 
Port status of port 389 for server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] 
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [resolve_srv_send] (0x0200): 
The status of SRV lookup is resolved
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): 
Status of server 'dc1.nix.gtf.kz' is 'working'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] 
(0x1000): Saving the first resolved server
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] 
(0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 1200
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] 
(0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz'
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] 
[krb5_add_krb5info_offline_callback] (0x4000): Removal callback already 
available for service [IPA].
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] 
(0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File 
already removed: [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] 
(0x1000): Domain win.gtf.kz is Active
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] 
(0x2000): Setting up signal handler up for pid [6709]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] 
(0x2000): Signal handler set up for pid [6709]
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] 
(0x0400): All data has been sent!
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): 
Waiting for child [6709].
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): 
child [6709] finished successfully.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): 
EOF received, client finished
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): 
The krb5_child process returned an error. Please inspect the krb5_child.log 
file or the journal for more information
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): 
Wait queue for user [solodovni...@win.gtf.kz] is empty.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] 
(0x1000): krb5_auth_queue request [0x56508c296b50] done.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP 
Request [PAM Authenticate #25]: Request handler finished [0]: Success
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP 
Request [PAM Authenticate #25]: Receiving request data.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
DP Request [PAM Authenticate #25]: Request removed.
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): 
Number of active DP request: 0
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP 
Request [PAM Authenticate #25]: Sending result [4][win.gtf.kz]

In /var/log/messages

Feb 19 13:19:49 sqlg su: (to test) root on pts/0
Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: 
Server krbtgt/win.gtf...@nix.gtf.kz not found in Kerberos database
Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: 
Server krbtgt/win.gtf...@nix.gtf.kz not found in Kerberos database
Feb 19 13:20:03 sqlg su: FAILED SU (to solodovni...@win.gtf.kz) root on pts/0


Hope this list can provide some pointers.

Thanks in advance.