I have a freshly installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37 and samba 4.9.1-10 on CentOS 7.7.1908, and I cannot log in as an AD user. FreeIPA is configured with a one-way trust to AD (win.gtf.kz); the AD user has the UPN n.u...@fgt.kz, i.e. a UPN suffix (fgt.kz) that differs from the AD realm name (win.gtf.kz). The FreeIPA realm is nix.gtf.kz.
============ Configs on the FreeIPA server (dc1.nix.gtf.kz) # ipa trust-show win.gtf.kz Realm name: win.gtf.kz Domain NetBIOS name: GTF Domain Security Identifier: S-1-5-21-1397031248-555657444-1703228444 Trust direction: Trusting forest Trust type: Active Directory domain UPN suffixes: gtf.kz, fgt.kz [root@dc1 ~]# cat /etc/krb5.conf includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = NIX.GTF.KZ dns_lookup_realm = false dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] NIX.GTF.KZ = { kdc = dc1.nix.gtf.kz:88 master_kdc = dc1.nix.gtf.kz:88 admin_server = dc1.nix.gtf.kz:749 default_domain = nix.gtf.kz pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .nix.gtf.kz = NIX.GTF.KZ nix.gtf.kz = NIX.GTF.KZ dc1.nix.gtf.kz = NIX.GTF.KZ [dbmodules] NIX.GTF.KZ = { db_library = ipadb.so } [plugins] certauth = { module = ipakdb:kdb/ipadb.so enable_only = ipakdb } [root@dc1 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz [domain_realm] .win.gtf.kz = WIN.GTF.KZ win.gtf.kz = WIN.GTF.KZ [capaths] WIN.GTF.KZ = { NIX.GTF.KZ = WIN.GTF.KZ } NIX.GTF.KZ = { WIN.GTF.KZ = WIN.GTF.KZ } [root@dc1 ~]# cat /etc/sssd/sssd.conf [domain/nix.gtf.kz] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nix.gtf.kz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = dc1.nix.gtf.kz chpass_provider = ipa ipa_server = dc1.nix.gtf.kz ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = sudo, nss, ifp, pam, ssh domains = nix.gtf.kz [nss] memcache_timeout = 600 homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] allowed_uids = ipaapi, root [secrets] 
[session_recording] ============ AD user lookup and Kerberos tickets on the server: [root@dc1 ~]# getent passwd solodovni...@win.gtf.kz solodovni...@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov: [root@dc1 ~]# kinit solodovni...@win.gtf.kz Password for solodovni...@win.gtf.kz: [root@dc1 ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm Default principal: solodovni...@win.gtf.kz Valid starting Expires Service principal 02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/win.gtf...@win.gtf.kz renew until 02/20/2020 11:05:10 [root@dc1 ~]# kvno -S host dc1.nix.gtf.kz host/dc1.nix.gtf...@nix.gtf.kz: kvno = 2 [root@dc1 ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm Default principal: solodovni...@win.gtf.kz Valid starting Expires Service principal 02/19/2020 11:07:34 02/19/2020 21:05:16 host/dc1.nix.gtf...@nix.gtf.kz renew until 02/20/2020 11:05:10 02/19/2020 11:07:34 02/19/2020 21:05:16 krbtgt/nix.gtf...@win.gtf.kz renew until 02/20/2020 11:05:10 02/19/2020 11:05:16 02/19/2020 21:05:16 krbtgt/win.gtf...@win.gtf.kz renew until 02/20/2020 11:05:10 ============ Attempts to log in as the AD user via SSH or su fail; the error is the same either way. 
[root@dc1 ~]# useradd test [root@dc1 ~]# su - test [test@dc1 ~]$ su - solodovni...@win.gtf.kz Password: su: Authentication failure In sssd log: (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): Port status of port 0 for server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 7200 (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz' (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA]. 
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_R9aYcg] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] (0x1000): Domain win.gtf.kz is Active (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [10883] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [10883] (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [10883]. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [10883] finished successfully. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovni...@win.gtf.kz] is empty. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55e915585c80] done. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #95]: Request handler finished [0]: Success (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #95]: Receiving request data. (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #95]: Request removed. 
(Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 11:52:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #95]: Sending result [4][win.gtf.kz] In krb5kdc.log: Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11 Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11 Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11 Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11 Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11 Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in 
Kerberos database Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11 ============ Configs on the FreeIPA client (sqlg.nix.gtf.kz) [root@sqlg ~]# cat /etc/redhat-release CentOS Linux release 7.7.1908 (Core) [root@sqlg ~]# ipa --version VERSION: 4.6.5, API_VERSION: 2.231 [root@sqlg ~]# cat /etc/krb5.conf #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = NIX.GTF.KZ dns_lookup_realm = true dns_lookup_kdc = true rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] NIX.GTF.KZ = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .nix.gtf.kz = NIX.GTF.KZ nix.gtf.kz = NIX.GTF.KZ sqlg.nix.gtf.kz = NIX.GTF.KZ [root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz [domain_realm] .win.gtf.kz = WIN.GTF.KZ win.gtf.kz = WIN.GTF.KZ [capaths] WIN.GTF.KZ = { NIX.GTF.KZ = WIN.GTF.KZ } NIX.GTF.KZ = { WIN.GTF.KZ = WIN.GTF.KZ } [root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz [domain_realm] .win.gtf.kz = WIN.GTF.KZ win.gtf.kz = WIN.GTF.KZ [capaths] WIN.GTF.KZ = { NIX.GTF.KZ = WIN.GTF.KZ } NIX.GTF.KZ = { WIN.GTF.KZ = WIN.GTF.KZ } [root@sqlg ~]# cat /etc/sssd/sssd.conf [domain/nix.gtf.kz] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = nix.gtf.kz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = sqlg.nix.gtf.kz chpass_provider = ipa ipa_server = _srv_, dc1.nix.gtf.kz ldap_tls_cacert = /etc/ipa/ca.crt # without these two options the AD user is not found use_fully_qualified_names = True re_expression = ((?P<name>.+)@(?P<domain>[^@]+$)) [sssd] services = nss, sudo, pam, ssh domains = nix.gtf.kz [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] 
[secrets] [session_recording] [root@sqlg ~]# getent passwd solodovni...@win.gtf.kz solodovni...@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov: [root@sqlg ~]# kinit solodovni...@win.gtf.kz Password for solodovni...@win.gtf.kz: [root@sqlg ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: solodovni...@win.gtf.kz Valid starting Expires Service principal 02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/win.gtf...@win.gtf.kz renew until 02/20/2020 12:37:42 [root@sqlg ~]# kvno -S host dc1.nix.gtf.kz host/dc1.nix.gtf...@nix.gtf.kz: kvno = 2 [root@sqlg ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: solodovni...@win.gtf.kz Valid starting Expires Service principal 02/19/2020 12:38:30 02/19/2020 22:37:47 host/dc1.nix.gtf...@nix.gtf.kz renew until 02/20/2020 12:37:42 02/19/2020 12:38:30 02/19/2020 22:37:47 krbtgt/nix.gtf...@win.gtf.kz renew until 02/20/2020 12:37:42 02/19/2020 12:37:47 02/19/2020 22:37:47 krbtgt/win.gtf...@win.gtf.kz renew until 02/20/2020 12:37:42 [root@sqlg ~]# [root@sqlg ~]# su - test Last login: Wed Feb 19 11:50:14 +07 2020 on pts/0 [test@sqlg ~]$ su - solodovni...@win.gtf.kz Password: su: Authentication failure In sssd log: (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login attempts [0], failed login delay [5]. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0) (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovni...@win.gtf.kz] is empty. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55b69c74baf0] done. 
(Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #12]: Request handler finished [0]: Success (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #12]: Receiving request data. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #12]: Request removed. (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #12]: Sending result [6][win.gtf.kz] In /var/log/messages: Feb 19 12:40:08 sqlg su: (to test) root on pts/0 Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:42 sqlg [sssd[krb5_child[6514]]]: Cannot find KDC for realm "FGT.KZ" Feb 19 12:40:44 sqlg su: FAILED SU (to solodovni...@win.gtf.kz) root on pts/0 ============ If the following is added to sssd.conf on the IPA server: [domain/nix.gtf.kz/win.gtf.kz] subdomain_inherit = ldap_user_principal ldap_user_principal = nosuchattr then the sssd log shows: (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): dbus conn: 0x55f84f6f3e70 (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [sbus_dispatch] (0x4000): Dispatching. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [11773]. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [11773] finished successfully. 
(Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovni...@win.gtf.kz] is empty. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55f850749870] done. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #23]: Request handler finished [0]: Success (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #23]: Receiving request data. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #23]: Request removed. (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 13:08:09 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #23]: Sending result [4][win.gtf.kz] In krb5kdc.log: Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 192.168.8.7: NEEDED_PREAUTH: host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz, Additional pre-authentication required Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 192.168.8.7: ISSUE: authtime 1582092478, etypes {rep=18 tkt=18 ses=18}, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: 
solodovnikov\@win.gtf...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11 Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database Feb 19 13:07:58 dc1.nix.gtf.kz krb5kdc[11263](info): closing down fd 11 Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: solodovnikov\@win.gtf...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11262](info): closing down fd 11 Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11 Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database Feb 19 13:08:09 dc1.nix.gtf.kz krb5kdc[11265](info): closing down fd 11 On client FreeIPA. 
In sssd log: (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [get_server_status] (0x1000): Status of server 'dc1.nix.gtf.kz' is 'working' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [be_resolve_server_process] (0x0200): Found address for server dc1.nix.gtf.kz: [192.168.8.7] TTL 1200 (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://dc1.nix.gtf.kz' (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA]. 
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_A8oO7w] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [sss_domain_get_state] (0x1000): Domain win.gtf.kz is Active (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [6709] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [6709] (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x1000): Waiting for child [6709]. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [child_sig_handler] (0x0100): child [6709] finished successfully. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [solodovni...@win.gtf.kz] is empty. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x56508c296b50] done. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #25]: Request handler finished [0]: Success (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #25]: Receiving request data. (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #25]: Request removed. 
(Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Wed Feb 19 13:20:02 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #25]: Sending result [4][win.gtf.kz] In /var/log/messages: Feb 19 13:19:49 sqlg su: (to test) root on pts/0 Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: Server krbtgt/win.gtf...@nix.gtf.kz not found in Kerberos database Feb 19 13:20:02 sqlg [sssd[krb5_child[6709]]]: Error constructing AP-REQ armor: Server krbtgt/win.gtf...@nix.gtf.kz not found in Kerberos database Feb 19 13:20:03 sqlg su: FAILED SU (to solodovni...@win.gtf.kz) root on pts/0 I hope the list can provide some pointers. Thanks in advance. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org