On Mon, Aug 16, 2021 at 10:49:18PM +0000, Dungan, Scott A. via
FreeIPA-users wrote:
> Hello.
>
> We have a client system (client1) that refuses login and throws an error in
> the krb5_child.log only when a particular account tries to log in (user1).
> The same account can log into other ipa domain client machines just fine.
> Other ipa accounts can log in to this machine, just not the user1 account. In
> /var/log/secure we see:
>
> Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=user1
> Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): received for user user1: 4 (System error)
> Aug 16 15:16:59 client1 sshd[13171]: error: PAM: Authentication failure for user1 from xxx.xxx.xxx.xxx
>
> sssd_domain_withheld.log:
>
> (2021-08-16 15:16:56): [be[id.gps.caltech.edu]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
>
> krb5_child.log:
>
> (2021-08-16 15:16:56): [krb5_child[13176]] [create_ccache] (0x0020): 1039: [-1765328188][Internal credentials cache error]
> (2021-08-16 15:16:56): [krb5_child[13176]] [map_krb5_error] (0x0020): 1849: [-1765328188][Internal credentials cache error]
Hi,

can you add 'debug_level = 9' to the [domain/...] section of sssd.conf,
restart SSSD, and try again so that more debug information gets into the logs?
If possible, please send the full log of the failed krb5_child run.
>
> Sometimes we see this in krb5_child.log as well:
>
> (2021-08-16 12:32:13): [krb5_child[6232]] [get_and_save_tgt] (0x0020): 1720: [-1765328360][Preauthentication failed]
> (2021-08-16 12:32:13): [krb5_child[6232]] [map_krb5_error] (0x0020): 1849: [-1765328360][Preauthentication failed]
This typically indicates a wrong password.
bye,
Sumit
>
> Steps taken to clear the issue with no results:
>
> 1. sss_cache -E
>
> 2. systemctl stop sssd
> rm -rf /var/lib/sss/db/*
> systemctl start sssd
>
> 3. ipa-client-install -uninstall and then rejoin
>
> Environment:
>
> RHEL8.4 - 4.18.0-305.12.1.el8_4.x86_64
> ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64
>
> Contents of /etc/krb5.conf:
>
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = DOMAIN.WITHHELD.LOCAL
> dns_lookup_realm = true
> rdns = false
> dns_canonicalize_hostname = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> DOMAIN.WITHHELD.LOCAL = {
> pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>
> }
>
> [domain_realm]
> .domain.withheld.local = DOMAIN.WITHHELD.LOCAL
> domain.withheld.local = DOMAIN.WITHHELD.LOCAL
> client1.domain.withheld.local = DOMAIN.WITHHELD.LOCAL
> .withheld.local = DOMAIN.WITHHELD.LOCAL
> withheld.local = DOMAIN.WITHHELD.LOCAL
>
>
> Contents of /etc/sssd/sssd.conf:
>
> [domain/domain.withheld.local]
>
> id_provider = ipa
> dns_discovery_domain = domain.withheld.local
> ipa_server = _srv_, idm2.domain.withheld.local
> ipa_domain = domain.withheld.local
> ipa_hostname = client1.domain.withheld.local
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> sudo_provider = ipa
> autofs_provider = ipa
> subdomains_provider = ipa
> session_provider = ipa
> hostid_provider = ipa
> ipa_automount_location = default
> [sssd]
> services = nss, pam, ssh, sudo, autofs
>
> domains = domain.withheld.local
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> Any help would be appreciated.
>
> -Scott
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
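The collection procedure Sumit asks for (put debug_level = 9 into the [domain/...] section of sssd.conf, restart SSSD, reproduce the login, send the full log of the failed krb5_child run), as an added shell example that is not part of this thread and is not SSSD's or FreeIPA's own tooling. It works on a constructed copy of the quoted sssd.conf and on constructed krb5_child.log lines taken from the post (one extra non-error "[main]" line is invented to show that a debug_level 9 run contains more than the error lines). The paths /etc/sssd/sssd.conf and /var/log/sssd/krb5_child.log in the comments are the usual defaults and are assumptions here, as are the function names.

```shell
#!/bin/sh
# Added example for this thread, not SSSD or FreeIPA code.
# 1) put "debug_level = N" into every [domain/...] section of an sssd.conf
# 2) list the krb5_child PIDs that logged an error-level (0x0020) message
# 3) dump every line of one krb5_child run so the whole run can be shared
# Real-world use (assumed default paths, run as root):
#   set_sssd_domain_debug /etc/sssd/sssd.conf 9
#   systemctl restart sssd          # then reproduce the failing login
#   failed_krb5_child_pids /var/log/sssd/krb5_child.log
#   krb5_child_run /var/log/sssd/krb5_child.log <pid> > krb5_child-<pid>.log
set -eu

# set_sssd_domain_debug CONF LEVEL
# Rewrites CONF in place: every [domain/...] section gets exactly one
# "debug_level = LEVEL" line directly under its header; debug_level lines
# already in those sections are dropped (so re-running is harmless), and
# every other section is copied through untouched.
set_sssd_domain_debug() {
    conf=$1
    level=$2
    tmp=$(mktemp)
    awk -v lvl="$level" '
        /^[[:space:]]*\[/ {
            indom = ($0 ~ /^[[:space:]]*\[domain\//)
            print
            if (indom) print "debug_level = " lvl
            next
        }
        indom && /^[[:space:]]*debug_level[[:space:]]*=/ { next }
        { print }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # cat, not mv: keeps the owner and 0600 mode of sssd.conf
    rm -f "$tmp"
}

# failed_krb5_child_pids LOG
# Prints, one per line, each krb5_child PID that wrote a (0x0020) entry,
# i.e. an error-level message, to LOG.
failed_krb5_child_pids() {
    sed -n 's/^.*\[krb5_child\[\([0-9][0-9]*\)\]\] \[[A-Za-z0-9_]*\] (0x0020).*$/\1/p' "$1" | sort -u
}

# krb5_child_run LOG PID
# Prints every line LOG holds for krb5_child process PID, errors and
# debug lines alike: the "full log of the failed krb5_child run".
krb5_child_run() {
    grep -F "[krb5_child[$2]]" "$1"
}

# Constructed sample inputs, modelled on the config and log quoted in the
# thread. The "[main] ... krb5_child started." line is invented here.
write_sample_sssd_conf() {
cat > "$1" <<'EOF'
[domain/domain.withheld.local]

id_provider = ipa
ipa_server = _srv_, idm2.domain.withheld.local
ipa_domain = domain.withheld.local
auth_provider = ipa
[sssd]
services = nss, pam, ssh, sudo, autofs
domains = domain.withheld.local
[nss]
homedir_substring = /home
EOF
}

write_sample_krb5_child_log() {
cat > "$1" <<'EOF'
(2021-08-16 12:32:13): [krb5_child[6232]] [get_and_save_tgt] (0x0020): 1720: [-1765328360][Preauthentication failed]
(2021-08-16 12:32:13): [krb5_child[6232]] [map_krb5_error] (0x0020): 1849: [-1765328360][Preauthentication failed]
(2021-08-16 15:16:56): [krb5_child[13176]] [main] (0x0400): krb5_child started.
(2021-08-16 15:16:56): [krb5_child[13176]] [create_ccache] (0x0020): 1039: [-1765328188][Internal credentials cache error]
(2021-08-16 15:16:56): [krb5_child[13176]] [map_krb5_error] (0x0020): 1849: [-1765328188][Internal credentials cache error]
EOF
}

# Run with "--demo" to see the rewritten config and one dump per failed run.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    write_sample_sssd_conf "$work/sssd.conf"
    set_sssd_domain_debug "$work/sssd.conf" 9
    cat "$work/sssd.conf"
    write_sample_krb5_child_log "$work/krb5_child.log"
    for pid in $(failed_krb5_child_pids "$work/krb5_child.log"); do
        echo "--- krb5_child[$pid] ---"
        krb5_child_run "$work/krb5_child.log" "$pid"
    done
    rm -rf "$work"
fi
```

The awk pass keys on section headers rather than on a fixed domain name, so it also handles an sssd.conf with several [domain/...] sections, and it deliberately does not touch debug_level in [sssd], [nss] or [pam], which would only add noise to the logs being collected.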