On Thu, Mar 10, 2022 at 01:34:27PM -0300, Mateo Duffour wrote:
> Hi Sumit,
>
> I have attached all the files you requested, this test was done with user
> usu5 which has its password expired.

Hi,

thanks for the new logs. Can you check if adding
krb5_use_enterprise_principal = True to the [domain/...] section of
sssd.conf makes it any better? If this still does not help it would be good
if you can record a network trace covering the authentication attempt.

bye,
Sumit

>
> Regards,
>
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
> 18 de julio 985 - Piso 3, Montevideo, Uruguay
> http://www.fnr.gub.uy/
>
> Don't print me unless necessary. Let's protect the environment. This message
> and the information attached to it are addressed exclusively to the
> recipient. It may contain confidential, privileged or restricted-use
> information protected by law. If you received this e-mail by mistake,
> please notify the sender and delete the original. Any other use of this
> e-mail by you is prohibited.
>
> From: "Sumit Bose" <sb...@redhat.com>
> To: "Mateo Duffour" <mduff...@fnr.gub.uy>
> Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users"
> <freeipa-users@lists.fedorahosted.org>, "Alexander Bokovoy"
> <aboko...@redhat.com>
> Sent: Thursday, 10 March, 2022 07:23:11
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Tue, Mar 08, 2022 at 01:42:53PM -0300, Mateo Duffour wrote:
> > Hi, thanks again for the quick reply.
> > Sorry I did not have the time to test it again until now, I tried your
> > recommendations.
> >
> > It's still behaving the same way as before, so I attached the sssd_pam.log
> > you requested with the debug set to level 9 in the pam section (sssd.conf).
> > The log attached is from our Ubuntu 20.04 client.
>
> Hi,
>
> please send the related SSSD backend logs and krb5_child.log as well.
>
> bye,
> Sumit
>
> > We also tested it on our IdM server over Rocky Linux, getting the same
> > behaviour.
> >
> > Best regards.
>
> From: "Sumit Bose" <sb...@redhat.com>
> To: "Mateo Duffour" <mduff...@fnr.gub.uy>
> Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users"
> <freeipa-users@lists.fedorahosted.org>, "Alexander Bokovoy"
> <aboko...@redhat.com>
> Sent: Monday, 28 February, 2022 06:23:51
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
> > Hi,
> >
> > I send you attached the files needed, let me know if you need something else.
>
> Hi,
>
> thanks for the files, they look ok. After looking again at what you sent
> I came across
>
>     Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
>
> which typically indicates a canonicalization of the principal by the
> server side which was not expected by the client.
>
> Which version of SSSD are you using on the Ubuntu client? Recent versions
> of SSSD already set 'krb5_canonicalize = true' by default for
> 'id_provider = ipa'. Maybe your version is a bit older? Please try if it
> works better if you explicitly set
>
>     krb5_canonicalize = true
>
> in the [domain/...] section of sssd.conf and restart SSSD. At least the
> 'KDC reply did not match expectations' should be gone now. If the
> password change still fails, please set 'debug_level = 9' in the [pam]
> and [domain/...] section of sssd.conf, restart SSSD, run the test again
> and send the logs from /var/log/sssd.
>
> bye,
> Sumit
>
> > Thanks again, regards.
>
> From: "Sumit Bose" <sb...@redhat.com>
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Cc: "Alexander Bokovoy" <aboko...@redhat.com>, "Mateo Duffour"
> <mduff...@fnr.gub.uy>
> Sent: Friday, 25 February, 2022 03:46:43
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via FreeIPA-users wrote:
> > Which /etc/pam.d/ config file do you need?
>
> Hi,
>
> from the logs below it looks like you are using ssh to log in, so it
> would be /etc/pam.d/sshd and all the files which might be referenced in
> that file.
>
> bye,
> Sumit
>
> From: "Mateo Duffour" <mduff...@fnr.gub.uy>
> To: "Alexander Bokovoy" <aboko...@redhat.com>
> Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Sent: Wednesday, 23 February, 2022 17:26:49
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
> User accounts with passwords expired
>
> Hi, thank you for the quick reply.
>
> We were further investigating the issue.
>
> We were testing with user "usu5" that has its password expired. The log of
> the IdM server below shows that Samba AD DC is sending "Password has expired"
> for user "usu5", that's OK.
> So we can suspect that IdM is not behaving as expected, it should prompt a
> password expiry to the user and let the user change it, but something is
> wrong with our config or scenario because that does not happen.
>
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=u...@adtest.fnr.gub.uy
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error)
> Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8
>
> Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that
> shows a login attempt with user "usu6", that is in the same situation as
> "usu5".
>
> ############
>
> We have done other tests as well, in this case we are logged on the IdM
> server as user "usu1", which has a password not expired and working
> properly. But when we try to change it with "passwd" it also fails.
>
> [u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd
> Changing password for user u...@adtest.fnr.gub.uy.
> Current Password:
> Password change failed. Server message: Old password not accepted.
> passwd: Authentication token manipulation error
>
> Log of this test on the IdM server:
>
> Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in /etc/passwd
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user u...@adtest.fnr.gub.uy: 4 (System error)
>
> Which pam logs do you need? We have several files apparently.
>
> Thank you guys again and best regards.
>
> From: "Alexander Bokovoy" <aboko...@redhat.com>
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Cc: "Mateo Duffour" <mduff...@fnr.gub.uy>
> Sent: Wednesday, 23 February, 2022 05:14:42
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
> User accounts with passwords expired
>
> Hello,
>
> On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
> > Hi,
> >
> > We currently have an IdM installation with a trust relationship with a
> > Samba AD DC. Our user accounts reside on Samba AD DC, we don't have user
> > accounts on IdM. We are having a problem with Samba user accounts that
> > have their passwords expired.
> >
> > When we try to login with an Ubuntu IdM client with one of those
> > accounts, it fails and asks again for password. The behaviour we are
> > expecting is that Ubuntu should ask for a password change.
>
> I think you need to look at the SSSD troubleshooting guide and investigate a
> bit yourself. Without logs it is impossible to tell what's wrong.
>
> Please see https://sssd.io/troubleshooting/basics.html and
> https://sssd.io/troubleshooting/ipa_provider.html for two parts that
> would be relevant here.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> (Tue Mar 8 13:23:57 2022) [pam] [cache_req_search_done] (0x0400): CR #1: Returning updated object [u...@adtest.xxx]
> (Tue Mar 8 13:23:57 2022) [pam] [cache_req_create_and_add_result] (0x0400): CR #1: Found 3 entries in domain adtest.xxx
> (Tue Mar 8 13:23:57 2022) [pam] [cache_req_done] (0x0400): CR #1: Finished: Success
> (Tue Mar 8 13:23:57 2022) [pam] [pd_set_primary_name] (0x0400): User's primary name is u...@adtest.xxx
> (Tue Mar 8 13:23:57 2022) [pam] [pam_initgr_cache_set] (0x2000): [usu5] added to PAM initgroup cache
> (Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): domain: adtest.xxx
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): user: u...@adtest.xxx
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): service: gdm-password
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): tty: /dev/tty1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): ruser: not set
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): rhost: not set
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): priv: 1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): cli_pid: 1201
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): logon name: usu5
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): flags: 1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of owner :1.8 has changed from [] to [:1.8]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing identity of sender [:1.8]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400): org.freedesktop.DBus.NameOwnerChanged: Success
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of owner :1.9 has changed from [] to [:1.9]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing identity of sender [:1.9]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400): org.freedesktop.DBus.NameOwnerChanged: Success
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
> (Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req_done] (0x0200): received: [4 (System error)][adtest.xxx]
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x559ac166d7a0
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x559ac166e450
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event 0x559ac166d7a0 "ldb_kv_callback"
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166e450 "ldb_kv_timeout"
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166d7a0 "ldb_kv_callback"
> (Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x4000): pam_reply initially called with result [4]: System error. this result might be changed during processing
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x559ac1668fa0
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x559ac166d7a0
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event 0x559ac1668fa0 "ldb_kv_callback"
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166d7a0 "ldb_kv_timeout"
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac1668fa0 "ldb_kv_callback"
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x559ac166e260
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x559ac1668fa0
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event 0x559ac166e260 "ldb_kv_callback"
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac1668fa0 "ldb_kv_timeout"
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166e260 "ldb_kv_callback"
> (Tue Mar 8 13:23:57 2022) [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> (Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): blen: 34
> (Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): Returning [4]: System error to the client
> (Tue Mar 8 13:23:59 2022) [pam] [client_recv] (0x0200): Client disconnected!
> (Tue Mar 8 13:23:59 2022) [pam] [client_close_fn] (0x2000): Terminated client [0x559ac1666fa0][19]
> (Tue Mar 8 13:24:02 2022) [pam] [pam_initgr_cache_remove] (0x2000): [usu5] removed from PAM initgroup cache
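A small triage helper, added here as an illustration and not part of the thread or of SSSD: it checks an sssd.conf (a constructed sample) for the two [domain/...] settings Sumit suggested, scans krb5_child lines of the kind quoted in the thread for the "Password has expired" and "KDC reply did not match expectations" messages, and maps the combination to the next step. The function and hint names are my own.

```python
"""Triage helper for this thread's symptom (AD user with an expired password
gets '4 (System error)' from pam_sss instead of a change prompt). The config
is a constructed sample; the journal lines are the ones quoted in the thread."""
import configparser
import re

# Settings Sumit suggested for the [domain/...] section (compared case-insensitively).
RECOMMENDED = {"krb5_canonicalize": "true", "krb5_use_enterprise_principal": "true"}
HINTS = {"KDC reply did not match expectations": "kdc_mismatch",
         "Password has expired": "password_expired"}
KRB5_CHILD = re.compile(r"krb5_child\[(\d+)\]: (.+)$")

SAMPLE_CONF = """\
[domain/idmpru.fnr.gub.uy]
id_provider = ipa
krb5_canonicalize = False
"""
SAMPLE_JOURNAL = """\
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error)
"""

def missing_settings(conf_text):
    """Return {section: {key: wanted}} for [domain/...] settings absent or different."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    missing = {}
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        gaps = {k: v for k, v in RECOMMENDED.items()
                if cp.get(section, k, fallback="").strip().lower() != v}
        if gaps:
            missing[section] = gaps
    return missing

def classify_journal(text):
    """Map each krb5_child pid to the hints derived from its messages; other lines are skipped."""
    findings = {}
    for line in text.splitlines():
        m = KRB5_CHILD.search(line)
        if m and m.group(2).strip() in HINTS:
            findings.setdefault(m.group(1), []).append(HINTS[m.group(2).strip()])
    return findings

def triage(conf_text, journal_text):
    """Turn both checks into the next steps the thread suggests."""
    hints = {h for hs in classify_journal(journal_text).values() for h in hs}
    gaps = {k for g in missing_settings(conf_text).values() for k in g}
    steps = []
    if "kdc_mismatch" in hints and "krb5_canonicalize" in gaps:
        steps.append("set krb5_canonicalize = true in [domain/...] and restart SSSD")
    if "password_expired" in hints and "krb5_use_enterprise_principal" in gaps:
        steps.append("try krb5_use_enterprise_principal = True in [domain/...]")
    return steps
```

If both settings are already present and the messages still appear, the helper returns no steps, which is the point at which Sumit asks for debug_level = 9 logs and a network trace instead.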