I made a mistake and copied another log; the log of the test mentioned is:

Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: Password has expired
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: KDC reply did not match expectations
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx: 4 (System error)
Mar 10 18:08:10 idmsrvpru.idmpru.xxx.xxx.xx sshd[45683]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4

Lic. Mateo Duffour
IT Unit
2901.40.91
[ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay | 18 de julio 985 - Piso 3, Montevideo, Uruguay ]
[ http://www.fnr.gub.uy/ | ]
Don't print me unless necessary. Let's protect the environment.
This message and the information attached to it are addressed exclusively to the recipient. It may contain confidential, privileged or restricted-use information protected by law. If you received this e-mail in error, please notify the sender and delete the original. Any other use of this e-mail by you is prohibited.

From: "Mateo Duffour" <mduff...@fnr.gub.uy>
To: "Sumit Bose" <sb...@redhat.com>
Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org>, "Alexander Bokovoy" <aboko...@redhat.com>
Sent: Thursday, 10 March, 2022 17:48:17
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hi,

We also tried with krb5_use_enterprise_principal with no success. With the intention of simplifying our scenario we are now testing (with the same configurations that you suggested) an ssh of the user to the IdM server. On our IdM server we are getting the same error:

ssh u...@adtest.xxx.xx.xx@idmsrvpru.idmpru.xxx.xx.xx

Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: Password has expired
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: KDC reply did not match expectations
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=usu5
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): received for user usu5: 4 (System error)
Mar 10 16:50:14 idmsrvpru.idmpru.xxx.xxx.xx sshd[45293]: error: PAM: Authentication failure for usu5 from 10.9.9.4

From: "Sumit Bose" <sb...@redhat.com>
To: "Mateo Duffour" <mduff...@fnr.gub.uy>
Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users" <freeipa-users@lists.fedorahosted.org>, "Alexander Bokovoy" <aboko...@redhat.com>
Sent: Thursday, 10 March, 2022 14:01:29
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Thu, Mar 10, 2022 at 01:34:27PM -0300, Mateo Duffour wrote:
> Hi Sumit,
> I have attached all the files you requested; this test was done with user usu5, which has its password expired.

Hi,

thanks for the new logs. Can you check if adding krb5_use_enterprise_principal = True to the [domain/...] section of sssd.conf makes it any better? If this still does not help it would be good if you can record a network trace covering the authentication attempt.

bye,
Sumit

> Regards,

From: "Sumit Bose" <sb...@redhat.com>
To: "Mateo Duffour" <mduff...@fnr.gub.uy>
Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users" <freeipa-users@lists.fedorahosted.org>, "Alexander Bokovoy" <aboko...@redhat.com>
Sent: Thursday, 10 March, 2022 07:23:11
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Tue, Mar 08, 2022 at 01:42:53PM -0300, Mateo Duffour wrote:
> Hi, thanks again for the quick reply. Sorry I did not have the time to test it again until now; I tried your recommendations. It's still behaving the same way as before, so I attached the sssd_pam.log you requested with the debug set to level 9 on the pam section (sssd.conf). The log attached is from our Ubuntu 20.04 client.

Hi,

please send the related SSSD backend logs and krb5_child.log as well.

bye,
Sumit

> We also tested it on our IdM server over Rocky Linux, getting the same behaviour.
> Best regards.
From: "Sumit Bose" <sb...@redhat.com>
To: "Mateo Duffour" <mduff...@fnr.gub.uy>
Cc: "Sumit Bose" <sb...@redhat.com>, "freeipa-users" <freeipa-users@lists.fedorahosted.org>, "Alexander Bokovoy" <aboko...@redhat.com>
Sent: Monday, 28 February, 2022 06:23:51
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
> Hi, I send you attached the files needed; let me know if you need something else.

Hi,

thanks for the files, they look ok. After looking again at what you sent I came across

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations

which typically indicates a canonicalization of the principal by the server side which was not expected by the client. Which version of SSSD are you using on the Ubuntu client? Recent versions of SSSD already set 'krb5_canonicalize = true' by default for 'id_provider = ipa'. Maybe your version is a bit older?

Please try if it works better if you explicitly set krb5_canonicalize = true in the [domain/...] section of sssd.conf and restart SSSD. At least the 'KDC reply did not match expectations' should be gone now. If the password change still fails, please set 'debug_level = 9' in the [pam] and [domain/...] section of sssd.conf, restart SSSD, run the test again and send the logs from /var/log/sssd.

bye,
Sumit

> Thanks again, regards.

From: "Sumit Bose" <sb...@redhat.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Alexander Bokovoy" <aboko...@redhat.com>, "Mateo Duffour" <mduff...@fnr.gub.uy>
Sent: Friday, 25 February, 2022 03:46:43
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via FreeIPA-users wrote:
> Which /etc/pam.d/ config file do you need?

Hi,

from the logs below it looks like you are using ssh to log in, so it would be /etc/pam.d/sshd and all the files which might be referenced in that file.

bye,
Sumit

From: "Mateo Duffour" <mduff...@fnr.gub.uy>
To: "Alexander Bokovoy" <aboko...@redhat.com>
Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Sent: Wednesday, 23 February, 2022 17:26:49
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hi, thank you for the quick reply.

We were further investigating the issue. We were testing with user "usu5", which has its password expired. The log of the IdM server below shows that Samba AD DC is sending "Password has expired" for user "usu5", that's OK.
So we can suspect that IdM is not behaving as expected: it should prompt a password expiry to the user and let the user change it, but something is wrong with our config or scenario because that does not happen.

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=u...@adtest.fnr.gub.uy
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8

Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that shows a login attempt with user "usu6", which is in the same situation as "usu5".

############

We have done other tests as well; in this case we are logged on the IdM server as user "usu1", which has a password that is not expired and is working properly. But when we try to change it with "passwd" it also fails.

[u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd
Changing password for user u...@adtest.fnr.gub.uy.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

Log of this test on the IdM server:

Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in /etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user u...@adtest.fnr.gub.uy: 4 (System error)

Which PAM logs do you need? We have several files apparently.

Thank you guys again and best regards.

From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Mateo Duffour" <mduff...@fnr.gub.uy>
Sent: Wednesday, 23 February, 2022 05:14:42
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hello,

On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
> Hi,
> We currently have an IdM installation with a trust relationship with a Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user accounts on IdM.
> We are having a problem with Samba user accounts that have their passwords expired. When we try to log in with an Ubuntu IdM client with one of those accounts, it fails and asks again for the password. The behaviour we are expecting is that Ubuntu should ask for a password change.

I think you need to look at the SSSD troubleshooting guide and investigate a bit yourself. Without logs it is impossible to tell what's wrong. Please see https://sssd.io/troubleshooting/basics.html and https://sssd.io/troubleshooting/ipa_provider.html for two parts that would be relevant here.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

sssd_pam.log excerpt quoted in the thread:

(Tue Mar 8 13:23:57 2022) [pam] [cache_req_search_done] (0x0400): CR #1: Returning updated object [u...@adtest.xxx]
(Tue Mar 8 13:23:57 2022) [pam] [cache_req_create_and_add_result] (0x0400): CR #1: Found 3 entries in domain adtest.xxx
(Tue Mar 8 13:23:57 2022) [pam] [cache_req_done] (0x0400): CR #1: Finished: Success
(Tue Mar 8 13:23:57 2022) [pam] [pd_set_primary_name] (0x0400): User's primary name is u...@adtest.xxx
(Tue Mar 8 13:23:57 2022) [pam] [pam_initgr_cache_set] (0x2000): [usu5] added to PAM initgroup cache
(Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): domain: adtest.xxx
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): user: u...@adtest.xxx
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): service: gdm-password
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): tty: /dev/tty1
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): priv: 1
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): cli_pid: 1201
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): logon name: usu5
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): flags: 1
(Tue Mar 8 13:23:57 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
(Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of owner :1.8 has changed from [] to [:1.8]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing identity of sender [:1.8]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400): org.freedesktop.DBus.NameOwnerChanged: Success
(Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
(Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of owner :1.9 has changed from [] to [:1.9]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing identity of sender [:1.9]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400): org.freedesktop.DBus.NameOwnerChanged: Success
(Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req_done] (0x0200): received: [4 (System error)][adtest.xxx]
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x559ac166d7a0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x559ac166e450
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event 0x559ac166d7a0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166e450 "ldb_kv_timeout"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166d7a0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x4000): pam_reply initially called with result [4]: System error. this result might be changed during processing
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x559ac1668fa0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x559ac166d7a0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event 0x559ac1668fa0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166d7a0 "ldb_kv_timeout"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac1668fa0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x559ac166e260
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x559ac1668fa0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event 0x559ac166e260 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac1668fa0 "ldb_kv_timeout"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event 0x559ac166e260 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): blen: 34
(Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): Returning [4]: System error to the client
(Tue Mar 8 13:23:59 2022) [pam] [client_recv] (0x0200): Client disconnected!
(Tue Mar 8 13:23:59 2022) [pam] [client_close_fn] (0x2000): Terminated client [0x559ac1666fa0][19]
(Tue Mar 8 13:24:02 2022) [pam] [pam_initgr_cache_remove] (0x2000): [usu5] removed from PAM initgroup cache
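An added Python triage of the syslog lines posted in this thread (example code written here, not from the thread, SSSD or FreeIPA): it pairs each pam_sss "System error" reply with the krb5_child messages logged on the same host just before it and flags the "Password has expired" plus "KDC reply did not match expectations" combination that Sumit ties to principal canonicalization the client did not expect. The sample log is the Mar 10 18:08 excerpt; the 5-second correlation window and the verdict strings are my assumptions.

```python
import re
from datetime import datetime

# Added example, not code from the thread or from SSSD. Syslog shape used
# throughout the thread: "Mon DD HH:MM:SS host prog[pid]: message" (no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Constructed sample: the Mar 10 18:08 lines Mateo posted, verbatim.
SAMPLE_LOG = """\
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: Password has expired
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: KDC reply did not match expectations
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx: 4 (System error)
Mar 10 18:08:10 idmsrvpru.idmpru.xxx.xxx.xx sshd[45683]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4
"""


def parse(text):
    """Yield (ts, host, prog, pid, msg) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["host"], m["prog"], int(m["pid"]), m["msg"]


def triage(text, window=5):
    """Pair each pam_sss 'System error' reply with the krb5_child messages
    logged on the same host up to `window` seconds earlier (window is an
    assumed value) and classify the failure along the lines of Sumit's hint."""
    events = list(parse(text))
    findings = []
    for ts, host, _prog, _pid, msg in events:
        if "pam_sss" not in msg or "(System error)" not in msg:
            continue
        user = re.search(r"user (\S+): \d+ \(", msg)
        child = [m for t, h, p, _, m in events
                 if h == host and p == "krb5_child"
                 and 0 <= (ts - t).total_seconds() <= window]
        expired = any("Password has expired" in m for m in child)
        mismatch = any("KDC reply did not match expectations" in m for m in child)
        if expired and mismatch:
            verdict = "expired password + KDC reply mismatch: check krb5_canonicalize"
        elif expired:
            verdict = "expired password, KDC reply accepted"
        else:
            verdict = "System error with no krb5_child context"
        findings.append((user.group(1) if user else None, verdict))
    return findings


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG):
        print(f"{user}: {verdict}")
```

Run against the Feb 23 passwd lines, the chauthtok failure at 08:15:45 lands in the "no krb5_child context" bucket, which separates the password-change failure from the canonicalization symptom on login.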