On Mon, Apr 25, 2022 at 01:23:05PM -0300, tizo via FreeIPA-users wrote:
> On Mon, Apr 25, 2022 at 12:23 PM tizo <tiz...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > thanks for the logs. The issue does not happen during Kerberos ticket
> > > validation, as I thought, but while trying to establish the FAST tunnel.
> > >
> > > There should be two ways to solve this. The first is setting
> > >
> > >     krb5_use_fast = never
> > >
> > > in the [domain/...] section of sssd.conf on every IPA client. The second
> > > is to reestablish the trust as a two-way trust with the '--two-way=True'
> > > option of 'ipa trust-add'. I would recommend the latter.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> >
> > Hi Sumit,
> >
> > I'm taking Mateo's place here because he's busy with other things.
> > Sorry for the delay.
> >
> > We tried two-way trust on a brand new IdM server for a new IdM domain
> > (since the old server was giving other errors - we probably messed it
> > up at some point), and we're back to square one: AD users without
> > expiring password can login on the new IdM server with ssh, and for
> > those with expired passwords journalctl gives:
> >
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply did not match expectations
> >
> > I really don't know if behind the scenes it's exactly the same problem
> > as the first time, but it shouldn't, since we updated the Samba servers
> > to version 4.16.0, which has FAST support (as was noted in the Samba
> > users list). I'm wondering at the moment if the samba-client package
> > on the IdM server, that is version 4.14.5, could affect it or if it
> > doesn't matter.
> >
> > How do you think I can continue from here?
> >
> > Thank you very much,
> >
> > tizo
>
> Just for the record, if I add krb5_use_fast = never in the [domain/...]
> section of sssd.conf, I get the same in journalctl, but something
> different in krb5_child.log:
>
> (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
>    *  ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): krb5_child started.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x1000): total buffer size: [115]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [u...@adtest.fnr.gub.uy]

Hi,

can you try if adding

    krb5_use_enterprise_principal = True

helps? If not, please send full SSSD logs (everything in /var/log/sssd)
next time.

bye,
Sumit

>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x2000): No old ccache
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [not set] keytab: [/etc/krb5.keytab]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [k5c_precreate_ccache] (0x4000): Recreating ccache
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [become_user] (0x0200): Trying to become user [10101][10101].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x2000): Running as [10101][10101].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific lifetime requested.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform auth
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform online auth
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Attempting to get a TGT
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
>    *  ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
>    *  ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Password was expired
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
>    *  ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
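The thread turns on three facts buried in krb5_child.log: whether FAST was used (the check_use_fast record), whether enterprise principals were on (the "enterprise principal [...]" field in the unpack_buffer record), and which krb5 error codes came back. As an added example that is not part of the thread and not SSSD or FreeIPA code, the following Python script pulls those facts out of log text in the format quoted above, deduplicates the records that the backtrace dump repeats, and reads the corresponding krb5_use_fast and krb5_use_enterprise_principal options from the [domain/...] section of sssd.conf. The sample log and config are constructed with placeholder user, realm and domain names; the symbolic error names are libkrb5's, and the assumption that any check_use_fast wording other than "Not using FAST." means FAST was enabled is marked in the code.

```python
"""Triage helper for the krb5_child.log failure discussed in this thread.

Added example, not SSSD or FreeIPA code. Parses krb5_child.log records in the
format quoted in the thread plus the [domain/...] section of sssd.conf, and
reports: FAST used or not, enterprise principal on or off, realm, errors.
"""
import configparser
import re

# krb5 error codes quoted in the thread, with their libkrb5 symbolic names.
KRB5_ERRORS = {
    -1765328361: "KRB5KDC_ERR_KEY_EXP",   # "Password has expired"
    -1765328237: "KRB5_KDCREP_MODIFIED",  # "KDC reply did not match expectations"
}

# One krb5_child.log record; backtrace dumps prefix each record with "*  ".
LINE_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "<source line>: [<code>][<text>]" as written by get_and_save_tgt / map_krb5_error.
ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")


def parse_krb5_child_log(text):
    """Return FAST usage, enterprise-principal flag, realm and the distinct errors."""
    result = {"fast": None, "enterprise_principal": None, "realm": None, "errors": []}
    seen = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # backtrace banners ("*****") and anything else
        func, msg = m.group("func"), m.group("msg")
        if func == "check_use_fast":
            # Only "Not using FAST." appears in the thread; any other
            # check_use_fast message is treated as FAST enabled (assumption).
            result["fast"] = not msg.startswith("Not using FAST")
        elif func == "unpack_buffer":
            ep = re.search(r"enterprise principal \[(true|false)\]", msg)
            if ep:
                result["enterprise_principal"] = ep.group(1) == "true"
        elif func == "get_and_save_tgt":
            realm = re.search(r"kinit for realm \[([^\]]+)\]", msg)
            if realm:
                result["realm"] = realm.group(1)
        err = ERR_RE.match(msg)
        if err:
            code = int(err.group("code"))
            if (func, code) in seen:
                continue  # the backtrace dump repeats the record that triggered it
            seen.add((func, code))
            result["errors"].append(
                (func, code, KRB5_ERRORS.get(code, "unknown"), err.group("text")))
    return result


def check_sssd_domain(conf_text, domain):
    """Read the two krb5_* options from [domain/<domain>] in an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        raise KeyError("no [%s] section in sssd.conf" % section)
    return {
        "krb5_use_fast": cp.get(section, "krb5_use_fast", fallback=None),
        "krb5_use_enterprise_principal":
            cp.get(section, "krb5_use_enterprise_principal", fallback=None),
    }


def diagnose(log_text, conf_text, domain):
    """Combine log facts with config into the list a responder would check next."""
    log = parse_krb5_child_log(log_text)
    conf = check_sssd_domain(conf_text, domain)
    codes = {code for _, code, _, _ in log["errors"]}
    findings = []
    if -1765328361 in codes:
        findings.append("KDC reported the AD password as expired (KRB5KDC_ERR_KEY_EXP)")
    if -1765328237 in codes:
        findings.append("reply mismatch after the expiry error (KRB5_KDCREP_MODIFIED)")
    if log["fast"] is False:
        findings.append("FAST not used; krb5_use_fast = %s" % conf["krb5_use_fast"])
    if log["enterprise_principal"] is False and conf["krb5_use_enterprise_principal"] is None:
        findings.append("enterprise principal off and krb5_use_enterprise_principal unset")
    return {"log": log, "conf": conf, "findings": findings}


# Constructed sample input in the thread's format (placeholder user and realm).
SAMPLE_LOG = """\
(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
   *  ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): krb5_child started.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [someuser@adtest.example]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.EXAMPLE]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
   *  ********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
"""

# Constructed sssd.conf fragment with the setting from the thread applied.
SAMPLE_CONF = """\
[sssd]
domains = idmt.example
services = nss, pam

[domain/idmt.example]
id_provider = ipa
krb5_use_fast = never
"""

if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_CONF, "idmt.example")["findings"]:
        print("-", line)
```

Run it against a real /var/log/sssd/krb5_child.log by reading the file into `diagnose()` with the client's own sssd.conf and domain name; on the constructed sample it reports all four findings (expired password, reply mismatch, FAST off with krb5_use_fast = never, enterprise principal off with the option unset), which is exactly the state the thread describes before Sumit's suggestion is applied.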