On Mon, Apr 25, 2022 at 01:23:05PM -0300, tizo via FreeIPA-users wrote:
> On Mon, Apr 25, 2022 at 12:23 PM tizo <tiz...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > thanks for the logs. The issue does not happen during Kerberos ticket
> > > validation, as I thought but while trying to establish the FAST tunnel.
> > >
> > > There should be two ways to solve this. The first is setting
> > >
> > >     krb5_use_fast = never
> > >
> > > in the [domain/...] section of sssd.conf on every IPA client. The second
> > > is to reestablish the trust as two-way trust with the '--two-way=True'
> > > option of 'ipa trust-add'. I would recommend the latter.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> >
> > Hi Sumit,
> >
> > I'm taking Mateo's place here because he's busy with other things.
> > Sorry for the delay.
> >
> > We tried two-way trust on a brand new IdM server for a new IdM domain
> > (since the old server was giving others errors - we probably messed it
> > up at some point), and we're back to square one: AD users without
> > expiring password can login on the new IdM server with ssh, and for
> > those with expired passwords journalctl gives:
> >
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply did not match expectations
> >
> > I really don't know if behind the scenes it's exactly the same problem
> > as the first time, but it shouldn't since we updated the Samba servers
> > to version 4.16.0 which has FAST support (as was noted in the Samba
> > users list). I'm wondering at the moment if the samba-client package
> > on the IdM server, that is version 4.14.5, could affect it or if it
> > doesn't matter.
> >
> > How do you think I can continue from here?
> >
> > Thank you very much,
> >
> > tizo
> 
> Just for the records, If I add krb5_use_fast = never in the
> [domain/...] section of sssd.conf, I get the same in journalctl, but
> something different in krb5_child.log:
> 
> (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020):
> 1724: [-1765328361][Password has expired]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> BACKTRACE:
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400):
> krb5_child started.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x1000): total buffer size: [115]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true]
> enterprise principal [false] offline [false] UPN
> [u...@adtest.fnr.gub.uy]

Hi,

can you try if adding

    krb5_use_enterprise_principal = True

helps? If not, please send full SSSD logs (everything in /var/log/sssd)
next time.

bye,
Sumit

>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x2000): No old ccache
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x0100): ccname: [KCM:] old_ccname: [not set] keytab:
> [/etc/krb5.keytab]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast]
> (0x0100): Not using FAST.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [k5c_precreate_ccache]
> (0x4000): Recreating ccache
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [become_user]
> (0x0200): Trying to become user [10101][10101].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x2000):
> Running as [10101][10101].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options]
> (0x0100): No specific renewable lifetime requested.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options]
> (0x0100): No specific lifetime requested.
>    *  (2022-04-25 13:17:05): [krb5_child[2000]]
> [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will
> perform auth
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will
> perform online auth
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder]
> (0x4000): Got question [password].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt]
> (0x0020): 1724: [-1765328361][Password has expired]
> ********************** BACKTRACE DUMP ENDS HERE
> *********************************
> 
> (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020):
> 1853: [-1765328237][KDC reply did not match expectations]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> BACKTRACE:
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child]
> (0x1000): Password was expired
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder]
> (0x4000): Got question [password].
>    *  (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error]
> (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
> ********************** BACKTRACE DUMP ENDS HERE
> *********************************
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
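As an added example (not part of this thread and not SSSD or FreeIPA code), below is a small Python triage helper for krb5_child.log excerpts like the one quoted above. It parses the `(timestamp): [krb5_child[pid]] [function] (level): message` line format, pulls out the `[code][text]` libkrb5 error pairs, reports whether FAST was in effect (`check_use_fast`) and whether an enterprise principal was requested (`unpack_buffer`), and collapses the duplicates that the backtrace dump produces. The sample input is the thread's own log lines, unwrapped; the constant `ERROR_TABLE_BASE_KRB5` is libkrb5's `ERROR_TABLE_BASE_krb5`, and the two symbolic names are the libkrb5 codes for the numeric values seen here (`-1765328361` is `KRB5KDC_ERR_KEY_EXP`, `-1765328237` is `KRB5_KDCREP_MODIFIED`).

```python
"""Triage an SSSD krb5_child.log excerpt: extract libkrb5 error codes and
report whether FAST / enterprise principals were in use for the attempt.
Example helper written for this thread; not part of SSSD."""
import re
from typing import Dict, Optional

# com_err table base for libkrb5 (ERROR_TABLE_BASE_krb5); every krb5 error
# code is this base plus a small offset.
ERROR_TABLE_BASE_KRB5 = -1765328384

# Symbolic names for the two codes that appear in the thread. Any other code
# is reported by its numeric offset only.
KNOWN_CODES: Dict[int, str] = {
    -1765328361: "KRB5KDC_ERR_KEY_EXP",      # "Password has expired"
    -1765328237: "KRB5_KDCREP_MODIFIED",     # "KDC reply did not match expectations"
}

# Line shape, with an optional leading "   *  " from backtrace dumps:
#   (2022-04-25 13:17:05): [krb5_child[2000]] [func] (0x0020): message
LINE_RE = re.compile(
    r"^\s*\*?\s*\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Error pairs embedded in the message: "[-1765328361][Password has expired]"
ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")

# Constructed sample: the thread's krb5_child.log lines with the mail-client
# line wrapping undone, and one backtrace-echo duplicate kept on purpose.
SAMPLE_LOG = """\
(2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): krb5_child started.
(2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [u...@adtest.fnr.gub.uy]
(2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one krb5_child.log line; return None for separators/banners."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    err = ERR_RE.search(rec["msg"])
    if err:
        rec["code"] = int(err.group("code"))
        rec["text"] = err.group("text")
    return rec


def krb5_code_name(code: int) -> str:
    """Symbolic libkrb5 name where known, else the offset from the table base."""
    return KNOWN_CODES.get(code, f"krb5 error offset {code - ERROR_TABLE_BASE_KRB5}")


def triage(log: str) -> dict:
    """Summarise one krb5_child run: FAST usage, principal type, realm, errors."""
    summary = {"fast": None, "enterprise_principal": None, "upn": None,
               "realm": None, "errors": []}
    seen = set()  # (func, code) pairs, so backtrace echoes are not double-counted
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "check_use_fast":
            summary["fast"] = not msg.startswith("Not using FAST")
        elif func == "unpack_buffer":
            ep = re.search(r"enterprise principal \[(true|false)\]", msg)
            if ep:
                summary["enterprise_principal"] = ep.group(1) == "true"
            upn = re.search(r"UPN \[([^\]]+)\]", msg)
            if upn:
                summary["upn"] = upn.group(1)
        elif func == "get_and_save_tgt":
            realm = re.search(r"kinit for realm \[([^\]]+)\]", msg)
            if realm:
                summary["realm"] = realm.group(1)
        if "code" in rec and (func, rec["code"]) not in seen:
            seen.add((func, rec["code"]))
            summary["errors"].append({"func": func, "code": rec["code"],
                                      "name": krb5_code_name(rec["code"]),
                                      "text": rec["text"]})
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"realm={result['realm']} upn={result['upn']} fast={result['fast']} "
          f"enterprise_principal={result['enterprise_principal']}")
    for e in result["errors"]:
        print(f"  {e['func']}: {e['code']} {e['name']}: {e['text']}")
```

Run it against a real `/var/log/sssd/krb5_child.log` by passing the file contents to `triage()`; the `fast` and `enterprise_principal` fields tell you at a glance whether `krb5_use_fast` and `krb5_use_enterprise_principal` in sssd.conf actually took effect for the attempt, before you start comparing KDC behaviour.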
