On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> On Mon, May 2, 2022 at 2:36 PM Sumit Bose <sb...@redhat.com> wrote:
> >
> > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose <sb...@redhat.com> wrote:
> > > >
> > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > Hi,
> > > > > >
> > > > > > thanks, at least I received your email. Can you run the tests with
> > > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True"
> > > > > > again but with 'debug_level = 9' in the [domain/...] section of
> > > > > > sssd.conf. This will add some additional information into
> > > > > > krb5_child.log which might help to understand why the client does
> > > > > > not like the reply from the DC.
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > >
> > > > > I cleared all the logs and ran the tests again with those parameters.
> > > > > I am sending the logs. Thanks!
> > > >
> > > > Hi,
> > > >
> > > > can you try if you can change the password with 'kpasswd
> > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> > > > network trace of this command with tcpdump and send it as well?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > >
> > > It fails, and with kinit too:
> > >
> > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > Password for u...@adtest.fnr.gub.uy:
> > > kinit: KDC reply did not match expectations while getting initial credentials
> > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > Password for u...@adtest.fnr.gub.uy:
> > > kpasswd: KDC reply did not match expectations getting initial ticket
> > >
> > > I am sending tcpdump captures while trying with kpasswd. There are
> > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > > in this case.
> >
> > Hi,
> >
> > can you send the output of
> >
> > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> >
> > as well and your /etc/krb5.conf?

Hi,

thanks. Can you try to remove the krb5-pkinit package and run

KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy

again while collecting the network trace and the debug output?

bye,
Sumit

> > bye,
> > Sumit
> >
>
> Output:
>
> [root@idmt01 tmp]# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> [4732] 1651514884.487540: Getting initial credentials for u...@adtest.fnr.gub.uy
> [4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
> [4732] 1651514884.487543: Sending unauthenticated request
> [4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
> [4732] 1651514884.487545: Initiating TCP connection to stream 10.2.100.3:88
> [4732] 1651514884.487546: Sending TCP request to stream 10.2.100.3:88
> [4732] 1651514884.487547: Received answer (314 bytes) from stream 10.2.100.3:88
> [4732] 1651514884.487548: Terminating TCP connection to stream 10.2.100.3:88
> [4732] 1651514884.487549: Response was from master KDC
> [4732] 1651514884.487550: Received error from KDC: -1765328359/Additional pre-authentication required
> [4732] 1651514884.487553: Preauthenticating using KDC method data
> [4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
> [4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
> [4732] 1651514884.487556: PKINIT client has no configured identity; giving up
> [4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
> [4732] 1651514884.487558: PKINIT client has no configured identity; giving up
> [4732] 1651514884.487559: Preauth module pkinit (16) (real) returned: 22/Invalid argument
> Password for u...@adtest.fnr.gub.uy:
> [4732] 1651514896.851314: AS key obtained for encrypted timestamp: aes256-cts/75AC
> [4732] 1651514896.851316: Encrypted timestamp (for 1651514896.949521): plain 301AA011180F32303232303530323138303831365AA10502030E7D11, encrypted C418DCD1573DF5E07F0578A78FCB73D9A41DB9DF39398EE86AEA12F587FCED5A3D008FF9FB8565A73C29D1AEA9EB089C576D532C11F7BFD4
> [4732] 1651514896.851317: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [4732] 1651514896.851318: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
> [4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
> [4732] 1651514896.851320: Initiating TCP connection to stream 10.2.100.3:88
> [4732] 1651514896.851321: Sending TCP request to stream 10.2.100.3:88
> [4732] 1651514896.851322: Received answer (1460 bytes) from stream 10.2.100.3:88
> [4732] 1651514896.851323: Terminating TCP connection to stream 10.2.100.3:88
> [4732] 1651514896.851324: Response was from master KDC
> [4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
> [4732] 1651514896.851326: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
> [4732] 1651514896.851327: Produced preauth for next request: (empty)
> [4732] 1651514896.851328: AS key determined by preauth: aes256-cts/75AC
> [4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
> [4732] 1651514896.851330: FAST negotiation: available
> kpasswd: KDC reply did not match expectations getting initial ticket
>
> I am sending /etc/krb5.conf and
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_idmt_fnr_gub_uy, as
> the latter is included in the former and might be relevant.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
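A small triage helper for KRB5_TRACE output of the kind posted in the thread above, added here as an example; it is not part of the thread, of SSSD or of MIT krb5. It parses only the message formats visible in the trace (KDC address, KDC error, offered preauth types, preauth module results, "Decrypted AS reply"), and the sample lines are trimmed from that trace and re-joined onto single lines as KRB5_TRACE actually emits them.

```python
import re
# Constructed sample, trimmed from the KRB5_TRACE output posted in the thread above;
# real KRB5_TRACE emits each message on one line (no mail wrapping).
SAMPLE_TRACE = """\
[4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
[4732] 1651514884.487546: Sending TCP request to stream 10.2.100.3:88
[4732] 1651514884.487550: Received error from KDC: -1765328359/Additional pre-authentication required
[4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
[4732] 1651514884.487559: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[4732] 1651514896.851317: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
"""
TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
MODULE_RE = re.compile(r"^Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)$")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")
OFFER = "Processing preauth types: "

def summarize(trace_text):  # reduce a KRB5_TRACE log to the facts of the AS exchange
    s = {"kdcs": set(), "offered": [], "modules": [], "kdc_errors": [], "decrypted": False}
    for raw in trace_text.splitlines():
        m = TRACE_RE.match(raw.lstrip("> "))  # tolerate lines pasted from a mail quote
        if not m:
            continue  # password prompt, command echo, wrapped fragments
        msg = m.group(1)
        if msg.startswith("Sending TCP request to stream "):
            s["kdcs"].add(msg.rsplit(" ", 1)[1])
        elif msg.startswith(OFFER):
            # tokens look like "PA-ENC-TIMESTAMP (2)"; a bare number is an unnamed type
            s["offered"] += [tok.split(" ")[0] for tok in msg[len(OFFER):].split(", ")]
        elif (mm := MODULE_RE.match(msg)):
            s["modules"].append((mm.group(1), int(mm.group(2)), mm.group(3), int(mm.group(4))))
        elif (me := KDC_ERR_RE.match(msg)):
            s["kdc_errors"].append((int(me.group(1)), me.group(2)))
        elif msg.startswith("Decrypted AS reply"):
            s["decrypted"] = True
    return s

def findings(s):  # triage notes: which preauth path failed, and where the failure sits
    notes = []
    failed = [m for m in s["modules"] if m[2] == "real" and m[3] != 0]
    for name, patype, _, rc in failed:
        notes.append(f"preauth module {name} (pa-type {patype}) failed with rc={rc}")
    if "PA-PK-AS-REQ" in s["offered"] and any(m[0] == "pkinit" for m in failed):
        notes.append("KDC offers PKINIT but the client has no PKINIT identity; "
                     "it falls through to encrypted timestamp")
    if s["decrypted"]:
        notes.append("AS reply decrypted: password/AS key correct; a 'did not match expectations' "
                     "error after this point is the client rejecting the decrypted reply contents")
    return notes
```

Feed it `KRB5_TRACE=/dev/stdout kpasswd ...` output (or the quoted copy from a mail) via `findings(summarize(text))`.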