On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> On Mon, May 2, 2022 at 2:36 PM Sumit Bose <sb...@redhat.com> wrote:
> >
> > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose <sb...@redhat.com> wrote:
> > > >
> > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > Hi,
> > > > > >
> > > > > > thanks, at least I received your email. Can you run the tests with
> > > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
> > > > > > but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> > > > > > This will add some additional information into krb5_child.log which
> > > > > > might help to understand why the client does not like the reply from the
> > > > > > DC.
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > >
> > > > > I cleared all the logs and ran the tests again with those parameters.
> > > > > I am sending the logs. Thanks!
> > > >
> > > > Hi,
> > > >
> > > > can you try if you can change the password with 'kpasswd
> > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> > > > network trace of this command with tcpdump and send it as well?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > >
> > > It fails, and with kinit too:
> > >
> > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > Password for u...@adtest.fnr.gub.uy:
> > > kinit: KDC reply did not match expectations while getting initial credentials
> > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > Password for u...@adtest.fnr.gub.uy:
> > > kpasswd: KDC reply did not match expectations getting initial ticket
> > >
> > > I am sending tcpdump captures while trying with kpasswd. There are
> > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > > in this case.
> >
> > Hi,
> >
> > can you send the output of
> >
> >     KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> >
> > as well and your /etc/krb5.conf?

Hi,

thanks. Can you try to remove the krb5-pkinit package and run

    KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy

again while collecting the network trace and the debug output?

bye,
Sumit

> >
> > bye,
> > Sumit
> >
> >
> 
> Output:
> 
> [root@idmt01 tmp]# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> [4732] 1651514884.487540: Getting initial credentials for u...@adtest.fnr.gub.uy
> [4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
> [4732] 1651514884.487543: Sending unauthenticated request
> [4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
> [4732] 1651514884.487545: Initiating TCP connection to stream 10.2.100.3:88
> [4732] 1651514884.487546: Sending TCP request to stream 10.2.100.3:88
> [4732] 1651514884.487547: Received answer (314 bytes) from stream 10.2.100.3:88
> [4732] 1651514884.487548: Terminating TCP connection to stream 10.2.100.3:88
> [4732] 1651514884.487549: Response was from master KDC
> [4732] 1651514884.487550: Received error from KDC: -1765328359/Additional pre-authentication required
> [4732] 1651514884.487553: Preauthenticating using KDC method data
> [4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
> [4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
> [4732] 1651514884.487556: PKINIT client has no configured identity; giving up
> [4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
> [4732] 1651514884.487558: PKINIT client has no configured identity; giving up
> [4732] 1651514884.487559: Preauth module pkinit (16) (real) returned: 22/Invalid argument
> Password for u...@adtest.fnr.gub.uy:
> [4732] 1651514896.851314: AS key obtained for encrypted timestamp: aes256-cts/75AC
> [4732] 1651514896.851316: Encrypted timestamp (for 1651514896.949521): plain 301AA011180F32303232303530323138303831365AA10502030E7D11, encrypted C418DCD1573DF5E07F0578A78FCB73D9A41DB9DF39398EE86AEA12F587FCED5A3D008FF9FB8565A73C29D1AEA9EB089C576D532C11F7BFD4
> [4732] 1651514896.851317: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [4732] 1651514896.851318: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
> [4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
> [4732] 1651514896.851320: Initiating TCP connection to stream 10.2.100.3:88
> [4732] 1651514896.851321: Sending TCP request to stream 10.2.100.3:88
> [4732] 1651514896.851322: Received answer (1460 bytes) from stream 10.2.100.3:88
> [4732] 1651514896.851323: Terminating TCP connection to stream 10.2.100.3:88
> [4732] 1651514896.851324: Response was from master KDC
> [4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
> [4732] 1651514896.851326: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
> [4732] 1651514896.851327: Produced preauth for next request: (empty)
> [4732] 1651514896.851328: AS key determined by preauth: aes256-cts/75AC
> [4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
> [4732] 1651514896.851330: FAST negotiation: available
> kpasswd: KDC reply did not match expectations getting initial ticket
> 
> I am sending /etc/krb5.conf and
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_idmt_fnr_gub_uy, as
> the latter is included in the former and might be relevant.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org