On Thu, Nov 14, 2024 at 06:08:43PM +0200, Chagai Nota wrote:
> I tried to add it under the domain/ section but it didn't help.
>
> krb5_child.log - not modified for a few hours even though I tried to log in
> many times, the log has not changed, how can I increase log level for
> Kerberos?

Hi,

you can get detailed logs by adding 'debug_level = 9' to the [domain/...]
section of sssd.conf and restart SSSD.

>
> What do you mean by backend logs?

It is the log file sssd_your.domain.name.log. You can find additional
information at https://sssd.io/troubleshooting/basics.html.

bye,
Sumit

>
>
> On Thu, 14 Nov 2024 at 16:51, Sumit Bose <[email protected]> wrote:
>
> > On Thu, Nov 14, 2024 at 12:35:06PM -0000, chagai nota via FreeIPA-users wrote:
> > > Hi
> > > I'm new here, I hope I am asking the question in the correct way.
> > >
> > > We are trying to use IPA to replace our NIS and it works great; now we also
> > > enabled integration with our AD and I have some questions regarding it.
> > > The structure of the AD domain is like the following: exmaple.com,
> > > a.exmaple.com, b.exmaple.com etc., but all users' UPN is only exmaple.com.
> > > samaccountname and UPN are not the same,
> > > so a user can be [email protected] but its samaccountname will be 1234 or
> > > something else.
> > >
> > > We created a one-way forest trust with IPA and samaccountname works for all
> > > users from all subdomains, but when I'm trying to use the UPN it works only
> > > for the root domain.
> > > When I'm trying to authenticate with a user from the a.exmaple.com domain but
> > > his UPN is exmaple.com ([email protected]), it succeeds in understanding who
> > > the user is, but fails to authenticate: PAM tries to perform authentication
> > > with the wrong domain, it goes to the exmaple.com domain instead of a.exmaple.com.
> > >
> > > The bottom line:
> > > the user search is performed as a multi-domain search and succeeds, but
> > > authentication goes to the wrong domain and fails.
> > >
> > > Can you assist with this? Can it work?
> >
> > Hi,
> >
> > krb5_child.log and the backend logs would be useful as well.
> >
> > A typical issue in this area is that SSSD fails to detect that the IPA
> > server supports enterprise principals, so please try to add
> >
> > krb5_use_enterprise_principal = True
> >
> > manually to the [domain/...] section of sssd.conf, restart SSSD and try
> > again.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >
> > > error message:
> > > (2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain example.com is Active
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Looking up [[email protected]] in cache
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Object [[email protected]] was not found in cache
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#6] CR #11: Adding [[email protected]] to negative cache
> > > (2024-11-14 14:03:13): [pam] [sss_ncache_set_str] (0x0400): [CID#6] Adding [NCE/USER/example.com/[email protected]] to negative cache
> > > (2024-11-14 14:03:13): [pam] [cache_req_set_plugin] (0x2000): [CID#6] CR #11: Setting "Initgroups by UPN" plugin
> > > (2024-11-14 14:03:13): [pam] [cache_req_set_name] (0x0400): [CID#6] CR #11: Setting name [[email protected]]
> > > (2024-11-14 14:03:13): [pam] [cache_req_assume_upn] (0x0400): [CID#6] CR #11: Assuming UPN [[email protected]]
> > > (2024-11-14 14:03:13): [pam] [cache_req_select_domains] (0x0400): [CID#6] CR #11: Performing a multi-domain search
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_domains] (0x0400): [CID#6] CR #11: Search will bypass the cache and check the data provider
> > > (2024-11-14 14:03:13): [pam] [cache_req_validate_domain_type] (0x2000): [CID#6] Request type POSIX-only for domain a.example.com type POSIX is valid
> > > (2024-11-14 14:03:13): [pam] [cache_req_set_domain] (0x0400): [CID#6] CR #11: Using domain [a.example.com]
> > > (2024-11-14 14:03:13): [pam] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #11: Preparing input data for domain [a.example.com] rules
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_send] (0x0400): [CID#6] CR #11: Looking up [email protected]
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR #11: Checking negative cache for [[email protected]]
> > > (2024-11-14 14:03:13): [pam] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/USER/a.example.com/@[email protected]]
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR #11: [[email protected]] is not present in negative cache
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_dp] (0x0400): [CID#6] CR #11: Looking up [[email protected]] in data provider
> > > (2024-11-14 14:03:13): [pam] [sss_dp_get_account_send] (0x0400): [CID#6] Creating request for [a.example.com][0x3][BE_REQ_INITGROUPS][[email protected]:U]
> > > (2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
> > > (2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain a.example.com is Active
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Looking up [[email protected]] in cache
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache_filter] (0x0400): [CID#6] CR #11: This request type does not support filtering result by negative cache
> > > (2024-11-14 14:03:13): [pam] [cache_req_search_done] (0x0400): [CID#6] CR #11: Returning updated object [[email protected]]
> > > (2024-11-14 14:03:13): [pam] [cache_req_create_and_add_result] (0x0400): [CID#6] CR #11: Found 3 entries in domain a.example.com
> > > (2024-11-14 14:03:13): [pam] [cache_req_done] (0x0400): [CID#6] CR #11: Finished: Success
> > > (2024-11-14 14:03:13): [pam] [pd_set_primary_name] (0x0400): [CID#6] User's primary name is [email protected]
> > > (2024-11-14 14:03:13): [pam] [pam_initgr_check_timeout] (0x4000): [CID#6] User [[email protected]] not found in PAM cache.
> > > (2024-11-14 14:03:13): [pam] [pam_initgr_cache_set] (0x2000): [CID#6] [[email protected]] added to PAM initgroup cache
> > > (2024-11-14 14:03:13): [pam] [pam_dp_send_req] (0x0100): [CID#6] Sending request with the following data:
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] command: SSS_PAM_AUTHENTICATE
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] domain: exmaple.com
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] user: [email protected]
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] service: sshd
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] tty: ssh
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] ruser: not set
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] rhost: 192.168.1.15
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] authtok type: 1 (Password)
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] newauthtok type: 0 (No authentication token available)
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] priv: 1
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] cli_pid: 8350
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] logon name: [email protected]
> > > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] flags: 1
> > > (2024-11-14 14:03:13): [pam] [pam_dom_forwarder] (0x0100): [CID#6] pam_dp_send_req returned 0
> > > (2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
> > > (2024-11-14 14:03:13): [pam] [pam_dp_send_req_done] (0x0200): [CID#6] received: [4 (System error)][exmaple.com]
> > > (2024-11-14 14:03:13): [pam] [pam_reply] (0x4000): [CID#6] pam_reply initially called with result [4]: System error. this result might be changed during processing
> > > (2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] blen: 30
> > > (2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] Returning [4]: System error to the client
> > > (2024-11-14 14:03:16): [pam] [client_recv] (0x0200): [CID#6] Client disconnected!
> > > (2024-11-14 14:03:16): [pam] [client_close_fn] (0x2000): Terminated client [0x5bcfb8a297c0][19]
> > > (2024-11-14 14:03:18): [pam] [pam_initgr_cache_remove] (0x2000): [CID#6] [[email protected]] removed from PAM initgroup cache
> > > --
> > > _______________________________________________
> > > FreeIPA-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> > > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> >
