On Sat, Nov 22, 2014 at 02:05:19PM -0800, Michael Lasevich wrote:
> I got some extra log output: seems that FAST IS being used. I am running
> SSSD 1.11.6, which is supposed to have above mentioned issues fixed:
>
> Log:
> =================
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal host/
> [email protected] in keytab.
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/
> [email protected]).
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361296: Retrieving
> host/[email protected] -> krbtgt/
> [email protected] from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: 0/Success
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [main] (0x0400): Will
> perform online auth
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361440: Getting
> initial credentials for [email protected]
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor
> ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving
> host/[email protected] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
> \@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
> found
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361648: Sending
> request (188 bytes) to MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361842: Sending
> initial UDP request to dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365901: Received
> answer from dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365981: Response was
> from master KDC
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received
> error from KDC: -1765328359/Additional pre-authentication required
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to
> FAST due to presence of PA_FX_FAST in reply
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366075: Restarting to
> upgrade to FAST
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366102: FAST armor
> ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366161: Retrieving
> host/[email protected] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
> \@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
> found
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366191: Upgrading to
> FAST due to presence of PA_FX_FAST in reply
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366215: FAST armor
> ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366267: Retrieving
> host/[email protected] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
> \@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
> found
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366322: Getting
> credentials host/[email protected] -> krbtgt/
> [email protected] using ccache FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366380: Retrieving
> host/[email protected] -> krbtgt/
> [email protected] from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: 0/Success
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366425: Armor ccache
> sesion key: aes256-cts/9082
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366476: Creating
> authenticator for host/[email protected] -> krbtgt/
> [email protected], seqnum 0, subkey aes256-cts/F5B0, session key
> aes256-cts/9082
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366562: FAST armor
> key: aes256-cts/0D88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366605: Encoding
> request body and padata into FAST request
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366675: Sending
> request (1089 bytes) to MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366752: Sending
> initial UDP request to dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370122: Received
> answer from dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370193: Response was
> from master KDC
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370232: Received
> error from KDC: -1765328359/Additional pre-authentication required
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370262: Decoding FAST
> response
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370333: Processing
> preauth types: 136, 141, 133, 137
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370364: Received
> cookie: MIT
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370404: Produced
> preauth for next request: 133
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt]
> (0x0020): 981: [-1765328174][Generic preauthentication failure]
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [map_krb5_error]
> (0x0020): 1043: [-1765328174][Generic preauthentication failure]

Could you try authenticating with the OTP without SSSD, just using kinit?
You need to create the FAST ccache first:

    $ sudo kinit -c FILE:/tmp/armor_ccache -k
    $ sudo KRB5_TRACE=/dev/stderr kinit -T /tmp/armor_ccache [email protected]
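An added example, not part of the original thread and not SSSD or MIT krb5 code: a small Python helper that reads a krb5 trace such as the quoted krb5_child log or the `KRB5_TRACE` output of the kinit test above, and reports whether the request was FAST-armored, which pre-authentication types the KDC offered, and which ones the client produced. It assumes the numeric type lists shown in the quoted log, and that an answered OTP challenge would appear as type 142 in the "Produced preauth" entry; the function names and the sample are constructed for illustration.

```python
import re

# Pre-authentication data types: 133-138 from RFC 6113 (FAST), 141-142 from RFC 6560 (OTP).
PA_NAMES = {133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 137: "PA-FX-ERROR",
            138: "PA-ENCRYPTED-CHALLENGE", 141: "PA-OTP-CHALLENGE",
            142: "PA-OTP-REQUEST"}

# Constructed sample: a few entries abridged from the quoted log, mail wrapping kept.
SAMPLE = """\
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366605: Encoding
> request body and padata into FAST request
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370333: Processing
> preauth types: 136, 141, 133, 137
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370404: Produced
> preauth for next request: 133
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt]
> (0x0020): 981: [-1765328174][Generic preauthentication failure]
"""

def _last_types(label, text):
    """Return the type numbers from the last '<label>: n, n, ...' entry."""
    hits = re.findall(re.escape(label) + r": (\d+(?:, \d+)*)", text)
    return [int(n) for n in hits[-1].split(", ")] if hits else []

def summarize(trace):
    """Summarize the last pre-auth round in a krb5 trace (plain or '>'-quoted)."""
    unquoted = (re.sub(r"^\s*>\s?", "", ln) for ln in trace.splitlines())
    text = " ".join(" ".join(unquoted).split())  # undo mail line wrapping
    offered = _last_types("Processing preauth types", text)
    produced = _last_types("Produced preauth for next request", text)
    # SSSD error entries look like "[<krb5 error code>][<message>]"
    errors = re.findall(r"\[(-?\d+)\]\[([^\]]+)\]", text)
    return {
        "fast_armored": "into FAST request" in text,
        "offered": [PA_NAMES.get(n, str(n)) for n in offered],
        "produced": [PA_NAMES.get(n, str(n)) for n in produced],
        # Assumption: an answered OTP challenge shows up as type 142 here.
        "otp_unanswered": 141 in offered and 142 not in produced,
        "error": errors[-1][1] if errors else None,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the same function over the stderr output of the kinit test gives a side-by-side view of the SSSD and plain kinit exchanges.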
