New IPA install of Fedora 23 with FreeIPA 4.2.3.  Client is Ubuntu
Desktop 15.10 (nuc) with IPA client 4.1.4.

ipa-client-install was successful.  Host object created, DNS updated, etc.

I am not able to log into the Ubuntu client with any user aside from
Admin.  I get inconsistent password prompting behavior.  It doesn't
always prompt.  Most of the time, it just gives the client not found
message.   kinit works with all users on the IPA server directly.

root@nuc0:/var/lib/sss# kinit admin
Password for ad...@mrjester.net:
root@nuc0:/var/lib/sss# kinit jon
kinit: Client 'j...@mrjester.net' not found in Kerberos database while
getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
Password for jon-t...@mrjester.net:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password change failed while getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
kinit: Client 'jon-t...@mrjester.net' not found in Kerberos database
while getting initial credentials
root@nuc0:/var/lib/sss#

I am able to do GSSAPI auth from the client.

/usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b
"dc=mrjester,dc=net" cn

Some of the messages I see that stand out as possibly related (SSSD
debug level 8):

[parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!


[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child
responded: 14 [Decrypt integrity check failed], expired on [0]


[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a
TGT: ret [1432158219](Authentication Failed)
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port
389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port
389 of duplicate server 'dir0.mrjester.net' as 'not working'


[sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a
sysbus message, quit
[sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request
for [0x1001][1][name=*]
[sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing
request domain from [mrjester.net] to [mrjester.net]
[sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
(0x0080): Could not parse domain SID from [(null)]
[sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400):
Searching for users with base [cn=accounts,dc=mrjester,dc=net]
[sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mrjester,dc=net].
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [objectClass]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uid]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [userPassword]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gecos]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [homeDirectory]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginShell]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbPrincipalName]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [cn]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [memberOf]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaUniqueID]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaNTSecurityIdentifier]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [modifyTimestamp]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [entryUSN]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowLastChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowMin]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowMax]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowWarning]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowInactive]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowExpire]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowFlag]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbLastPwdChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbPasswordExpiration]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [pwdAttribute]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [authorizedService]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [accountExpires]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [userAccountControl]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [nsAccountLock]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [host]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginDisabled]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginExpirationTime]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginAllowedTimeMap]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaSshPubKey]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaUserAuthType]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x2000):
ldap_search_ext called, msgid = 12
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
sh[0x1b6d100], connected[1], ops[0x1b6e810], ldap[0x1b7a970]
[sssd[be[mrjester.net]]] [sdap_get_generic_op_finished] (0x0400):
Search result: Success(0), no errmsg set
[sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search
for users, returned 0 results.
[sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to
retrieve users
[sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
[sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): Search groups
with filter: (&(objectclass=group)(ghost=\2a))
[sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): No such entry
[sssd[be[mrjester.net]]] [sysdb_delete_user] (0x0400): Error: 2 (No
such file or directory)
[sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
[sssd[be[mrjester.net]]] [ipa_id_get_account_info_orig_done] (0x0080):
Object not found, ending request
[sssd[be[mrjester.net]]] [acctinfo_callback] (0x0100): Request
processed. Returned 3,0,Account info lookup failed
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
sh[0x1b6d100], connected[1], ops[(nil)], ldap[0x1b7a970]
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
ldap_result found nothing!



What additional information can I provide, or what can I try?

Thanks
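
An added example, not part of the original post: one way to triage an SSSD debug log like the one quoted above. It re-joins the entries that the mail client wrapped, then keeps those logged at a failure level or whose text reports a failure. The keyword list and function names are assumptions of this example; the sample entries are copied from the log in the post.

```python
import re

# Sample input: entries copied from the log in the post, mail wrapping included
# (the third entry is wrapped before its level field).
SAMPLE = """\
[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port
389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
(0x0080): Could not parse domain SID from [(null)]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uid]
[sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search
for users, returned 0 results.
[sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to
retrieve users
"""

# Start of one entry: [sssd[...]] [function] (0xNNNN):
ENTRY = re.compile(r"\[sssd\S*\] \[(\w+)\] \((0x[0-9a-fA-F]{4})\): ?")
# Failure levels of the sssd.conf(5) debug_level bitmask.
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical",
                  0x0040: "serious", 0x0080: "minor"}
# Assumed keyword list: failures that SSSD logs at a non-failure level.
HINTS = re.compile(r"could not|cannot|fail|not working|returned 0 results", re.I)

def parse(text):
    """Undo the hard wrapping, then split into (function, level, message)."""
    flat = " ".join(text.split())
    marks = list(ENTRY.finditer(flat))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        entries.append((m.group(1), int(m.group(2), 16), flat[m.end():end].strip()))
    return entries

def triage(text):
    """Return (function, reason, message) for entries worth reading first."""
    hits = []
    for func, level, msg in parse(text):
        if level in FAILURE_LEVELS:
            hits.append((func, FAILURE_LEVELS[level], msg))
        elif HINTS.search(msg):
            hits.append((func, "keyword", msg))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A filter on level alone would drop the TGT and "not working" entries here, since both are logged at 0x0100.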
