It looks like I have a replication issue. What process manages replication?

root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6175] 1456260239.45010: Resolving unique ccache of type KEYRING
[6175] 1456260239.45131: Getting initial credentials for j...@mrjester.net
[6175] 1456260239.45497: Sending request (157 bytes) to MRJESTER.NET
[6175] 1456260239.47271: Resolving hostname dir1.mrjester.net.
[6175] 1456260239.48927: Sending initial UDP request to dgram 10.8.10.41:88
[6175] 1456260239.330215: Received answer (162 bytes) from dgram 10.8.10.41:88
[6175] 1456260239.330749: Response was from master KDC
[6175] 1456260239.330781: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while getting initial credentials

root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6176] 1456260254.528974: Resolving unique ccache of type KEYRING
[6176] 1456260254.529030: Getting initial credentials for j...@mrjester.net
[6176] 1456260254.529189: Sending request (157 bytes) to MRJESTER.NET
[6176] 1456260254.530384: Resolving hostname dir1.mrjester.net.
[6176] 1456260254.531265: Sending initial UDP request to dgram 10.8.10.41:88
[6176] 1456260254.533058: Received answer (162 bytes) from dgram 10.8.10.41:88
[6176] 1456260254.533548: Response was from master KDC
[6176] 1456260254.533598: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while getting initial credentials

root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6177] 1456260255.920994: Resolving unique ccache of type KEYRING
[6177] 1456260255.921053: Getting initial credentials for j...@mrjester.net
[6177] 1456260255.921216: Sending request (157 bytes) to MRJESTER.NET
[6177] 1456260255.922335: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.923163: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260255.924918: Received answer (164 bytes) from dgram 10.8.10.40:88
[6177] 1456260255.925408: Response was from master KDC
[6177] 1456260255.925452: Received error from KDC: -1765328361/Password has expired
[6177] 1456260255.925471: Principal expired; getting changepw ticket
[6177] 1456260255.925481: Getting initial credentials for j...@mrjester.net
[6177] 1456260255.925502: Setting initial creds service to kadmin/changepw
[6177] 1456260255.925531: Sending request (156 bytes) to MRJESTER.NET (master)
[6177] 1456260255.926385: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.926895: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260256.927253: Received answer (243 bytes) from dgram 10.8.10.40:88
[6177] 1456260256.927330: Received error from KDC: -1765328359/Additional pre-authentication required
[6177] 1456260256.927382: Processing preauth types: 136, 19, 2, 133
[6177] 1456260256.927410: Selected etype info: etype aes256-cts, salt "v7Avt65hL<W[tX9W", params ""
[6177] 1456260256.927421: Received cookie: MIT
Password for j...@mrjester.net:
[6177] 1456260270.337075: AS key obtained for encrypted timestamp: aes256-cts/5367
[6177] 1456260270.337171: Encrypted timestamp (for 1456260270.339584): plain 301AA011180F32303136303232333230343433305AA1050203052E80, encrypted 3B8ECD496410D61EE4E22E9D990F1B9A78BB60D5C552612E87FAC17B3F0D95762F181315E2788EA60C12290D1887DFFDA1A01E67BB8DAC4F
[6177] 1456260270.337201: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[6177] 1456260270.337211: Produced preauth for next request: 133, 2
[6177] 1456260270.337240: Sending request (249 bytes) to MRJESTER.NET (master)
[6177] 1456260270.338678: Resolving hostname dir1.mrjester.net.
[6177] 1456260270.339289: Sending initial UDP request to dgram 10.8.10.41:88
[6177] 1456260270.340389: Received answer (161 bytes) from dgram 10.8.10.41:88
[6177] 1456260270.340438: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while getting initial credentials

On Tue, Feb 23, 2016 at 3:42 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Feb 23, 2016 at 03:33:31PM -0500, Jester wrote:
>> Made no changes to the system between posting. Only tried a couple of
>> kinits to generate some logs.
>>
>> Set sssd debug to 9, restarted, did a few kinits.
>
> kinit doesn't hit sssd, but goes directly to the KDC.
>
>>
>> root@nuc0:/var/log/sssd# service sssd start
>> root@nuc0:/var/log/sssd# kinit admin
>> Password for ad...@mrjester.net:
>> root@nuc0:/var/log/sssd# kinit jon
>> kinit: Client 'j...@mrjester.net' not found in Kerberos database while
>
> Again, if you're sure the principal 'jon' exists on the server, then I
> would suggest to try:
> KRB5_TRACE=/dev/stderr kinit jon
> and see if you talk to the KDC you expect.
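
A small parser for the kind of KRB5_TRACE output shown in this thread, added here as an example (it is not part of the original messages or of FreeIPA): it groups the KDC errors by the server that answered, so a disagreement between KDCs about whether a principal exists stands out. The function names are hypothetical, and the sample lines are excerpted from the trace above.

```python
import re
from collections import defaultdict

# Lines excerpted from the KRB5_TRACE output in the message above.
SAMPLE_TRACE = """\
[6175] 1456260239.47271: Resolving hostname dir1.mrjester.net.
[6175] 1456260239.48927: Sending initial UDP request to dgram 10.8.10.41:88
[6175] 1456260239.330215: Received answer (162 bytes) from dgram 10.8.10.41:88
[6175] 1456260239.330781: Received error from KDC: -1765328378/Client not found in Kerberos database
[6177] 1456260255.922335: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.923163: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260255.924918: Received answer (164 bytes) from dgram 10.8.10.40:88
[6177] 1456260255.925452: Received error from KDC: -1765328361/Password has expired
"""

LINE = re.compile(r"^\[(\d+)\] [\d.]+: (.*)$")
RESOLVE = re.compile(r"Resolving hostname (\S+?)\.?$")
SEND = re.compile(r"Sending initial \w+ request to \w+ ([\d.]+):\d+")
ANSWER = re.compile(r"Received answer \(\d+ bytes\) from \w+ ([\d.]+):\d+")
ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")
NOT_FOUND = -1765328378  # code the trace pairs with "Client not found in Kerberos database"

def kdc_answers(trace):
    """Map each KDC (hostname, else IP) to the set of (code, text) errors it returned."""
    answers, state = defaultdict(set), {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # password prompts and kinit's final error have no [pid] prefix
        st = state.setdefault(m.group(1), {"host": None, "names": {}, "peer": None})
        msg = m.group(2)
        if (r := RESOLVE.search(msg)):
            st["host"] = r.group(1)              # name about to be contacted
        elif (s := SEND.search(msg)):
            st["names"][s.group(1)] = st["host"] or s.group(1)
        elif (a := ANSWER.search(msg)):
            st["peer"] = a.group(1)              # address that actually replied
        elif (e := ERROR.search(msg)) and st["peer"]:
            kdc = st["names"].get(st["peer"], st["peer"])
            answers[kdc].add((int(e.group(1)), e.group(2)))
    return dict(answers)

def split_by_principal_knowledge(answers):
    """Heuristic (assumption): any error other than NOT_FOUND means that KDC has the principal."""
    missing = sorted(k for k, errs in answers.items() if any(c == NOT_FOUND for c, _ in errs))
    known = sorted(k for k, errs in answers.items() if any(c != NOT_FOUND for c, _ in errs))
    return missing, known

if __name__ == "__main__":
    missing, known = split_by_principal_knowledge(kdc_answers(SAMPLE_TRACE))
    print("principal missing on:", missing, "| principal known on:", known)
```

A KDC that appears in the first list while another appears in the second is the pattern the trace in this message shows.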