On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> Sumit,
> 
> Raised the debug level to 10 and let it run for about 24 hours.  Uploading
> the last 2000~ lines of the sssd_domain.com.log.  Thanks for your help!

Can you send the related krb5_child log file as well?

bye,
Sumit

> 
> https://pastebin.com/MD6N1Dj7
> 
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
> 
> Engineering Support: supp...@bloomip.com
> Billing Support: bill...@bloomip.com
> Customer Support Portal:  https://my.bloomip.com <http://my.bloomip.com/>
> 
> On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> jeff.hallybur...@bloomip.com> wrote:
> 
> > Sumit,
> >
> > Raised the debug level to 10 and let it run for about 24 hours.  Uploading
> > the full sssd_domain.com.log.  Thanks for your help!
> >
> > Jeff
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: supp...@bloomip.com
> > Billing Support: bill...@bloomip.com
> > Customer Support Portal:  https://my.bloomip.com <http://my.bloomip.com/>
> >
> > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose <sb...@redhat.com> wrote:
> >
> >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> >> > After setting debug_level=8, this is what I see in the sssd_domain_log:
> >>
> >> Unfortunately the domain log and the krb5_child log do not relate to
> >> each other.
> >>
> >> >
> >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
> >> [child_handler_setup]
> >> > (0x2000): Setting up signal handler up for pid [32382]
> >> >
> >>
> >> ....
> >>
> >> >
> >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast]
> >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> >> > jump02.west-2.production.example....@example.com]
> >> >
> >>
> >> ...
> >>
> >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]]
> >> [get_and_save_tgt]
> >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> >> > pre-auth.
> >> >
> >> >
> >> > Can you shed any light on this?
> >> >
> >>
> >> In the domain log the child with the pid 32382 is started to run a
> >> pre-authentication request. The request is needed to find out which kind
> >> of authentication types are available for the user, e.g. password or
> >> 2-factor authentication with the OTP token. The request in the child
> >> with the PID 32731 looks like a real authentication request with returns
> >> with an error code -1765328324 which just means 'Generic error' but
> >> might have cause SSSD to go offline.
> >>
> >> I would like to ask you to run the test again with debug_level=10 in the
> >> [domain/...] section of sssd.conf which would enable some low level
> >> Kerberos tracing messages which might help to understand what kind of
> >> 'Generic error' was hit here. Additionally I would like ask you to send
> >> the full log files as attachment or in an archive which would hep be to
> >> better navigate through them.
> >>
> >> bye,
> >> Sumit
> >>
> >
> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to