Hi folks,

some colleagues have to enter their password 3 times (or even more) to authenticate. krb5_child.log shows:

(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0

sssd_pam.log:

(Mon Apr 3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:22 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr 3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:27 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:28 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr 3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr 3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:30 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:35 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sysdb_set_entry_attr] (0x0200): Entry [name=juppschm...@example.com,cn=users,cn=example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 73
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

Did they enter just a bad password? What can I do to make authentication more reliable?

sssd version is 1.15.0-3, backported from Debian Testing to Jessie.

Every helpful hint is highly appreciated.

Harri