Hi folks,

some colleagues have to enter their password 3 times (or even
more) to authenticate. krb5_child.log shows:

(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): 
Switch user to [657][100].
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): 
Switch user to [0][0].
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [check_fast_ccache] 
(0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [become_user] (0x0200): 
Trying to become user [657][100].
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] 
(0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [map_krb5_error] 
(0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): 
Received error code 1432158221
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): 
Switch user to [657][100].
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): 
Switch user to [0][0].
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [check_fast_ccache] 
(0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [become_user] (0x0200): 
Trying to become user [657][100].
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [get_and_save_tgt] 
(0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [map_krb5_error] 
(0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): 
Received error code 1432158221
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): 
Switch user to [657][100].
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): 
Switch user to [0][0].
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [check_fast_ccache] 
(0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [become_user] (0x0200): 
Trying to become user [657][100].
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [get_and_save_tgt] 
(0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [map_krb5_error] 
(0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [k5c_send_data] (0x0200): 
Received error code 1432158221
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): 
Switch user to [657][100].
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): 
Switch user to [0][0].
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [check_fast_ccache] 
(0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): 
Trying to become user [657][100].
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): 
Received error code 0

sssd_pam.log:

(Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received 
client version [3].
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered 
version [3].
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [8 (Insufficient credentials to access authentication 
data)][example.com]
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
with result [8]: Insufficient credentials to access authentication data.
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:22 2017) [sssd[pam]] [client_recv] (0x0200): Client 
disconnected!
(Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received 
client version [3].
(Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered 
version [3].
(Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [8 (Insufficient credentials to access authentication 
data)][example.com]
(Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
with result [8]: Insufficient credentials to access authentication data.
(Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:30 2017) [sssd[pam]] [client_recv] (0x0200): Client 
disconnected!
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received 
client version [3].
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered 
version [3].
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [8 (Insufficient credentials to access authentication 
data)][example.com]
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
with result [8]: Insufficient credentials to access authentication data.
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:35 2017) [sssd[pam]] [client_recv] (0x0200): Client 
disconnected!
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received 
client version [3].
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered 
version [3].
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [0 (Success)][example.com]
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sysdb_set_entry_attr] (0x0200): Entry 
[name=juppschm...@example.com,cn=users,cn=example.com,cn=sysdb] has set [cache, 
ts_cache] attrs.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 73
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [0 (Success)][example.com]
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): 
name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [0 (Success)][example.com]
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called 
with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [client_recv] (0x0200): Client 
disconnected!


Did they enter just a bad password? What can I do to make authentication
more reliable?

sssd version is 1.15.0-3, backported from Debian Testing
to Jessie.

Every helpful hint is highly appreciated.
Harri
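
Added example, not part of the original post: a small parser that re-joins the wrapped krb5_child.log lines, groups them by child PID, and reports how many attempts failed before the first success and the seconds between attempts. It assumes each krb5_child PID corresponds to one authentication request, as in the excerpt above; the function names are illustrative. Error -1765328360 is the Kerberos code KRB5KDC_ERR_PREAUTH_FAILED.

```python
import re
from datetime import datetime

# Abridged from the krb5_child.log excerpt in the post (first and last
# attempt), kept in the wrapped form the mail shows.
SAMPLE = """\
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt]
(0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200):
Received error code 1432158221
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200):
Received error code 0
"""

START = re.compile(r"^\((\w{3} \w{3} +\d+ [\d:]{8} \d{4})\) "
                   r"\[\[sssd\[krb5_child\[(\d+)\]\]\]\] \[(\w+)\]\s*(.*)$")
KRB5_ERR = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]")
RESULT = re.compile(r"Received error code (\d+)")

def records(text):
    """Re-join wrapped lines; a record starts with a '(Day Mon D H:M:S Y)' stamp."""
    out = []
    for line in map(str.strip, text.splitlines()):
        if START.match(line):
            out.append(line)
        elif line and out:
            out[-1] += " " + line
    return out

def attempts(text):
    """One dict per krb5_child PID (assumed: one PID per attempt), in log order."""
    by_pid = {}
    for rec in records(text):
        stamp, pid, func, rest = START.match(rec).groups()
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        a = by_pid.setdefault(pid, {"pid": int(pid), "time": when,
                                    "krb5": None, "result": None})
        if func == "get_and_save_tgt" and (m := KRB5_ERR.search(rest)):
            a["krb5"] = (int(m.group(1)), m.group(2))
        elif func == "k5c_send_data" and (m := RESULT.search(rest)):
            a["result"] = int(m.group(1))
    return list(by_pid.values())

def summarize(text):
    """Return (failures before the first success, seconds between attempts)."""
    atts = attempts(text)
    ok = next((i for i, a in enumerate(atts) if a["result"] == 0), len(atts))
    gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(atts, atts[1:])]
    return ok, gaps
```

Run over the full log, the per-attempt timestamps can be lined up with the KDC's own log for the same principal to see what the KDC recorded for each failed pre-authentication.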
