Hi,

I haven’t posted in a while; I hope everybody is doing well.  I have a problem 
that I am having a difficult time diagnosing.  To start, I want to say that we 
have a pretty large IPA environment.  It generally works well.  Most of our 
servers are of the same flavor, RHEL6/7, and pull down their sssd/IPA RPMs from 
a standard repo.  We also deploy sssd/ipa-client from SaltStack, so there’s not 
much variation in configuration.  I have a client that is being very finicky; I 
am getting a message that says “Malformed representation of principal” in my 
krb5_child.log (when trying to log in).  I’m really kind of at loose ends as to 
the right way to troubleshoot this further.  Here’s what I know:

1) I can kinit -k as root
2) I can kinit user@domain, even for the user in the sssd logs
3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common, 
sssd, & ipa-client.

My logs are below.  Would somebody be able to perhaps provide input on the best 
way to further troubleshoot this issue?

(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0400): 
krb5_child started.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x1000): 
total buffer size: [174]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100): 
cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal 
[false] offline [false] UPN [user@domain@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x2000): 
No old ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100): 
ccname: [FILE:/tmp/krb5cc_339788572_XXXXXX] old_ccname: [not set] keytab: 
[/etc/krb5.keytab]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_precreate_ccache] 
(0x4000): Recreating ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup_fast] 
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] 
[find_principal_in_keytab] (0x4000): Trying to find principal 
host/server.fqdn@DOMAIN in keytab.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [match_principal] 
(0x1000): Principal matched to the sample (host/server.fqdn@DOMAIN).
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [check_fast_ccache] 
(0x0200): FAST TGT is still valid.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [become_user] (0x0200): 
Trying to become user [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x2000): Running 
as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x2000): 
Running as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x0020): 
2529: [-1765328250][Malformed representation of principal]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0020): 
krb5_child_setup failed.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0020): 
krb5_child failed!

(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler] (0x0400): 
EOF received, client finished
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [parse_krb5_child_response] 
(0x0020): message too short.
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] (0x0040): 
Could not parse child response [22]: Invalid argument
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue] (0x1000): 
Wait queue for user [user@domain] is empty.
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done] 
(0x0040): krb5_auth_recv failed with: 22
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] 
[ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid 
argument

I appreciate your help with this.

Thank you,

Dan Sullivan


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
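
Added example, not part of the original post or of SSSD: a triage script that unwraps krb5_child.log records like those above and flags any UPN carrying more than one unescaped '@' while "enterprise principal" is [false], as the unpack_buffer record in this log does. It assumes MIT krb5 principal syntax (a single unescaped '@' separates name from realm unless enterprise parsing is enabled); the function names and the second sample record are constructed for illustration.

```python
import re

# Constructed sample in the wrapped layout of the log above; the "alice"
# record is invented so the script has a well-formed UPN to compare against.
SAMPLE_LOG = """\
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100):
cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal
[false] offline [false] UPN [user@domain@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x0020):
2529: [-1765328250][Malformed representation of principal]
(Thu Apr 27 20:19:02 2017) [[sssd[krb5_child[8801]]]] [unpack_buffer] (0x0100):
cmd [241] uid [1000] gid [1000] validate [true] enterprise principal
[false] offline [false] UPN [alice@DOMAIN]
"""

RECORD_START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) \[")
FIELDS = re.compile(r"enterprise principal \[(true|false)\].*?UPN \[([^\]]*)\]")

def unwrap(text):
    """Join mail-wrapped continuation lines back onto their log record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def unescaped_at_count(principal):
    """Count '@' separators, skipping backslash-escaped characters."""
    count, i = 0, 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2              # escaped character, never a separator
            continue
        count += principal[i] == "@"
        i += 1
    return count

def suspicious_upns(text):
    """Return (upn, enterprise_flag) for UPNs with more than one unescaped
    '@' that were handed to krb5_child with enterprise principal = false."""
    hits = []
    for rec in unwrap(text):
        m = FIELDS.search(rec)
        if m and m.group(1) == "false" and unescaped_at_count(m.group(2)) > 1:
            hits.append((m.group(2), m.group(1)))
    return hits

if __name__ == "__main__":
    for upn, ent in suspicious_upns(SAMPLE_LOG):
        print(f"UPN {upn!r} (enterprise principal={ent}) has more than one '@'")
```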