Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester 2.0
The "KRB5_TRACE=/dev/stderr kinit jon" command helped out immensely by
pointing out that it was failing on dir1, but not dir0.

Turns out a DNS issue on my second directory server was breaking
replication.

Thank you for the assistance.


On Tue, Feb 23, 2016 at 3:42 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Tue, Feb 23, 2016 at 03:33:31PM -0500, Jester wrote:
> > Made no changes to the system between posting.  Only tried a couple of
> > kinits to generate some logs.
> >
> > Set sssd debug to 9, restarted, did a few kinits.
>
> kinit doesn't hit sssd, but goes directly to the KDC.
>
> >
> > root@nuc0:/var/log/sssd# service sssd start
> > root@nuc0:/var/log/sssd# kinit admin
> > Password for ad...@mrjester.net:
> > root@nuc0:/var/log/sssd# kinit jon
> > kinit: Client 'j...@mrjester.net' not found in Kerberos database while
>
> Again, if you're sure the principal 'jon' exists on the server, then I
> would suggest to try:
> KRB5_TRACE=/dev/stderr kinit jon
> and see if you talk to the KDC you expect.
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester
It looks like I have a replication issue.  What process manages replication?

root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6175] 1456260239.45010: Resolving unique ccache of type KEYRING
[6175] 1456260239.45131: Getting initial credentials for j...@mrjester.net
[6175] 1456260239.45497: Sending request (157 bytes) to MRJESTER.NET
[6175] 1456260239.47271: Resolving hostname dir1.mrjester.net.
[6175] 1456260239.48927: Sending initial UDP request to dgram 10.8.10.41:88
[6175] 1456260239.330215: Received answer (162 bytes) from dgram 10.8.10.41:88
[6175] 1456260239.330749: Response was from master KDC
[6175] 1456260239.330781: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while getting initial credentials
root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6176] 1456260254.528974: Resolving unique ccache of type KEYRING
[6176] 1456260254.529030: Getting initial credentials for j...@mrjester.net
[6176] 1456260254.529189: Sending request (157 bytes) to MRJESTER.NET
[6176] 1456260254.530384: Resolving hostname dir1.mrjester.net.
[6176] 1456260254.531265: Sending initial UDP request to dgram 10.8.10.41:88
[6176] 1456260254.533058: Received answer (162 bytes) from dgram 10.8.10.41:88
[6176] 1456260254.533548: Response was from master KDC
[6176] 1456260254.533598: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while getting initial credentials
root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6177] 1456260255.920994: Resolving unique ccache of type KEYRING
[6177] 1456260255.921053: Getting initial credentials for j...@mrjester.net
[6177] 1456260255.921216: Sending request (157 bytes) to MRJESTER.NET
[6177] 1456260255.922335: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.923163: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260255.924918: Received answer (164 bytes) from dgram 10.8.10.40:88
[6177] 1456260255.925408: Response was from master KDC
[6177] 1456260255.925452: Received error from KDC: -1765328361/Password has expired
[6177] 1456260255.925471: Principal expired; getting changepw ticket
[6177] 1456260255.925481: Getting initial credentials for j...@mrjester.net
[6177] 1456260255.925502: Setting initial creds service to kadmin/changepw
[6177] 1456260255.925531: Sending request (156 bytes) to MRJESTER.NET (master)
[6177] 1456260255.926385: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.926895: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260256.927253: Received answer (243 bytes) from dgram 10.8.10.40:88
[6177] 1456260256.927330: Received error from KDC: -1765328359/Additional pre-authentication required
[6177] 1456260256.927382: Processing preauth types: 136, 19, 2, 133
[6177] 1456260256.927410: Selected etype info: etype aes256-cts, salt "v7Avt65hL<W[tX9W", params ""
[6177] 1456260256.927421: Received cookie: MIT
Password for j...@mrjester.net:
[6177] 1456260270.337075: AS key obtained for encrypted timestamp: aes256-cts/5367
[6177] 1456260270.337171: Encrypted timestamp (for 1456260270.339584): plain 301AA011180F32303136303232333230343433305AA1050203052E80, encrypted 3B8ECD496410D61EE4E22E9D990F1B9A78BB60D5C552612E87FAC17B3F0D95762F181315E2788EA60C12290D1887DFFDA1A01E67BB8DAC4F
[6177] 1456260270.337201: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[6177] 1456260270.337211: Produced preauth for next request: 133, 2
[6177] 1456260270.337240: Sending request (249 bytes) to MRJESTER.NET (master)
[6177] 1456260270.338678: Resolving hostname dir1.mrjester.net.
[6177] 1456260270.339289: Sending initial UDP request to dgram 10.8.10.41:88
[6177] 1456260270.340389: Received answer (161 bytes) from dgram 10.8.10.41:88
[6177] 1456260270.340438: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while getting initial credentials

On Tue, Feb 23, 2016 at 3:42 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Feb 23, 2016 at 03:33:31PM -0500, Jester wrote:
>> Made no changes to the system between posting.  Only tried a couple of
>> kinits to generate some logs.
>>
>> Set sssd debug to 9, restarted, did a few kinits.
>
> kinit doesn't hit sssd, but goes directly to the KDC.
>
>>
>> root@nuc0:/var/log/sssd# service sssd start
>> root@nuc0:/var/log/sssd# kinit admin
>> Password for ad...@mrjester.net:
>> root@nuc0:/var/log/sssd# kinit jon
>> kinit: Client 'j...@mrjester.net' not found in Kerberos database while
>
> Again, if you're sure the principal 'jon' exists on the server, then I
> would suggest to try:
> KRB5_TRACE=/dev/stderr kinit jon
> and see if you talk to the KDC you expect.

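Reading a KRB5_TRACE by eye, the tell in the post above is that the same kinit gets "Password has expired" from dir0 (10.8.10.40) but "Client not found" from dir1 (10.8.10.41), which only a replica that never received the principal would say. The script below is an added example, not code from the thread, from MIT Kerberos or from FreeIPA: it re-joins the trace lines that mail clients wrap, attributes every "Received error from KDC" record to the KDC address the request was sent to, and reports principals about which the KDCs disagree. The embedded sample trace is constructed and abbreviated from the one above; the principal testuser@MRJESTER.NET is made up, while the dir0/dir1 names and 10.8.10.4x addresses are the ones in the thread.

```python
"""Attribute KRB5_TRACE KDC errors to the KDC that sent them.

Added example, not from the thread or from MIT Kerberos/FreeIPA: it reads
the output of `KRB5_TRACE=/dev/stderr kinit <user>`, notes which KDC each
request went to, and flags principals about which the KDCs disagree.
"""
import re
import sys
from collections import defaultdict

# A trace record starts with "[pid] seconds.usec: message"; a line that does
# not is a continuation (mail clients wrap long trace lines, as in the post).
_LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
_PRINCIPAL_RE = re.compile(r"^Getting initial credentials for (\S+)$")
_RESOLVE_RE = re.compile(r"^Resolving hostname (\S+?)\.?$")
_SEND_RE = re.compile(r"^Sending initial (?:UDP|TCP) request to (?:dgram|stream) (\S+)$")
_ERROR_RE = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")

# MIT krb5 error codes are -1765328384 + protocol code; PREAUTH_REQUIRED (+25)
# is a normal step of the exchange, not a verdict on the principal.
BENIGN_CODES = {-1765328359}


def unwrap_trace(text):
    """Re-join wrapped continuation lines onto the trace record they belong to."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _LINE_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def kdc_errors(text):
    """Return {(principal, kdc): [(code, message), ...]} in trace order.

    `kdc` is "hostname (ip:port)" when a Resolving line preceded the send.
    """
    principal = hostname = kdc = None
    result = defaultdict(list)
    for record in unwrap_trace(text):
        msg = _LINE_RE.match(record).group(3)
        if m := _PRINCIPAL_RE.match(msg):
            principal = m.group(1)
        elif m := _RESOLVE_RE.match(msg):
            hostname = m.group(1)
        elif m := _SEND_RE.match(msg):
            kdc = f"{hostname} ({m.group(1)})" if hostname else m.group(1)
        elif (m := _ERROR_RE.match(msg)) and principal and kdc:
            result[(principal, kdc)].append((int(m.group(1)), m.group(2)))
    return dict(result)


def disagreements(errors):
    """{principal: {kdc: sorted non-benign codes}} for principals that the
    KDCs answer differently about; seen from the client, that is what a
    replica missing the principal (or a password change) looks like."""
    by_principal = defaultdict(dict)
    for (principal, kdc), errs in errors.items():
        by_principal[principal][kdc] = sorted({code for code, _ in errs} - BENIGN_CODES)
    return {
        principal: kdcs
        for principal, kdcs in by_principal.items()
        if len({tuple(codes) for codes in kdcs.values()}) > 1
    }


# Constructed sample, abbreviated from the trace in the thread; the principal
# is made up, the KDC names and addresses are the ones in the thread.
SAMPLE_TRACE = """\
[6177] 1456260255.921053: Getting initial credentials for testuser@MRJESTER.NET
[6177] 1456260255.922335: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.923163: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260255.925452: Received error from KDC:
-1765328361/Password has expired
[6177] 1456260255.925531: Sending request (156 bytes) to MRJESTER.NET (master)
[6177] 1456260255.926385: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.926895: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260256.927330: Received error from KDC:
-1765328359/Additional pre-authentication required
[6177] 1456260270.337240: Sending request (249 bytes) to MRJESTER.NET (master)
[6177] 1456260270.338678: Resolving hostname dir1.mrjester.net.
[6177] 1456260270.339289: Sending initial UDP request to dgram 10.8.10.41:88
[6177] 1456260270.340438: Received error from KDC: -1765328378/Client
not found in Kerberos database
"""

if __name__ == "__main__":
    trace = SAMPLE_TRACE if sys.stdin.isatty() else sys.stdin.read()
    errors = kdc_errors(trace)
    for (principal, kdc), errs in errors.items():
        for code, message in errs:
            print(f"{principal} via {kdc}: {code} {message}")
    for principal, kdcs in disagreements(errors).items():
        print(f"KDCs disagree about {principal}: {kdcs} -- check replication")
```

Run it on a live trace with `KRB5_TRACE=/dev/stderr kinit jon 2>&1 | python3 kdc_trace.py`; with no input on stdin it runs over the constructed sample. The per-KDC grouping is what matters: a single kinit may hit several KDCs (the AS request, then the kadmin/changepw request, then the retried AS request above), so an error has to be tied to the address it came back from, not to the kinit invocation as a whole.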

[Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester
New IPA install of Fedora 23 with FreeIPA 4.2.3.  Client is Ubuntu
Desktop 15.10 (nuc) with IPA client 4.1.4.

ipa-client-install was successful.  Host object created, DNS updated, etc.

I am not able to log into the Ubuntu client with any user aside from
Admin.  I get inconsistent password prompting behavior.  It doesn't
always prompt.  Most of the time, it just gives the client not found
message.   kinit works with all users on the IPA server directly.

root@nuc0:/var/lib/sss# kinit admin
Password for ad...@mrjester.net:
root@nuc0:/var/lib/sss# kinit jon
kinit: Client 'j...@mrjester.net' not found in Kerberos database while
getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
Password for jon-t...@mrjester.net:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password change failed while getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
kinit: Client 'jon-t...@mrjester.net' not found in Kerberos database
while getting initial credentials
root@nuc0:/var/lib/sss#

I am able to do GSSAPI auth from the client.

/usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b
"dc=mrjester,dc=net" cn

Some messages I see that stand out as possibly related (SSSD debug
level 8):

[parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!


[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Decrypt integrity check failed], expired on [0]


[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dir0.mrjester.net' as 'not working'


[sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=*]
[sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing request domain from [mrjester.net] to [mrjester.net]
[sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
[sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=mrjester,dc=net]
[sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=mrjester,dc=net].
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):