Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Lukas Slebodnik
On (28/04/17 16:21), Sullivan, Daniel [CRI] wrote:
>Jakub,
>
>Thank you for your email.  We maintain our own repo that we populate from 
>Copr; your question led me to realize that the repo was broken and this 
>particular system was running an older version of sssd.   I upgraded it to 
>1.14.2-2.el6 and the problem was resolved.  Thank you Sumit and Jakub for your 
>help.  Have a nice weekend.
>
Do you really maintain your own copr?
Or do you use https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

I am just curious :-)

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Sullivan, Daniel [CRI]
Jakub,

Thank you for your email.  We maintain our own repo that we populate from Copr; 
your question led me to realize that the repo was broken and this particular 
system was running an older version of sssd.   I upgraded it to 1.14.2-2.el6 
and the problem was resolved.  Thank you Sumit and Jakub for your help.  Have a 
nice weekend.

Dan

> On Apr 28, 2017, at 10:34 AM, Jakub Hrozek wrote:
> 
> On Fri, Apr 28, 2017 at 03:28:31PM +, Sullivan, Daniel [CRI] wrote:
>> Hi, Sumit,
>> 
>> Thank you for taking the time to respond to me.  I tried that; it did not 
>> work.  I am using sssd 1.14.0-3.el6.  Any other support you (or anybody 
>> else) could provide would be greatly appreciated.
> 
> Do you remember where you installed this RPM from? I don't think we ever
> released 1.14 for el6 via RHEL.
> 
> (yum info sssd would tell you I think)
> 




Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Jakub Hrozek
On Fri, Apr 28, 2017 at 03:28:31PM +, Sullivan, Daniel [CRI] wrote:
> Hi, Sumit,
> 
> Thank you for taking the time to respond to me.  I tried that; it did not 
> work.  I am using sssd 1.14.0-3.el6.  Any other support you (or anybody else) 
> could provide would be greatly appreciated.

Do you remember where you installed this RPM from? I don't think we ever
released 1.14 for el6 via RHEL.

(yum info sssd would tell you I think)



Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Sullivan, Daniel [CRI]
Hi, Sumit,

Thank you for taking the time to respond to me.  I tried that; it did not work. 
 I am using sssd 1.14.0-3.el6.  Any other support you (or anybody else) could 
provide would be greatly appreciated.

Dan

> On Apr 28, 2017, at 10:13 AM, Sumit Bose wrote:
> 
> On Fri, Apr 28, 2017 at 02:54:44PM +, Sullivan, Daniel [CRI] wrote:
>> Hi,
>> 
>> I haven’t posted in a while, I hope everybody is doing well.  I have a 
>> problem that I am having a difficult time diagnosing.  To start, I want to 
>> say that we have a pretty large IPA environment.  It generally works well.  
>> Most of our servers are of the same flavor RHEL6/7, and pull down their 
>> sssd/IPA RPMs from a standard repo.  We also deploy sssd/ipa-client from 
>> SaltStack, so there’s not much variation on configuration.  I have a client 
>> that is being very finicky, I am getting a message that says "Malformed 
>> representation of principal" in my krb5_child.log (when trying to log in).  
>> I’m really kind of an ends with the right way to troubleshoot this further.  
>> Here’s what I know;
>> 
>> 1) I can kinit -k as root
>> 2) I can kinit user@domain, even for the user in the sssd logs
>> 3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common, 
>> sssd, & ipa-client.
>> 
>> My logs are below.  Would somebody be able to perhaps provide input on the 
>> best way to further troubleshoot this issue?
>> 
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0400): 
>> krb5_child started.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
>> (0x1000): total buffer size: [174]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
>> (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true] 
>> enterprise principal [false] offline [false] UPN [user@domain@DOMAIN]
> 
> There was an issue in an older version of SSSD which saved a wrong UPN
> in the cache. Please check if the latest version of SSSD for your
> platform is installed, stop SSSD, remove the cache file in
> /var/lib/sss/db/, start SSSD and try again.
> 
> If you do not want to remove the cache completely you can use e.g.
> ldbedit to delete the offending entry individually, search for
> user@domain@DOMAIN.
> 
> HTH
> 
> bye,
> Sumit
> 
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
>> (0x2000): No old ccache
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
>> (0x0100): ccname: [FILE:/tmp/krb5cc_339788572_XX] old_ccname: [not set] 
>> keytab: [/etc/krb5.keytab]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_precreate_ccache] 
>> (0x4000): Recreating ccache
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup_fast] 
>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn@DOMAIN]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 
>> [find_principal_in_keytab] (0x4000): Trying to find principal 
>> host/server.fqdn@DOMAIN in keytab.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [match_principal] 
>> (0x1000): Principal matched to the sample (host/server.fqdn@DOMAIN).
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [check_fast_ccache] 
>> (0x0200): FAST TGT is still valid.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [become_user] 
>> (0x0200): Trying to become user [339788572][339788572].
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x2000): 
>> Running as [339788572][339788572].
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x2000): 
>> Running as [339788572][339788572].
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x0020): 
>> 2529: [-1765328250][Malformed representation of principal]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): 
>> krb5_child_setup failed.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): 
>> krb5_child failed!
>> 
>> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler] 
>> (0x0400): EOF received, client finished
>> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] 
>> [parse_krb5_child_response] (0x0020): message too short.
>> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] 
>> (0x0040): Could not parse child response [22]: Invalid argument
>> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue] 
>> (0x1000): Wait queue for user [user@domain] is empty.
>> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done] 
>> (0x0040): krb5_auth_recv failed with: 22
>> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] 
>> [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid 
>> argument
>> 
>> I appreciate your help with this.
>> 
>> Thank you,
>> 
>> Dan Sullivan
>> 
>> 

Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Sumit Bose
On Fri, Apr 28, 2017 at 02:54:44PM +, Sullivan, Daniel [CRI] wrote:
> Hi,
> 
> I haven’t posted in a while, I hope everybody is doing well.  I have a 
> problem that I am having a difficult time diagnosing.  To start, I want to 
> say that we have a pretty large IPA environment.  It generally works well.  
> Most of our servers are of the same flavor RHEL6/7, and pull down their 
> sssd/IPA RPMs from a standard repo.  We also deploy sssd/ipa-client from 
> SaltStack, so there’s not much variation on configuration.  I have a client 
> that is being very finicky, I am getting a message that says "Malformed 
> representation of principal" in my krb5_child.log (when trying to log in).  
> I’m really kind of an ends with the right way to troubleshoot this further.  
> Here’s what I know;
> 
> 1) I can kinit -k as root
> 2) I can kinit user@domain, even for the user in the sssd logs
> 3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common, 
> sssd, & ipa-client.
> 
> My logs are below.  Would somebody be able to perhaps provide input on the 
> best way to further troubleshoot this issue?
> 
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0400): 
> krb5_child started.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
> (0x1000): total buffer size: [174]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
> (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true] 
> enterprise principal [false] offline [false] UPN [user@domain@DOMAIN]

There was an issue in an older version of SSSD which saved a wrong UPN
in the cache. Please check if the latest version of SSSD for your
platform is installed, stop SSSD, remove the cache file in
/var/lib/sss/db/, start SSSD and try again.

If you do not want to remove the cache completely you can use e.g.
ldbedit to delete the offending entry individually, search for
user@domain@DOMAIN.

HTH

bye,
Sumit

> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
> (0x2000): No old ccache
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] 
> (0x0100): ccname: [FILE:/tmp/krb5cc_339788572_XX] old_ccname: [not set] 
> keytab: [/etc/krb5.keytab]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_precreate_ccache] 
> (0x4000): Recreating ccache
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup_fast] 
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn@DOMAIN]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 
> [find_principal_in_keytab] (0x4000): Trying to find principal 
> host/server.fqdn@DOMAIN in keytab.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [match_principal] 
> (0x1000): Principal matched to the sample (host/server.fqdn@DOMAIN).
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [check_fast_ccache] 
> (0x0200): FAST TGT is still valid.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [become_user] (0x0200): 
> Trying to become user [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x2000): 
> Running as [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x2000): 
> Running as [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x0020): 
> 2529: [-1765328250][Malformed representation of principal]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): 
> krb5_child_setup failed.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): 
> krb5_child failed!
> 
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler] 
> (0x0400): EOF received, client finished
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [parse_krb5_child_response] 
> (0x0020): message too short.
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] (0x0040): 
> Could not parse child response [22]: Invalid argument
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue] 
> (0x1000): Wait queue for user [user@domain] is empty.
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done] 
> (0x0040): krb5_auth_recv failed with: 22
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] 
> [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid 
> argument
> 
> I appreciate your help with this.
> 
> Thank you,
> 
> Dan Sullivan
> 
> 

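The condition diagnosed in the reply above (a UPN carrying two realm separators, user@domain@DOMAIN, while "enterprise principal" is false) can be searched for across a krb5_child.log. The Python below is an added example, not part of the original thread or of SSSD; the function names and the second and third sample log entries are constructed for illustration.

```python
import re

# Fields logged by krb5_child's unpack_buffer, as quoted in the thread.
# \s+ between tokens tolerates the line wrapping added by mail clients.
REQUEST = re.compile(
    r"\buid\s+\[(?P<uid>\d+)\].*?"
    r"enterprise\s+principal\s+\[(?P<ent>true|false)\]"
    r".*?UPN\s+\[(?P<upn>[^\]]*)\]",
    re.DOTALL,
)

# First entry is the line from the thread; the other two are constructed.
SAMPLE_LOG = """\
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x0100):
cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal
[false] offline [false] UPN [user@domain@DOMAIN]
(Thu Apr 27 20:18:02 2017) [[sssd[krb5_child[8730 [unpack_buffer] (0x0100): cmd [241] uid [1001] gid [1001] validate [true] enterprise principal [false] offline [false] UPN [alice@DOMAIN]
(Thu Apr 27 20:18:09 2017) [[sssd[krb5_child[8731 [unpack_buffer] (0x0100): cmd [241] uid [1002] gid [1002] validate [true] enterprise principal [true] offline [false] UPN [bob@domain@DOMAIN]
"""


def unescaped_at_count(principal):
    """Count '@' realm separators, skipping backslash-escaped characters."""
    count, i = 0, 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2  # skip the escaped character as well
            continue
        if principal[i] == "@":
            count += 1
        i += 1
    return count


def find_bad_upns(log_text):
    """Return (uid, upn) pairs whose UPN cannot be parsed as name@REALM."""
    bad = []
    for m in REQUEST.finditer(log_text):
        enterprise = m.group("ent") == "true"
        # Without the enterprise flag only one realm separator is allowed;
        # a second one is what fails with
        # "Malformed representation of principal" in the thread's log.
        if not enterprise and unescaped_at_count(m.group("upn")) > 1:
            bad.append((int(m.group("uid")), m.group("upn")))
    return bad


if __name__ == "__main__":
    for uid, upn in find_bad_upns(SAMPLE_LOG):
        print(f"uid {uid}: suspicious cached UPN {upn}")
```
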

[Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Sullivan, Daniel [CRI]
Hi,

I haven’t posted in a while, I hope everybody is doing well.  I have a problem 
that I am having a difficult time diagnosing.  To start, I want to say that we 
have a pretty large IPA environment.  It generally works well.  Most of our 
servers are of the same flavor RHEL6/7, and pull down their sssd/IPA RPMs from 
a standard repo.  We also deploy sssd/ipa-client from SaltStack, so there’s not 
much variation on configuration.  I have a client that is being very finicky, I 
am getting a message that says "Malformed representation of principal" in my 
krb5_child.log (when trying to log in).  I’m really kind of an ends with the 
right way to troubleshoot this further.  Here’s what I know;

1) I can kinit -k as root
2) I can kinit user@domain, even for the user in the sssd logs
3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common, 
sssd, & ipa-client.

My logs are below.  Would somebody be able to perhaps provide input on the best 
way to further troubleshoot this issue?

(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0400): 
krb5_child started.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x1000): 
total buffer size: [174]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x0100): 
cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal 
[false] offline [false] UPN [user@domain@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x2000): 
No old ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x0100): 
ccname: [FILE:/tmp/krb5cc_339788572_XX] old_ccname: [not set] keytab: 
[/etc/krb5.keytab]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_precreate_ccache] 
(0x4000): Recreating ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup_fast] 
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 
[find_principal_in_keytab] (0x4000): Trying to find principal 
host/server.fqdn@DOMAIN in keytab.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [match_principal] 
(0x1000): Principal matched to the sample (host/server.fqdn@DOMAIN).
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [check_fast_ccache] 
(0x0200): FAST TGT is still valid.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [become_user] (0x0200): 
Trying to become user [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x2000): Running 
as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x2000): 
Running as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x0020): 
2529: [-1765328250][Malformed representation of principal]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): 
krb5_child_setup failed.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): 
krb5_child failed!

(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler] (0x0400): 
EOF received, client finished
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [parse_krb5_child_response] 
(0x0020): message too short.
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] (0x0040): 
Could not parse child response [22]: Invalid argument
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue] (0x1000): 
Wait queue for user [user@domain] is empty.
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done] 
(0x0040): krb5_auth_recv failed with: 22
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] 
[ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid 
argument

I appreciate your help with this.

Thank you,

Dan Sullivan

