Re: [Freeipa-users] Malformed representation of principal - krb5_child.log
On (28/04/17 16:21), Sullivan, Daniel [CRI] wrote:
>Jakub,
>
>Thank you for your email. We maintain our own repo that we populate from
>Copr; your question led me to realize that the repo was broken and this
>particular system was running an older version of sssd. I upgraded it to
>1.14.2-2.el6 and the problem was resolved. Thank you Sumit and Jakub for your
>help. Have a nice weekend.
>

Do you really maintain own copr? Or do you use
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

I am just curious :-)

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Malformed representation of principal - krb5_child.log
Jakub,

Thank you for your email. We maintain our own repo that we populate from Copr; your question led me to realize that the repo was broken and this particular system was running an older version of sssd. I upgraded it to 1.14.2-2.el6 and the problem was resolved. Thank you Sumit and Jakub for your help. Have a nice weekend.

Dan

> On Apr 28, 2017, at 10:34 AM, Jakub Hrozek wrote:
>
> On Fri, Apr 28, 2017 at 03:28:31PM +, Sullivan, Daniel [CRI] wrote:
>> Hi, Sumit,
>>
>> Thank you for taking the time to respond to me. I tried that; it did not
>> work. I am using sssd 1.14.0-3.el6. Any other support you (or anybody
>> else) could provide would be greatly appreciated.
>
> Do you remember where did you install this RPM from? I don't think we ever
> released 1.14 for el6 via RHEL.
>
> (yum info sssd would tell you I think)
Re: [Freeipa-users] Malformed representation of principal - krb5_child.log
On Fri, Apr 28, 2017 at 03:28:31PM +, Sullivan, Daniel [CRI] wrote:
> Hi, Sumit,
>
> Thank you for taking the time to respond to me. I tried that; it did not
> work. I am using sssd 1.14.0-3.el6. Any other support you (or anybody else)
> could provide would be greatly appreciated.

Do you remember where did you install this RPM from? I don't think we ever released 1.14 for el6 via RHEL.

(yum info sssd would tell you I think)
Re: [Freeipa-users] Malformed representation of principal - krb5_child.log
Hi, Sumit,

Thank you for taking the time to respond to me. I tried that; it did not work. I am using sssd 1.14.0-3.el6. Any other support you (or anybody else) could provide would be greatly appreciated.

Dan

> On Apr 28, 2017, at 10:13 AM, Sumit Bose wrote:
>
> On Fri, Apr 28, 2017 at 02:54:44PM +, Sullivan, Daniel [CRI] wrote:
>> HI,
>>
>> I haven’t posted in a while, I hope everybody is doing well. I have a
>> problem that I am having a difficult time diagnosing. To start, I want to
>> say that we have a pretty large IPA environment. It generally works good.
>> Most of our servers are of the same flavor RHEL6/7, and pull down their
>> sssd/IPA RPMs from a standard repo. We also deploy sssd/ipa-client from
>> SaltStack, so there’s not much variation on configuration. I have a client
>> that is being very finicky, I am getting a message that says "Malformed
>> representation of principal” in my krb5_child.log (when trying to log in).
>> I’m really kind of an ends with the right way to troubleshoot this further.
>> Here’s what I know;
>>
>> 1) I can kinit -k as root
>> 2) I can kinit user@domain, even for the user in the sssd logs
>> 3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common,
>> sssd, & ipa-client.
>>
>> My logs are below. Would somebody be able to perhaps provide input on the
>> best way to further troubleshoot this issue?
>>
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0400):
>> krb5_child started.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
>> (0x1000): total buffer size: [174]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
>> (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true]
>> enterprise principal [false] offline [false] UPN [user@domain@DOMAIN]
>
> There was an issue in an older version of SSSD which saved a wrong UPN
> in the cache. Please check if the latest version of SSSD for your
> platform installed, stop SSSD, remove the cache file in
> /var/lib/sss/db/, start SSSD and try again.
>
> If you do not want to remove the cache completely you can use e.g.
> ldbedit to delete the offending entry individually, search for
> user@domain@DOMAIN.
>
> HTH
>
> bye,
> Sumit
>
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
>> (0x2000): No old ccache
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
>> (0x0100): ccname: [FILE:/tmp/krb5cc_339788572_XX] old_ccname: [not set]
>> keytab: [/etc/krb5.keytab]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_precreate_ccache]
>> (0x4000): Recreating ccache
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup_fast]
>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn@DOMAIN]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722
>> [find_principal_in_keytab] (0x4000): Trying to find principal
>> host/server.fqdn@DOMAIN in keytab.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [match_principal]
>> (0x1000): Principal matched to the sample (host/server.fqdn@DOMAIN).
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [check_fast_ccache]
>> (0x0200): FAST TGT is still valid.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [become_user]
>> (0x0200): Trying to become user [339788572][339788572].
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x2000):
>> Running as [339788572][339788572].
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x2000):
>> Running as [339788572][339788572].
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x0020):
>> 2529: [-1765328250][Malformed representation of principal]
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020):
>> krb5_child_setup failed.
>> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020):
>> krb5_child failed!
>>
>> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler]
>> (0x0400): EOF received, client finished
>> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]]
>> [parse_krb5_child_response] (0x0020): message too short.
>> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done]
>> (0x0040): Could not parse child response [22]: Invalid argument
>> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue]
>> (0x1000): Wait queue for user [user@domain] is empty.
>> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done]
>> (0x0040): krb5_auth_recv failed with: 22
>> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]]
>> [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid
>> argument
>>
>> I appreciate your help with this.
>>
>> Thank you,
>>
>> Dan Sullivan
Re: [Freeipa-users] Malformed representation of principal - krb5_child.log
On Fri, Apr 28, 2017 at 02:54:44PM +, Sullivan, Daniel [CRI] wrote:
> HI,
>
> I haven’t posted in a while, I hope everybody is doing well. I have a
> problem that I am having a difficult time diagnosing. To start, I want to
> say that we have a pretty large IPA environment. It generally works good.
> Most of our servers are of the same flavor RHEL6/7, and pull down their
> sssd/IPA RPMs from a standard repo. We also deploy sssd/ipa-client from
> SaltStack, so there’s not much variation on configuration. I have a client
> that is being very finicky, I am getting a message that says "Malformed
> representation of principal” in my krb5_child.log (when trying to log in).
> I’m really kind of an ends with the right way to troubleshoot this further.
> Here’s what I know;
>
> 1) I can kinit -k as root
> 2) I can kinit user@domain, even for the user in the sssd logs
> 3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common,
> sssd, & ipa-client.
>
> My logs are below. Would somebody be able to perhaps provide input on the
> best way to further troubleshoot this issue?
>
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0400):
> krb5_child started.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
> (0x1000): total buffer size: [174]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
> (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true]
> enterprise principal [false] offline [false] UPN [user@domain@DOMAIN]

There was an issue in an older version of SSSD which saved a wrong UPN in the cache. Please check if the latest version of SSSD for your platform installed, stop SSSD, remove the cache file in /var/lib/sss/db/, start SSSD and try again.

If you do not want to remove the cache completely you can use e.g. ldbedit to delete the offending entry individually, search for user@domain@DOMAIN.

HTH

bye,
Sumit

> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
> (0x2000): No old ccache
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_339788572_XX] old_ccname: [not set]
> keytab: [/etc/krb5.keytab]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_precreate_ccache]
> (0x4000): Recreating ccache
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn@DOMAIN]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722
> [find_principal_in_keytab] (0x4000): Trying to find principal
> host/server.fqdn@DOMAIN in keytab.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [match_principal]
> (0x1000): Principal matched to the sample (host/server.fqdn@DOMAIN).
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [become_user] (0x0200):
> Trying to become user [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x2000):
> Running as [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x2000):
> Running as [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x0020):
> 2529: [-1765328250][Malformed representation of principal]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020):
> krb5_child_setup failed.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020):
> krb5_child failed!
>
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [parse_krb5_child_response]
> (0x0020): message too short.
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] (0x0040):
> Could not parse child response [22]: Invalid argument
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue]
> (0x1000): Wait queue for user [user@domain] is empty.
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done]
> (0x0040): krb5_auth_recv failed with: 22
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]]
> [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid
> argument
>
> I appreciate your help with this.
>
> Thank you,
>
> Dan Sullivan
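The doubled-realm UPN that the reply above points at can be found mechanically in krb5_child.log. The following is an added example, not part of the thread and not SSSD code: it pairs each `unpack_buffer` request line with a later "Malformed representation of principal" error. The function names and the rule of thumb (one unescaped `@` for a plain principal, one more when the enterprise flag is set) are assumptions of this sketch.

```python
import re

# The request line krb5_child logs from unpack_buffer. The process prefix is
# not matched because its brackets are damaged in the archived log.
REQUEST_RE = re.compile(
    r"\[unpack_buffer\].*?enterprise principal \[(true|false)\].*?UPN \[([^\]]*)\]"
)
ERROR_RE = re.compile(r"\[(-?\d+)\]\[Malformed representation of principal\]")


def unescaped_at_count(principal):
    """Count '@' characters that are not backslash-escaped."""
    count, i = 0, 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2  # skip the escaped character
            continue
        count += principal[i] == "@"
        i += 1
    return count


def scan(lines):
    """Return one finding per request whose UPN has too many '@' separators."""
    findings, pending = [], None
    for line in lines:
        req = REQUEST_RE.search(line)
        if req:
            enterprise, upn = req.group(1) == "true", req.group(2)
            # Assumption: one realm separator for a plain principal, one more
            # '@' tolerated inside the name when the enterprise flag is set.
            limit = 2 if enterprise else 1
            pending = None
            if unescaped_at_count(upn) > limit:
                pending = {"upn": upn, "enterprise": enterprise, "krb5_error": None}
                findings.append(pending)
        elif pending and (err := ERROR_RE.search(line)):
            pending["krb5_error"] = int(err.group(1))
    return findings


# Constructed sample lines in the format of the log quoted in this thread.
PREFIX = "(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 "
SAMPLE = [
    PREFIX + "[unpack_buffer] (0x0100): cmd [241] uid [339788572] gid [339788572] "
    "validate [true] enterprise principal [false] offline [false] UPN [user@domain@DOMAIN]",
    PREFIX + "[k5c_setup] (0x0020): 2529: [-1765328250][Malformed representation of principal]",
]
```

`scan(SAMPLE)` returns a single finding for `user@domain@DOMAIN` with the error code attached; a request carrying `user@DOMAIN` produces none.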
[Freeipa-users] Malformed representation of principal - krb5_child.log
HI,

I haven’t posted in a while, I hope everybody is doing well. I have a problem that I am having a difficult time diagnosing. To start, I want to say that we have a pretty large IPA environment. It generally works good. Most of our servers are of the same flavor RHEL6/7, and pull down their sssd/IPA RPMs from a standard repo. We also deploy sssd/ipa-client from SaltStack, so there’s not much variation on configuration. I have a client that is being very finicky, I am getting a message that says "Malformed representation of principal” in my krb5_child.log (when trying to log in). I’m really kind of an ends with the right way to troubleshoot this further. Here’s what I know;

1) I can kinit -k as root
2) I can kinit user@domain, even for the user in the sssd logs
3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common, sssd, & ipa-client.

My logs are below. Would somebody be able to perhaps provide input on the best way to further troubleshoot this issue?

(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0400): krb5_child started.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x1000): total buffer size: [174]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal [false] offline [false] UPN [user@domain@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x2000): No old ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_339788572_XX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_precreate_ccache] (0x4000): Recreating ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [find_principal_in_keytab] (0x4000): Trying to find principal host/server.fqdn@DOMAIN in keytab.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [match_principal] (0x1000): Principal matched to the sample (host/server.fqdn@DOMAIN).
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [become_user] (0x0200): Trying to become user [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x2000): Running as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x2000): Running as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [k5c_setup] (0x0020): 2529: [-1765328250][Malformed representation of principal]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): krb5_child_setup failed.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722 [main] (0x0020): krb5_child failed!

(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [parse_krb5_child_response] (0x0020): message too short.
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue] (0x1000): Wait queue for user [user@domain] is empty.
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done] (0x0040): krb5_auth_recv failed with: 22
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid argument

I appreciate your help with this.

Thank you,

Dan Sullivan