[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-08-10 Thread tizo via FreeIPA-users
This issue is solved in Samba 4.16.4. Thanks very much Sumit for your
work solving it with the Samba team!

On Tue, May 17, 2022 at 1:55 PM tizo  wrote:
>
> Is there anything else I can do to help with this issue? I am willing
> to create a whole new test environment from scratch if it is needed.
>
> Thanks very much.
>
> On Wed, May 11, 2022 at 5:04 PM tizo  wrote:
> >
> > On Tue, May 3, 2022 at 11:29 AM tizo  wrote:
> > >
> > > On Tue, May 3, 2022 at 9:18 AM tizo  wrote:
> > > >
> > > > On Tue, May 3, 2022 at 2:43 AM Sumit Bose  wrote:
> > > > >
> > > > > On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> > > > > > On Mon, May 2, 2022 at 2:36 PM Sumit Bose  wrote:
> > > > > > >
> > > > > > > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > > > > > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose  
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > thanks, at least I received your email. Can you run the 
> > > > > > > > > > > tests with
> > > > > > > > > > > "krb5_use_fast = never" and 
> > > > > > > > > > > "krb5_use_enterprise_principal = True" again
> > > > > > > > > > > but with 'debug_level = 9' in the [domain/...] section of 
> > > > > > > > > > > sssd.conf.
> > > > > > > > > > > This will add some additional information into 
> > > > > > > > > > > krb5_child.log which
> > > > > > > > > > > might help to understand why the client does not like the 
> > > > > > > > > > > reply from the
> > > > > > > > > > > DC.
> > > > > > > > > > >
> > > > > > > > > > > bye,
> > > > > > > > > > > Sumit
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I cleared all the logs and ran the tests again with those 
> > > > > > > > > > parameters.
> > > > > > > > > > I am sending the logs. Thanks!
> > > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > can you try if you can change the password with 'kpasswd
> > > > > > > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can 
> > > > > > > > > you take a
> > > > > > > > > network trace of this command with tcpdump and send it as 
> > > > > > > > > well?
> > > > > > > > >
> > > > > > > > > bye,
> > > > > > > > > Sumit
> > > > > > > > >
> > > > > > > >
> > > > > > > > It fails, and with kinit too:
> > > > > > > >
> > > > > > > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > > > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > > > > kinit: KDC reply did not match expectations while getting 
> > > > > > > > initial credentials
> > > > > > > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > > > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > > > > kpasswd: KDC reply did not match expectations getting initial 
> > > > > > > > ticket
> > > > > > > >
> > > > > > > > I am sending tcpdump captures while trying with kpasswd. There 
> > > > > > > > are
> > > > > > > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > > > > > > smbtest02.adtest.fnr.gub.uy), but I think that the first one 
> > > > > > > > replied
> > > > > > > > in this case.
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > can you send the output of
> > > > > > >
> > > > > > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > > > > > >
> > > > > > > as well and your /etc/krb5.conf?
> > > > >
> > > > > Hi,
> > > > >
> > > > > thanks. Can you try to remove the krb5-pkinit package and run
> > > > >
> > > > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > > > >
> > > > > again while collecting the network trace and the debug output?
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > >
> > > > If I try to remove it, it tries to remove 301 packages. A lot of them
> > > > are unused dependencies, but some ipa packages are dependent packages
> > > > (ipa-healthcheck, ipa-server, ipa-server-dns, ipa-server-trust-ad).
> > > > Here is the whole situation:
> > > >
> > > > [root@idmt01 ~]# dnf remove krb5-pkinit
> > > > Dependencies resolved.
> > > > 
> > > >  Package              Architecture  Version                                  Repository  Size
> > > >
> > > > Removing:
> > > >  krb5-pkinit          x86_64        1.18.2-14.el8                            @baseos     131 k
> > > > Removing dependent packages:
> > > >  ipa-healthcheck      noarch

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-17 Thread tizo via FreeIPA-users
Is there anything else I can do to help with this issue? I am willing
to create a whole new test environment from scratch if it is needed.

Thanks very much.

On Wed, May 11, 2022 at 5:04 PM tizo  wrote:
>
> On Tue, May 3, 2022 at 11:29 AM tizo  wrote:
> >
> > On Tue, May 3, 2022 at 9:18 AM tizo  wrote:
> > >
> > > On Tue, May 3, 2022 at 2:43 AM Sumit Bose  wrote:
> > > >
> > > > On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> > > > > On Mon, May 2, 2022 at 2:36 PM Sumit Bose  wrote:
> > > > > >
> > > > > > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > > > > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose  
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > thanks, at least I received your email. Can you run the 
> > > > > > > > > > tests with
> > > > > > > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal 
> > > > > > > > > > = True" again
> > > > > > > > > > but with 'debug_level = 9' in the [domain/...] section of 
> > > > > > > > > > sssd.conf.
> > > > > > > > > > This will add some additional information into 
> > > > > > > > > > krb5_child.log which
> > > > > > > > > > might help to understand why the client does not like the 
> > > > > > > > > > reply from the
> > > > > > > > > > DC.
> > > > > > > > > >
> > > > > > > > > > bye,
> > > > > > > > > > Sumit
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > I cleared all the logs and ran the tests again with those 
> > > > > > > > > parameters.
> > > > > > > > > I am sending the logs. Thanks!
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > can you try if you can change the password with 'kpasswd
> > > > > > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you 
> > > > > > > > take a
> > > > > > > > network trace of this command with tcpdump and send it as well?
> > > > > > > >
> > > > > > > > bye,
> > > > > > > > Sumit
> > > > > > > >
> > > > > > >
> > > > > > > It fails, and with kinit too:
> > > > > > >
> > > > > > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > > > kinit: KDC reply did not match expectations while getting initial 
> > > > > > > credentials
> > > > > > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > > > kpasswd: KDC reply did not match expectations getting initial 
> > > > > > > ticket
> > > > > > >
> > > > > > > I am sending tcpdump captures while trying with kpasswd. There are
> > > > > > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > > > > > smbtest02.adtest.fnr.gub.uy), but I think that the first one 
> > > > > > > replied
> > > > > > > in this case.
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > can you send the output of
> > > > > >
> > > > > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > > > > >
> > > > > > as well and your /etc/krb5.conf?
> > > >
> > > > Hi,
> > > >
> > > > thanks. Can you try to remove the krb5-pkinit package and run
> > > >
> > > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > > >
> > > > again while collecting the network trace and the debug output?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > >
> > > If I try to remove it, it tries to remove 301 packages. A lot of them
> > > are unused dependencies, but some ipa packages are dependent packages
> > > (ipa-healthcheck, ipa-server, ipa-server-dns, ipa-server-trust-ad).
> > > Here is the whole situation:
> > >
> > > [root@idmt01 ~]# dnf remove krb5-pkinit
> > > Dependencies resolved.
> > > 
> > >  Package              Architecture  Version                                  Repository  Size
> > >
> > > Removing:
> > >  krb5-pkinit          x86_64        1.18.2-14.el8                            @baseos     131 k
> > > Removing dependent packages:
> > >  ipa-healthcheck      noarch        0.7-6.module+el8.5.0+675+61f67439        @appstream  290 k
> > >  ipa-server           x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream  1.1 M
> > >  ipa-server-dns       noarch

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-11 Thread tizo via FreeIPA-users
On Tue, May 3, 2022 at 11:29 AM tizo  wrote:
>
> On Tue, May 3, 2022 at 9:18 AM tizo  wrote:
> >
> > On Tue, May 3, 2022 at 2:43 AM Sumit Bose  wrote:
> > >
> > > On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> > > > On Mon, May 2, 2022 at 2:36 PM Sumit Bose  wrote:
> > > > >
> > > > > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > > > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose  wrote:
> > > > > > >
> > > > > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > thanks, at least I received your email. Can you run the tests 
> > > > > > > > > with
> > > > > > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = 
> > > > > > > > > True" again
> > > > > > > > > but with 'debug_level = 9' in the [domain/...] section of 
> > > > > > > > > sssd.conf.
> > > > > > > > > This will add some additional information into krb5_child.log 
> > > > > > > > > which
> > > > > > > > > might help to understand why the client does not like the 
> > > > > > > > > reply from the
> > > > > > > > > DC.
> > > > > > > > >
> > > > > > > > > bye,
> > > > > > > > > Sumit
> > > > > > > > >
> > > > > > > >
> > > > > > > > I cleared all the logs and ran the tests again with those 
> > > > > > > > parameters.
> > > > > > > > I am sending the logs. Thanks!
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > can you try if you can change the password with 'kpasswd
> > > > > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you 
> > > > > > > take a
> > > > > > > network trace of this command with tcpdump and send it as well?
> > > > > > >
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > >
> > > > > >
> > > > > > It fails, and with kinit too:
> > > > > >
> > > > > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > > kinit: KDC reply did not match expectations while getting initial 
> > > > > > credentials
> > > > > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > > kpasswd: KDC reply did not match expectations getting initial ticket
> > > > > >
> > > > > > I am sending tcpdump captures while trying with kpasswd. There are
> > > > > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > > > > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > > > > > in this case.
> > > > >
> > > > > Hi,
> > > > >
> > > > > can you send the output of
> > > > >
> > > > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > > > >
> > > > > as well and your /etc/krb5.conf?
> > >
> > > Hi,
> > >
> > > thanks. Can you try to remove the krb5-pkinit package and run
> > >
> > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > >
> > > again while collecting the network trace and the debug output?
> > >
> > > bye,
> > > Sumit
> > >
> >
> > If I try to remove it, it tries to remove 301 packages. A lot of them
> > are unused dependencies, but some ipa packages are dependent packages
> > (ipa-healthcheck, ipa-server, ipa-server-dns, ipa-server-trust-ad).
> > Here is the whole situation:
> >
> > [root@idmt01 ~]# dnf remove krb5-pkinit
> > Dependencies resolved.
> > 
> >  Package              Architecture  Version                                  Repository  Size
> >
> > Removing:
> >  krb5-pkinit          x86_64        1.18.2-14.el8                            @baseos     131 k
> > Removing dependent packages:
> >  ipa-healthcheck      noarch        0.7-6.module+el8.5.0+675+61f67439        @appstream  290 k
> >  ipa-server           x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream  1.1 M
> >  ipa-server-dns       noarch        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream   91 k
> >  ipa-server-trust-ad  x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream  340 k
> > Removing unused dependencies:
> >  389-ds-base          x86_64        1.4.3.23-14.module+el8.5.0+745+c5be68

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-03 Thread tizo via FreeIPA-users
On Tue, May 3, 2022 at 9:18 AM tizo  wrote:
>
> On Tue, May 3, 2022 at 2:43 AM Sumit Bose  wrote:
> >
> > On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> > > On Mon, May 2, 2022 at 2:36 PM Sumit Bose  wrote:
> > > >
> > > > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose  wrote:
> > > > > >
> > > > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > thanks, at least I received your email. Can you run the tests 
> > > > > > > > with
> > > > > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = 
> > > > > > > > True" again
> > > > > > > > but with 'debug_level = 9' in the [domain/...] section of 
> > > > > > > > sssd.conf.
> > > > > > > > This will add some additional information into krb5_child.log 
> > > > > > > > which
> > > > > > > > might help to understand why the client does not like the reply 
> > > > > > > > from the
> > > > > > > > DC.
> > > > > > > >
> > > > > > > > bye,
> > > > > > > > Sumit
> > > > > > > >
> > > > > > >
> > > > > > > I cleared all the logs and ran the tests again with those 
> > > > > > > parameters.
> > > > > > > I am sending the logs. Thanks!
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > can you try if you can change the password with 'kpasswd
> > > > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take 
> > > > > > a
> > > > > > network trace of this command with tcpdump and send it as well?
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > >
> > > > > It fails, and with kinit too:
> > > > >
> > > > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > kinit: KDC reply did not match expectations while getting initial 
> > > > > credentials
> > > > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > > > Password for u...@adtest.fnr.gub.uy:
> > > > > kpasswd: KDC reply did not match expectations getting initial ticket
> > > > >
> > > > > I am sending tcpdump captures while trying with kpasswd. There are
> > > > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > > > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > > > > in this case.
> > > >
> > > > Hi,
> > > >
> > > > can you send the output of
> > > >
> > > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > > >
> > > > as well and your /etc/krb5.conf?
> >
> > Hi,
> >
> > thanks. Can you try to remove the krb5-pkinit package and run
> >
> > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> >
> > again while collecting the network trace and the debug output?
> >
> > bye,
> > Sumit
> >
>
> If I try to remove it, it tries to remove 301 packages. A lot of them
> are unused dependencies, but some ipa packages are dependent packages
> (ipa-healthcheck, ipa-server, ipa-server-dns, ipa-server-trust-ad).
> Here is the whole situation:
>
> [root@idmt01 ~]# dnf remove krb5-pkinit
> Dependencies resolved.
> 
>  Package              Architecture  Version                                  Repository  Size
>
> Removing:
>  krb5-pkinit          x86_64        1.18.2-14.el8                            @baseos     131 k
> Removing dependent packages:
>  ipa-healthcheck      noarch        0.7-6.module+el8.5.0+675+61f67439        @appstream  290 k
>  ipa-server           x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream  1.1 M
>  ipa-server-dns       noarch        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream   91 k
>  ipa-server-trust-ad  x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream  340 k
> Removing unused dependencies:
>  389-ds-base          x86_64        1.4.3.23-14.module+el8.5.0+745+c5be6847  @appstream  9.2 M
>  389-ds-base-libs     x86_64        1.4.3.23-14.module+el8.5.0+745+c5be6847  @appstream  4.3 M
>  ant

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-03 Thread tizo via FreeIPA-users
On Tue, May 3, 2022 at 2:43 AM Sumit Bose  wrote:
>
> On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> > On Mon, May 2, 2022 at 2:36 PM Sumit Bose  wrote:
> > >
> > > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose  wrote:
> > > > >
> > > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > thanks, at least I received your email. Can you run the tests with
> > > > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = 
> > > > > > > True" again
> > > > > > > but with 'debug_level = 9' in the [domain/...] section of 
> > > > > > > sssd.conf.
> > > > > > > This will add some additional information into krb5_child.log 
> > > > > > > which
> > > > > > > might help to understand why the client does not like the reply 
> > > > > > > from the
> > > > > > > DC.
> > > > > > >
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > >
> > > > > >
> > > > > > I cleared all the logs and ran the tests again with those 
> > > > > > parameters.
> > > > > > I am sending the logs. Thanks!
> > > > >
> > > > > Hi,
> > > > >
> > > > > can you try if you can change the password with 'kpasswd
> > > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> > > > > network trace of this command with tcpdump and send it as well?
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > >
> > > > It fails, and with kinit too:
> > > >
> > > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > > Password for u...@adtest.fnr.gub.uy:
> > > > kinit: KDC reply did not match expectations while getting initial 
> > > > credentials
> > > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > > Password for u...@adtest.fnr.gub.uy:
> > > > kpasswd: KDC reply did not match expectations getting initial ticket
> > > >
> > > > I am sending tcpdump captures while trying with kpasswd. There are
> > > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > > > in this case.
> > >
> > > Hi,
> > >
> > > can you send the output of
> > >
> > > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> > >
> > > as well and your /etc/krb5.conf?
>
> Hi,
>
> thanks. Can you try to remove the krb5-pkinit package and run
>
> KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
>
> again while collecting the network trace and the debug output?
>
> bye,
> Sumit
>

If I try to remove it, it tries to remove 301 packages. A lot of them
are unused dependencies, but some ipa packages are dependent packages
(ipa-healthcheck, ipa-server, ipa-server-dns, ipa-server-trust-ad).
Here is the whole situation:

[root@idmt01 ~]# dnf remove krb5-pkinit
Dependencies resolved.

 Package              Architecture  Version                                  Repository  Size

Removing:
 krb5-pkinit          x86_64        1.18.2-14.el8                            @baseos     131 k
Removing dependent packages:
 ipa-healthcheck      noarch        0.7-6.module+el8.5.0+675+61f67439        @appstream  290 k
 ipa-server           x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream  1.1 M
 ipa-server-dns       noarch        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream   91 k
 ipa-server-trust-ad  x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6     @appstream  340 k
Removing unused dependencies:
 389-ds-base          x86_64        1.4.3.23-14.module+el8.5.0+745+c5be6847  @appstream  9.2 M
 389-ds-base-libs     x86_64        1.4.3.23-14.module+el8.5.0+745+c5be6847  @appstream  4.3 M
 ant                  noarch        1.10.5-1.module+el8.3.0+255+2b2dd360     @appstream  451 k
 ant-lib              noarch        1.10.5-1.module+el8.3.0+255+2b2dd360

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread Sumit Bose via FreeIPA-users
On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> On Mon, May 2, 2022 at 2:36 PM Sumit Bose  wrote:
> >
> > On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose  wrote:
> > > >
> > > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > > Hi,
> > > > > >
> > > > > > thanks, at least I received your email. Can you run the tests with
> > > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" 
> > > > > > again
> > > > > > but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> > > > > > This will add some additional information into krb5_child.log which
> > > > > > might help to understand why the client does not like the reply 
> > > > > > from the
> > > > > > DC.
> > > > > >
> > > > > > bye,
> > > > > > Sumit
> > > > > >
> > > > >
> > > > > I cleared all the logs and ran the tests again with those parameters.
> > > > > I am sending the logs. Thanks!
> > > >
> > > > Hi,
> > > >
> > > > can you try if you can change the password with 'kpasswd
> > > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> > > > network trace of this command with tcpdump and send it as well?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > >
> > > It fails, and with kinit too:
> > >
> > > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > > Password for u...@adtest.fnr.gub.uy:
> > > kinit: KDC reply did not match expectations while getting initial 
> > > credentials
> > > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > > Password for u...@adtest.fnr.gub.uy:
> > > kpasswd: KDC reply did not match expectations getting initial ticket
> > >
> > > I am sending tcpdump captures while trying with kpasswd. There are
> > > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > > in this case.
> >
> > Hi,
> >
> > can you send the output of
> >
> > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> >
> > as well and your /etc/krb5.conf?

Hi,

thanks. Can you try to remove the krb5-pkinit package and run

KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy

again while collecting the network trace and the debug output?

bye,
Sumit

> >
> > bye,
> > Sumit
> >
> >
> 
> Output:
> 
> [root@idmt01 tmp]# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> [4732] 1651514884.487540: Getting initial credentials for 
> u...@adtest.fnr.gub.uy
> [4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
> [4732] 1651514884.487543: Sending unauthenticated request
> [4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
> [4732] 1651514884.487545: Initiating TCP connection to stream 10.2.100.3:88
> [4732] 1651514884.487546: Sending TCP request to stream 10.2.100.3:88
> [4732] 1651514884.487547: Received answer (314 bytes) from stream 
> 10.2.100.3:88
> [4732] 1651514884.487548: Terminating TCP connection to stream 10.2.100.3:88
> [4732] 1651514884.487549: Response was from master KDC
> [4732] 1651514884.487550: Received error from KDC:
> -1765328359/Additional pre-authentication required
> [4732] 1651514884.487553: Preauthenticating using KDC method data
> [4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16),
> PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2),
> PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
> [4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt
> "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
> [4732] 1651514884.487556: PKINIT client has no configured identity; giving up
> [4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 
> 0/Success
> [4732] 1651514884.487558: PKINIT client has no configured identity; giving up
> [4732] 1651514884.487559: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> Password for u...@adtest.fnr.gub.uy:
> [4732] 1651514896.851314: AS key obtained for encrypted timestamp:
> aes256-cts/75AC
> [4732] 1651514896.851316: Encrypted timestamp (for 1651514896.949521):
> plain 301AA011180F32303232303530323138303831365AA10502030E7D11,
> encrypted 
> C418DCD1573DF5E07F0578A78FCB73D9A41DB9DF39398EE86AEA12F587FCED5A3D008FF9FB8565A73C29D1AEA9EB089C576D532C11F7BFD4
> [4732] 1651514896.851317: Preauth module encrypted_timestamp (2)
> (real) returned: 0/Success
> [4732] 1651514896.851318: Produced preauth for next request:
> PA-ENC-TIMESTAMP (2)
> [4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
> [4732] 1651514896.851320: Initiating TCP connection to stream 10.2.100.3:88
> [4732] 1651514896.851321: Sending TCP request to stream 10.2.100.3:88
> [4732] 1651514896.851322: Received answer (1460 bytes) from stream 
> 10.2.100.3:88
> [4732] 1651514896.851323: Terminating TCP connection to stream 10.2.100.3:88
> [4732] 1651514896.851324: Response was from master KDC
> [4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
> [4732] 1651514896.

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread tizo via FreeIPA-users
On Mon, May 2, 2022 at 2:36 PM Sumit Bose  wrote:
>
> On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > On Mon, May 2, 2022 at 11:56 AM Sumit Bose  wrote:
> > >
> > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > Hi,
> > > > >
> > > > > thanks, at least I received your email. Can you run the tests with
> > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" 
> > > > > again
> > > > > but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> > > > > This will add some additional information into krb5_child.log which
> > > > > might help to understand why the client does not like the reply from 
> > > > > the
> > > > > DC.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > >
> > > > I cleared all the logs and ran the tests again with those parameters.
> > > > I am sending the logs. Thanks!
> > >
> > > Hi,
> > >
> > > can you try if you can change the password with 'kpasswd
> > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> > > network trace of this command with tcpdump and send it as well?
> > >
> > > bye,
> > > Sumit
> > >
> >
> > It fails, and with kinit too:
> >
> > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > Password for u...@adtest.fnr.gub.uy:
> > kinit: KDC reply did not match expectations while getting initial 
> > credentials
> > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > Password for u...@adtest.fnr.gub.uy:
> > kpasswd: KDC reply did not match expectations getting initial ticket
> >
> > I am sending tcpdump captures while trying with kpasswd. There are
> > two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > in this case.
>
> Hi,
>
> can you send the output of
>
> KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
>
> as well and your /etc/krb5.conf?
>
> bye,
> Sumit
>
>

Output:

[root@idmt01 tmp]# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
[4732] 1651514884.487540: Getting initial credentials for u...@adtest.fnr.gub.uy
[4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
[4732] 1651514884.487543: Sending unauthenticated request
[4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514884.487545: Initiating TCP connection to stream 10.2.100.3:88
[4732] 1651514884.487546: Sending TCP request to stream 10.2.100.3:88
[4732] 1651514884.487547: Received answer (314 bytes) from stream 10.2.100.3:88
[4732] 1651514884.487548: Terminating TCP connection to stream 10.2.100.3:88
[4732] 1651514884.487549: Response was from master KDC
[4732] 1651514884.487550: Received error from KDC:
-1765328359/Additional pre-authentication required
[4732] 1651514884.487553: Preauthenticating using KDC method data
[4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2),
PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt
"ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
[4732] 1651514884.487556: PKINIT client has no configured identity; giving up
[4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
[4732] 1651514884.487558: PKINIT client has no configured identity; giving up
[4732] 1651514884.487559: Preauth module pkinit (16) (real) returned:
22/Invalid argument
Password for u...@adtest.fnr.gub.uy:
[4732] 1651514896.851314: AS key obtained for encrypted timestamp:
aes256-cts/75AC
[4732] 1651514896.851316: Encrypted timestamp (for 1651514896.949521):
plain 301AA011180F32303232303530323138303831365AA10502030E7D11,
encrypted 
C418DCD1573DF5E07F0578A78FCB73D9A41DB9DF39398EE86AEA12F587FCED5A3D008FF9FB8565A73C29D1AEA9EB089C576D532C11F7BFD4
[4732] 1651514896.851317: Preauth module encrypted_timestamp (2)
(real) returned: 0/Success
[4732] 1651514896.851318: Produced preauth for next request:
PA-ENC-TIMESTAMP (2)
[4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514896.851320: Initiating TCP connection to stream 10.2.100.3:88
[4732] 1651514896.851321: Sending TCP request to stream 10.2.100.3:88
[4732] 1651514896.851322: Received answer (1460 bytes) from stream 10.2.100.3:88
[4732] 1651514896.851323: Terminating TCP connection to stream 10.2.100.3:88
[4732] 1651514896.851324: Response was from master KDC
[4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
[4732] 1651514896.851326: Selected etype info: etype aes256-cts, salt
"ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
[4732] 1651514896.851327: Produced preauth for next request: (empty)
[4732] 1651514896.851328: AS key determined by preauth: aes256-cts/75AC
[4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
[4732] 1651514896.851330: FAST negotiation: available
kpasswd: KDC reply did not match expectations getting initial ticket

I am sending /etc/krb5.conf and
/var/
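The KRB5_TRACE output in this message carries the whole failure in one place, so here is an added example (my code, not from the thread, SSSD or MIT krb5): a Python helper that re-joins the mail-wrapped trace lines and summarises the AS exchange, showing that the DC offered PKINIT but the client had no certificate identity, that the AS-REP was then decrypted with the password-derived key (so the password itself was accepted), and that the final "KDC reply did not match expectations" is the MIT krb5 text for KRB5_KDCREP_MODIFIED, a post-decryption consistency check on the reply rather than a wrong-password error. The sample input is the trace excerpt quoted above, embedded inline; the finding strings are my reading of those lines.

```python
import re

# Trace excerpt as quoted in the thread (client side), kept with the line
# wrapping the mail client introduced so that re-joining is exercised.
SAMPLE_TRACE = """\
[4732] 1651514884.487540: Getting initial credentials for u...@adtest.fnr.gub.uy
[4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
[4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514884.487547: Received answer (314 bytes) from stream 10.2.100.3:88
[4732] 1651514884.487550: Received error from KDC:
-1765328359/Additional pre-authentication required
[4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2),
PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt
"ADTEST.FNR.GUB.UYusu1", params "\\x00\\x00\\x10\\x00"
[4732] 1651514884.487556: PKINIT client has no configured identity; giving up
[4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
[4732] 1651514884.487559: Preauth module pkinit (16) (real) returned:
22/Invalid argument
Password for u...@adtest.fnr.gub.uy:
[4732] 1651514896.851317: Preauth module encrypted_timestamp (2)
(real) returned: 0/Success
[4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514896.851322: Received answer (1460 bytes) from stream 10.2.100.3:88
[4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
[4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
[4732] 1651514896.851330: FAST negotiation: available
kpasswd: KDC reply did not match expectations getting initial ticket
"""

KDC_ERR_PREAUTH_REQUIRED = -1765328359   # the code shown in the trace above

EVENT_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
# Lines printed by kinit/kpasswd themselves (prompt, final error), not trace events.
TOOL_RE = re.compile(r"^(?:[a-z0-9_-]+: |Password for )")


def join_events(text):
    """Return [(timestamp_or_None, message)], re-joining wrapped continuation lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append([m.group(2), m.group(3)])
        elif TOOL_RE.match(line):
            events.append([None, line.rstrip()])
        elif events:                     # wrapped tail of the previous event
            events[-1][1] += " " + line.strip()
    return [tuple(e) for e in events]


def summarize(text):
    """Extract the AS exchange: round trips, KDC errors, preauth offered/used, outcome."""
    s = {"client": None, "service": None, "round_trips": [], "kdc_errors": [],
         "preauth_offered": [], "etype": None, "salt": None, "preauth_modules": [],
         "as_reply_decrypted": False, "fast_available": False, "final_error": None}
    for ts, msg in join_events(text):
        if ts is None:
            if "KDC reply did not match expectations" in msg:
                s["final_error"] = "KRB5_KDCREP_MODIFIED"   # MIT krb5 text for this code
            continue
        if m := re.match(r"Getting initial credentials for (\S+)", msg):
            s["client"] = m.group(1)
        elif m := re.match(r"Setting initial creds service to (\S+)", msg):
            s["service"] = m.group(1)
        elif m := re.match(r"Sending request \((\d+) bytes\) to (\S+)", msg):
            s["round_trips"].append([int(m.group(1)), None, m.group(2)])
        elif m := re.match(r"Received answer \((\d+) bytes\)", msg):
            if s["round_trips"]:
                s["round_trips"][-1][1] = int(m.group(1))
        elif m := re.match(r"Received error from KDC: (-?\d+)/(.*)", msg):
            s["kdc_errors"].append((int(m.group(1)), m.group(2)))
        elif m := re.match(r"Processing preauth types: (.*)", msg):
            s["preauth_offered"].append([t.split(" (")[0] for t in m.group(1).split(", ")])
        elif m := re.match(r'Selected etype info: etype (\S+), salt "([^"]*)"', msg):
            s["etype"], s["salt"] = m.group(1), m.group(2)
        elif m := re.match(r"Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)", msg):
            s["preauth_modules"].append(
                (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
        elif msg.startswith("Decrypted AS reply"):
            s["as_reply_decrypted"] = True
        elif msg.startswith("FAST negotiation: available"):
            s["fast_available"] = True
    return s


def diagnose(s):
    """Findings a defender can act on, derived only from the summary."""
    findings = []
    offered = s["preauth_offered"][0] if s["preauth_offered"] else []
    if "PA-PK-AS-REQ" in offered and any(
            m[0] == "pkinit" and m[3] != 0 for m in s["preauth_modules"]):
        findings.append("PKINIT-SKIPPED: DC offered PKINIT, client has no certificate "
                        "identity, so krb5 fell through to password-based preauth")
    if s["as_reply_decrypted"] and s["final_error"] == "KRB5_KDCREP_MODIFIED":
        findings.append("REPLY-MISMATCH: AS-REP decrypted with the password-derived key "
                        "(password accepted); a reply field such as the client or "
                        "server name, nonce or times disagreed with the request")
    last = s["kdc_errors"][-1] if s["kdc_errors"] else None
    if last and last[0] != KDC_ERR_PREAUTH_REQUIRED:
        findings.append("KDC-ERROR: %d/%s" % last)
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE)
    print("client %s -> %s, %d round trips" % (summary["client"], summary["service"],
                                               len(summary["round_trips"])))
    for line in diagnose(summary):
        print(line)
```

Feed it a full `KRB5_TRACE=/dev/stdout kinit ...` capture and the findings tell you whether the failure happened before the AS-REP was decrypted (wrong key, KDC error) or after (reply consistency), which is the distinction Sumit was chasing in this thread.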

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread Sumit Bose via FreeIPA-users
On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> On Mon, May 2, 2022 at 11:56 AM Sumit Bose  wrote:
> >
> > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > Hi,
> > > >
> > > > thanks, at least I received your email. Can you run the tests with
> > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
> > > > but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> > > > This will add some additional information into krb5_child.log which
> > > > might help to understand why the client does not like the reply from the
> > > > DC.
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > >
> > > I cleared all the logs and ran the tests again with those parameters.
> > > I am sending the logs. Thanks!
> >
> > Hi,
> >
> > can you try if you can change the password with 'kpasswd
> > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> > network trace of this command with tcpdump and send it as well?
> >
> > bye,
> > Sumit
> >
> 
> It fails, and with kinit too:
> 
> [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> Password for u...@adtest.fnr.gub.uy:
> kinit: KDC reply did not match expectations while getting initial credentials
> [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> Password for u...@adtest.fnr.gub.uy:
> kpasswd: KDC reply did not match expectations getting initial ticket
> 
> I am sending tcpdump captures while trying with kpasswd. There are
> two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
> smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> in this case.

Hi,

can you send the output of

KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy

as well and your /etc/krb5.conf?

bye,
Sumit

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread tizo via FreeIPA-users
On Mon, May 2, 2022 at 11:56 AM Sumit Bose  wrote:
>
> Am Mon, May 02, 2022 at 11:39:40AM -0300 schrieb tizo:
> > > Hi,
> > >
> > > thanks, at least I received your email. Can you run the tests with
> > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
> > > but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> > > This will add some additional information into krb5_child.log which
> > > might help to understand why the client does not like the reply from the
> > > DC.
> > >
> > > bye,
> > > Sumit
> > >
> >
> > I cleared all the logs and ran the tests again with those parameters.
> > I am sending the logs. Thanks!
>
> Hi,
>
> can you try if you can change the password with 'kpasswd
> u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> network trace of this command with tcpdump and send it as well?
>
> bye,
> Sumit
>

It fails, and with kinit too:

[root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
Password for u...@adtest.fnr.gub.uy:
kinit: KDC reply did not match expectations while getting initial credentials
[root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
Password for u...@adtest.fnr.gub.uy:
kpasswd: KDC reply did not match expectations getting initial ticket

I am sending tcpdump captures while trying with kpasswd. There are
two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and
smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
in this case.


tcpdump_capture_smbtest02
Description: Binary data


tcpdump_capture_smbtest
Description: Binary data


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread Sumit Bose via FreeIPA-users
Am Mon, May 02, 2022 at 11:39:40AM -0300 schrieb tizo:
> > Hi,
> >
> > thanks, at least I received your email. Can you run the tests with
> > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
> > but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> > This will add some additional information into krb5_child.log which
> > might help to understand why the client does not like the reply from the
> > DC.
> >
> > bye,
> > Sumit
> >
> 
> I cleared all the logs and ran the tests again with those parameters.
> I am sending the logs. Thanks!

Hi,

can you try if you can change the password with 'kpasswd
u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
network trace of this command with tcpdump and send it as well?

bye,
Sumit


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread tizo via FreeIPA-users
> Hi,
>
> thanks, at least I received your email. Can you run the tests with
> "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
> but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> This will add some additional information into krb5_child.log which
> might help to understand why the client does not like the reply from the
> DC.
>
> bye,
> Sumit
>

I cleared all the logs and ran the tests again with those parameters.
I am sending the logs. Thanks!


logs.tar.gz
Description: application/gzip


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread Rob Crittenden via FreeIPA-users
tizo via FreeIPA-users wrote:
>>
>> Hi,
>>
>> can you try if adding
>>
>> krb5_use_enterprise_principal = True
>>
>> helps? If not, please send full SSSD logs (everything in /var/log/sssd)
>> next time.
>>
>> bye,
>> Sumit
>>
> 
> Hi and thanks Sumit. I have just realized that the response that I
> sent on Friday with all the logs and different tests, was rejected by
> the moderator with "No reason given".
> 
> Should I send the files in a tar.gz maybe? Or directly to your email?

Unfortunately the mailing list software doesn't allow for a reason when
rejecting mail. The e-mail was 6 MB and the max size allowed without
moderation is 256 KB. I generally let things through slightly bigger but
this was too large.

rob


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread Sumit Bose via FreeIPA-users
Am Mon, May 02, 2022 at 09:31:37AM -0300 schrieb tizo:
> >
> > Hi,
> >
> > can you try if adding
> >
> > krb5_use_enterprise_principal = True
> >
> > helps? If not, please send full SSSD logs (everything in /var/log/sssd)
> > next time.
> >
> > bye,
> > Sumit
> >
> 
> Hi and thanks Sumit. I have just realized that the response that I
> sent on Friday with all the logs and different tests, was rejected by
> the moderator with "No reason given".
> 
> Should I send the files in a tar.gz maybe? Or directly to your email?
> 

Hi,

thanks, at least I received your email. Can you run the tests with
"krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
This will add some additional information into krb5_child.log which
might help to understand why the client does not like the reply from the
DC.

bye,
Sumit


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-05-02 Thread tizo via FreeIPA-users
>
> Hi,
>
> can you try if adding
>
> krb5_use_enterprise_principal = True
>
> helps? If not, please send full SSSD logs (everything in /var/log/sssd)
> next time.
>
> bye,
> Sumit
>

Hi and thanks Sumit. I have just realized that the response that I
sent on Friday with all the logs and different tests, was rejected by
the moderator with "No reason given".

Should I send the files in a tar.gz maybe? Or directly to your email?


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-28 Thread Sumit Bose via FreeIPA-users
Am Mon, Apr 25, 2022 at 01:23:05PM -0300 schrieb tizo via FreeIPA-users:
> On Mon, Apr 25, 2022 at 12:23 PM tizo  wrote:
> >
> > > Hi,
> > >
> > > thanks for the logs. The issue does not happen during Kerberos ticket
> > > validation, as I thought but while trying to establish the FAST tunnel.
> > >
> > > There should be two ways to solve this. The first is setting
> > >
> > > krb5_use_fast = never
> > >
> > > in the [domain/...] section of sssd.conf on every IPA client. The second
> > > is to reestablish the trust as two-way trust with the '--two-way=True'
> > > option of 'ipa trust-add'. I would recommend the latter.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> >
> > Hi Sumit,
> >
> > I'm taking Mateo's place here because he's busy with other things.
> > Sorry for the delay.
> >
> > We tried two-way trust on a brand new IdM server for a new IdM domain
> > (since the old server was giving others errors - we probably messed it
> > up at some point), and we're back to square one: AD users without
> > expiring password can login on the new IdM server with ssh, and for
> > those with expired passwords journalctl gives:
> >
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply did not match expectations
> >
> > I really don't know if behind the scenes it's exactly the same problem
> > as the first time, but it shouldn't since we updated the Samba servers
> > to version 4.16.0 which has FAST support (as was noted in the Samba
> > users list). I'm wondering at the moment if the samba-client package
> > on the IdM server, that is version 4.14.5, could affect it or if it
> > doesn't matter.
> >
> > How do you think I can continue from here?
> >
> > Thank you very much,
> >
> > tizo
> 
> Just for the records, If I add krb5_use_fast = never in the
> [domain/...] section of sssd.conf, I get the same in journalctl, but
> something different in krb5_child.log:
> 
> (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020):
> 1724: [-1765328361][Password has expired]
> ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> BACKTRACE:
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400):
> krb5_child started.
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x1000): total buffer size: [115]
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true]
> enterprise principal [false] offline [false] UPN
> [u...@adtest.fnr.gub.uy]

Hi,

can you try if adding

krb5_use_enterprise_principal = True

helps? If not, please send full SSSD logs (everything in /var/log/sssd)
next time.

bye,
Sumit

>*  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x2000): No old ccache
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
> (0x0100): ccname: [KCM:] old_ccname: [not set] keytab:
> [/etc/krb5.keytab]
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast]
> (0x0100): Not using FAST.
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [k5c_precreate_ccache]
> (0x4000): Recreating ccache
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [become_user]
> (0x0200): Trying to become user [10101][10101].
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x2000):
> Running as [10101][10101].
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options]
> (0x0100): No specific renewable lifetime requested.
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options]
> (0x0100): No specific lifetime requested.
>*  (2022-04-25 13:17:05): [krb5_child[2000]]
> [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will
> perform auth
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will
> perform online auth
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder]
> (0x4000): Got question [password].
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt]
> (0x0020): 1724: [-1765328361][Password has expired]
> ** BACKTRACE DUMP ENDS HERE
> *
> 
> (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020):
> 1853: [-1765328237][KDC reply did not match expectations]
> ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> BACKTRACE:
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child]
> (0x1000): Password was expired
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder]
> (0x4000): Got question [password].
>*  (2022-04-25 13:17:05): [krb5_child[2000]] [map_k

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-28 Thread tizo via FreeIPA-users
I would really appreciate any kind of help here. I don't know how I
could go ahead with this issue, and it's the last one before going
into production.

Thanks very much!


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-25 Thread tizo via FreeIPA-users
On Mon, Apr 25, 2022 at 12:23 PM tizo  wrote:
>
> > Hi,
> >
> > thanks for the logs. The issue does not happen during Kerberos ticket
> > validation, as I thought but while trying to establish the FAST tunnel.
> >
> > There should be two ways to solve this. The first is setting
> >
> > krb5_use_fast = never
> >
> > in the [domain/...] section of sssd.conf on every IPA client. The second
> > is to reestablish the trust as two-way trust with the '--two-way=True'
> > option of 'ipa trust-add'. I would recommend the latter.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
>
> Hi Sumit,
>
> I'm taking Mateo's place here because he's busy with other things.
> Sorry for the delay.
>
> We tried two-way trust on a brand new IdM server for a new IdM domain
> (since the old server was giving others errors - we probably messed it
> up at some point), and we're back to square one: AD users without
> expiring password can login on the new IdM server with ssh, and for
> those with expired passwords journalctl gives:
>
> Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
> Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply
> did not match expectations
>
> I really don't know if behind the scenes it's exactly the same problem
> as the first time, but it shouldn't since we updated the Samba servers
> to version 4.16.0 which has FAST support (as was noted in the Samba
> users list). I'm wondering at the moment if the samba-client package
> on the IdM server, that is version 4.14.5, could affect it or if it
> doesn't matter.
>
> How do you think I can continue from here?
>
> Thank you very much,
>
> tizo

Just for the records, If I add krb5_use_fast = never in the
[domain/...] section of sssd.conf, I get the same in journalctl, but
something different in krb5_child.log:

(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020):
1724: [-1765328361][Password has expired]
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400):
krb5_child started.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
(0x1000): total buffer size: [115]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
(0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true]
enterprise principal [false] offline [false] UPN
[u...@adtest.fnr.gub.uy]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
(0x2000): No old ccache
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer]
(0x0100): ccname: [KCM:] old_ccname: [not set] keytab:
[/etc/krb5.keytab]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast]
(0x0100): Not using FAST.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [k5c_precreate_ccache]
(0x4000): Recreating ccache
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [become_user]
(0x0200): Trying to become user [10101][10101].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x2000):
Running as [10101][10101].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
   *  (2022-04-25 13:17:05): [krb5_child[2000]]
[set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will
perform auth
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will
perform online auth
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child]
(0x1000): Attempting to get a TGT
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder]
(0x4000): Got question [password].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt]
(0x0020): 1724: [-1765328361][Password has expired]
** BACKTRACE DUMP ENDS HERE
*

(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020):
1853: [-1765328237][KDC reply did not match expectations]
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child]
(0x1000): Password was expired
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder]
(0x4000): Got question [password].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error]
(0x0020): 1853: [-1765328237][KDC reply did not match expectations]
** BACKTRACE DUMP ENDS HERE
*
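The krb5_child.log excerpt above reports each failure as `[numeric code][message]`. What follows is an added example, not code from this thread or from SSSD, that decodes those numbers. MIT krb5 allocates its error codes from the com_err table base -1765328384 (the value of KRB5KDC_ERR_NONE), so `code - base` is the index into the krb5 error table; indices below 128 are the KRB-ERROR codes a KDC sends on the wire (RFC 4120), while higher indices are client-library errors that never came from the DC. That distinction is the useful bit here: -1765328361 is KRB5KDC_ERR_KEY_EXP (index 23, sent by the Samba DC), whereas -1765328237 is KRB5_KDCREP_MODIFIED (index 147), a local verdict that the reply failed the client's own checks. The sample log lines are constructed from the values quoted in the message, and the name table is a partial one carried in the script.

```python
"""Decode the krb5 error codes that SSSD's krb5_child.log prints.

Added example, not part of the mailing-list thread or of SSSD.
"""
import re

# com_err base of the MIT krb5 error table (the value of KRB5KDC_ERR_NONE).
KRB5_ERROR_TABLE_BASE = -1765328384

# Partial name table. Indices 0..127 mirror the RFC 4120 KRB-ERROR codes.
KRB5_ERROR_NAMES = {
    0: "KRB5KDC_ERR_NONE",
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB5KRB_AP_ERR_SKEW",
    141: "KRB5_CC_NOTFOUND",
    147: "KRB5_KDCREP_MODIFIED",
}

# krb5_child.log reports a failure as "<src line>: [<code>][<message>]".
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-f]+)\): (?P<src>\d+): \[(?P<code>-?\d+)\]\[(?P<msg>[^\]]*)\]"
)


def decode_krb5_error(code: int) -> dict:
    """Map a raw krb5_error_code to its table index, name and origin."""
    index = code - KRB5_ERROR_TABLE_BASE
    if not 0 <= index < 256:  # com_err tables hold at most 256 codes
        return {"code": code, "index": None, "name": "not a krb5 table code",
                "from_kdc": False}
    return {
        "code": code,
        "index": index,
        "name": KRB5_ERROR_NAMES.get(index, f"krb5 table index {index}"),
        # Indices below 128 are sent by the KDC in a KRB-ERROR; anything
        # above is raised by the client library while checking the reply.
        "from_kdc": index < 128,
    }


def parse_krb5_child_log(text: str) -> list:
    """Extract every decoded failure from krb5_child.log text."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        info = decode_krb5_error(int(m.group("code")))
        info.update(func=m.group("func"), message=m.group("msg"))
        events.append(info)
    return events


# Constructed sample built from the two codes quoted in the thread.
SAMPLE_LOG = """\
(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
"""

if __name__ == "__main__":
    for ev in parse_krb5_child_log(SAMPLE_LOG):
        origin = "KDC" if ev["from_kdc"] else "client library"
        print(f'{ev["func"]}: {ev["code"]} = {ev["name"]} ({origin}): {ev["message"]}')
```

Run it against a real krb5_child.log with `python3 decode.py < /var/log/sssd/krb5_child.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a client-library code right after a KDC code, as in the sample, tells you the DC answered and the client rejected the answer, which is what the KRB5_TRACE and tcpdump requests later in the thread were meant to pin down.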

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-25 Thread tizo via FreeIPA-users
> Hi,
>
> thanks for the logs. The issue does not happen during Kerberos ticket
> validation, as I thought but while trying to establish the FAST tunnel.
>
> There should be two ways to solve this. The first is setting
>
> krb5_use_fast = never
>
> in the [domain/...] section of sssd.conf on every IPA client. The second
> is to reestablish the trust as two-way trust with the '--two-way=True'
> option of 'ipa trust-add'. I would recommend the latter.
>
> HTH
>
> bye,
> Sumit
>

Hi Sumit,

I'm taking Mateo's place here because he's busy with other things.
Sorry for the delay.

We tried two-way trust on a brand new IdM server for a new IdM domain
(since the old server was giving others errors - we probably messed it
up at some point), and we're back to square one: AD users without
expiring password can login on the new IdM server with ssh, and for
those with expired passwords journalctl gives:

Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply
did not match expectations

I really don't know if behind the scenes it's exactly the same problem
as the first time, but it shouldn't since we updated the Samba servers
to version 4.16.0 which has FAST support (as was noted in the Samba
users list). I'm wondering at the moment if the samba-client package
on the IdM server, that is version 4.14.5, could affect it or if it
doesn't matter.

How do you think I can continue from here?

Thank you very much,

tizo


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-11 Thread Sumit Bose via FreeIPA-users
Am Mon, Apr 11, 2022 at 10:26:04AM -0300 schrieb Mateo Duffour:
> Hi,
> 
> We send the krb5_child.log attached as requested.
> The test was an ssh u...@adtest.xxx.xxx.xx@idmsrvpru.idmpru.xxx.xxx.xx from 
> our IdM server.

Hi,

thanks for the logs. The issue does not happen during Kerberos ticket
validation, as I thought but while trying to establish the FAST tunnel.

There should be two ways to solve this. The first is setting

krb5_use_fast = never

in the [domain/...] section of sssd.conf on every IPA client. The second
is to reestablish the trust as two-way trust with the '--two-way=True'
option of 'ipa trust-add'. I would recommend the latter.

HTH

bye,
Sumit

> 
> 
> Many thanks.
> 
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
>
> [ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay | 18 de julio 985 - Piso 3, Montevideo, Uruguay ]
> [ http://www.fnr.gub.uy/ ]
>
> Do not print this message unless necessary. Let's protect the environment. This message
> and the information attached to it are intended exclusively for the addressee. It may
> contain confidential, privileged or restricted-use information protected by law. If you
> received this e-mail by mistake, please notify the sender and delete the original. Any
> other use of this e-mail by you is prohibited.
> 
> - Original Message -
> From: "Sumit Bose" 
> To: "Mateo Duffour" 
> Cc: "Alexander Bokovoy" , "Sumit Bose" 
> , "freeipa-users" , 
> "tizo" 
> Sent: Friday, 8 April, 2022 02:45:06
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired
> 
> Am Thu, Apr 07, 2022 at 05:07:00PM -0300 schrieb Mateo Duffour:
> > Hi, 
> > 
> > The last answer that we received on bugzilla and on samba lists says "Your 
> > kpasswd is expecting FAST support which has been added in samba 4.16. So 
> > you either have to disable FAST or upgrade first." 
> > 
> > We've upgraded our Samba server version to 4.16.0 and we're getting this 
> > error now (when trying to login with any user from our IdM server): 
> > 
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> > constructing AP-REQ armor: Server 
> > krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database 
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> > constructing AP-REQ armor: Server 
> > krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database 
> 
> Hi,
> 
> looks like there are issues requesting the cross-realm TGT, it would be
> good to see the full krb5_child.log file with 'debug_level = 9' in the
> [domain/...] section of sssd.conf to maybe better understand why this fails.
> 
> I would expect that the cross-realm TGT is requested during the
> validation of the Kerberos ticket. You can disable the validation as a
> workaround by adding
> 
> krb5_validate = false
> 
> in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.
> 
> bye,
> Sumit
> 
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
> > user=u...@adtest.xxx.xxx.xx 
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> > received for user u...@adtest.xxx.xxx.xx : 4 (System error) 
> > Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: 
> > Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4 
> > 
> > Any help is appreciated, regards. 
> > 
> > 
> > 
> > From: "Mateo Duffour"  
> > To: "Alexander Bokovoy"  
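The three workarounds discussed in this message and the one it quotes all live in the `[domain/...]` section of sssd.conf, and each trades away a protection: `krb5_use_fast = never` stops armoring the AS exchange, so the password-derived pre-authentication data is sent to the KDC without the FAST tunnel (RFC 6113); `krb5_validate = false` skips checking the returned TGT against the host keytab, which is the check that stops a spoofed KDC from logging a user in with a password of the attacker's choosing; `debug_level = 9` is for diagnosis and should not stay on in production. The following added example, not code from the thread or from SSSD, audits an sssd.conf for those settings and shows the workaround configuration beside one with the protections restored. Both configuration texts are constructed for the example: the domain and server names are taken from the thread, the remaining options are illustrative assumptions.

```python
"""Audit [domain/...] sections of an sssd.conf for the debugging workarounds.

Added example, not part of the mailing-list thread or of SSSD.
"""
import configparser

# Constructed: the thread's workarounds applied to the IPA domain.
WORKAROUND_CONF = """\
[sssd]
domains = idmt.fnr.gub.uy
services = nss, pam

[domain/idmt.fnr.gub.uy]
id_provider = ipa
auth_provider = ipa
ipa_server = idmt01.idmt.fnr.gub.uy
debug_level = 9
krb5_use_fast = never
krb5_validate = false
krb5_use_enterprise_principal = True
"""

# Constructed: the same domain with FAST and ticket validation back on.
RESTORED_CONF = """\
[sssd]
domains = idmt.fnr.gub.uy
services = nss, pam

[domain/idmt.fnr.gub.uy]
id_provider = ipa
auth_provider = ipa
ipa_server = idmt01.idmt.fnr.gub.uy
krb5_use_fast = try
krb5_validate = true
krb5_use_enterprise_principal = True
"""


def _truthy(value: str) -> bool:
    """sssd accepts true/false style booleans; treat anything else as false."""
    return value.strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(text: str) -> list:
    """Return (section, option, finding) for every risky setting found."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    findings = []
    for section in conf.sections():
        if not section.startswith("domain/"):
            continue  # only per-domain Kerberos options matter here
        opts = conf[section]
        if opts.get("krb5_use_fast", "").strip().lower() == "never":
            findings.append((section, "krb5_use_fast",
                             "FAST armoring disabled: AS-REQ pre-authentication "
                             "leaves the host without the FAST tunnel"))
        if "krb5_validate" in opts and not _truthy(opts["krb5_validate"]):
            findings.append((section, "krb5_validate",
                             "TGT not validated against the host keytab; "
                             "a spoofed KDC can be accepted"))
        level = opts.get("debug_level")
        # Decimal levels run 0..9; a raw hex bitmask (0x....) parses larger
        # than 9 and is flagged too, which is the conservative choice.
        if level is not None and int(level.strip(), 0) >= 9:
            findings.append((section, "debug_level",
                             "verbose tracing left on; lower it after debugging"))
    return findings


if __name__ == "__main__":
    for label, text in (("workaround", WORKAROUND_CONF), ("restored", RESTORED_CONF)):
        print(f"{label}: {len(audit_sssd_conf(text))} finding(s)")
        for section, option, finding in audit_sssd_conf(text):
            print(f"  [{section}] {option}: {finding}")
```

Point it at a live file with `audit_sssd_conf(open("/etc/sssd/sssd.conf").read())` once the Samba fix mentioned at the top of the thread is deployed, so the workarounds do not outlive the bug they were added for.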

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-11 Thread Mateo Duffour via FreeIPA-users
Hi,

We send the krb5_child.log attached as requested.
The test was an ssh u...@adtest.xxx.xxx.xx@idmsrvpru.idmpru.xxx.xxx.xx from our 
IdM server.


Many thanks.


- Original Message -
From: "Sumit Bose" 
To: "Mateo Duffour" 
Cc: "Alexander Bokovoy" , "Sumit Bose" , 
"freeipa-users" , "tizo" 

Sent: Friday, 8 April, 2022 02:45:06
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired

Am Thu, Apr 07, 2022 at 05:07:00PM -0300 schrieb Mateo Duffour:
> Hi, 
> 
> The last answer that we received on bugzilla and on samba lists says "Your 
> kpasswd is expecting FAST support which has been added in samba 4.16. So you 
> either have to disable FAST or upgrade first." 
> 
> We've upgraded our Samba server version to 4.16.0 and we're getting this 
> error now (when trying to login with any user from our IdM server): 
> 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
> not found in Kerberos database 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
> not found in Kerberos database 

Hi,

looks like there are issues requesting the cross-realm TGT, it would be
good to see the full krb5_child.log file with 'debug_level = 9' in the
[domain/...] section of sssd.conf to maybe better understand why this fails.

I would expect that the cross-realm TGT is requested during the
validation of the Kerberos ticket. You can disable the validation as a
workaround by adding

krb5_validate = false

in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.

bye,
Sumit

> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
> user=u...@adtest.xxx.xxx.xx 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> received for user u...@adtest.xxx.xxx.xx : 4 (System error) 
> Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: 
> Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4 
> 
> Any help is appreciated, regards. 
> 
> 
> 
> From: "Mateo Duffour"  
> To: "Alexander Bokovoy"  
> Cc: "Sumit Bose" , "freeipa-users" 
> , "tizo"  
> Sent: Friday, 11 March, 2022 15:49:31 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> Hi, 
> 
> We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to 
> report a bug on bugzilla.samba.org as you suggested. 
> 
> 
> Thanks again. 
> 

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-07 Thread Sumit Bose via FreeIPA-users
Am Thu, Apr 07, 2022 at 05:07:00PM -0300 schrieb Mateo Duffour:
> Hi, 
> 
> The last answer that we received on bugzilla and on samba lists says "Your 
> kpasswd is expecting FAST support which has been added in samba 4.16. So you 
> either have to disable FAST or upgrade first." 
> 
> We've upgraded our Samba server version to 4.16.0 and we're getting this 
> error now (when trying to login with any user from our IdM server): 
> 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
> not found in Kerberos database 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
> constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
> not found in Kerberos database 

Hi,

Looks like there are issues requesting the cross-realm TGT. It would be
good to see the full krb5_child.log file with 'debug_level = 9' in the
[domain/...] section of sssd.conf to maybe better understand why this fails.

I would expect that the cross-realm TGT is requested during the
validation of the Kerberos ticket. You can disable the validation as a
workaround by adding

krb5_validate = false

in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.

bye,
Sumit

> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
> user=u...@adtest.xxx.xxx.xx 
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
> received for user u...@adtest.xxx.xxx.xx : 4 (System error) 
> Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: 
> Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4 
> 
> Any help is appreciated, regards. 
> 
> 
> 
> From: "Mateo Duffour"  
> To: "Alexander Bokovoy"  
> Cc: "Sumit Bose" , "freeipa-users" 
> , "tizo"  
> Sent: Friday, 11 March, 2022 15:49:31 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> Hi, 
> 
> We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to 
> report a bug on bugzilla.samba.org as you suggested. 
> 
> 
> Thanks again. 
> 
> 
> 
> From: "Alexander Bokovoy"  
> To: "Mateo Duffour"  
> Cc: "Sumit Bose" , "freeipa-users" 
> , "tizo"  
> Sent: Friday, 11 March, 2022 15:03:58 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> On pe, 11 maalis 2022, Mateo Duffour wrote: 
> 
> 
> Hi, 
> 
> We installed Samba AD DC from this repo [ 
> https://samba.tranquil.it/redhat8/samba-4.14.10/ | 
> https://samba.tranquil.it/redhat8/samba-4.14.10/ ] It's running on 
> Rocky Linux and it's in a trust relationship with IdM. 
> 
> 
> 
> Thanks. So this is a build with an embedded Heimdal Kerberos version, and a 
> relatively old one. 
> 
> This sounds like a bug worth opening with Samba upstream. There is nothing 
> specific to FreeIPA in this communication, though. What happens is that 
> a Kerberos client (in this case kpasswd) attempts
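
As an added triage helper (not part of this thread, of SSSD or of MIT krb5), the Python script below parses the two kinds of output this thread revolves around: the krb5_child journal line above about the missing cross-realm armor TGT, and the KRB5_TRACE output of kpasswd quoted further down. It reports whether the armor ccache had a fast_avail record for the realm, which KDC errors and preauth types were seen, and which of the remedies discussed here applies; the realm and host names in the embedded sample lines are constructed placeholders.

```python
"""Triage helper for KRB5_TRACE output and sssd krb5_child journal lines.

Added example, not part of the thread, SSSD or MIT krb5. The embedded sample
lines are constructed; realm and host names are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# One KRB5_TRACE record looks like "[pid] seconds.usec: message".
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")
# libkrb5 looks in the armor ccache for a fast_avail config entry for the realm.
FAST_AVAIL_RE = re.compile(r"krb5_ccache_conf_data/fast_avail/.*with result: (?P<code>-?\d+)/")
KDC_ERR_RE = re.compile(r"Received error from KDC: (?P<code>-?\d+)/(?P<text>.+)$")
PREAUTH_RE = re.compile(r"Processing preauth types: (?P<types>.+)$")
# sssd krb5_child journal line seen when the cross-realm TGT used as FAST armor is missing.
ARMOR_ERR_RE = re.compile(r"Error constructing AP-REQ armor: Server (?P<princ>\S+) not found")

KDC_ERR_PREAUTH_REQUIRED = -1765328359  # normal answer to the first, unauthenticated AS-REQ


@dataclass
class TraceSummary:
    client: Optional[str] = None           # principal requesting initial credentials
    service: Optional[str] = None          # e.g. kadmin/changepw for kpasswd
    fast_confirmed: Optional[bool] = None  # fast_avail record present in the armor ccache?
    kdc_errors: List[Tuple[int, str]] = field(default_factory=list)
    preauth_offered: List[str] = field(default_factory=list)
    pkinit_skipped: bool = False
    missing_armor_tgt: Optional[str] = None


def parse_trace(lines: Iterable[str]) -> TraceSummary:
    """Fold KRB5_TRACE lines (and optionally krb5_child journal lines) into a summary."""
    s = TraceSummary()
    for raw in lines:
        line = raw.strip()
        m = ARMOR_ERR_RE.search(line)
        if m:
            s.missing_armor_tgt = m.group("princ")
            continue
        t = TRACE_RE.match(line)
        if not t:
            continue
        msg = t.group("msg")
        if msg.startswith("Getting initial credentials for "):
            s.client = msg.split(" for ", 1)[1]
        elif msg.startswith("Setting initial creds service to "):
            s.service = msg.rsplit(" to ", 1)[1]
        elif (m := FAST_AVAIL_RE.search(msg)):
            s.fast_confirmed = int(m.group("code")) == 0
        elif (m := KDC_ERR_RE.search(msg)):
            s.kdc_errors.append((int(m.group("code")), m.group("text")))
        elif (m := PREAUTH_RE.search(msg)):
            s.preauth_offered = [p.strip().split(" (")[0] for p in m.group("types").split(",")]
        elif "PKINIT client has no configured identity" in msg:
            s.pkinit_skipped = True
    return s


def findings(s: TraceSummary) -> List[str]:
    """Map the summary to the remedies discussed in the thread."""
    out = []
    if s.service == "kadmin/changepw" and s.fast_confirmed is False:
        out.append("kpasswd (kadmin/changepw) ran with no fast_avail record for the realm: "
                   "the DC must support FAST for kpasswd (Samba 4.16+) or FAST must be "
                   "disabled on the client (krb5_use_fast = never in sssd.conf).")
    if s.missing_armor_tgt:
        out.append(f"cross-realm TGT {s.missing_armor_tgt} for the FAST armor could not be "
                   "obtained; workaround: krb5_validate = false in the [domain/...] "
                   "section of sssd.conf (see man sssd-krb5).")
    for code, text in s.kdc_errors:
        if code != KDC_ERR_PREAUTH_REQUIRED:
            out.append(f"unexpected KDC error {code}: {text}")
    return out


# Constructed sample input modelled on the thread's output (placeholder realms).
SAMPLE_TRACE = """\
[47521] 1647008539.753136: Getting initial credentials for usu5@ADTEST.EXAMPLE.TEST
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving host/idm.idmpru.example.test@IDMPRU.EXAMPLE.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\\/ADTEST.EXAMPLE.TEST\\@ADTEST.EXAMPLE.TEST@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
"""
SAMPLE_JOURNAL = ("Apr 07 11:50:46 idm.idmpru.example.test krb5_child[4846]: Error constructing "
                  "AP-REQ armor: Server krbtgt/ADTEST.EXAMPLE.TEST@IDMPRU.EXAMPLE.TEST "
                  "not found in Kerberos database")


if __name__ == "__main__":
    for line in findings(parse_trace(SAMPLE_TRACE.splitlines() + [SAMPLE_JOURNAL])):
        print("-", line)
```

Feed it real lines with something like `KRB5_TRACE=/dev/stdout kpasswd user@REALM | python3 triage.py`-style plumbing, or journalctl output for krb5_child; the unwrapped trace lines are matched one per line.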

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-04-07 Thread Mateo Duffour via FreeIPA-users
Hi, 

The last answer that we received on bugzilla and on samba lists says "Your 
kpasswd is expecting FAST support which has been added in samba 4.16. So you 
either have to disable FAST or upgrade first." 

We've upgraded our Samba server version to 4.16.0 and we're getting this error 
now (when trying to login with any user from our IdM server): 

Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
not found in Kerberos database 
Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error 
constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx 
not found in Kerberos database 
Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
user=u...@adtest.xxx.xxx.xx 
Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): 
received for user u...@adtest.xxx.xxx.xx : 4 (System error) 
Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: 
Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4 

Any help is appreciated, regards. 



From: "Mateo Duffour"  
To: "Alexander Bokovoy"  
Cc: "Sumit Bose" , "freeipa-users" 
, "tizo"  
Sent: Friday, 11 March, 2022 15:49:31 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

Hi, 

We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to 
report a bug on bugzilla.samba.org as you suggested. 


Thanks again. 



From: "Alexander Bokovoy"  
To: "Mateo Duffour"  
Cc: "Sumit Bose" , "freeipa-users" 
, "tizo"  
Sent: Friday, 11 March, 2022 15:03:58 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

On pe, 11 maalis 2022, Mateo Duffour wrote: 


Hi, 

We installed Samba AD DC from this repo [ 
https://samba.tranquil.it/redhat8/samba-4.14.10/ | 
https://samba.tranquil.it/redhat8/samba-4.14.10/ ] It's running on 
Rocky Linux and it's in a trust relationship with IdM. 



Thanks. So this is a build with an embedded Heimdal Kerberos version, and a 
relatively old one. 

This sounds like a bug worth opening with Samba upstream. There is nothing 
specific to FreeIPA in this communication, though. What happens is that 
a Kerberos client (in this case kpasswd) attempts to change a password 
and fails when expecting a response on the Kerberos level from Samba AD DC. 

It may be a mix of expectations between kpasswd from MIT Kerberos (on 
Rocky) and Heimdal (embedded in Samba AD DC), but to fix it you'd need 
to talk to the Samba AD developers. 

Please open a bug at bugzilla.samba.org, attach this capture and the 
kpasswd trace logs. Also please provide details on which Samba build 
this is in the bug report. 

Prior to doing that, maybe try an upgrade to Samba 4.15.5, which is 
available in the same repositories from Tranquil IT 
(https://samba.tranquil.it/redhat8/). 


Regards, 


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-11 Thread Mateo Duffour via FreeIPA-users
Hi, 

We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to 
report a bug on bugzilla.samba.org as you suggested. 


Thanks again. 



From: "Alexander Bokovoy"  
To: "Mateo Duffour"  
Cc: "Sumit Bose" , "freeipa-users" 
, "tizo"  
Sent: Friday, 11 March, 2022 15:03:58 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

On pe, 11 maalis 2022, Mateo Duffour wrote: 


Hi, 

We installed Samba AD DC from this repo [ 
https://samba.tranquil.it/redhat8/samba-4.14.10/ | 
https://samba.tranquil.it/redhat8/samba-4.14.10/ ] It's running on 
Rocky Linux and it's in a trust relationship with IdM. 



Thanks. So this is a build with an embedded Heimdal Kerberos version, and a 
relatively old one. 

This sounds like a bug worth opening with Samba upstream. There is nothing 
specific to FreeIPA in this communication, though. What happens is that 
a Kerberos client (in this case kpasswd) attempts to change a password 
and fails when expecting a response on the Kerberos level from Samba AD DC. 

It may be a mix of expectations between kpasswd from MIT Kerberos (on 
Rocky) and Heimdal (embedded in Samba AD DC), but to fix it you'd need 
to talk to the Samba AD developers. 

Please open a bug at bugzilla.samba.org, attach this capture and the 
kpasswd trace logs. Also please provide details on which Samba build 
this is in the bug report. 

Prior to doing that, maybe try an upgrade to Samba 4.15.5, which is 
available in the same repositories from Tranquil IT 
(https://samba.tranquil.it/redhat8/). 


Regards, 



From: "Alexander Bokovoy"  
To: "Mateo Duffour"  
Cc: "Sumit Bose" , "freeipa-users" 
, "tizo"  
Sent: Friday, 11 March, 2022 14:07:58 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

On pe, 11 maalis 2022, Mateo Duffour wrote: 


Hi, 

I've sent the network capture attached; it was made with tcpdump on the 
IdM server towards the Samba AD DC server, while trying to log in with ssh 
with user5. 



Hi, 

can you give more details about this Samba AD DC installation? What 
Samba version is that? How was it built? 




Regards, 



From: "tizo"  
To: "freeipa-users"  
Cc: "Mateo Duffour" , "Alexander Bokovoy" 
, "Sumit Bose"  
Sent: Friday, 11 March, 2022 11:38:50 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 




Hi, 

this is still the same pattern. Would it be possible to get a network 
trace to better understand what the KDC reply looks like and what might 
not be as expected by libkrb5? 

Additionally, can you try to set the password for the user with the 
expired password with 

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST. 

and send the output? 

bye, 
Sumit 





Hi there. I work wit

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-11 Thread Alexander Bokovoy via FreeIPA-users

On pe, 11 maalis 2022, Mateo Duffour wrote:

Hi,

We installed Samba AD DC from this repo [
https://samba.tranquil.it/redhat8/samba-4.14.10/ |
https://samba.tranquil.it/redhat8/samba-4.14.10/ ] It's running on
Rocky Linux and it's in a trust relationship with IdM.


Thanks. So this is a build with an embedded Heimdal Kerberos version, and a
relatively old one.

This sounds like a bug worth opening with Samba upstream. There is nothing
specific to FreeIPA in this communication, though. What happens is that
a Kerberos client (in this case kpasswd) attempts to change a password
and fails when expecting a response on the Kerberos level from Samba AD DC.

It may be a mix of expectations between kpasswd from MIT Kerberos (on
Rocky) and Heimdal (embedded in Samba AD DC), but to fix it you'd need
to talk to the Samba AD developers.

Please open a bug at bugzilla.samba.org, attach this capture and the
kpasswd trace logs. Also please provide details on which Samba build
this is in the bug report.

Prior to doing that, maybe try an upgrade to Samba 4.15.5, which is
available in the same repositories from Tranquil IT
(https://samba.tranquil.it/redhat8/).




Regards,



From: "Alexander Bokovoy" 
To: "Mateo Duffour" 
Cc: "Sumit Bose" , "freeipa-users" , 
"tizo" 
Sent: Friday, 11 March, 2022 14:07:58
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired

On pe, 11 maalis 2022, Mateo Duffour wrote:


Hi,

I've sent the network capture attached; it was made with tcpdump on the
IdM server towards the Samba AD DC server, while trying to log in with ssh
with user5.



Hi,

can you give more details about this Samba AD DC installation? What
Samba version is that? How was it built?




Regards,



From: "tizo" 
To: "freeipa-users" 
Cc: "Mateo Duffour" , "Alexander Bokovoy" , 
"Sumit Bose" 
Sent: Friday, 11 March, 2022 11:38:50
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired




Hi,

this is still the same pattern. Would it be possible to get a network
trace to better understand what the KDC reply looks like and what might
not be as expected by libkrb5?

Additionally, can you try to set the password for the user with the
expired password with

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.

and send the output?

bye,
Sumit





Hi there. I work with Mateo. We are sending the network capture in some 
minutes, but to get ahead I am sending the other test:

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx
[47521] 1647008539.753136: Getting initial credentials for 
u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving 
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
 from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving 
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
 from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream [ 
http://10.2.100.4:88/ 

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-11 Thread Mateo Duffour via FreeIPA-users
Hi, 

We installed Samba AD DC from this repo [ 
https://samba.tranquil.it/redhat8/samba-4.14.10/ | 
https://samba.tranquil.it/redhat8/samba-4.14.10/ ] 
It's running on Rocky Linux and it's in a trust relationship with IdM. 


Regards, 



From: "Alexander Bokovoy"  
To: "Mateo Duffour"  
Cc: "Sumit Bose" , "freeipa-users" 
, "tizo"  
Sent: Friday, 11 March, 2022 14:07:58 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

On pe, 11 maalis 2022, Mateo Duffour wrote: 


Hi, 

I've sent the network capture attached; it was made with tcpdump on the 
IdM server towards the Samba AD DC server, while trying to log in with ssh 
with user5. 



Hi, 

can you give more details about this Samba AD DC installation? What 
Samba version is that? How was it built? 




Regards, 



From: "tizo"  
To: "freeipa-users"  
Cc: "Mateo Duffour" , "Alexander Bokovoy" 
, "Sumit Bose"  
Sent: Friday, 11 March, 2022 11:38:50 
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 




Hi, 

this is still the same pattern. Would it be possible to get a network 
trace to better understand what the KDC reply looks like and what might 
not be as expected by libkrb5? 

Additionally, can you try to set the password for the user with the 
expired password with 

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST. 

and send the output? 

bye, 
Sumit 





Hi there. I work with Mateo. We are sending the network capture in some 
minutes, but to get ahead I am sending the other test: 

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx 
[47521] 1647008539.753136: Getting initial credentials for 
u...@adtest.xxx.xxx.xx 
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390 
[47521] 1647008539.753138: Retrieving 
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
 from KCM:0:84390 with result: -1765328243/Matching credential not found 
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw 
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390 
[47521] 1647008539.753141: Retrieving 
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
 from KCM:0:84390 with result: -1765328243/Matching credential not found 
[47521] 1647008539.753143: Sending unauthenticated request 
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX 
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88 
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88 
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88 
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88 
[47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88 
[47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88 
[47521] 1647008540.776860: Response was from master KDC 
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional 
pre-authentication required 
[47521] 1647008540.776864: Preauthenticating using KDC method data 
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), 
PA-PK-AS-REP_O

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-11 Thread Alexander Bokovoy via FreeIPA-users

On pe, 11 maalis 2022, Mateo Duffour wrote:

Hi,

I've sent the network capture attached; it was made with tcpdump on the
IdM server towards the Samba AD DC server, while trying to log in with ssh
with user5.


Hi,

can you give more details about this Samba AD DC installation? What
Samba version is that? How was it built?





Regards,



From: "tizo" 
To: "freeipa-users" 
Cc: "Mateo Duffour" , "Alexander Bokovoy" , 
"Sumit Bose" 
Sent: Friday, 11 March, 2022 11:38:50
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired




Hi,

this is still the same pattern. Would it be possible to get a network
trace to better understand what the KDC reply looks like and what might
not be as expected by libkrb5?

Additionally, can you try to set the password for the user with the
expired password with

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.

and send the output?

bye,
Sumit





Hi there. I work with Mateo. We are sending the network capture in some 
minutes, but to get ahead I am sending the other test:

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx
[47521] 1647008539.753136: Getting initial credentials for 
u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving 
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
 from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving 
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
 from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional 
pre-authentication required
[47521] 1647008540.776864: Preauthenticating using KDC method data
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), 
PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt 
"ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
[47521] 1647008540.776868: PKINIT client has no configured identity; giving up
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 
22/Invalid argument
Password for u...@adtest.xxx.xxx.xx:
[47521] 1647008555.456745: AS key obtained for encrypted timestamp: 
aes256-cts/0DAE
[47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 
301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 
588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) 
returned: 0/Success
[47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP 
(2)
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458248: Initiating TCP connection to stream [ 
http://10.2.100

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-11 Thread Sumit Bose via FreeIPA-users
Am Fri, Mar 11, 2022 at 01:32:50PM -0300 schrieb Mateo Duffour:
> Hi, 
> 
> I've sent the network capture attached; it was made with tcpdump on the IdM 
> server towards the Samba AD DC server, while trying to log in with ssh with user5. 

Hi,

thanks for the network trace.

Alexander, can you have a look at the Kerberos packets in the network
trace?

It looks like the Samba DC, when a ticket for the 'kadmin/changepw'
service principal is requested (packet 63), replies with a ticket for
'krbtgt' (packet 65). And it looks like this is not expected by libkrb5.

bye,
Sumit

> 
> Regards, 
> 
> 
> 
> From: "tizo"  
> To: "freeipa-users"  
> Cc: "Mateo Duffour" , "Alexander Bokovoy" 
> , "Sumit Bose"  
> Sent: Friday, 11 March, 2022 11:38:50 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> 
> 
> 
> Hi, 
> 
> this is still the same pattern. Would it be possible to get a network 
> trace to better understand what the KDC reply looks like and what might 
> not be as expected by libkrb5? 
> 
> Additionally, can you try to set the password for the user with the 
> expired password with 
> 
> KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST. 
> 
> and send the output? 
> 
> bye, 
> Sumit 
> 
> 
> 
> 
> 
> Hi there. I work with Mateo. We are sending the network capture in some 
> minutes, but to get ahead I am sending the other test: 
> 
> # KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx 
> [47521] 1647008539.753136: Getting initial credentials for 
> u...@adtest.xxx.xxx.xx 
> [47521] 1647008539.753137: FAST armor ccache: KCM:0:84390 
> [47521] 1647008539.753138: Retrieving 
> host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
>  from KCM:0:84390 with result: -1765328243/Matching credential not found 
> [47521] 1647008539.753139: Setting initial creds service to kadmin/changepw 
> [47521] 1647008539.753140: FAST armor ccache: KCM:0:84390 
> [47521] 1647008539.753141: Retrieving 
> host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> 
> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
>  from KCM:0:84390 with result: -1765328243/Matching credential not found 
> [47521] 1647008539.753143: Sending unauthenticated request 
> [47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX 
> [47521] 1647008539.753145: Initiating TCP connection to stream [ 
> http://10.2.100.4:88/ | 10.2.100.4:88 ] 
> [47521] 1647008540.776855: Initiating TCP connection to stream [ 
> http://10.2.100.3:88/ | 10.2.100.3:88 ] 
> [47521] 1647008540.776856: Sending TCP request to stream [ 
> http://10.2.100.3:88/ | 10.2.100.3:88 ] 
> [47521] 1647008540.776857: Received answer (278 bytes) from stream [ 
> http://10.2.100.3:88/ | 10.2.100.3:88 ] 
> [47521] 1647008540.776858: Terminating TCP connection to stream [ 
> http://10.2.100.4:88/ | 10.2.100.4:88 ] 
> [47521] 1647008540.776859: Terminating TCP connection to stream [ 
> http://10.2.100.3:88/ | 10.2.100.3:88 ] 
> [47521] 1647008540.776860: Response was from master KDC 
> [47521] 1647008540.776861: Received error from KDC: -1765328359/Additional 
> pre-authentication required 
> [47521] 1647008540.776864: Preauthenticating using KDC method data 
> [47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), 
> PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19) 
> [47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt 
> "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00" 
> [47521] 1647008540.776867: PKINIT client has no configured identity; giving 
> up 
> [47521] 1647008540.776868: PKINIT client has no configured identity; giving 
> up 
> [47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 
> 22/Invalid argument 
&g
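The check Sumit is pointing at, as an added illustration (not code from the thread, SSSD or MIT krb5): a simplified Python model of the AS-REP name check in libkrb5, written from memory of verify_as_reply() in get_in_tkt.c, fed with the thread's names (user usu5, realm ADTEST.XXX.XXX.XX; the cross-realm name IDMPRU.XXX.XXX.XX in the last case is assumed from the hostnames in the logs). It shows why a krbtgt ticket returned for a kadmin/changepw request is rejected, and why the canonicalize and enterprise-principal options cannot make it acceptable, since a changed sname is only tolerated between krbtgt names.

```python
"""Simplified model of the AS-REP name check in libkrb5 (verify_as_reply() in
MIT krb5's get_in_tkt.c) that yields KRB5_KDCREP_MODIFIED, the error that
kpasswd and SSSD's krb5_child report as "KDC reply did not match expectations".
Added illustration written from memory of the MIT logic; it is not the
project's code and leaves out the time, enctype and flag checks."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal: name components plus realm."""
    components: Tuple[str, ...]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # Minimal parser: backslash escapes for '/' and '@' are not handled.
        name, _, realm = text.rpartition("@")
        if not name or not realm:
            raise ValueError(f"principal without realm: {text!r}")
        return cls(tuple(name.split("/")), realm)

    def is_tgs(self) -> bool:
        # IS_TGS_PRINC(): exactly two components, the first being "krbtgt".
        return len(self.components) == 2 and self.components[0] == "krbtgt"

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


@dataclass
class AsRequest:
    client: Principal
    server: Principal                # sname the client asked for
    canonicalize: bool = False       # KDC_OPT_CANONICALIZE (sssd: krb5_canonicalize)
    enterprise_client: bool = False  # enterprise cname (sssd: krb5_use_enterprise_principal)


@dataclass
class AsReply:
    client: Principal         # cname in the AS-REP
    server: Principal         # sname in the decrypted enc-part
    ticket_server: Principal  # sname of the returned ticket


def verify_as_reply(req: AsRequest, rep: AsReply) -> Optional[str]:
    """Return None if the reply passes the name checks, else the error name."""
    # The server name may differ from the request only when the caller asked
    # for canonicalization (or used an enterprise name) AND both the requested
    # and the returned service are TGS principals (krbtgt/...).
    canon_req = req.canonicalize or req.enterprise_client
    canon_ok = canon_req and req.server.is_tgs() and rep.server.is_tgs()
    names_match = rep.client == req.client and rep.server == req.server
    if not canon_ok and not names_match:
        return "KRB5_KDCREP_MODIFIED"
    # The sname in the encrypted part must agree with the ticket's sname.
    if rep.server != rep.ticket_server:
        return "KRB5_KDCREP_MODIFIED"
    return None


REALM = "ADTEST.XXX.XXX.XX"  # the AD realm as redacted in the thread


def check_changepw_answered_with_tgt(canonicalize: bool = False,
                                     enterprise: bool = False) -> Optional[str]:
    """The pattern from the trace: AS-REQ for kadmin/changepw (packet 63)
    answered with a krbtgt ticket (packet 65)."""
    user = Principal.parse(f"usu5@{REALM}")
    req = AsRequest(client=user, server=Principal.parse(f"kadmin/changepw@{REALM}"),
                    canonicalize=canonicalize, enterprise_client=enterprise)
    tgt = Principal.parse(f"krbtgt/{REALM}@{REALM}")
    rep = AsReply(client=user, server=tgt, ticket_server=tgt)
    return verify_as_reply(req, rep)


def check_changepw_answered_correctly() -> Optional[str]:
    """Control case: the KDC returns a ticket for the requested service."""
    user = Principal.parse(f"usu5@{REALM}")
    changepw = Principal.parse(f"kadmin/changepw@{REALM}")
    rep = AsReply(client=user, server=changepw, ticket_server=changepw)
    return verify_as_reply(AsRequest(client=user, server=changepw), rep)


def check_tgt_referral_with_canonicalize() -> Optional[str]:
    """Canonicalization is honoured only between krbtgt names: a TGT request
    answered with a cross-realm TGT passes when canonicalize is set."""
    user = Principal.parse(f"usu5@{REALM}")
    req = AsRequest(client=user, server=Principal.parse(f"krbtgt/{REALM}@{REALM}"),
                    canonicalize=True)
    referred = Principal.parse(f"krbtgt/IDMPRU.XXX.XXX.XX@{REALM}")  # assumed name
    rep = AsReply(client=user, server=referred, ticket_server=referred)
    return verify_as_reply(req, rep)


if __name__ == "__main__":
    for canon, ent in ((False, False), (True, False), (False, True)):
        print(f"canonicalize={canon} enterprise={ent}:",
              check_changepw_answered_with_tgt(canon, ent))
    print("ticket for requested service:", check_changepw_answered_correctly())
    print("krbtgt referral with canonicalize:", check_tgt_referral_with_canonicalize())
```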

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-11 Thread Mateo Duffour via FreeIPA-users
Hi, 

I've sent the network capture attached; it was made with tcpdump on the IdM 
server towards the Samba AD DC server, while trying to log in with ssh with user5. 

Regards, 


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-11 Thread tizo via FreeIPA-users
> Hi,
>
> this is still the same pattern. Would it be possible to get a network
> trace to better understand what the KDC reply looks like and what might
> not be as expected by libkrb5?
>
> Additionally, can you try to set the password for the user with the
> expired password with
>
> KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.
>
> and send the output?
>
> bye,
> Sumit
>
>
>
Hi there. I work with Mateo. We are sending the network capture in some
minutes, but to get ahead I am sending the other test:

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx
[47521] 1647008539.753136: Getting initial credentials for
u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx ->
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving
host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx ->
krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream
10.2.100.3:88
[47521] 1647008540.776858: Terminating TCP connection to stream
10.2.100.4:88
[47521] 1647008540.776859: Terminating TCP connection to stream
10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional
pre-authentication required
[47521] 1647008540.776864: Preauthenticating using KDC method data
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16),
PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt
"ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
[47521] 1647008540.776867: PKINIT client has no configured identity; giving
up
[47521] 1647008540.776868: PKINIT client has no configured identity; giving
up
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned:
22/Invalid argument
Password for u...@adtest.xxx.xxx.xx:
[47521] 1647008555.456745: AS key obtained for encrypted timestamp:
aes256-cts/0DAE
[47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202):
plain 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted
588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[47521] 1647008555.456749: Produced preauth for next request:
PA-ENC-TIMESTAMP (2)
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008556.458250: Received answer (1438 bytes) from stream
10.2.100.3:88
[47521] 1647008556.458251: Terminating TCP connection to stream
10.2.100.4:88
[47521] 1647008556.458252: Terminating TCP connection to stream
10.2.100.3:88
[47521] 1647008556.458253: Response was from master KDC
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata
type PA-PW-SALT (3)
[47521] 1647008556.458256: Produced preauth for next request: (empty)
[47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
[47521] 1647008556.458258: Decrypted AS reply; session key is:
aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket

FYI, I have tried the same test with a user WITHOUT an expired password, and
it does not work either, and the log is exactly the same. Indeed, when I
log in with ssh with this user, I cannot change the password either:

$ passwd
Changing password for user u...@adtest.xxx.xx.xx.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

Thanks very much.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://do
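To read traces like the one in this message systematically, an added example that is not part of the thread: a small parser for KRB5_TRACE output that extracts the requested service, the answering KDC, the preauth rounds and the outcome, run over a constructed copy of the kpasswd trace above with the e-mail line wrapping undone (the principal is kept redacted as the archive shows it).

```python
"""Parser for KRB5_TRACE output: reduces the trace to the facts a triager needs
(requested service, answering KDC, preauth rounds, whether the AS-REP was
decrypted, the tool's final error) and states what the combination means.
Added illustration, not code from the thread, kpasswd or SSSD."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# KRB5_TRACE lines look like "[pid] seconds.counter: message".
TRACE_LINE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
PREAUTH_NAME = re.compile(r"(PA-[A-Z0-9_-]+) \((\d+)\)")
ETYPE_INFO = re.compile(r"Selected etype info: etype ([^,]+),")

# Constructed sample: the kpasswd trace posted in the thread with the e-mail
# line wrapping undone and the principal redacted as the archive shows it.
SAMPLE_TRACE = r"""
[47521] 1647008539.753136: Getting initial credentials for u...@adtest.xxx.xxx.xx
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
Password for u...@adtest.xxx.xxx.xx:
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket
"""


@dataclass
class AsExchange:
    client: Optional[str] = None
    service: Optional[str] = None
    answered_by: List[str] = field(default_factory=list)  # KDCs that replied
    preauth_rounds: List[List[str]] = field(default_factory=list)
    etype: Optional[str] = None
    kdc_errors: List[str] = field(default_factory=list)
    reply_decrypted: bool = False
    fast: Optional[str] = None
    failure: Optional[str] = None  # the tool's own final error line, if any


def parse_trace(text: str) -> AsExchange:
    ex = AsExchange()
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        if m is None:
            # Not a trace line: the password prompt or the tool's error message.
            if raw.startswith(("kpasswd: ", "kinit: ")):
                ex.failure = raw.split(": ", 1)[1]
            continue
        msg = m.group("msg")
        if msg.startswith("Getting initial credentials for "):
            ex.client = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Setting initial creds service to "):
            ex.service = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Received answer ") and " from stream " in msg:
            kdc = msg.rsplit(" ", 1)[1]
            if kdc not in ex.answered_by:
                ex.answered_by.append(kdc)
        elif msg.startswith("Received error from KDC: "):
            ex.kdc_errors.append(msg.split(": ", 1)[1])
        elif msg.startswith("Processing preauth types: "):
            ex.preauth_rounds.append([name for name, _ in PREAUTH_NAME.findall(msg)])
        elif ETYPE_INFO.match(msg):
            ex.etype = ETYPE_INFO.match(msg).group(1)
        elif msg.startswith("Decrypted AS reply"):
            ex.reply_decrypted = True
        elif msg.startswith("FAST negotiation: "):
            ex.fast = msg.split(": ", 1)[1]
    return ex


def diagnose(ex: AsExchange) -> str:
    """One-line reading of the exchange, in the order a triager checks it."""
    if ex.service is None:
        return "no AS exchange in trace"
    if not ex.answered_by:
        return f"no KDC answered the AS-REQ for {ex.service}"
    if not ex.reply_decrypted:
        last = ex.kdc_errors[-1] if ex.kdc_errors else "no KDC error logged"
        return f"AS-REP for {ex.service} was never decrypted (last KDC error: {last})"
    if ex.failure and "did not match expectations" in ex.failure:
        return (f"AS-REP for {ex.service} from {', '.join(ex.answered_by)} decrypted "
                "but failed libkrb5's sanity check (KRB5_KDCREP_MODIFIED): compare "
                f"the sname in the reply and ticket with the requested {ex.service}")
    return f"AS exchange for {ex.service} completed"


if __name__ == "__main__":
    print(diagnose(parse_trace(SAMPLE_TRACE)))
```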

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-10 Thread Sumit Bose via FreeIPA-users
Am Thu, Mar 10, 2022 at 06:11:41PM -0300 schrieb Mateo Duffour:
> I made a mistake and copied other log, the log of the test mentioned is: 
> 
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: Password has 
> expired 
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: KDC reply did 
> not match expectations 
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
> user=u...@adtest.xxx.xxx.xx 
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): 
> received for user u...@adtest.xxx.xxx.xx: 4 (System error) 
> Mar 10 18:08:10 idmsrvpru.idmpru.xxx.xxx.xx sshd[45683]: error: PAM: 
> Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4 

Hi,

this is still the same pattern. Would it be possible to get a network
trace to better understand what the KDC reply looks like and what might
not be as expected by libkrb5?

Additionally, can you try to set the password for the user with the
expired password with

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.

and send the output?

bye,
Sumit


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-10 Thread Mateo Duffour via FreeIPA-users
I made a mistake and copied another log; the log of the test mentioned is: 

Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: Password has 
expired 
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: KDC reply did 
not match expectations 
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
user=u...@adtest.xxx.xxx.xx 
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): 
received for user u...@adtest.xxx.xxx.xx: 4 (System error) 
Mar 10 18:08:10 idmsrvpru.idmpru.xxx.xxx.xx sshd[45683]: error: PAM: 
Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4 


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-10 Thread Mateo Duffour via FreeIPA-users
Hi, 

We also tried with krb5_use_enterprise_principal with no success. 

With the intention of simplifying our scenario we are now testing (with the 
same configurations that you suggested) an ssh login of the user to the IdM server. 
On our IdM server we are getting the same error: 

ssh u...@adtest.xxx.xx.xx@idmsrvpru.idmpru.xxx.xx.xx 

Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: Password has 
expired 
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: KDC reply did 
not match expectations 
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 
user=usu5 
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): 
received for user usu5: 4 (System error) 
Mar 10 16:50:14 idmsrvpru.idmpru.xxx.xxx.xx sshd[45293]: error: PAM: 
Authentication failure for usu5 from 10.9.9.4 


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-10 Thread Sumit Bose via FreeIPA-users
Am Thu, Mar 10, 2022 at 01:34:27PM -0300 schrieb Mateo Duffour:
> Hi Sumit, 
> 
> I have attached all the files you requested, this test was done with user 
> usu5 which has its password expired. 

Hi,

thanks for the new logs. Can you check if adding

krb5_use_enterprise_principal = True

to the [domain/...] section of sssd.conf makes it any better? If this
still does not help it would be good if you can record a network trace
covering the authentication attempt.

bye,
Sumit

> From: "Sumit Bose"  
> To: "Mateo Duffour"  
> Cc: "Sumit Bose" , "freeipa-users" 
> , "Alexander Bokovoy" 
>  
> Sent: Monday, 28 February, 2022 06:23:51 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> Am Fri, Feb 25, 2022 at 11:21:55AM -0300 schrieb Mateo Duffour: 
> 
> 
> Hi, 
> 
> I send you attached the files needed, let me know if you need something else. 
> 
> 
> 
> Hi, 
> 
> thanks for the files, they look ok. After looking again at what you sent 
> I came across 
> 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did 
> not match expectations 
> 
> which typically indicates a canonicalization of the principal by the 
> server side which was not expected by the client. 
> 
> Which version of SSSD are you using on the Ubuntu client? Recent versions 
> of SSSD already set 'krb5_canonicalize = true' by default for 
> 'id_provider = ipa'. Maybe your version is a bit older? Please try if it 
> works better if you explicitly set 
> 
> krb5_canonicalize = true 
> 
> in the [domain/...] section of sssd.conf and restart SSSD. At least the 
> 'KDC reply did not match expectations' should be gone now. If the 
> password change still fails, please set 'debug_level = 9' in the [pam] 
> and [domain/...] section of sssd.conf, restart SSSD, run the test again 
> and send the logs from /var/log/sssd. 
> 
> bye, 
> Sumit 

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-10 Thread Sumit Bose via FreeIPA-users
Am Tue, Mar 08, 2022 at 01:42:53PM -0300 schrieb Mateo Duffour:
> Hi, thanks again for the quick reply. 
> Sorry I did not have the time to test it again until now; I tried your 
> recommendations. 
> 
> It's still behaving the same way as before, so I attached the sssd_pam.log 
> you requested with the debug set to level 9 in the pam section (sssd.conf). 
> The log attached is from our Ubuntu 20.04 client. 

Hi,

please send the related SSSD backened logs and krb5_child.log as well.

bye,
Sumit


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-03-08 Thread Mateo Duffour via FreeIPA-users
Hi, thanks again for the quick reply. 
Sorry I did not have the time to test it again until now; I tried your 
recommendations. 

It's still behaving the same way as before, so I attached the sssd_pam.log you 
requested with the debug set to level 9 in the [pam] section of sssd.conf. 
The log attached is from our Ubuntu 20.04 client. 

We also tested it on our IdM server on Rocky Linux, getting the same 
behaviour. 


Best regards. 

Lic. Mateo Duffour 
Unidad Informática 
2901.40.91 




Please do not print this e-mail unless necessary. Let's protect the environment. This message 
and the information attached to it are addressed exclusively to its recipient. It may 
contain confidential, privileged or restricted-use information, protected by law. If you 
received this e-mail in error, please notify the sender and delete the original. Any other 
use of this e-mail by you is prohibited. 



[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-02-28 Thread Sumit Bose via FreeIPA-users
On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
> Hi, 
> 
> I send you attached the files needed, let me know if you need something else. 

Hi,

thanks for the files, they look ok. After looking again at what you sent
I came across

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did 
not match expectations

which typically indicates a canonicalization of the principal by the
server side which was not expected by the client.

Which version of SSSD are you using on the Ubuntu client? Recent versions
of SSSD already set 'krb5_canonicalize = true' by default for
'id_provider = ipa'. Maybe your version is a bit older? Please try if it
works better if you explicitly set

krb5_canonicalize = true

in the [domain/...] section of sssd.conf and restart SSSD. At least the
'KDC reply did not match expectations' should be gone now. If the
password change still fails, please set 'debug_level = 9' in the [pam]
and [domain/...] section of sssd.conf, restart SSSD, run the test again
and send the logs from /var/log/sssd.

bye,
Sumit

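The settings suggested in the reply above, put together as one sssd.conf excerpt. This is an added example, not configuration posted in the thread: the domain section name is taken from the log file name sssd_idmpru.fnr.gub.uy.log mentioned further down the thread, and every other value in the section is a placeholder for your own deployment.

```ini
# /etc/sssd/sssd.conf (excerpt). Added example, not from the thread; the
# domain name comes from the log file name in the thread, other values are
# placeholders.
[domain/idmpru.fnr.gub.uy]
id_provider = ipa
# Ask for principal canonicalization explicitly. Recent SSSD releases set
# this by default for id_provider = ipa; an older client build may not,
# which is what the reply above suspects behind
# "KDC reply did not match expectations".
krb5_canonicalize = true
# Only while collecting logs: level 9 writes the full authentication
# exchange (principals, hosts, KDC replies) to /var/log/sssd/.
debug_level = 9

[pam]
debug_level = 9
```

Restart SSSD afterwards (systemctl restart sssd) and reproduce the login; the lines of interest end up in /var/log/sssd/krb5_child.log and /var/log/sssd/sssd_idmpru.fnr.gub.uy.log. Level 9 logs are sensitive material, so share them only with the people debugging the problem and set debug_level back to its default once they have been collected.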

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-02-25 Thread Mateo Duffour via FreeIPA-users
Hi, 

I send you attached the files needed, let me know if you need something else. 


Thanks again, regards. 

Lic. Mateo Duffour 
Unidad Informática 
2901.40.91 


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-02-24 Thread Sumit Bose via FreeIPA-users
On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via 
FreeIPA-users wrote:
> Which /etc/pam.d/ config file do you need ? 

Hi,

from the logs below it looks like you are using ssh to log in, so it
would be /etc/pam.d/sshd and all the files which might be referenced in
that file.

bye,
Sumit


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-02-24 Thread Mateo Duffour via FreeIPA-users
Which /etc/pam.d/ config file do you need ? 

Lic. Mateo Duffour 
Unidad Informática 
2901.40.91 



From: "Mateo Duffour"  
To: "Alexander Bokovoy"  
Cc: "freeipa-users"  
Sent: Wednesday, 23 February, 2022 17:26:49 
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - 
User accounts with passwords expired 

Hi, thank you for the quick reply. 

We were further investigating the issue. 

We were testing with user "usu5", whose password has expired. The log of the IdM 
server below shows that the Samba AD DC is sending "Password has expired" for user 
"usu5"; that's OK. 
So we can suspect that IdM is not behaving as expected: it should prompt a 
password expiry to the user and let the user change it, but something is wrong 
with our config or scenario because that does not happen. 

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has 
expired 
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not 
match expectations 
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 
user=u...@adtest.fnr.gub.uy 
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): 
received for user u...@adtest.fnr.gub.uy: 4 (System error) 
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: 
Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8 

Also in the attached file there is the log sssd_idmpru.fnr.gub.uy.log, which 
shows a login attempt with user "usu6", which is in the same situation as 
"usu5". 

We have done other tests as well. In this case we are logged on to the IdM server as 
user "usu1", whose password has not expired and is working properly. But when we 
try to change it with "passwd" it also fails. 

[u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd 
Changing password for user u...@adtest.fnr.gub.uy. 
Current Password: 
Password change failed. Server message: Old password not accepted. 
passwd: Authentication token manipulation error 

Log of this test on IdM server: 

Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: 
pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in 
/etc/passwd 
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: 
pam_sss(passwd:chauthtok): User info message: Password change failed. Server 
message: Old password not accepted. 
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: 
pam_sss(passwd:chauthtok): Authentication failed for user 
u...@adtest.fnr.gub.uy: 4 (System error) 

Which PAM logs do you need? We have several files apparently. 


Thank you guys again and best regards. 

Lic. Mateo Duffour 
Unidad Informática 
2901.40.91 

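The two failures in the post above (the ssh login with an expired password, and the passwd change the server rejects) are easy to misread in a mixed journal, because pam_sss reports 4 (System error) in both cases and only the krb5_child lines tell them apart. The following is an added example, not code from the thread or from SSSD: a small triage script that correlates the krb5_child and pam_sss lines and names the failure mode it is looking at. The sample journal lines are constructed from the excerpts in the post, with the masked user names filled in as usu5 and usu1 as the post names them; the "working" sample, in which pam_sss returns 12 (Authentication token is no longer valid; new one required), is an assumed picture of a successful expiry prompt and not output taken from the thread.

```python
"""Triage SSSD/PAM journal lines for an AD-trust login or password change.
Added example for this thread, not code from SSSD or from the poster; the
sample journal lines at the bottom are constructed from the post's excerpts."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# syslog-style line: "Feb 23 08:14:35 host proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_sss result lines for the auth and chauthtok stages, e.g.
#   pam_sss(sshd:auth): received for user X: 4 (System error)
PAM_RESULT_RE = re.compile(
    r"pam_sss\((?P<svc>[^:]+):(?P<stage>auth|chauthtok)\): "
    r"(?:received for user|Authentication failed for user) "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)
PAM_NEW_AUTHTOK_REQD = 12  # PAM result a working expiry prompt is built on


@dataclass
class Finding:
    user: Optional[str] = None
    service: Optional[str] = None
    stage: Optional[str] = None
    password_expired: bool = False
    kdc_mismatch: bool = False
    server_message: Optional[str] = None
    pam_code: Optional[int] = None
    pam_text: str = ""
    verdict: str = "no-auth-activity"


def parse_lines(lines: Iterable[str]):
    """Yield one dict per line that has the syslog shape; skip the rest."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def triage(journal: str) -> Finding:
    """Correlate krb5_child and pam_sss lines and name the failure mode."""
    f = Finding()
    for ev in parse_lines(journal.splitlines()):
        msg = ev["msg"]
        if ev["proc"] == "krb5_child":
            # krb5_child is the SSSD helper that talks to the KDC
            if "Password has expired" in msg:
                f.password_expired = True
            elif "KDC reply did not match expectations" in msg:
                f.kdc_mismatch = True
            continue
        if "Server message:" in msg:
            f.server_message = msg.split("Server message:", 1)[1].strip()
        r = PAM_RESULT_RE.search(msg)
        if r:
            f.user, f.service, f.stage = r["user"], r["svc"], r["stage"]
            f.pam_code, f.pam_text = int(r["code"]), r["text"]

    if f.kdc_mismatch:
        # the client rejected a canonicalized principal in the KDC reply:
        # the case in which krb5_canonicalize in [domain/...] is worth checking
        f.verdict = "kdc-canonicalization-mismatch"
    elif f.stage == "chauthtok" and f.pam_code not in (None, 0):
        f.verdict = "password-change-rejected"
    elif f.password_expired and f.pam_code == PAM_NEW_AUTHTOK_REQD:
        f.verdict = "expired-password-change-prompt"
    elif f.password_expired:
        f.verdict = "expired-password-unhandled"
    elif f.pam_code is not None:
        f.verdict = "pam-result-only"
    return f


# Constructed from the ssh excerpt in the post; masked user filled in as usu5.
SSH_EXPIRED_FAILING = """\
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=usu5@adtest.fnr.gub.uy
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user usu5@adtest.fnr.gub.uy: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for usu5@adtest.fnr.gub.uy from 10.9.9.8
"""

# Constructed from the passwd excerpt in the post; masked user filled in as usu1.
PASSWD_CHANGE_FAILING = """\
Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "usu1@adtest.fnr.gub.uy" does not exist in /etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user usu1@adtest.fnr.gub.uy: 4 (System error)
"""

# Assumed shape of a working expiry prompt (not from the thread): no KDC
# mismatch, and pam_sss hands sshd PAM_NEW_AUTHTOK_REQD so it asks for a new one.
SSH_EXPIRED_WORKING = """\
Feb 23 09:01:02 idmsrvpru.idmpru.fnr.gub.uy krb5_child[5102]: Password has expired
Feb 23 09:01:02 idmsrvpru.idmpru.fnr.gub.uy sshd[5100]: pam_sss(sshd:auth): received for user usu5@adtest.fnr.gub.uy: 12 (Authentication token is no longer valid; new one required)
"""

if __name__ == "__main__":
    for name, sample in (("ssh", SSH_EXPIRED_FAILING), ("passwd", PASSWD_CHANGE_FAILING), ("ssh-ok", SSH_EXPIRED_WORKING)):
        print(f"{name}: {triage(sample).verdict}")
```

The script reads a journal excerpt rather than querying journalctl, so it can be run offline on logs a reporter sends in. The verdict is a coarse label, not a root cause: "kdc-canonicalization-mismatch" says only that the client rejected the KDC's reply, which is where to start looking at the client's krb5 settings and SSSD version, and "password-change-rejected" keeps the server's own message so the reporter can quote it back to the DC side.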

[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-02-23 Thread Sumit Bose via FreeIPA-users
On Tue, Feb 22, 2022 at 03:40:27PM -0300, Mateo Duffour via 
FreeIPA-users wrote:
> Hi, 
> 
> We currently have an IdM installation with a trust relationship with a Samba 
> AD DC. Our user accounts reside on the Samba AD DC; we don't have user accounts on 
> IdM. 
> We are having a problem with Samba user accounts that have their passwords 
> expired. 
> 
> When we try to log in with an Ubuntu IdM client with one of those accounts, it 
> fails and asks again for the password. 
> The behaviour we are expecting is that Ubuntu should ask for a password 
> change. 

Hi,

please share your PAM configuration files for the services you are
using for login.

bye,
Sumit

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

2022-02-23 Thread Alexander Bokovoy via FreeIPA-users

Hello,

On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:

> Hi,
> 
> We currently have an IdM installation with a trust relationship with a
> Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user
> accounts on IdM.  We are having a problem with Samba user accounts that
> have their passwords expired.
> 
> When we try to log in with an Ubuntu IdM client with one of those
> accounts, it fails and asks again for the password.  The behaviour we are
> expecting is that Ubuntu should ask for a password change.


I think you need to look at SSSD troubleshooting guide and investigate a
bit yourself. Without logs it is impossible to tell what's wrong.

Please see https://sssd.io/troubleshooting/basics.html and
https://sssd.io/troubleshooting/ipa_provider.html for two parts that
would be relevant here.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland