[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
This issue is solved in Samba 4.16.4. Thanks very much Sumit for your work solving it with the Samba team!

On Tue, May 17, 2022 at 1:55 PM tizo wrote:
>
> Is there anything else I can do to help with this issue? I am willing
> to create a whole new test environment from scratch if it is needed.
>
> Thanks very much.
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Is there anything else I can do to help with this issue? I am willing to create a whole new test environment from scratch if it is needed.

Thanks very much.
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Tue, May 3, 2022 at 2:43 AM Sumit Bose wrote:
>
> Hi,
>
> thanks. Can you try to remove the krb5-pkinit package and run
>
> KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
>
> again while collecting the network trace and the debug output?
>
> bye,
> Sumit

If I try to remove it, it tries to remove 301 packages. A lot of them are unused dependencies, but some ipa packages are dependent packages (ipa-healthcheck, ipa-server, ipa-server-dns, ipa-server-trust-ad). Here is the whole situation:

[root@idmt01 ~]# dnf remove krb5-pkinit
Dependencies resolved.

 Package              Architecture  Version                                   Repository  Size
Removing:
 krb5-pkinit          x86_64        1.18.2-14.el8                             @baseos     131 k
Removing dependent packages:
 ipa-healthcheck      noarch        0.7-6.module+el8.5.0+675+61f67439         @appstream  290 k
 ipa-server           x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6      @appstream  1.1 M
 ipa-server-dns       noarch        4.9.6-10.module+el8.5.0+719+4f06efb6      @appstream  91 k
 ipa-server-trust-ad  x86_64        4.9.6-10.module+el8.5.0+719+4f06efb6      @appstream  340 k
Removing unused dependencies:
 389-ds-base          x86_64        1.4.3.23-14.module+el8.5.0+745+c5be6847   @appstream  9.2 M
 389-ds-base-libs     x86_64        1.4.3.23-14.module+el8.5.0+745+c5be6847   @appstream  4.3 M
 ant                  noarch        1.10.5-1.module+el8.3.0+255+2b2dd360      @appstream  451 k
 ant-lib              noarch        1.10.5-1.module+el8.3.0+255+2b2dd360
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, May 02, 2022 at 03:15:05PM -0300, tizo wrote:
> On Mon, May 2, 2022 at 2:36 PM Sumit Bose wrote:
> >
> > Hi,
> >
> > can you send the output of
> >
> > KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
> >
> > as well and your /etc/krb5.conf?

Hi,

thanks. Can you try to remove the krb5-pkinit package and run

KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy

again while collecting the network trace and the debug output?

bye,
Sumit
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, May 2, 2022 at 2:36 PM Sumit Bose wrote:
>
> Hi,
>
> can you send the output of
>
> KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
>
> as well and your /etc/krb5.conf?
>
> bye,
> Sumit
>

Output:

[root@idmt01 tmp]# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
[4732] 1651514884.487540: Getting initial credentials for u...@adtest.fnr.gub.uy
[4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
[4732] 1651514884.487543: Sending unauthenticated request
[4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514884.487545: Initiating TCP connection to stream 10.2.100.3:88
[4732] 1651514884.487546: Sending TCP request to stream 10.2.100.3:88
[4732] 1651514884.487547: Received answer (314 bytes) from stream 10.2.100.3:88
[4732] 1651514884.487548: Terminating TCP connection to stream 10.2.100.3:88
[4732] 1651514884.487549: Response was from master KDC
[4732] 1651514884.487550: Received error from KDC: -1765328359/Additional pre-authentication required
[4732] 1651514884.487553: Preauthenticating using KDC method data
[4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
[4732] 1651514884.487556: PKINIT client has no configured identity; giving up
[4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
[4732] 1651514884.487558: PKINIT client has no configured identity; giving up
[4732] 1651514884.487559: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for u...@adtest.fnr.gub.uy:
[4732] 1651514896.851314: AS key obtained for encrypted timestamp: aes256-cts/75AC
[4732] 1651514896.851316: Encrypted timestamp (for 1651514896.949521): plain 301AA011180F32303232303530323138303831365AA10502030E7D11, encrypted C418DCD1573DF5E07F0578A78FCB73D9A41DB9DF39398EE86AEA12F587FCED5A3D008FF9FB8565A73C29D1AEA9EB089C576D532C11F7BFD4
[4732] 1651514896.851317: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4732] 1651514896.851318: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514896.851320: Initiating TCP connection to stream 10.2.100.3:88
[4732] 1651514896.851321: Sending TCP request to stream 10.2.100.3:88
[4732] 1651514896.851322: Received answer (1460 bytes) from stream 10.2.100.3:88
[4732] 1651514896.851323: Terminating TCP connection to stream 10.2.100.3:88
[4732] 1651514896.851324: Response was from master KDC
[4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
[4732] 1651514896.851326: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
[4732] 1651514896.851327: Produced preauth for next request: (empty)
[4732] 1651514896.851328: AS key determined by preauth: aes256-cts/75AC
[4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
[4732] 1651514896.851330: FAST negotiation: available
kpasswd: KDC reply did not match expectations getting initial ticket

I am sending /etc/krb5.conf and /var/
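As an added example (not code from the thread, SSSD or MIT krb5), a small Python triage of a KRB5_TRACE output like the one posted above: it records which pre-authentication types the KDC offered, which ones the client completed or abandoned, whether the AS reply was decrypted, and the final client error. MIT krb5 prints "KDC reply did not match expectations" when the decrypted AS-REP fails its consistency check against the request (client name, nonce, service name and so on), so knowing that decryption itself succeeded narrows the search. The function names and the abbreviated sample lines (taken from the trace above) are mine.

```python
import re

# Constructed sample: a handful of lines abbreviated from the KRB5_TRACE
# output posted in the thread, in the order the client printed them.
SAMPLE_TRACE = r"""
[4732] 1651514884.487550: Received error from KDC: -1765328359/Additional pre-authentication required
[4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
[4732] 1651514884.487556: PKINIT client has no configured identity; giving up
[4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
[4732] 1651514884.487559: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for u...@adtest.fnr.gub.uy:
[4732] 1651514896.851317: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
[4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
[4732] 1651514896.851330: FAST negotiation: available
kpasswd: KDC reply did not match expectations getting initial ticket
"""

# "[pid] seconds.usec: message" is the KRB5_TRACE line shape.
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
PREAUTH_RE = re.compile(r"Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)$")
ETYPE_RE = re.compile(r'etype (\S+), salt "([^"]*)"')
CLIENT_ERR_RE = re.compile(r"^(kinit|kpasswd): (.*)$")


def parse_trace(text: str) -> dict:
    """Extract the facts a triage needs from one KRB5_TRACE run.

    Everything else in the trace (TCP connects, byte counts) is ignored.
    """
    summary = {
        "preauth_required": False,
        "offered_preauth": [],      # KDC's full offer, longest list seen
        "etype": None,
        "salt": None,
        "preauth_results": {},      # "module(patype)" -> (code, text), "real" rounds only
        "as_reply_decrypted": False,
        "fast_available": False,
        "client_error": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TRACE_RE.match(line)
        if m is None:
            # Not a trace line: kinit/kpasswd print their own final error.
            err = CLIENT_ERR_RE.match(line)
            if err:
                summary["client_error"] = err.group(2)
            continue
        msg = m.group("msg")
        if "Additional pre-authentication required" in msg:
            summary["preauth_required"] = True
        elif msg.startswith("Processing preauth types: "):
            # The first reply carries the KDC's whole offer; later replies list
            # only what is still relevant, so keep the longest list.
            types = [t.strip() for t in msg[len("Processing preauth types: "):].split(",")]
            if len(types) > len(summary["offered_preauth"]):
                summary["offered_preauth"] = types
        elif msg.startswith("Selected etype info: "):
            em = ETYPE_RE.search(msg)
            if em:
                summary["etype"], summary["salt"] = em.group(1), em.group(2)
        elif msg.startswith("Preauth module "):
            pm = PREAUTH_RE.match(msg)
            if pm:
                name, patype, kind, code, why = pm.groups()
                if kind == "real":  # only "real" rounds try to prove the key
                    summary["preauth_results"][f"{name}({patype})"] = (int(code), why)
        elif msg.startswith("Decrypted AS reply"):
            summary["as_reply_decrypted"] = True
        elif msg.startswith("FAST negotiation: available"):
            summary["fast_available"] = True
    return summary


def triage(summary: dict) -> list:
    """Turn the parsed facts into short findings a responder can act on."""
    findings = []
    if summary["preauth_required"]:
        findings.append("KDC demanded pre-authentication; offered: "
                        + ", ".join(summary["offered_preauth"]))
    for key, (code, why) in summary["preauth_results"].items():
        if key.startswith("pkinit") and code != 0:
            findings.append(f"{key} failed ({why}); expected when no client certificate is configured")
    ts = summary["preauth_results"].get("encrypted_timestamp(2)")
    if ts and ts[0] == 0:
        findings.append(f"encrypted timestamp accepted using {summary['etype']} with salt {summary['salt']!r}")
    if summary["as_reply_decrypted"]:
        findings.append("AS reply decrypted: password and salt were correct, so this is not a bad password")
    if summary["client_error"]:
        findings.append("client rejected the exchange after decryption: " + summary["client_error"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```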
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> It fails, and with kinit too:
>
> [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> Password for u...@adtest.fnr.gub.uy:
> kinit: KDC reply did not match expectations while getting initial credentials
> [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> Password for u...@adtest.fnr.gub.uy:
> kpasswd: KDC reply did not match expectations getting initial ticket
>
> I am sending tcpdump captures while trying with kpasswd. There are
> two, as there are two Samba DCs (smbtest.adtest.fnr.gub.uy and
> smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> in this case.

Hi,

can you send the output of

KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy

as well and your /etc/krb5.conf?

bye,
Sumit

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, May 2, 2022 at 11:56 AM Sumit Bose wrote:
>
> On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > Hi,
> > >
> > > thanks, at least I received your email. Can you run the tests with "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again but with 'debug_level = 9' in the [domain/...] section of sssd.conf. This will add some additional information into krb5_child.log which might help to understand why the client does not like the reply from the DC.
> > >
> > > bye,
> > > Sumit
> > >
> >
> > I cleared all the logs and ran the tests again with those parameters. I am sending the logs. Thanks!
>
> Hi,
>
> can you try if you can change the password with 'kpasswd u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a network trace of this command with tcpdump and send it as well?
>
> bye,
> Sumit
>

It fails, and with kinit too:

[root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
Password for u...@adtest.fnr.gub.uy:
kinit: KDC reply did not match expectations while getting initial credentials
[root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
Password for u...@adtest.fnr.gub.uy:
kpasswd: KDC reply did not match expectations getting initial ticket

I am sending tcpdump captures while trying with kpasswd. There are two, as there are two Samba DC (smbtest.adtest.fnr.gub.uy and smbtest02.adtest.fnr.gub.uy), but I think that the first one replied in this case.

Attachments: tcpdump_capture_smbtest02 (binary data), tcpdump_capture_smbtest (binary data)
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > Hi,
> >
> > thanks, at least I received your email. Can you run the tests with "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again but with 'debug_level = 9' in the [domain/...] section of sssd.conf. This will add some additional information into krb5_child.log which might help to understand why the client does not like the reply from the DC.
> >
> > bye,
> > Sumit
> >
>
> I cleared all the logs and ran the tests again with those parameters. I am sending the logs. Thanks!

Hi,

can you try if you can change the password with 'kpasswd u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a network trace of this command with tcpdump and send it as well?

bye,
Sumit
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
> Hi,
>
> thanks, at least I received your email. Can you run the tests with "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again but with 'debug_level = 9' in the [domain/...] section of sssd.conf. This will add some additional information into krb5_child.log which might help to understand why the client does not like the reply from the DC.
>
> bye,
> Sumit
>

I cleared all the logs and ran the tests again with those parameters. I am sending the logs. Thanks!

Attachment: logs.tar.gz (application/gzip)
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
tizo via FreeIPA-users wrote:
>> Hi,
>>
>> can you try if adding
>>
>> krb5_use_enterprise_principal = True
>>
>> help? If not, please send full SSSD logs (everything in /var/log/sssd) next time.
>>
>> bye,
>> Sumit
>>
>
> Hi and thanks Sumit. I have just realized that the response that I sent on Friday with all the logs and different tests, was rejected by the moderator with "No reason given".
>
> Should I send the files in a tar.gz maybe? Or directly to your email?

Unfortunately the mailing list software doesn't allow for a reason when rejecting mail. The e-mail was 6M and the max size allowed without moderation is 256Kb. I generally let things through slightly bigger but this was too large.

rob
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, May 02, 2022 at 09:31:37AM -0300, tizo wrote:
> > Hi,
> >
> > can you try if adding
> >
> > krb5_use_enterprise_principal = True
> >
> > help? If not, please send full SSSD logs (everything in /var/log/sssd) next time.
> >
> > bye,
> > Sumit
> >
>
> Hi and thanks Sumit. I have just realized that the response that I sent on Friday with all the logs and different tests, was rejected by the moderator with "No reason given".
>
> Should I send the files in a tar.gz maybe? Or directly to your email?
>

Hi,

thanks, at least I received your email. Can you run the tests with "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again but with 'debug_level = 9' in the [domain/...] section of sssd.conf. This will add some additional information into krb5_child.log which might help to understand why the client does not like the reply from the DC.

bye,
Sumit
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
> Hi,
>
> can you try if adding
>
> krb5_use_enterprise_principal = True
>
> help? If not, please send full SSSD logs (everything in /var/log/sssd) next time.
>
> bye,
> Sumit
>

Hi and thanks Sumit. I have just realized that the response that I sent on Friday with all the logs and different tests, was rejected by the moderator with "No reason given".

Should I send the files in a tar.gz maybe? Or directly to your email?
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, Apr 25, 2022 at 01:23:05PM -0300, tizo via FreeIPA-users wrote:
> On Mon, Apr 25, 2022 at 12:23 PM tizo wrote:
> >
> > > Hi,
> > >
> > > thanks for the logs. The issue does not happen during Kerberos ticket validation, as I thought, but while trying to establish the FAST tunnel.
> > >
> > > There should be two ways to solve this. The first is setting
> > >
> > > krb5_use_fast = never
> > >
> > > in the [domain/...] section of sssd.conf on every IPA client. The second is to reestablish the trust as two-way trust with the '--two-way=True' option of 'ipa trust-add'. I would recommend the latter.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> >
> > Hi Sumit,
> >
> > I'm taking Mateo's place here because he's busy with other things. Sorry for the delay.
> >
> > We tried two-way trust on a brand new IdM server for a new IdM domain (since the old server was giving other errors - we probably messed it up at some point), and we're back to square one: AD users without expiring password can login on the new IdM server with ssh, and for those with expired passwords journalctl gives:
> >
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
> > Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply did not match expectations
> >
> > I really don't know if behind the scenes it's exactly the same problem as the first time, but it shouldn't, since we updated the Samba servers to version 4.16.0 which has FAST support (as was noted in the Samba users list). I'm wondering at the moment if the samba-client package on the IdM server, that is version 4.14.5, could affect it or if it doesn't matter.
> >
> > How do you think I can continue from here?
> >
> > Thank you very much,
> >
> > tizo
>
> Just for the records, if I add krb5_use_fast = never in the [domain/...] section of sssd.conf, I get the same in journalctl, but something different in krb5_child.log:
>
> (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
>    ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): krb5_child started.
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x1000): total buffer size: [115]
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [u...@adtest.fnr.gub.uy]

Hi,

can you try if adding

krb5_use_enterprise_principal = True

help? If not, please send full SSSD logs (everything in /var/log/sssd) next time.

bye,
Sumit

>    * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x2000): No old ccache
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [not set] keytab: [/etc/krb5.keytab]
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [k5c_precreate_ccache] (0x4000): Recreating ccache
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [become_user] (0x0200): Trying to become user [10101][10101].
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x2000): Running as [10101][10101].
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific lifetime requested.
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform auth
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform online auth
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Attempting to get a TGT
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
>    ** BACKTRACE DUMP ENDS HERE *
>
> (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
>    ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Password was expired
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
>    * (2022-04-25 13:17:05): [krb5_child[2000]] [map_k
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
I would really appreciate any kind of help here. I don't know how I could go ahead with this issue, and it's the last one before going into production. Thanks very much!
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, Apr 25, 2022 at 12:23 PM tizo wrote:
>
> > Hi,
> >
> > thanks for the logs. The issue does not happen during Kerberos ticket validation, as I thought, but while trying to establish the FAST tunnel.
> >
> > There should be two ways to solve this. The first is setting
> >
> > krb5_use_fast = never
> >
> > in the [domain/...] section of sssd.conf on every IPA client. The second is to reestablish the trust as two-way trust with the '--two-way=True' option of 'ipa trust-add'. I would recommend the latter.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
>
> Hi Sumit,
>
> I'm taking Mateo's place here because he's busy with other things. Sorry for the delay.
>
> We tried two-way trust on a brand new IdM server for a new IdM domain (since the old server was giving other errors - we probably messed it up at some point), and we're back to square one: AD users without expiring password can login on the new IdM server with ssh, and for those with expired passwords journalctl gives:
>
> Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
> Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply did not match expectations
>
> I really don't know if behind the scenes it's exactly the same problem as the first time, but it shouldn't, since we updated the Samba servers to version 4.16.0 which has FAST support (as was noted in the Samba users list). I'm wondering at the moment if the samba-client package on the IdM server, that is version 4.14.5, could affect it or if it doesn't matter.
>
> How do you think I can continue from here?
>
> Thank you very much,
>
> tizo

Just for the records, if I add krb5_use_fast = never in the [domain/...] section of sssd.conf, I get the same in journalctl, but something different in krb5_child.log:

(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
   ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): krb5_child started.
   * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x1000): total buffer size: [115]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [u...@adtest.fnr.gub.uy]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x2000): No old ccache
   * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [not set] keytab: [/etc/krb5.keytab]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
   * (2022-04-25 13:17:05): [krb5_child[2000]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   * (2022-04-25 13:17:05): [krb5_child[2000]] [become_user] (0x0200): Trying to become user [10101][10101].
   * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x2000): Running as [10101][10101].
   * (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
   * (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific lifetime requested.
   * (2022-04-25 13:17:05): [krb5_child[2000]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform auth
   * (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform online auth
   * (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Attempting to get a TGT
   * (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
   * (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
   ** BACKTRACE DUMP ENDS HERE *

(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
   ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Password was expired
   * (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
   * (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
   ** BACKTRACE DUMP ENDS HERE *
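The krb5_child.log backtrace above is what a practitioner ends up reading by hand. As an added example (not code from the thread, from SSSD or from Samba), the Python script below parses that backtrace format, pulls out the libkrb5 error chain and the request options the discussion turns on (FAST, enterprise principal, ticket validation, canonicalization, UPN, realm), and flags the "Password has expired" followed by "KDC reply did not match expectations" pattern. The sample log, UPN and realm in it are constructed; the two error-code names are the MIT krb5 constants for the codes quoted in the log above.

```python
"""Triage helper for SSSD krb5_child.log backtraces (added example, not SSSD code).

With 'debug_level = 9' krb5_child logs each error as a triggering line followed by
a backtrace of the debug lines that led to it.  This parses that block format,
extracts the libkrb5 error chain and the request options the thread turns on, and
flags the 'Password has expired' -> 'KDC reply did not match expectations' pattern.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# MIT krb5 names for the two codes quoted in the thread's log.
KRB5_ERROR_NAMES = {-1765328361: "KRB5KDC_ERR_KEY_EXP",
                    -1765328237: "KRB5_KDCREP_MODIFIED"}

# A debug line, with or without the leading "   * " of a backtrace entry.
LINE_RE = re.compile(
    r"^\s*\*?\s*\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Error messages look like "1724: [-1765328361][Password has expired]".
ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]$")

# Constructed sample in the format quoted in the thread; UPN and realm are placeholders.
SAMPLE_LOG = """\
(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
   ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [user@adtest.example]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
   * (2022-04-25 13:17:05): [krb5_child[2000]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.EXAMPLE]
   * (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
   ** BACKTRACE DUMP ENDS HERE *
(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
   ** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Password was expired
   * (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
   ** BACKTRACE DUMP ENDS HERE *
"""


@dataclass
class Triage:
    errors: List[Tuple[int, str, str]] = field(default_factory=list)  # (code, text, func)
    fast: Optional[bool] = None
    enterprise_principal: Optional[bool] = None
    validate: Optional[bool] = None
    canonicalize: Optional[bool] = None
    upn: Optional[str] = None
    realm: Optional[str] = None


def parse_events(text: str) -> List[dict]:
    """Every debug line as a dict (ts, pid, func, level, msg); marker lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def _first(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def _flag(text: str, key: str) -> Optional[bool]:
    """Read the first 'key [true]' / 'key [false]' token in the excerpt."""
    v = _first(re.escape(key) + r" \[(true|false)\]", text)
    return None if v is None else v == "true"


def triage(text: str) -> Triage:
    """Condense one krb5_child.log request into the facts worth reading first."""
    t, seen = Triage(), set()
    for ev in parse_events(text):
        err = ERR_RE.match(ev["msg"])
        if not err:
            continue
        key = (int(err["code"]), err["text"])
        # Each error is printed twice: as the trigger line and again as the
        # last entry of its own backtrace.  Record it once, in log order.
        if key not in seen:
            seen.add(key)
            t.errors.append((key[0], key[1], ev["func"]))
    fast_line = _first(r"\[check_use_fast\] \(0x[0-9a-fA-F]+\): (.*)", text)
    t.fast = None if fast_line is None else not fast_line.startswith("Not using FAST")
    t.enterprise_principal = _flag(text, "enterprise principal")
    t.validate = _flag(text, "validate")
    t.canonicalize = _flag(text, "Canonicalization is set to")
    t.upn = _first(r"UPN \[([^\]]+)\]", text)
    t.realm = _first(r"Attempting kinit for realm \[([^\]]+)\]", text)
    return t


def is_expired_then_mismatch(t: Triage) -> bool:
    """The thread's pattern: KRB5KDC_ERR_KEY_EXP on the AS exchange, then the
    follow-up reply rejected by libkrb5 with KRB5_KDCREP_MODIFIED."""
    return [c for c, _, _ in t.errors][:2] == [-1765328361, -1765328237]


if __name__ == "__main__":
    # Usage: script.py [path/to/krb5_child.log]; without an argument the sample is used.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(src)
    print(result)
    print("expired-then-mismatch pattern:", is_expired_then_mismatch(result))
```

Running it on the sample prints the error chain with both functions that raised it, FAST false and enterprise principal false, which is the combination the thread was debugging.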
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
> Hi,
>
> thanks for the logs. The issue does not happen during Kerberos ticket validation, as I thought, but while trying to establish the FAST tunnel.
>
> There should be two ways to solve this. The first is setting
>
> krb5_use_fast = never
>
> in the [domain/...] section of sssd.conf on every IPA client. The second is to reestablish the trust as two-way trust with the '--two-way=True' option of 'ipa trust-add'. I would recommend the latter.
>
> HTH
>
> bye,
> Sumit
>

Hi Sumit,

I'm taking Mateo's place here because he's busy with other things. Sorry for the delay.

We tried two-way trust on a brand new IdM server for a new IdM domain (since the old server was giving other errors - we probably messed it up at some point), and we're back to square one: AD users without expiring password can login on the new IdM server with ssh, and for those with expired passwords journalctl gives:

Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply did not match expectations

I really don't know if behind the scenes it's exactly the same problem as the first time, but it shouldn't, since we updated the Samba servers to version 4.16.0 which has FAST support (as was noted in the Samba users list). I'm wondering at the moment if the samba-client package on the IdM server, that is version 4.14.5, could affect it or if it doesn't matter.

How do you think I can continue from here?

Thank you very much,

tizo
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Mon, Apr 11, 2022 at 10:26:04AM -0300, Mateo Duffour wrote:
> Hi,
>
> We send the krb5_child.log attached as requested.
> The test was an ssh u...@adtest.xxx.xxx.xx@idmsrvpru.idmpru.xxx.xxx.xx from our IdM server.

Hi,

thanks for the logs. The issue does not happen during Kerberos ticket validation, as I thought, but while trying to establish the FAST tunnel.

There should be two ways to solve this. The first is setting

krb5_use_fast = never

in the [domain/...] section of sssd.conf on every IPA client. The second is to reestablish the trust as two-way trust with the '--two-way=True' option of 'ipa trust-add'. I would recommend the latter.

HTH

bye,
Sumit

>
> Many thanks.
>
> Lic. Mateo Duffour
> Unidad Informática (IT Unit)
> 2901.40.91
>
> 18 de julio 985 - Piso 3, Montevideo, Uruguay (http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay)
> http://www.fnr.gub.uy/
>
> Don't print me unless necessary. Let's protect the environment. This message and the information attached to it are addressed exclusively to the recipient. It may contain confidential, privileged or restricted-use information, protected by law. If you received this e-mail in error, please notify the sender and delete the original. Any other use of this e-mail by you is prohibited.
>
> - Original Message -
> From: "Sumit Bose"
> To: "Mateo Duffour"
> Cc: "Alexander Bokovoy", "Sumit Bose", "freeipa-users", "tizo"
> Sent: Friday, 8 April, 2022 02:45:06
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> On Thu, Apr 07, 2022 at 05:07:00PM -0300, Mateo Duffour wrote:
> > Hi,
> >
> > The last answer that we received on bugzilla and on samba lists says "Your kpasswd is expecting FAST support which has been added in samba 4.16. So you either have to disable FAST or upgrade first."
> >
> > We've upgraded our Samba server version to 4.16.0 and we're getting this error now (when trying to login with any user from our IdM server):
> >
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database
>
> Hi,
>
> looks like there are issues requesting the cross-realm TGT, it would be good to see the full krb5_child.log file with 'debug_level = 9' in the [domain/...] section of sssd.conf to maybe better understand why this fails.
>
> I would expect that the cross-realm TGT is requested during the validation of the Kerberos ticket. You can disable the validation as a workaround by adding
>
> krb5_validate = false
>
> in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.
>
> bye,
> Sumit
>
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
> > Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx : 4 (System error)
> > Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4
> >
> > Any help is appreciated, regards.
> >
> > Lic. Mateo Duffour
> > Unidad Informática
> > 2901.40.91
> >
> > From: "Mateo Duffour"
> > To: "Alexander Bokovoy"
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi,

We send the krb5_child.log attached as requested.
The test was an ssh u...@adtest.xxx.xxx.xx@idmsrvpru.idmpru.xxx.xxx.xx from our IdM server.

Many thanks.

Lic. Mateo Duffour
Unidad Informática
2901.40.91

- Original Message -
From: "Sumit Bose"
To: "Mateo Duffour"
Cc: "Alexander Bokovoy", "Sumit Bose", "freeipa-users", "tizo"
Sent: Friday, 8 April, 2022 02:45:06
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Thu, Apr 07, 2022 at 05:07:00PM -0300, Mateo Duffour wrote:
> Hi,
>
> The last answer that we received on bugzilla and on samba lists says "Your kpasswd is expecting FAST support which has been added in samba 4.16. So you either have to disable FAST or upgrade first."
>
> We've upgraded our Samba server version to 4.16.0 and we're getting this error now (when trying to login with any user from our IdM server):
>
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database

Hi,

looks like there are issues requesting the cross-realm TGT, it would be good to see the full krb5_child.log file with 'debug_level = 9' in the [domain/...] section of sssd.conf to maybe better understand why this fails.

I would expect that the cross-realm TGT is requested during the validation of the Kerberos ticket. You can disable the validation as a workaround by adding

krb5_validate = false

in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.

bye,
Sumit

> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx : 4 (System error)
> Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4
>
> Any help is appreciated, regards.
>
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
>
> From: "Mateo Duffour"
> To: "Alexander Bokovoy"
> Cc: "Sumit Bose", "freeipa-users", "tizo"
> Sent: Friday, 11 March, 2022 15:49:31
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> Hi,
>
> We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to report a bug on bugzilla.samba.org as you suggested.
>
> Thanks again.
>
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Thu, Apr 07, 2022 at 05:07:00PM -0300, Mateo Duffour wrote:
> Hi,
>
> The last answer that we received on bugzilla and on samba lists says "Your kpasswd is expecting FAST support which has been added in samba 4.16. So you either have to disable FAST or upgrade first."
>
> We've upgraded our Samba server version to 4.16.0 and we're getting this error now (when trying to login with any user from our IdM server):
>
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database

Hi,

looks like there are issues requesting the cross-realm TGT, it would be good to see the full krb5_child.log file with 'debug_level = 9' in the [domain/...] section of sssd.conf to maybe better understand why this fails.

I would expect that the cross-realm TGT is requested during the validation of the Kerberos ticket. You can disable the validation as a workaround by adding

krb5_validate = false

in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.

bye,
Sumit

> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx : 4 (System error)
> Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4
>
> Any help is appreciated, regards.
>
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
>
> From: "Mateo Duffour"
> To: "Alexander Bokovoy"
> Cc: "Sumit Bose", "freeipa-users", "tizo"
> Sent: Friday, 11 March, 2022 15:49:31
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> Hi,
>
> We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to report a bug on bugzilla.samba.org as you suggested.
>
> Thanks again.
>
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
>
> From: "Alexander Bokovoy"
> To: "Mateo Duffour"
> Cc: "Sumit Bose", "freeipa-users", "tizo"
> Sent: Friday, 11 March, 2022 15:03:58
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> On Fri, 11 March 2022, Mateo Duffour wrote:
> > Hi,
> > We installed Samba AD DC from this repo https://samba.tranquil.it/redhat8/samba-4.14.10/ . It's running over Rocky Linux and it's on a trust relationship with IdM.
> >
> > Thanks.
>
> So this is a build with embedded Heimdal Kerberos version and a relatively old one.
>
> This sounds like a bug worth opening Samba upstream. There is nothing specific to FreeIPA in this communication, though. What happens is that a Kerberos client (in this case kpasswd) attempts
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi,

The last answer that we received on bugzilla and on samba lists says "Your kpasswd is expecting FAST support which has been added in samba 4.16. So you either have to disable FAST or upgrade first."

We've upgraded our Samba server version to 4.16.0 and we're getting this error now (when trying to login with any user from our IdM server):

Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database
Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/adtest.xxx.xxx...@idmpru.xxx.xxx.xx not found in Kerberos database
Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx : 4 (System error)
Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4

Any help is appreciated, regards.

Lic. Mateo Duffour
Unidad Informática

From: "Mateo Duffour"
To: "Alexander Bokovoy"
Cc: "Sumit Bose", "freeipa-users", "tizo"
Sent: Friday, 11 March, 2022 15:49:31
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hi,

We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to report a bug on bugzilla.samba.org as you suggested.

Thanks again.

Lic. Mateo Duffour
Unidad Informática
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi,

We are experiencing the same behavior on Samba AD DC 4.15.5, we are going to report a bug on bugzilla.samba.org as you suggested.

Thanks again.

Lic. Mateo Duffour
Unidad Informática

From: "Alexander Bokovoy"
To: "Mateo Duffour"
Cc: "Sumit Bose", "freeipa-users", "tizo"
Sent: Friday, 11 March, 2022 15:03:58
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Fri, 11 Mar 2022, Mateo Duffour wrote:
> Hi,
>
> We installed Samba AD DC from this repo https://samba.tranquil.it/redhat8/samba-4.14.10/ It's running over Rocky Linux and it's on a trust relationship with IdM.

Thanks. So this is a build with embedded Heimdal Kerberos version and a relatively old one.

This sounds like a bug worth opening Samba upstream. There is nothing specific to FreeIPA in this communication, though. What happens is that a Kerberos client (in this case kpasswd) attempts to change a password and fails when expecting a response on Kerberos level from Samba AD DC. It may be a mix of expectations between kpasswd from MIT Kerberos (on Rocky) and Heimdal (embedded in Samba AD DC), but to fix it you'd need to talk to Samba AD developers. Please open a bug at bugzilla.samba.org, attach this capture and kpasswd trace logs. Also please provide details on what Samba build this is in the bug report.

Prior to doing that, maybe try an upgrade to Samba 4.15.5 which is available in the same repositories from Tranquil IT (https://samba.tranquil.it/redhat8/).
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Fri, 11 Mar 2022, Mateo Duffour wrote:
> Hi,
>
> We installed Samba AD DC from this repo https://samba.tranquil.it/redhat8/samba-4.14.10/ It's running over Rocky Linux and it's on a trust relationship with IdM.

Thanks. So this is a build with embedded Heimdal Kerberos version and a relatively old one.

This sounds like a bug worth opening Samba upstream. There is nothing specific to FreeIPA in this communication, though. What happens is that a Kerberos client (in this case kpasswd) attempts to change a password and fails when expecting a response on Kerberos level from Samba AD DC. It may be a mix of expectations between kpasswd from MIT Kerberos (on Rocky) and Heimdal (embedded in Samba AD DC), but to fix it you'd need to talk to Samba AD developers. Please open a bug at bugzilla.samba.org, attach this capture and kpasswd trace logs. Also please provide details on what Samba build this is in the bug report.

Prior to doing that, maybe try an upgrade to Samba 4.15.5 which is available in the same repositories from Tranquil IT (https://samba.tranquil.it/redhat8/).

> Regards,
>
> Lic. Mateo Duffour
> Unidad Informática
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi,

We installed Samba AD DC from this repo https://samba.tranquil.it/redhat8/samba-4.14.10/ It's running over Rocky Linux and it's on a trust relationship with IdM.

Regards,

Lic. Mateo Duffour
Unidad Informática

From: "Alexander Bokovoy"
To: "Mateo Duffour"
Cc: "Sumit Bose", "freeipa-users", "tizo"
Sent: Friday, 11 March, 2022 14:07:58
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

On Fri, 11 Mar 2022, Mateo Duffour wrote:
> Hi,
>
> I've sent the network capture attached, it was made with tcpdump in the IdM server to the Samba AD DC server, while trying to log in with ssh with user5.

Hi, can you give more details about this Samba AD DC installation? What Samba version is that? How was it built?
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Fri, 11 Mar 2022, Mateo Duffour wrote:
> Hi,
>
> I've sent the network capture attached, it was made with tcpdump in the IdM server to the Samba AD DC server, while trying to log in with ssh with user5.

Hi, can you give more details about this Samba AD DC installation? What Samba version is that? How was it built?

> Regards,
>
> Lic. Mateo Duffour
> Unidad Informática
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Fri, Mar 11, 2022 at 01:32:50PM -0300, Mateo Duffour wrote:
> Hi,
>
> I've sent the network capture attached, it was made with tcpdump in the IdM server to the Samba AD DC server, while trying to log in with ssh with user5.

Hi,

thanks for the network trace. Alexander, can you have a look at the Kerberos packets in the network trace? It looks like the Samba DC is replying, if a ticket for the 'kadmin/changepw' service principal is requested (packet 63), with a ticket for 'krbtgt' (packet 65). And it looks like this is not expected by libkrb5.

bye,
Sumit

> Regards,
>
> Lic. Mateo Duffour
> Unidad Informática
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi,

I've sent the network capture attached, it was made with tcpdump in the IdM server to the Samba AD DC server, while trying to log in with ssh with user5.

Regards,

Lic. Mateo Duffour
Unidad Informática

From: "tizo"
To: "freeipa-users"
Cc: "Mateo Duffour", "Alexander Bokovoy", "Sumit Bose"
Sent: Friday, 11 March, 2022 11:38:50
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

> Hi,
>
> this is still the same pattern. Would it be possible to get a network trace to better understand what the KDC reply looks like and what might not be as expected by libkrb5?
>
> Additionally, can you try to set the password for the user with the expired password with
>
> KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.
>
> and send the output?
>
> bye,
> Sumit

Hi there. I work with Mateo. We are sending the network capture in some minutes, but to get ahead I am sending the other test:

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx
[47521] 1647008539.753136: Getting initial credentials for u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776864: Preauthenticating using KDC method data
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
[47521] 1647008540.776868: PKINIT client has no configured identity; giving up
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for u...@adtest.xxx.xxx.xx:
[47521] 1647008555.456745: AS key obtained for encrypted timestamp: aes256-cts/0DAE
[47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
> Hi,
>
> this is still the same pattern. Would it be possible to get a network
> trace to better understand how the KDC reply looks like and what might
> not be as expected by libkrb5?
>
> Additionally, can you try to set the password for the user with the
> expired password with
>
> KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.
>
> and send the output?
>
> bye,
> Sumit

Hi there. I work with Mateo.

We are sending the network capture in some minutes, but to get ahead I am sending the other test:

# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.xxx.xxx.xx
[47521] 1647008539.753136: Getting initial credentials for u...@adtest.xxx.xxx.xx
[47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753138: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
[47521] 1647008539.753141: Retrieving host/idmsrvpru.idmpru.xxx.xxx...@idmpru.xxx.xxx.xx -> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF: from KCM:0:84390 with result: -1765328243/Matching credential not found
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
[47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008540.776860: Response was from master KDC
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776864: Preauthenticating using KDC method data
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
[47521] 1647008540.776867: PKINIT client has no configured identity; giving up
[47521] 1647008540.776868: PKINIT client has no configured identity; giving up
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for u...@adtest.xxx.xxx.xx:
[47521] 1647008555.456745: AS key obtained for encrypted timestamp: aes256-cts/0DAE
[47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008555.456749: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
[47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
[47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88
[47521] 1647008556.458251: Terminating TCP connection to stream 10.2.100.4:88
[47521] 1647008556.458252: Terminating TCP connection to stream 10.2.100.3:88
[47521] 1647008556.458253: Response was from master KDC
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata type PA-PW-SALT (3)
[47521] 1647008556.458256: Produced preauth for next request: (empty)
[47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket

FYI, I have tried the same test with a user WITHOUT an expired password, and it does not work either, and the log is exactly the same. Indeed, when I log in with ssh with this user, I cannot change the password either:

$ passwd
Changing password for user u...@adtest.xxx.xx.xx.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

Thanks very much.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://do
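The trace above has a telling shape: libkrb5 reports "Decrypted AS reply" and only then fails with "KDC reply did not match expectations", so the password-derived key was right and the failure is a check on the reply's contents rather than a wrong password. The script below is an added example, not code from the thread or from MIT krb5: it parses KRB5_TRACE output of this shape and classifies the outcome, distinguishing a post-decryption mismatch (in MIT krb5 that error is KRB5_KDCREP_MODIFIED, raised for instance when the client principal in the AS-REP differs from the one requested and canonicalization was not asked for) from a plain preauth failure. The sample lines are constructed from the trace posted above with the user usu5 and a placeholder realm ADTEST.EXAMPLE; the wrong-password trace is constructed too.

```python
"""Classify the outcome of a KRB5_TRACE dump from kinit/kpasswd.

Added example, not code from the thread or from MIT krb5. SAMPLE_TRACE is
constructed from the trace posted in the thread with a placeholder realm
(ADTEST.EXAMPLE); WRONG_PASSWORD_TRACE is constructed to show the
contrasting case of a rejected encrypted timestamp.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# KRB5_TRACE record: "[pid] seconds.micros: message"
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
# "PA-ENC-TIMESTAMP (2)" style entries in a "Processing preauth types" record
PA_RE = re.compile(r"([A-Z0-9_-]+) \((\d+)\)")
ETYPE_RE = re.compile(r'etype (\S+), salt "([^"]*)"')

SAMPLE_TRACE = """\
[47521] 1647008539.753136: Getting initial credentials for usu5@ADTEST.EXAMPLE
[47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
[47521] 1647008539.753143: Sending unauthenticated request
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt "ADTEST.EXAMPLEusu5", params "\\x00\\x00\\x10\\x00"
[47521] 1647008540.776869: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for usu5@ADTEST.EXAMPLE:
[47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
[47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
[47521] 1647008556.458258: Decrypted AS reply; session key is: aes256-cts/35D9
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket
"""

WRONG_PASSWORD_TRACE = """\
[1] 1.000001: Getting initial credentials for usu5@ADTEST.EXAMPLE
[1] 1.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[1] 1.000003: Processing preauth types: PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[1] 1.000004: Received error from KDC: -1765328360/Preauthentication failed
kinit: Password incorrect while getting initial credentials
"""


@dataclass
class AsExchange:
    """What the client learned during one AS exchange."""
    client: str | None = None
    preauth_rounds: list[list[str]] = field(default_factory=list)
    etype: str | None = None
    salt: str | None = None
    kdc_errors: list[str] = field(default_factory=list)
    decrypted: bool = False          # "Decrypted AS reply" was logged
    fast: str | None = None          # result of FAST negotiation, if logged
    final_error: str | None = None   # the tool's own last line (kinit:/kpasswd:)


def parse_trace(text: str) -> AsExchange:
    ex = AsExchange()
    for raw in text.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m is None:
            # Not a trace record: prompts are ignored, the tool's own final
            # error line ("kpasswd: ...") is kept as the outcome.
            if line.startswith(("kinit: ", "kpasswd: ")):
                ex.final_error = line.split(": ", 1)[1]
            continue
        msg = m.group("msg")
        if msg.startswith("Getting initial credentials for "):
            ex.client = msg.rsplit(" for ", 1)[1]
        elif msg.startswith("Processing preauth types: "):
            ex.preauth_rounds.append([name for name, _num in PA_RE.findall(msg)])
        elif msg.startswith("Selected etype info: "):
            em = ETYPE_RE.search(msg)
            if em:
                ex.etype, ex.salt = em.group(1), em.group(2)
        elif msg.startswith("Received error from KDC: "):
            # "-1765328359/Additional pre-authentication required" -> keep the text part
            ex.kdc_errors.append(msg.split(": ", 1)[1].split("/", 1)[1])
        elif msg.startswith("Decrypted AS reply"):
            ex.decrypted = True
        elif msg.startswith("FAST negotiation: "):
            ex.fast = msg.split(": ", 1)[1]
    return ex


VERDICTS = {
    "reply_mismatch_after_decrypt": (
        "The AS-REP decrypted with the password-derived key, so the password was "
        "accepted; libkrb5 then rejected the reply's contents (KRB5_KDCREP_MODIFIED). "
        "Compare the client principal in the AS-REP with the one requested: a "
        "canonicalized name the client did not ask for is the usual cause."),
    "preauth_failed": "The KDC rejected the encrypted timestamp: wrong password (or a stale key).",
    "incomplete": "No outcome line found; the trace was cut off before the tool exited.",
    "unknown": "Pattern not recognised; read the trace by hand.",
}


def triage(ex: AsExchange) -> str:
    """Return a verdict key for VERDICTS."""
    err = ex.final_error or ""
    if "KDC reply did not match expectations" in err and ex.decrypted:
        return "reply_mismatch_after_decrypt"
    if any("Preauthentication failed" in e for e in ex.kdc_errors):
        return "preauth_failed"
    if ex.final_error is None:
        return "incomplete"
    return "unknown"


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_TRACE), ("wrong password", WRONG_PASSWORD_TRACE)):
        ex = parse_trace(text)
        key = triage(ex)
        print(f"{name}: client={ex.client} decrypted={ex.decrypted} fast={ex.fast} -> {key}")
        print("  " + VERDICTS[key])
```

Feed it a real dump with `KRB5_TRACE=/tmp/trace.log kpasswd user@REALM` and `parse_trace(open("/tmp/trace.log").read())`; the verdict only tells you which half of the exchange to look at, so for the mismatch case the next step is still the packet capture of the AS-REP, as asked for in the thread.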
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Thu, Mar 10, 2022 at 06:11:41PM -0300, Mateo Duffour wrote:
> I made a mistake and copied another log; the log of the test mentioned is:
>
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: Password has expired
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: KDC reply did not match expectations
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
> Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx: 4 (System error)
> Mar 10 18:08:10 idmsrvpru.idmpru.xxx.xxx.xx sshd[45683]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4

Hi,

this is still the same pattern. Would it be possible to get a network trace to better understand how the KDC reply looks like and what might not be as expected by libkrb5?

Additionally, can you try to set the password for the user with the expired password with

KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.

and send the output?

bye,
Sumit

> Lic. Mateo Duffour
>
> From: "Mateo Duffour"
> To: "Sumit Bose"
> Cc: "freeipa-users", "Alexander Bokovoy"
> Sent: Thursday, 10 March, 2022 17:48:17
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> Hi,
>
> We also tried with krb5_use_enterprise_principal with no success.
>
> With the intention of simplifying our scenario we are now testing (with the same configurations that you suggested) an ssh of the user to the IdM server. On our IdM server we are getting the same error:
>
> ssh u...@adtest.xxx.xx.xx@idmsrvpru.idmpru.xxx.xx.xx
>
> Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: Password has expired
> Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: KDC reply did not match expectations
> Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=usu5
> Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): received for user usu5: 4 (System error)
> Mar 10 16:50:14 idmsrvpru.idmpru.xxx.xxx.xx sshd[45293]: error: PAM: Authentication failure for usu5 from 10.9.9.4
>
> Lic. Mateo Duffour
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
I made a mistake and copied another log; the log of the test mentioned is:

Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: Password has expired
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: KDC reply did not match expectations
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=u...@adtest.xxx.xxx.xx
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth): received for user u...@adtest.xxx.xxx.xx: 4 (System error)
Mar 10 18:08:10 idmsrvpru.idmpru.xxx.xxx.xx sshd[45683]: error: PAM: Authentication failure for u...@adtest.xxx.xxx.xx from 10.9.9.4

Lic. Mateo Duffour
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi,

We also tried with krb5_use_enterprise_principal with no success.

With the intention of simplifying our scenario we are now testing (with the same configurations that you suggested) an ssh of the user to the IdM server. On our IdM server we are getting the same error:

ssh u...@adtest.xxx.xx.xx@idmsrvpru.idmpru.xxx.xx.xx

Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: Password has expired
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: KDC reply did not match expectations
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=usu5
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth): received for user usu5: 4 (System error)
Mar 10 16:50:14 idmsrvpru.idmpru.xxx.xxx.xx sshd[45293]: error: PAM: Authentication failure for usu5 from 10.9.9.4

Lic. Mateo Duffour

From: "Sumit Bose"
To: "Mateo Duffour"
Cc: "Sumit Bose", "freeipa-users", "Alexander Bokovoy"
Sent: Thursday, 10 March, 2022 14:01:29
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

> On Thu, Mar 10, 2022 at 01:34:27PM -0300, Mateo Duffour wrote:
> > Hi Sumit,
> >
> > I have attached all the files you requested; this test was done with user usu5, which has its password expired.
>
> Hi,
>
> thanks for the new logs. Can you check if adding
>
> krb5_use_enterprise_principal = True
>
> to the [domain/...] section of sssd.conf makes it any better? If this still does not help it would be good if you can record a network trace covering the authentication attempt.
>
> bye,
> Sumit
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Thu, Mar 10, 2022 at 01:34:27PM -0300, Mateo Duffour wrote:
> Hi Sumit,
>
> I have attached all the files you requested; this test was done with user
> usu5, which has its password expired.

Hi,

thanks for the new logs. Can you check if adding

krb5_use_enterprise_principal = True

to the [domain/...] section of sssd.conf makes it any better? If this still does not help it would be good if you can record a network trace covering the authentication attempt.

bye,
Sumit

> Regards,
>
> Lic. Mateo Duffour
>
> From: "Sumit Bose"
> To: "Mateo Duffour"
> Cc: "Sumit Bose", "freeipa-users", "Alexander Bokovoy"
> Sent: Thursday, 10 March, 2022 07:23:11
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
>
> On Tue, Mar 08, 2022 at 01:42:53PM -0300, Mateo Duffour wrote:
> > Hi, thanks again for the quick reply.
> > Sorry I did not have the time to test it again until now; I tried your recommendations.
> >
> > It's still behaving the same way as before, so I attached the sssd_pam.log you requested with the debug set to level 9 in the pam section (sssd.conf). The log attached is from our Ubuntu 20.04 client.
>
> Hi,
>
> please send the related SSSD backend logs and krb5_child.log as well.
>
> bye,
> Sumit
>
> > We also tested it on our IdM server over Rocky Linux, getting the same behaviour.
> >
> > Best regards.
> >
> > Lic. Mateo Duffour
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Tue, Mar 08, 2022 at 01:42:53PM -0300, Mateo Duffour wrote:
> Hi, thanks again for the quick reply.
> Sorry I did not have the time to test it again until now; I tried your
> recommendations.
>
> It's still behaving the same way as before, so I attached the sssd_pam.log
> you requested with the debug set to level 9 in the pam section (sssd.conf).
> The log attached is from our Ubuntu 20.04 client.

Hi,

please send the related SSSD backend logs and krb5_child.log as well.

bye,
Sumit

> We also tested it on our IdM server over Rocky Linux, getting the same
> behaviour.
>
> Best regards.
>
> Lic. Mateo Duffour
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi, thanks again for the quick reply.
Sorry I did not have the time to test it again until now; I tried your recommendations.

It's still behaving the same way as before, so I attached the sssd_pam.log you requested with the debug set to level 9 in the pam section (sssd.conf). The log attached is from our Ubuntu 20.04 client.

We also tested it on our IdM server over Rocky Linux, getting the same behaviour.

Best regards.

Lic. Mateo Duffour

From: "Sumit Bose"
To: "Mateo Duffour"
Cc: "Sumit Bose", "freeipa-users", "Alexander Bokovoy"
Sent: Monday, 28 February, 2022 06:23:51
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired

> On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
> > Hi,
> >
> > I send you attached the files needed; let me know if you need something else.
>
> Hi,
>
> thanks for the files, they look ok. After looking again at what you sent I came across
>
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
>
> which typically indicates a canonicalization of the principal by the server side which was not expected by the client.
>
> Which version of SSSD are you using on the Ubuntu client? Recent versions of SSSD already set 'krb5_canonicalize = true' by default for 'id_provider = ipa'. Maybe your version is a bit older? Please try if it works better if you explicitly set
>
> krb5_canonicalize = true
>
> in the [domain/...] section of sssd.conf and restart SSSD. At least the 'KDC reply did not match expectations' should be gone now. If the password change still fails, please set 'debug_level = 9' in the [pam] and [domain/...] section of sssd.conf, restart SSSD, run the test again and send the logs from /var/log/sssd.
>
> bye,
> Sumit
>
> > Thanks again, regards.
> >
> > Lic. Mateo Duffour
> >
> > From: "Sumit Bose"
> > To: "freeipa-users"
> > Cc: "Alexander Bokovoy", "Mateo Duffour"
> > Sent: Friday, 25 February, 2022 03:46:43
> > Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
> >
> > On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via FreeIPA-users wrote:
> > > Which /etc/pam.d/ config file do you need?
> >
> > Hi,
> >
> > from the logs below it looks like you are using ssh to log in, so it would be /etc/pam.d/sshd and all the files which might be referenced in that file.
> >
> > bye,
> > Sumit
> >
> > > Lic. Mateo Duffour
> > >
> > > From: "Mateo Duffour"
> > > To: "Alexander Bokovoy"
> > > Cc: "freeipa-users"
> > > Sent: Wednesday, 23 February, 2022 17:26:49
> > > Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired
> > >
> > > Hi, thank you for the quick reply.
> > >
> > > We were further investigating the issue. We were testing with user "usu5", which has its password expired. The log of the IdM server below shows that Samba AD DC is sending "Passwo
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
> Hi,
>
> I send you attached the files needed, let me know if you need something else.

Hi,

thanks for the files, they look ok. After looking again at what you sent I came across

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations

which typically indicates a canonicalization of the principal by the server side which was not expected by the client. Which version of SSSD are you using on the Ubuntu client? Recent versions of SSSD already set 'krb5_canonicalize = true' by default for 'id_provider = ipa'. Maybe your version is a bit older?

Please try if it works better if you explicitly set krb5_canonicalize = true in the [domain/...] section of sssd.conf and restart SSSD. At least the 'KDC reply did not match expectations' should be gone now. If the password change still fails, please set 'debug_level = 9' in the [pam] and [domain/...] section of sssd.conf, restart SSSD, run the test again and send the logs from /var/log/sssd.

bye,
Sumit

> Thanks again, regards.
>
> Lic. Mateo Duffour
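Sumit's advice above reduces to two checks on the client: whether sssd.conf sets krb5_canonicalize explicitly in the [domain/...] section (and debug_level = 9 in [pam] and [domain/...] for the next round of logs), and whether the krb5_child pair "Password has expired" then "KDC reply did not match expectations" is what precedes the pam_sss "4 (System error)" instead of a password-change prompt. The Python script below is an added example, not code from this thread or from the SSSD project. It audits a constructed sssd.conf fragment (the domain name is a placeholder) and correlates constructed syslog lines modelled on the ones quoted in the thread (host, PIDs, client address and user names are placeholders); it is written as a defender's triage aid, so the "before" and "after" configuration are both included.

```python
import configparser
import re
from datetime import datetime

# Constructed sssd.conf fragment, not the poster's real file: the domain name
# is a placeholder. It lacks the explicit krb5_canonicalize setting Sumit
# suggests, which older SSSD releases did not enable by default for ipa.
SSSD_CONF_BEFORE = """
[sssd]
domains = idmpru.example.test
services = nss, pam

[pam]
debug_level = 9

[domain/idmpru.example.test]
id_provider = ipa
ipa_domain = idmpru.example.test
"""

# The same fragment with the two settings from the thread applied to the
# domain section (the appended lines land inside [domain/...]).
SSSD_CONF_AFTER = SSSD_CONF_BEFORE + "krb5_canonicalize = true\ndebug_level = 9\n"

# Constructed syslog lines modelled on the ones quoted in the thread; host,
# PIDs, client address and users are placeholders.
LOG_LINES = """\
Feb 23 08:14:35 idm.example.test krb5_child[4283]: Password has expired
Feb 23 08:14:35 idm.example.test krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idm.example.test sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.8 user=usu5@ad.example.test
Feb 23 08:14:35 idm.example.test sshd[4281]: pam_sss(sshd:auth): received for user usu5@ad.example.test: 4 (System error)
Feb 23 08:14:37 idm.example.test sshd[4277]: error: PAM: Authentication failure for usu5@ad.example.test from 192.0.2.8
Feb 23 09:01:02 idm.example.test sshd[5101]: pam_sss(sshd:auth): received for user usu1@ad.example.test: 7 (Authentication failure)
""".splitlines()


def audit_sssd_conf(text):
    """Report, per [domain/...] section, whether krb5_canonicalize is
    explicitly true and which debug_level is set, plus the [pam] debug_level."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {"pam": {"debug_level": cp.get("pam", "debug_level", fallback="")}}
    for section in cp.sections():
        if section.startswith("domain/"):
            canon = cp.get(section, "krb5_canonicalize", fallback="").strip().lower()
            report[section] = {
                "krb5_canonicalize_explicit_true": canon == "true",
                "debug_level": cp.get(section, "debug_level", fallback=""),
            }
    return report


SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
KRB5_CHILD_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) krb5_child\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_SSS_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) \w+\[\d+\]: pam_sss\(\w+:auth\): "
                        r"received for user (?P<user>\S+): (?P<code>\d+) \(")


def _ts(text):
    # Syslog timestamps carry no year; only differences between them are used.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_expired_mismatch_failures(lines, window_seconds=5):
    """Return (timestamp, user) for logins where krb5_child saw 'Password has
    expired' followed by 'KDC reply did not match expectations' and pam_sss
    then reported 4 (System error) on the same host within window_seconds,
    i.e. the client dropped the reply instead of starting a password change.
    krb5_child and the PAM service run under different PIDs, so the two
    sides are correlated by host and time, not by PID."""
    expired = set()      # (host, krb5_child pid) that reported an expired password
    pending = []         # (time, host) of reply-mismatch events not yet matched
    hits = []
    for line in lines:
        m = KRB5_CHILD_RE.match(line)
        if m:
            key = (m.group("host"), m.group("pid"))
            if m.group("msg") == "Password has expired":
                expired.add(key)
            elif m.group("msg") == "KDC reply did not match expectations" and key in expired:
                pending.append((_ts(m.group("ts")), m.group("host")))
            continue
        m = PAM_SSS_RE.match(line)
        if not m or m.group("code") != "4":
            continue
        t, host = _ts(m.group("ts")), m.group("host")
        for event in pending:
            if event[1] == host and 0 <= (t - event[0]).total_seconds() <= window_seconds:
                hits.append((m.group("ts"), m.group("user")))
                pending.remove(event)
                break
    return hits


if __name__ == "__main__":
    for name, conf in (("before", SSSD_CONF_BEFORE), ("after", SSSD_CONF_AFTER)):
        print(name, audit_sssd_conf(conf))
    for ts, user in find_expired_mismatch_failures(LOG_LINES):
        print(f"{ts}: {user} hit the expired-password/KDC-mismatch path; "
              "check krb5_canonicalize in the client's sssd.conf")
```

On a real client, feed the script the journal or /var/log/auth.log lines instead of LOG_LINES and the actual /etc/sssd/sssd.conf instead of the fragment; the correlation window is deliberately short because the mismatch and the PAM result come from the same login attempt.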
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hi, I send you attached the files needed, let me know if you need something else.

Thanks again, regards.

Lic. Mateo Duffour
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via FreeIPA-users wrote:
> Which /etc/pam.d/ config file do you need ?

Hi,

from the logs below it looks like you are using ssh to log in, so it would be /etc/pam.d/sshd and all the files which might be referenced in that file.

bye,
Sumit
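Sumit asks for /etc/pam.d/sshd "and all the files which might be referenced in that file". Collecting those by hand is easy to get wrong because Debian/Ubuntu reference other files with "@include" while RHEL-family systems use the "include" and "substack" control values. The Python script below is an added example, not code from this thread or from the PAM or SSSD projects. It writes a constructed pam.d directory to a temporary location (the module lists are illustrative, not the poster's real files), walks every reference transitively so nothing is forgotten when sending the files, and flattens one management group so you can confirm pam_sss.so is actually present in the "password" stack, which is the stack a forced password change goes through.

```python
import os
import tempfile

# Constructed pam.d files, illustrative only (not the poster's real files).
# Debian '@include' and RHEL-style 'include'/'substack' are mixed on purpose
# so both reference forms are exercised.
SAMPLE_PAM_D = {
    "sshd": """\
# constructed sshd stack
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
password   include      common-password
session    substack     postlogin
""",
    "common-auth": """\
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
""",
    "common-account": """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
""",
    "common-password": """\
password requisite                      pam_pwquality.so retry=3
password [success=2 default=ignore]     pam_unix.so obscure use_authtok try_first_pass
password sufficient                     pam_sss.so use_authtok
password requisite                      pam_deny.so
password required                       pam_permit.so
""",
    "common-session": """\
session required                        pam_unix.so
session optional                        pam_sss.so
""",
    "postlogin": "session optional pam_lastlog.so silent noupdate showfailed\n",
}


def parse_pam_file(path):
    """Return (type, control, module_or_service, args) tuples for one file.
    '@include X' (Debian) becomes ('*', 'include', 'X', []); comments and
    blank lines are dropped and backslash continuations are joined."""
    entries, logical = [], ""
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].rstrip()
            if line.endswith("\\"):
                logical += line[:-1] + " "
                continue
            fields = (logical + line).split()
            logical = ""
            if not fields:
                continue
            if fields[0] == "@include" and len(fields) > 1:
                entries.append(("*", "include", fields[1], []))
                continue
            if len(fields) < 3:
                continue
            mtype = fields[0].lstrip("-")          # leading '-' marks an optional module
            if fields[1].startswith("["):          # bracketed control value
                end = next((i for i, f in enumerate(fields) if f.endswith("]")), len(fields) - 1)
                control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
            else:
                control, rest = fields[1], fields[2:]
            if rest:
                entries.append((mtype, control, rest[0], rest[1:]))
    return entries


def referenced_files(pam_dir, service):
    """Files reachable from <service> through include/substack, in the order
    they are reached, plus the names that are referenced but do not exist."""
    found, missing, queue = [], [], [service]
    while queue:
        name = queue.pop(0)
        if name in found or name in missing:
            continue
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        found.append(name)
        for _, control, target, _ in parse_pam_file(path):
            if control in ("include", "substack"):
                queue.append(target)
    return found, missing


def flatten_stack(pam_dir, service, mtype, depth=0):
    """Expand includes for one management group (auth, account, password or
    session) and return its entries in evaluation order."""
    if depth > 16:
        raise RuntimeError(f"include loop while expanding {service}")
    path = os.path.join(pam_dir, service)
    if not os.path.isfile(path):
        return []
    out = []
    for t, control, target, args in parse_pam_file(path):
        if t not in ("*", mtype):
            continue
        if control in ("include", "substack"):
            out.extend(flatten_stack(pam_dir, target, mtype, depth + 1))
        else:
            out.append((mtype, control, target, args))
    return out


def build_sample_pam_d():
    """Write the constructed files to a fresh temporary directory."""
    pam_dir = tempfile.mkdtemp(prefix="pam.d-sample-")
    for name, body in SAMPLE_PAM_D.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(body)
    return pam_dir


if __name__ == "__main__":
    d = build_sample_pam_d()
    found, missing = referenced_files(d, "sshd")
    print("files to collect:", found, "missing:", missing)
    for group in ("auth", "password"):
        mods = [e[2] for e in flatten_stack(d, "sshd", group)]
        print(group, "stack:", mods, "pam_sss present:", "pam_sss.so" in mods)
```

Point referenced_files at the real /etc/pam.d with the service name from the log line (here "sshd", the service in "pam_sss(sshd:auth)") to get the exact file list Sumit asks for; a non-empty "missing" list is itself a finding worth reporting.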
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Which /etc/pam.d/ config file do you need ?

Lic. Mateo Duffour

From: "Mateo Duffour"
To: "Alexander Bokovoy"
Cc: "freeipa-users"
Sent: Wednesday, 23 February, 2022 17:26:49
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - User accounts with passwords expired

Hi, thank you for the quick reply.

We were further investigating the issue.

We were testing with user "usu5" that has its password expired. The log of the IdM server below shows that Samba AD DC is sending "Password has expired" for user "usu5", that's OK. So we can suspect that IdM is not behaving as expected: it should prompt a password expiry to the user and let the user change it, but something is wrong with our config or scenario because that does not happen.

Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=u...@adtest.fnr.gub.uy
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8

Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that shows a login attempt with user "usu6", that is in the same situation as "usu5".

We have done other tests as well; in this case we are logged on the IdM server as user "usu1", which has a password that is not expired and is working properly. But when we try to change it with "passwd" it also fails.

[u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd
Changing password for user u...@adtest.fnr.gub.uy.
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error

Log of this test on the IdM server:

Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in /etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user u...@adtest.fnr.gub.uy: 4 (System error)

Which pam logs do you need? We have several files apparently.

Thank you guys again and best regards.

Lic. Mateo Duffour
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
On Tue, Feb 22, 2022 at 03:40:27PM -0300, Mateo Duffour via FreeIPA-users wrote:
> Hi,
>
> We currently have an IdM installation with a trust relationship with a Samba AD DC. Our user accounts reside on Samba AD DC, we don't have user accounts on IdM.
> We are having a problem with Samba user accounts that have their passwords expired.
>
> When we try to login with an Ubuntu IdM client with one of those accounts, it fails and asks again for password.
> The behaviour we are expecting is that Ubuntu should ask for a password change.

Hi,

please share your PAM configuration files for the services you are using for login.

bye,
Sumit

> Thanks, best regards.
>
> Lic. Mateo Duffour

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Re: IdM with trust relationship with Samba AD DC - User accounts with passwords expired
Hello,

On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
> Hi,
>
> We currently have an IdM installation with a trust relationship with a Samba AD DC. Our user accounts reside on Samba AD DC, we don't have user accounts on IdM.
> We are having a problem with Samba user accounts that have their passwords expired.
>
> When we try to login with an Ubuntu IdM client with one of those accounts, it fails and asks again for password.
> The behaviour we are expecting is that Ubuntu should ask for a password change.

I think you need to look at the SSSD troubleshooting guide and investigate a bit yourself. Without logs it is impossible to tell what's wrong. Please see https://sssd.io/troubleshooting/basics.html and https://sssd.io/troubleshooting/ipa_provider.html for two parts that would be relevant here.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland