Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-11 Thread Jakub Hrozek
On Mon, Nov 10, 2014 at 09:29:04AM -0800, Michael Lasevich wrote:
 I can certainly try, it would need to be compatible with CentOS 6.6 though.
 
 -M

Thank you very much, can you try these packages?

Please note they wouldn't fix your problem, but will hopefully shed some
more light on what's going on:
https://jhrozek.fedorapeople.org/sssd-test-builds/krb5-ccache-debugging/

 
  So according to the logs, the create_ccache() function failed. Unfortunately,
  we don't do a very good job at logging the failures there..
 
 Michael, are you able to run a custom package with extra debugging? It
 would help us pinpoint which line actually is failing.
 
 Thanks a lot for providing the logs!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-11 Thread Michael Lasevich
Sending you logs directly. Thanks.

-M

On 11/11/14, 5:33 AM, Jakub Hrozek wrote:
 On Mon, Nov 10, 2014 at 09:29:04AM -0800, Michael Lasevich wrote:
 I can certainly try, it would need to be compatible with CentOS 6.6 though.

 -M
 Thank you very much, can you try these packages?

 Please note they wouldn't fix your problem, but will hopefully shed some
 more light on what's going on:
 https://jhrozek.fedorapeople.org/sssd-test-builds/krb5-ccache-debugging/

  So according to the logs, the create_ccache() function failed. Unfortunately,
  we don't do a very good job at logging the failures there..
 Michael, are you able to run a custom package with extra debugging? It
 would help us pinpoint which line actually is failing.
 Thanks a lot for providing the logs!



Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-10 Thread Diaulas Castro
Hi Lukas,
 Already opened a case with Red Hat. They told me on the case there is a private
bugzilla for this known problem, and the case got closed.

 I'm on vacation and the RH Customer Portal seems off right now, can't find if
the case got updated or there are errata for this issue.

2014-11-08 14:44 GMT-02:00 Lukas Slebodnik lsleb...@redhat.com:

 On (08/11/14 12:24), Diaulas Castro wrote:
 We have similar issue but on RHEL 6.6 (sssd 1.11), the problem is about
 enumerating groups.
 
 Diaulas,
 Have you reported your problem?

 I know just about one problem with IPA and sssd-1.11 (on RHEL 6.6)
 The upstream bug is https://fedorahosted.org/sssd/ticket/2471

 There is a workaround. You can change value of option
 ldap_group_object_class
 in domain section to ipaUserGroup

 ldap_group_object_class = ipaUserGroup

 Could you confirm that you had the same problem?
 Otherwise please report bug either to upstream trac or Red Hat Bugzilla.

 Use the command id some_group_that_user_belong on the affected client, log out
 and try to log on again.
 
 Our issue was with sudo not working, but everything based on groups stopped
 working too.
 
 For a workaround (if this is your problem too) edit sssd.conf in the domain
 section:
 enumarating = true
 It would be better to fix it in sssd.

 LS


Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-10 Thread Jakub Hrozek
On Fri, Nov 07, 2014 at 04:00:19PM -0800, Michael Lasevich wrote:
 Exactly 16 hours after reboot the problem returned on both servers. What
 has a 16 hour timeout?
 
 I set log level to 10 and got some logs, but they are long and I am not sure
 what I am looking for. I am attaching some logs (out of sheer paranoia I
 have slightly sanitized them: 1.1.1.2 is the secondary IPA server,
 usern...@my.domain.com is the principal and endserver.my.domain.com is the
 IPA client this is happening on)

Thank you, I see some errors in the log:
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [get_and_save_tgt] (0x0020): 1021: [-1765328188][Internal credentials cache error]
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [map_krb5_error] (0x0020): 1043: [-1765328188][Internal credentials cache error]
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [pack_response_packet] (0x2000): response packet size: [20]
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [k5c_send_data] (0x4000): Response sent.
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [main] (0x0400): krb5_child completed successfully

The complete run for that particular process is:
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [main] (0x0400): krb5_child started.
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [unpack_buffer] (0x1000): total buffer size: [132]
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [unpack_buffer] (0x0100): cmd [241] uid [24166] gid [24166] validate [true] enterprise principal [false] offline [false] UPN [usern...@my.domain.com]
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_24166_jgS4rv] keytab: [/etc/krb5.keytab]
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/endserver.my.domain@my.domain.com]
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/endserver.my.domain@my.domain.com in keytab.
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [match_principal] (0x1000): Principal matched to the sample (host/endserver.my.domain@my.domain.com).
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [sss_child_krb5_trace_cb] (0x4000): [13722] 1415401793.988922: Retrieving host/endserver.my.domain@my.domain.com -> krbtgt/my.domain@my.domain.com from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: 0/Success
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [main] (0x0400): Will perform online auth
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [sss_child_krb5_trace_cb] (0x4000): [13722] 1415401793.989029: Getting initial credentials for usern...@my.domain.com
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [sss_child_krb5_trace_cb] (0x4000): [13722] 1415401793.989099: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [sss_child_krb5_trace_cb] (0x4000): [13722] 1415401793.989173: Retrieving host/endserver.my.domain@my.domain.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [sss_child_krb5_trace_cb] (0x4000): [13722] 1415401793.989247: Sending request (190 bytes) to MY.DOMAIN.COM
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [sss_child_krb5_trace_cb] (0x4000): [13722] 1415401793.989534: Sending initial UDP request to dgram 1.1.1.2:88
(Fri 
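
The krb5_child.log excerpt above is hard to triage at debug level 10: the real failure is the 0x0020 line from get_and_save_tgt, yet the run still ends with "krb5_child completed successfully". The parser below is an added example, not code from the thread or from sssd; it groups krb5_child.log lines by child PID and reports, per run, the UPN, the ccache the child was writing and the first libkrb5 error. The sample log is constructed here in the sssd 1.11 line layout, with made-up PIDs, UPN, ccache suffixes and second-run timestamps.

```python
"""Triage helper for sssd krb5_child.log: group lines by child PID and pull
out, per run, the ccache name and the first libkrb5 error.  A run ending in
"krb5_child completed successfully" only means the child exited cleanly; the
real outcome is the 0x0020 error line, which is easy to miss in a level-10 log."""
import re

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# libkrb5 error as krb5_child prints it: "<src line>: [<code>][<text>]"
KRB5_ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
CCNAME_RE = re.compile(r"ccname: \[(?P<ccname>[^\]]+)\]")
UPN_RE = re.compile(r"UPN \[(?P<upn>[^\]]+)\]")
SSSD_ERR_RE = re.compile(r"Received error code (?P<code>\d+)")

# Constructed sample (not a real log): one failing run shaped like the excerpt
# in the thread and one clean run.  PIDs, UPN, ccache suffixes and the second
# run's timestamps are made up; the error code and text are the ones quoted in
# the thread (-1765328188 is KRB5_FCC_INTERNAL).
SAMPLE_LOG = """\
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [main] (0x0400): krb5_child started.
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [unpack_buffer] (0x0100): cmd [241] uid [24166] gid [24166] validate [true] enterprise principal [false] offline [false] UPN [alice@my.domain.com]
(Fri Nov  7 16:09:53 2014) [[sssd[krb5_child[13722]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_24166_jgS4rv] keytab: [/etc/krb5.keytab]
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [get_and_save_tgt] (0x0020): 1021: [-1765328188][Internal credentials cache error]
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [map_krb5_error] (0x0020): 1043: [-1765328188][Internal credentials cache error]
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri Nov  7 16:09:54 2014) [[sssd[krb5_child[13722]]] [main] (0x0400): krb5_child completed successfully
(Fri Nov  7 16:10:01 2014) [[sssd[krb5_child[13740]]] [main] (0x0400): krb5_child started.
(Fri Nov  7 16:10:01 2014) [[sssd[krb5_child[13740]]] [unpack_buffer] (0x0100): cmd [241] uid [24166] gid [24166] validate [true] enterprise principal [false] offline [false] UPN [alice@my.domain.com]
(Fri Nov  7 16:10:01 2014) [[sssd[krb5_child[13740]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_24166_Zx9Qpl] keytab: [/etc/krb5.keytab]
(Fri Nov  7 16:10:02 2014) [[sssd[krb5_child[13740]]] [main] (0x0400): krb5_child completed successfully
"""


def parse_krb5_child_log(text):
    """Return {pid: run} in first-seen order.  Each run records the UPN, the
    ccache name, every libkrb5 error as (function, code, text), the error
    code sent back to the krb5 provider, and whether the child exited cleanly."""
    runs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation lines and non-krb5_child noise
        pid = int(m.group("pid"))
        run = runs.setdefault(pid, {
            "pid": pid, "upn": None, "ccname": None,
            "krb5_errors": [], "sssd_error": None, "completed": False,
        })
        func, msg = m.group("func"), m.group("msg")
        if func == "unpack_buffer":
            cm, um = CCNAME_RE.search(msg), UPN_RE.search(msg)
            if cm:
                run["ccname"] = cm.group("ccname")
            if um:
                run["upn"] = um.group("upn")
        em = KRB5_ERR_RE.match(msg)
        if em:
            run["krb5_errors"].append((func, int(em.group("code")), em.group("text")))
        sm = SSSD_ERR_RE.search(msg)
        if sm:
            run["sssd_error"] = int(sm.group("code"))
        if func == "main" and "completed successfully" in msg:
            run["completed"] = True
    return runs


def failed_runs(runs):
    """Runs that hit a libkrb5 error, whether or not they 'completed successfully'."""
    return [r for r in runs.values() if r["krb5_errors"]]


def summarize(runs):
    """One line per child run, naming the function that failed first and the
    ccache it was working on, so repeated failures on one path stand out."""
    out = []
    for r in runs.values():
        if r["krb5_errors"]:
            func, code, text = r["krb5_errors"][0]
            status = "FAIL in %s: %d (%s)" % (func, code, text)
        else:
            status = "ok"
        out.append("pid=%d upn=%s ccname=%s %s" % (r["pid"], r["upn"], r["ccname"], status))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_krb5_child_log(SAMPLE_LOG))))
```

Run it against the real file with `parse_krb5_child_log(open("/var/log/sssd/krb5_child.log").read())`; the ccache column tells you whether every failure lands on the same directory or cache type.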

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-10 Thread Michael Lasevich
I can certainly try, it would need to be compatible with CentOS 6.6 though.

-M

So according to the logs, the create_ccache() function failed. Unfortunately,
we don't do a very good job at logging the failures there..

Michael, are you able to run a custom package with extra debugging? It
would help us pinpoint which line actually is failing.

Thanks a lot for providing the logs!

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-08 Thread Diaulas Castro
We have similar issue but on RHEL 6.6 (sssd 1.11), the problem is about
enumerating groups.

Use the command id some_group_that_user_belong on the affected client, log out
and try to log on again.

Our issue was with sudo not working, but everything based on groups stopped
working too.

For a workaround (if this is your problem too) edit sssd.conf in the domain
section:
enumarating = true





2014-11-07 22:00 GMT-02:00 Michael Lasevich mlasev...@gmail.com:

 Exactly 16 hours after reboot the problem returned on both servers. What
 has a 16 hour timeout?

 I set log level to 10 and got some logs, but they are long and I am not sure
 what I am looking for. I am attaching some logs (out of sheer paranoia I
 have slightly sanitized them: 1.1.1.2 is the secondary IPA server,
 usern...@my.domain.com is the principal and endserver.my.domain.com is
 the IPA client this is happening on)



 On Fri, Nov 7, 2014 at 1:18 AM, Jakub Hrozek jhro...@redhat.com wrote:

 On Thu, Nov 06, 2014 at 09:33:35PM -0800, Michael Lasevich wrote:
  For what it's worth, my issue was resolved when I rebooted the server.
 
  Restarting sssd and/or clearing its cache did not do it, but a full reboot
  seems to have done it. Something must have been cached or some temp file I
  missed. Will need to look into it further as I have a number of servers yet
  to be upgraded and having to reboot linux servers to do an upgrade seems
  sacrilegious...

 We need to see the krb5_child.log file, ideally with a very high
 debug_level (10 would enable KRB5_TRACE debugging as well..)

 
  -M
 
  On Thu, Nov 6, 2014 at 9:26 PM, David Taylor 
 david.tay...@speedcast.com
  wrote:
 
As an add on, I've upgraded our Xen template to 6.6 and run up a new
 VM
   using that and it attaches to the IPA environment perfectly well, so
 I'm
   guessing it is an issue with the upgrade scripts.
  
  
  
  
  
   Best regards
  
   *David Taylor*
  
*From:* Michael Lasevich [mailto:mlasev...@gmail.com]
   *Sent:* Friday, 7 November 2014 4:00 PM
   *To:* Jakub Hrozek
   *Cc:* David Taylor; freeipa-users@redhat.com
   *Subject:* Re: [Freeipa-users] Centos IPA Client fails after upgrade
 to
   6.6
  
  
  
   I am seeing somewhat similar behavior once upgrading from sssd 1.9 to
 1.11
   (centos 6.5 to 6.6)
  
  
  
   I seem to be able to log in via ssh, but when I use http pam service,
 I
   get inconsistent behavior - seems like sometimes it works and others
 it
   errors out (success and failure can happen within a second)
  
  
  
   In the logs I see things like:
  
  
  
   [sssd[krb5_child[15410]]]: Internal credentials cache error
  
   and
  
   authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
   user=username
   received for user username: 4 (System error)
  
   Nothing in the audit.log that I can see
  
   I am guessing this is an sssd issue but I am hoping someone here
 knows how
   to deal with it.
  
   In case it matters - here is the pam config:

   auth        required      pam_env.so
   auth        sufficient    pam_sss.so
   auth        required      pam_deny.so

   account     [default=bad success=ok user_unknown=ignore] pam_sss.so
   account     required      pam_permit.so

   password    requisite     pam_cracklib.so try_first_pass retry=3 type=
   password    sufficient    pam_sss.so use_authtok
   password    required      pam_deny.so

   session     optional      pam_keyinit.so revoke
   session     required      pam_limits.so
   session     optional      pam_oddjob_mkhomedir.so
   session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session     optional      pam_sss.so
  
   -M
  
  
  
   On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek jhro...@redhat.com
 wrote:
  
On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote:
Thanks for the reply. The PAM file is pretty stock for a centos
 build
   
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-08 Thread Lukas Slebodnik
On (08/11/14 12:24), Diaulas Castro wrote:
We have similar issue but on RHEL 6.6 (sssd 1.11), the problem is about
enumerating groups.

Diaulas,
Have you reported your problem?

I know just about one problem with IPA and sssd-1.11 (on RHEL 6.6)
The upstream bug is https://fedorahosted.org/sssd/ticket/2471

There is a workaround. You can change value of option ldap_group_object_class
in domain section to ipaUserGroup

ldap_group_object_class = ipaUserGroup

Could you confirm that you had the same problem?
Otherwise please report bug either to upstream trac or Red Had Bugzilla.

Use the command id some_group_that_user_belong on affected client, logout
and try logon again.

Our issue was with sudo not working, but everything based on groups stopped
to work too.

For workaround (if this is your problem too)  edit sssd.con on domain
section:
enumarating = true
It would be better to fix it in sssd.

LS



Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-07 Thread Jakub Hrozek
On Thu, Nov 06, 2014 at 09:33:35PM -0800, Michael Lasevich wrote:
 For what it's worth, my issue was resolved when I rebooted the server.
 
 Restarting sssd and/or clearing its cache did not do it, but a full reboot
 seems to have done it. Something must have been cached or some temp file I
 missed. Will need to look into it further as I have a number of servers yet
 to be upgraded and having to reboot linux servers to do an upgrade seems
 sacrilegious...

We need to see the krb5_child.log file, ideally with a very high
debug_level (10 would enable KRB5_TRACE debugging as well..)

 
 -M
 
 On Thu, Nov 6, 2014 at 9:26 PM, David Taylor david.tay...@speedcast.com
 wrote:
 
   As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM
  using that and it attaches to the IPA environment perfectly well, so I’m
  guessing it is an issue with the upgrade scripts.
 
 
 
 
 
  Best regards
 
  *David Taylor*
 
   *From:* Michael Lasevich [mailto:mlasev...@gmail.com]
  *Sent:* Friday, 7 November 2014 4:00 PM
  *To:* Jakub Hrozek
  *Cc:* David Taylor; freeipa-users@redhat.com
  *Subject:* Re: [Freeipa-users] Centos IPA Client fails after upgrade to
  6.6
 
 
 
  I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11
  (centos 6.5 to 6.6)
 
 
 
  I seem to be able to log in via ssh, but when I use http pam service, I
  get inconsistent behavior - seems like sometimes it works and others it
  errors out (success and failure can happen within a second)
 
 
 
  In the logs I see things like:
 
 
 
  [sssd[krb5_child[15410]]]: Internal credentials cache error
 
  and
 
  authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
  user=username
  received for user username: 4 (System error)
 
  Nothing in the audit.log that I can see
 
  I am guessing this is an sssd issue but I am hoping someone here knows how
  to deal with it.
 
  In case it matters - here is the pam config:

  auth        required      pam_env.so
  auth        sufficient    pam_sss.so
  auth        required      pam_deny.so

  account     [default=bad success=ok user_unknown=ignore] pam_sss.so
  account     required      pam_permit.so

  password    requisite     pam_cracklib.so try_first_pass retry=3 type=
  password    sufficient    pam_sss.so use_authtok
  password    required      pam_deny.so

  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     optional      pam_oddjob_mkhomedir.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     optional      pam_sss.so
 
  -M
 
 
 
  On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek jhro...@redhat.com wrote:
 
   On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote:
   Thanks for the reply. The PAM file is pretty stock for a centos build
  
   #%PAM-1.0
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth        required      pam_env.so
   auth        sufficient    pam_unix.so nullok try_first_pass
   auth        requisite     pam_succeed_if.so uid >= 500 quiet
   auth        sufficient    pam_sss.so use_first_pass
   auth        required      pam_deny.so

   account     required      pam_unix.so
   account     sufficient    pam_localuser.so
   account     sufficient    pam_succeed_if.so uid < 500 quiet
   account     [default=bad success=ok user_unknown=ignore] pam_sss.so
   account     required      pam_permit.so

   password    requisite     pam_cracklib.so try_first_pass retry=3 type=
   password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
   password    sufficient    pam_sss.so use_authtok
   password    required      pam_deny.so

   session     optional      pam_keyinit.so revoke
   session     required      pam_limits.so
   session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session     required      pam_unix.so
   session     optional      pam_sss.so
  
  
   Best regards
   David Taylor
 
  OK, so pam_sss is there ...
 
  And yet you see no mention of pam_sss.so in /var/log/secure ?
 
  Is this the file that was included from the service-specific PAM
  configuration?
 
 
 
 
 


Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-06 Thread Michael Lasevich
I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11
(centos 6.5 to 6.6)

I seem to be able to log in via ssh, but when I use http pam service, I get
inconsistent behavior - seems like sometimes it works and others it errors
out (success and failure can happen within a second)

In the logs I see things like:

[sssd[krb5_child[15410]]]: Internal credentials cache error

and

authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
user=username
received for user username: 4 (System error)

Nothing in the audit.log that I can see

I am guessing this is an sssd issue but I am hoping someone here knows how
to deal with it.

In case it matters - here is the pam config:

auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so

-M

On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek jhro...@redhat.com wrote:

 On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote:
  Thanks for the reply. The PAM file is pretty stock for a centos build
 
  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        sufficient    pam_sss.so use_first_pass
  auth        required      pam_deny.so

  account     required      pam_unix.so
  account     sufficient    pam_localuser.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     [default=bad success=ok user_unknown=ignore] pam_sss.so
  account     required      pam_permit.so

  password    requisite     pam_cracklib.so try_first_pass retry=3 type=
  password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
  password    sufficient    pam_sss.so use_authtok
  password    required      pam_deny.so

  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so
  session     optional      pam_sss.so
 
 
  Best regards
  David Taylor

 OK, so pam_sss is there ...

 And yet you see no mention of pam_sss.so in /var/log/secure ?

 Is this the file that was included from the service-specific PAM
 configuration?



Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-06 Thread David Taylor
As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM using 
that and it attaches to the IPA environment perfectly well, so I’m guessing it 
is an issue with the upgrade scripts.


Best regards
David Taylor

From: Michael Lasevich [mailto:mlasev...@gmail.com]
Sent: Friday, 7 November 2014 4:00 PM
To: Jakub Hrozek
Cc: David Taylor; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11 
(centos 6.5 to 6.6)

I seem to be able to log in via ssh, but when I use http pam service, I get 
inconsistent behavior - seems like sometimes it works and others it errors out 
(success and failure can happen within a second)

In the logs I see things like:

[sssd[krb5_child[15410]]]: Internal credentials cache error
and
authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=username
received for user username: 4 (System error)
Nothing in the audit.log that I can see
I am guessing this is an sssd issue but I am hoping someone here knows how to 
deal with it.
In case it matters - here is the pam config:

auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_sss.so
-M

On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek 
jhro...@redhat.commailto:jhro...@redhat.com wrote:
On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote:
 Thanks for the reply. The PAM file is pretty stock for a centos build

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_sss.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_sss.so


 Best regards
 David Taylor
OK, so pam_sss is there ...

And yet you see no mention of pam_sss.so in /var/log/secure ?

Is this the file that was included from the service-specific PAM
configuration?



Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-06 Thread Michael Lasevich
For what it's worth, my issue was resolved when I rebooted the server.

Restarting sssd and/or clearing its cache did not do it, but a full reboot
seems to have done it. Something must have been cached or some temp file I
missed. Will need to look into it further as I have a number of servers yet
to be upgraded and having to reboot linux servers to do an upgrade seems
sacrilegious...

-M

On Thu, Nov 6, 2014 at 9:26 PM, David Taylor david.tay...@speedcast.com
wrote:

  As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM
 using that and it attaches to the IPA environment perfectly well, so I’m
 guessing it is an issue with the upgrade scripts.





 Best regards

 *David Taylor*

  *From:* Michael Lasevich [mailto:mlasev...@gmail.com]
 *Sent:* Friday, 7 November 2014 4:00 PM
 *To:* Jakub Hrozek
 *Cc:* David Taylor; freeipa-users@redhat.com
 *Subject:* Re: [Freeipa-users] Centos IPA Client fails after upgrade to
 6.6



 I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11
 (centos 6.5 to 6.6)



 I seem to be able to log in via ssh, but when I use http pam service, I
 get inconsistent behavior - seems like sometimes it works and others it
 errors out (success and failure can happen within a second)



 In the logs I see things like:



 [sssd[krb5_child[15410]]]: Internal credentials cache error

 and

 authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
 user=username
 received for user username: 4 (System error)

 Nothing in the audit.log that I can see

 I am guessing this is an sssd issue but I am hoping someone here knows how
 to deal with it.

 In case it matters - here is the pam config:

 auth        required      pam_env.so
 auth        sufficient    pam_sss.so
 auth        required      pam_deny.so

 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     optional      pam_oddjob_mkhomedir.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     optional      pam_sss.so

 -M



 On Wed, Nov 5, 2014 at 1:05 AM, Jakub Hrozek jhro...@redhat.com wrote:

  On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote:
  Thanks for the reply. The PAM file is pretty stock for a centos build
 
  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        sufficient    pam_sss.so use_first_pass
  auth        required      pam_deny.so

  account     required      pam_unix.so
  account     sufficient    pam_localuser.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     [default=bad success=ok user_unknown=ignore] pam_sss.so
  account     required      pam_permit.so

  password    requisite     pam_cracklib.so try_first_pass retry=3 type=
  password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
  password    sufficient    pam_sss.so use_authtok
  password    required      pam_deny.so

  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so
  session     optional      pam_sss.so
 
 
  Best regards
  David Taylor

 OK, so pam_sss is there ...

 And yet you see no mention of pam_sss.so in /var/log/secure ?

 Is this the file that was included from the service-specific PAM
 configuration?






Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-06 Thread Lukas Slebodnik
On (06/11/14 21:00), Michael Lasevich wrote:
I am seeing somewhat similar behavior once upgrading from sssd 1.9 to 1.11
(centos 6.5 to 6.6)

I seem to be able to log in via ssh, but when I use http pam service, I get
inconsistent behavior - seems like sometimes it works and others it errors
out (success and failure can happen within a second)

In the logs I see things like:

[sssd[krb5_child[15410]]]: Internal credentials cache error

and

authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=
user=username
received for user username: 4 (System error)
When pam_sss returned System error it means an unexpected situation in sssd.
If you are able to reproduce the problem on another machine (you have already
restarted this one) could you provide log files from sssd?

Put debug_level = 7 into the domain section of /etc/sssd/sssd.conf and log files
will be stored in the directory /var/log/sssd/

LS



Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-05 Thread Jakub Hrozek
On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote:
 Thanks for the reply. The PAM file is pretty stock for a centos build
 
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_sss.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_sss.so
 
 
 Best regards
 David Taylor

OK, so pam_sss is there ...

And yet you see no mention of pam_sss.so in /var/log/secure ?

Is this the file that was included from the service-specific PAM
configuration?

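Jakub's point above, that pam_unix failing is expected but pam_sss should be asked next, depends on the control flags in the posted stack. The following is an added example, not code from the thread, from SSSD or from FreeIPA: it walks the quoted system-auth 'auth' section with the control-flag semantics of pam.conf(5) and reports which modules are reached. The per-module outcomes are a constructed map (what each module returns for a user that NSS cannot resolve, and for one it can), not something read from a live host.

```python
"""Walk a Linux-PAM 'auth' stack and show which modules get a chance to run.

Added example for this thread; it is not code from the original posts, from
SSSD or from FreeIPA. It models the four classic control flags (required,
requisite, sufficient, optional) for one management group and runs the stock
CentOS 6 system-auth 'auth' lines posted above through them. What each module
returns is a constructed map, not something read from a live system.
"""
from typing import Dict, List, Tuple

PAM_SUCCESS = "success"
PAM_FAIL = "fail"

# The 'auth' section of the system-auth file quoted in the thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

# Constructed outcomes for a user that NSS cannot resolve (getpwnam() fails):
# pam_unix logs "user unknown", pam_succeed_if cannot evaluate "uid >= 500"
# and fails, and pam_sss would accept the password if it were ever asked.
UNRESOLVED_USER: Dict[str, str] = {
    "pam_env.so": PAM_SUCCESS,
    "pam_unix.so": PAM_FAIL,
    "pam_succeed_if.so": PAM_FAIL,
    "pam_sss.so": PAM_SUCCESS,
    "pam_deny.so": PAM_FAIL,
}
# The same user once NSS resolves it with a uid of 500 or more.
RESOLVED_USER: Dict[str, str] = dict(UNRESOLVED_USER, **{"pam_succeed_if.so": PAM_SUCCESS})


def parse_stack(text: str, group: str = "auth") -> List[Tuple[str, str]]:
    """Return (control, module) pairs for one management group, skipping comments."""
    stack: List[Tuple[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == group and not line.lstrip().startswith("#"):
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack: List[Tuple[str, str]], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate a stack with the simple control-flag semantics of pam.conf(5).

    required:   a failure is remembered but the remaining modules still run
    requisite:  a failure ends the stack immediately
    sufficient: a success ends the stack immediately unless a required module
                already failed; a failure is ignored
    optional:   the result is ignored
    The bracketed [value=action ...] syntax is not modelled here.
    Returns the final result and the modules that were actually called.
    """
    called: List[str] = []
    required_failed = False
    for control, module in stack:
        result = outcomes.get(module, PAM_FAIL)
        called.append(module)
        if control == "required" and result != PAM_SUCCESS:
            required_failed = True
        elif control == "requisite" and result != PAM_SUCCESS:
            return PAM_FAIL, called
        elif control == "sufficient" and result == PAM_SUCCESS and not required_failed:
            return PAM_SUCCESS, called
    return (PAM_FAIL if required_failed else PAM_SUCCESS), called


def modules_reached(outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run the posted 'auth' stack against one outcome map."""
    return run_stack(parse_stack(SYSTEM_AUTH), outcomes)


if __name__ == "__main__":
    for label, outcomes in (("user not resolvable via NSS", UNRESOLVED_USER),
                            ("user resolvable via NSS", RESOLVED_USER)):
        result, called = modules_reached(outcomes)
        print(f"{label}: {result}; modules called: {' -> '.join(called)}")
```

With the user unresolvable through NSS the walk stops at the requisite pam_succeed_if line, so pam_sss is never called and cannot appear in /var/log/secure, which is exactly the pattern in the posted log. That makes name resolution, not the PAM stack, the next thing to check on the client (for instance `getent passwd <user>`, which goes through the sssd nss responder rather than the pam responder).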


Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-04 Thread David Taylor
Thanks for the reply. The PAM file is pretty stock for a centos build

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


Best regards
David Taylor


-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com] 
Sent: Friday, 31 October 2014 7:35 PM
To: David Taylor
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6


 On 31 Oct 2014, at 02:23, David Taylor david.tay...@speedcast.com wrote:
 
 I just recently updated one of our test servers from CentOS 6.5 to CentOS 
 6.6, after which I noticed that IPA logons were no longer available. From 
 what I can see the upgrade includes quite a few changes with regard to sssd.
  
 -  NTP is up and synced on the Auth servers and the client.
 -  DNS is working to the IPA servers
 -  I can do a kinit for users with no problem
 -  I have uninstalled the ipa client, deleted the host profile on the 
 IPA server and done a rejoin. The rejoin worked but the problem is the same.
  
 Software versions using 
 -  rpm -qa | grep -i ipa
 -  rpm -qa | grep -i sssd
  
 Software versions before:
 libipa_hbac-1.9.2-129.el6_5.4.x86_64
 device-mapper-multipath-0.4.9-72.el6_5.4.x86_64
 libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
 ipa-python-3.0.0-37.el6.x86_64
 ipa-client-3.0.0-37.el6.x86_64
 device-mapper-multipath-libs-0.4.9-72.el6_5.4.x86_64
 sssd-1.9.2-129.el6_5.4.x86_64
 sssd-client-1.9.2-129.el6_5.4.x86_64
  
 Software version after:
 sssd-ipa-1.11.6-30.el6.x86_64
 libipa_hbac-1.11.6-30.el6.x86_64
 device-mapper-multipath-libs-0.4.9-80.el6.x86_64
 ipa-client-3.0.0-42.el6.centos.x86_64
 libipa_hbac-python-1.11.6-30.el6.x86_64
 ipa-python-3.0.0-42.el6.centos.x86_64
 device-mapper-multipath-0.4.9-80.el6.x86_64
 sssd-ldap-1.11.6-30.el6.x86_64
 sssd-ad-1.11.6-30.el6.x86_64
 python-sssdconfig-1.11.6-30.el6.noarch
 sssd-client-1.11.6-30.el6.x86_64
 sssd-krb5-common-1.11.6-30.el6.x86_64
 sssd-ipa-1.11.6-30.el6.x86_64
 sssd-common-1.11.6-30.el6.x86_64
 sssd-proxy-1.11.6-30.el6.x86_64
 sssd-common-pac-1.11.6-30.el6.x86_64
 sssd-krb5-1.11.6-30.el6.x86_64
 sssd-1.11.6-30.el6.x86_64
 The /var/log/secure logs show the following
  
 Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from ip removed
 Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user dtaylor
 Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user unknown
 Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host removed
 Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error retrieving information about user dtaylor
  

Do you also see pam_sss being mentioned at all in your /var/log/secure? 
Can you paste your PAM configuration? It’s expected that pam_unix fails to find 
the IPA user, but I would also expect the PAM stack to ask pam_sss next...

 The /var/log/audit/audit.log logs show the following
  
 type=CRYPTO_KEY_USER msg=audit(1414715857.270:107): user pid=5831 uid=0 
 auid=0 ses=1 msg='op=destroy kind=server 
 fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5831 
 suid=0  exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? 
 res=success'
 type=CRYPTO_KEY_USER msg=audit(1414715857.270:108): user pid=5831 uid=0 
 auid=0 ses=1 msg='op=destroy kind=server 
 fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5831 
 suid=0  exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? 
 res=success'
 type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 
 ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 
 spid=5831 suid=74 rport=44361 laddr=Client ip removed lport=22  
 exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? res=success'
 type=CRYPTO_SESSION msg=audit(1414715857.272:110): user pid=5830 uid=0 auid=0 
 ses=1 msg='op=start direction=from-server
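The question asked in this exchange, whether pam_sss shows up in /var/log/secure at all, and the hex-encoded acct= values in the audit extract can both be checked mechanically. The following is an added example, not code from the thread, from SSSD or from auditd: it lists the PAM modules that logged for each sshd process and decodes the audit acct= fields. The log lines inside it are constructed to mirror the ones posted above, with hosts and addresses replaced by documentation values.

```python
"""Triage an sshd login failure from /var/log/secure and audit.log lines.

Added example for this thread; not code from the original posts, from SSSD or
from auditd. It answers two questions mechanically: which PAM modules logged
for each sshd process (so whether pam_sss was consulted at all), and what the
hex-encoded acct= values in the audit records say. auditd hex-encodes a field
whenever it contains characters it will not print raw, such as spaces. The
log lines below are constructed to mirror the ones posted; hosts and addresses
are replaced with documentation values.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# syslog line written by a PAM module: "sshd[2790]: pam_unix(sshd:auth): ..."
PAM_LINE = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\((?P<service>\w+):(?P<type>\w+)\): (?P<msg>.*)"
)
AUDIT_TYPE = re.compile(r"^type=(?P<type>\w+)")
AUDIT_ACCT = re.compile(r"\bacct=(?P<acct>\S+)")
AUDIT_RES = re.compile(r"\bres=(?P<res>\w+)")

# Constructed /var/log/secure extract, shaped like the one in the thread.
SECURE_SAMPLE = """\
Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from 192.0.2.10
Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user dtaylor
Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.net
Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error retrieving information about user dtaylor
"""

# Constructed audit.log extract, shaped like the one in the thread.
AUDIT_SAMPLE = """\
type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 ses=1 msg='op=login acct=28756E6B6E6F776E207573657229 exe=/usr/sbin/sshd hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 ses=1 msg='op=PAM:authentication acct=? exe=/usr/sbin/sshd hostname=client.example.net addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 ses=1 msg='op=password acct=28696E76616C6964207573657229 exe=/usr/sbin/sshd hostname=? addr=192.0.2.10 terminal=ssh res=failed'
"""


def pam_modules_by_pid(secure_text: str) -> Dict[str, List[str]]:
    """Map each process id to the PAM modules that logged for it, in order of first appearance."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in secure_text.splitlines():
        m = PAM_LINE.search(line)
        if m and m.group("module") not in seen[m.group("pid")]:
            seen[m.group("pid")].append(m.group("module"))
    return dict(seen)


def pam_sss_consulted(secure_text: str) -> bool:
    """True if any PAM log line in the extract came from pam_sss."""
    return any("pam_sss" in mods for mods in pam_modules_by_pid(secure_text).values())


def decode_audit_acct(field: str) -> Optional[str]:
    """Decode an audit acct= value: '?' means absent, a quoted name is literal,
    an all-uppercase-hex string is the raw bytes auditd chose to encode."""
    if field == "?":
        return None
    if field.startswith('"') and field.endswith('"'):
        return field[1:-1]
    if re.fullmatch(r"(?:[0-9A-F]{2})+", field):
        return bytes.fromhex(field).decode("utf-8", errors="replace")
    return field


def failed_auth_records(audit_text: str) -> List[Tuple[str, Optional[str]]]:
    """(record type, decoded account) for every failed USER_LOGIN/USER_AUTH record."""
    out: List[Tuple[str, Optional[str]]] = []
    for line in audit_text.splitlines():
        t, r, a = AUDIT_TYPE.search(line), AUDIT_RES.search(line), AUDIT_ACCT.search(line)
        if not (t and r) or r.group("res") != "failed":
            continue
        if t.group("type") in ("USER_LOGIN", "USER_AUTH"):
            out.append((t.group("type"), decode_audit_acct(a.group("acct")) if a else None))
    return out


if __name__ == "__main__":
    for pid, mods in pam_modules_by_pid(SECURE_SAMPLE).items():
        print(f"sshd[{pid}] PAM modules that logged: {' -> '.join(mods)}")
    print("pam_sss consulted:", pam_sss_consulted(SECURE_SAMPLE))
    for rtype, acct in failed_auth_records(AUDIT_SAMPLE):
        print(f"{rtype} failed for acct={acct!r}")
```

Run against the posted extract the secure log shows only pam_unix and pam_succeed_if logging for pid 2790 and no pam_sss line, and the two hex acct= values decode to "(unknown user)" and "(invalid user)", which is sshd's way of saying it never obtained a valid account for the login, consistent with the "Invalid user dtaylor" line.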

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-10-31 Thread Jakub Hrozek

 On 31 Oct 2014, at 02:23, David Taylor david.tay...@speedcast.com wrote:
 
 I just recently updated one of our test servers from CentOS 6.5 to CentOS 
 6.6, after which I noticed that IPA logons were no longer available. From 
 what I can see the upgrade includes quite a few changes with regard to sssd.
  
 -  NTP is up and synced on the Auth servers and the client.
 -  DNS is working to the IPA servers
 -  I can do a kinit for users with no problem
 -  I have uninstalled the ipa client, deleted the host profile on the 
 IPA server and done a rejoin. The rejoin worked but the problem is the same.
  
 Software versions using 
 -  rpm -qa | grep -i ipa
 -  rpm -qa | grep -i sssd
  
 Software versions before:
 libipa_hbac-1.9.2-129.el6_5.4.x86_64
 device-mapper-multipath-0.4.9-72.el6_5.4.x86_64
 libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
 ipa-python-3.0.0-37.el6.x86_64
 ipa-client-3.0.0-37.el6.x86_64
 device-mapper-multipath-libs-0.4.9-72.el6_5.4.x86_64
 sssd-1.9.2-129.el6_5.4.x86_64
 sssd-client-1.9.2-129.el6_5.4.x86_64
  
 Software version after:
 sssd-ipa-1.11.6-30.el6.x86_64
 libipa_hbac-1.11.6-30.el6.x86_64
 device-mapper-multipath-libs-0.4.9-80.el6.x86_64
 ipa-client-3.0.0-42.el6.centos.x86_64
 libipa_hbac-python-1.11.6-30.el6.x86_64
 ipa-python-3.0.0-42.el6.centos.x86_64
 device-mapper-multipath-0.4.9-80.el6.x86_64
 sssd-ldap-1.11.6-30.el6.x86_64
 sssd-ad-1.11.6-30.el6.x86_64
 python-sssdconfig-1.11.6-30.el6.noarch
 sssd-client-1.11.6-30.el6.x86_64
 sssd-krb5-common-1.11.6-30.el6.x86_64
 sssd-ipa-1.11.6-30.el6.x86_64
 sssd-common-1.11.6-30.el6.x86_64
 sssd-proxy-1.11.6-30.el6.x86_64
 sssd-common-pac-1.11.6-30.el6.x86_64
 sssd-krb5-1.11.6-30.el6.x86_64
 sssd-1.11.6-30.el6.x86_64
 The /var/log/secure logs show the following
  
 Oct 31 10:38:30 test01 sshd[2790]: Invalid user dtaylor from ip removed
 Oct 31 10:38:30 test01 sshd[2791]: input_userauth_request: invalid user 
 dtaylor
 Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): check pass; user 
 unknown
 Oct 31 10:38:30 test01 sshd[2790]: pam_unix(sshd:auth): authentication 
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host removed
 Oct 31 10:38:30 test01 sshd[2790]: pam_succeed_if(sshd:auth): error 
 retrieving information about user dtaylor
  

Do you also see pam_sss being mentioned at all in your /var/log/secure? 
Can you paste your PAM configuration? It’s expected that pam_unix fails to find 
the IPA user, but I would also expect the PAM stack to ask pam_sss next...

 The /var/log/audit/audit.log logs show the following
  
 type=CRYPTO_KEY_USER msg=audit(1414715857.270:107): user pid=5831 uid=0 
 auid=0 ses=1 msg='op=destroy kind=server 
 fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5831 
 suid=0  exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? 
 res=success'
 type=CRYPTO_KEY_USER msg=audit(1414715857.270:108): user pid=5831 uid=0 
 auid=0 ses=1 msg='op=destroy kind=server 
 fp=d0:6f:2f:5f:49:44:94:f2:b2:4e:15:43:69:89:9c:1d direction=? spid=5831 
 suid=0  exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? 
 res=success'
 type=CRYPTO_SESSION msg=audit(1414715857.272:109): user pid=5830 uid=0 auid=0 
 ses=1 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 
 spid=5831 suid=74 rport=44361 laddr=Client ip removed lport=22  
 exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? res=success'
 type=CRYPTO_SESSION msg=audit(1414715857.272:110): user pid=5830 uid=0 auid=0 
 ses=1 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 
 spid=5831 suid=74 rport=44361 laddr=Client ip removed lport=22  
 exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? res=success'
 type=USER_LOGIN msg=audit(1414715857.310:111): user pid=5830 uid=0 auid=0 
 ses=1 msg='op=login acct=28756E6B6E6F776E207573657229 exe=/usr/sbin/sshd 
 hostname=? addr=ip removed terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1414715859.211:112): user pid=5830 uid=0 auid=0 
 ses=1 msg='op=PAM:authentication acct=? exe=/usr/sbin/sshd 
 hostname=hostname removed addr=ip removed terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1414715859.212:113): user pid=5830 uid=0 auid=0 
 ses=1 msg='op=password acct=28696E76616C6964207573657229 exe=/usr/sbin/sshd 
 hostname=? addr=ip removed terminal=ssh res=failed'
 type=CRYPTO_KEY_USER msg=audit(1414715862.076:114): user pid=5830 uid=0 
 auid=0 ses=1 msg='op=destroy kind=session fp=? direction=both spid=5831 
 suid=74 rport=44361 laddr=Client ip removed lport=22  exe=/usr/sbin/sshd 
 hostname=? addr=ip removed terminal=? res=success'
 type=CRYPTO_KEY_USER msg=audit(1414715862.078:115): user pid=5830 uid=0 
 auid=0 ses=1 msg='op=destroy kind=server 
 fp=5e:ee:58:a2:25:ec:16:3e:8c:61:01:e6:de:76:3d:32 direction=? spid=5830 
 suid=0  exe=/usr/sbin/sshd hostname=? addr=ip removed terminal=? 
 res=success'
 type=CRYPTO_KEY_USER msg=audit(1414715862.079:116): user pid=5830 uid=0 
 auid=0 ses=1 msg='op=destroy