Hi Devs, I am seeing an issue with sssd-1.8.0-32.el6.x86_64
Issue description: password authentication does not work. However, I can su to the user.

Here is what I see in the krb5_child log when I try to log in:

(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x4000): Not using FAST.
(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [validate_tgt] (0x4000): Found keytab entry with the realm of the credential.
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [validate_tgt] (0x0200): TGT verified using key for [host/[email protected]].
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [become_user] (0x4000): Trying to become user [1416][80].
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [create_ccache_file] (0x0020): mkstemp failed [13][Permission denied].
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [get_and_save_tgt] (0x0020): 688: [13][Permission denied]
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [tgt_req_child] (0x0020): 919: [13][Permission denied]

Here is what I see in the ldap_child log when I try to log in:

(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): total buffer size: 69
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): realm_str size: 22
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): got realm_str: MY.DOMAIN.COM
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): princ_str size: 31
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): got princ_str: [email protected]
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]

Here is what I see in the sssd_my.domain.log when I try to log in:

(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sysdb_get_direct_parents] (0x1000): dpage is a member of 19 sysdb groups
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [save_rfc2307bis_user_memberships] (0x2000): Updating memberships for dpage
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0xc4e580], connected[1], ops[(nil)], ldap[0xc4bfa0]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_dispatch] (0x4000): dbus conn: C3A630
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): domain: my.domain.com
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): user: dpage
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): ruser:
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): rhost: 10.0.30.102
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): authtok size: 9
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): cli_pid: 5232
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_pam_handler] (0x1000): Wait queue of user [dpage] is empty, running request immediately.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0xce8a60
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0xcdb4a0
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Destroying timer event 0xcdb4a0 "ltdb_timeout"
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Ending timer event 0xce8a60 "ltdb_callback"
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_auth_send] (0x0100): No ccache file for user [dpage] found.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_port_status] (0x1000): Port status of port 88 for server 'ad2.my.domain.com' is 'neutral'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [resolve_srv_send] (0x0400): The status of SRV lookup is resolved
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x1000): Saving the first resolved server
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x0200): Found address for server ad2.my.domain.com: [10.0.0.201] TTL 3600
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KPASSWD'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_port_status] (0x1000): Port status of port 464 for server 'ad2.my.domain.com' is 'neutral'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [resolve_srv_send] (0x0400): The status of SRV lookup is resolved
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x1000): Saving the first resolved server
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x0200): Found address for server ad2.my.domain.com: [10.0.0.201] TTL 3600
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_find_ccache_step] (0x4000): Recreating ccache file.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [create_ccache_dir] (0x4000): Ccache directory name [/tmp/krb5cc_1416_XXXXXX] does not contain illegal patterns.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5240]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5240]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_child_done] (0x4000): child response [4][1][18].
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_child_done] (0x4000): child response [4][6][8].
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [check_wait_queue] (0x1000): Wait queue for user [dpage] is empty.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][my.domain.com]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][my.domain.com]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_sig_handler] (0x1000): Waiting for child [5240].
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_sig_handler] (0x0100): child [5240] finished successfully.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes

Any suggestions? Here are my configs.

#/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 MY.DOMAIN.COM = {
  kdc = ad.my.domain.com:88
  admin_server = ad.my.domain.com
  default_domain = my.domain.com
 }

[domain_realm]
 .my.domain.com = MY.DOMAIN.COM
 my.domain.com = MY.DOMAIN.COM

#/etc/sssd/sssd.conf
[domain/default]
cache_credentials = false

[sssd]
config_file_version = 2
domains = my.domain.com
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/my.domain.com]
cache_credentials = false
enumerate = false
min_id = 80
max_id = 30000
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ad3.my.domain.com/
ldap_schema = rfc2307bis
ldap_user_search_base = dc=my,dc=domain,dc=com
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = dc=my,dc=domain,dc=com
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 5
ldap_account_expire_policy = ad
ldap_sasl_authid = [email protected]
ldap_krb5_init_creds = true
ldap_pwd_policy = mit_kerberos
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = MY.DOMAIN.COM
krb5_validate = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true
ldap_referrals = false
# User Group and Account Access
access_provider = simple
#simple_allow_users =
simple_allow_groups = m4_login
debug_level = 10

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
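An added diagnostic script, not part of the original post or of SSSD itself, that parses SSSD 1.x debug lines in the format shown in the logs above, pulls out the failure-level entries together with the errno they report, and checks whether the shared credential-cache directory (/tmp here) has the mode an unprivileged krb5_child needs after become_user: world-writable with the sticky bit. The sample lines are the krb5_child entries from the post (the TGT-verified line, whose principal the archive mangled, is left out); the function names and the FAILURE_MASK constant are my own, and the mapping of debug level bits to failure classes is an assumption based on SSSD's debug level documentation.

```python
import errno
import os
import re
import stat

# One SSSD 1.x debug line: (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)
# Bracketed errno/strerror pairs such as "[13][Permission denied]"
ERRNO_RE = re.compile(r"\[(?P<num>\d+)\]\[(?P<text>[^\]]+)\]")

# Assumed SSSD debug-level bits: 0x0010 fatal, 0x0020 critical, 0x0040
# operation failure, 0x0080 minor failure; 0x0100 and above are
# configuration and trace output, not errors.
FAILURE_MASK = 0x00F0

# Constructed sample: krb5_child lines taken from the post above.
SAMPLE_LINES = [
    "(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.",
    "(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.",
    "(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x4000): Not using FAST.",
    "(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [validate_tgt] (0x4000): Found keytab entry with the realm of the credential.",
    "(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [become_user] (0x4000): Trying to become user [1416][80].",
    "(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [create_ccache_file] (0x0020): mkstemp failed [13][Permission denied].",
    "(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [get_and_save_tgt] (0x0020): 688: [13][Permission denied]",
    "(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [tgt_req_child] (0x0020): 919: [13][Permission denied]",
]


def parse_line(line):
    """Split one debug line into its fields; return None for non-matching text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    return entry


def is_failure(entry):
    """True when the line's level bit falls in one of the failure classes."""
    return bool(entry["level"] & FAILURE_MASK)


def find_failures(lines):
    """Parse all lines and keep only the failure-level entries, in order."""
    parsed = (parse_line(line) for line in lines)
    return [e for e in parsed if e is not None and is_failure(e)]


def extract_errno(msg):
    """Return (errno, strerror) from a '[13][Permission denied]' style message."""
    m = ERRNO_RE.search(msg)
    if not m:
        return None
    return int(m.group("num")), m.group("text")


def ccache_dir_problems(mode):
    """Check an st_mode value for a shared ccache directory such as /tmp.

    krb5_child drops to the user's uid before calling mkstemp(), so the
    directory must be writable by everyone; the sticky bit keeps users
    from unlinking each other's cache files in that shared directory."""
    problems = []
    if not stat.S_ISDIR(mode):
        return ["not a directory"]
    perm = stat.S_IMODE(mode)
    if not perm & stat.S_IWOTH:
        problems.append("not world-writable (mode %o); mkstemp() as an "
                        "unprivileged user fails with EACCES" % perm)
    if not perm & stat.S_ISVTX:
        problems.append("sticky bit not set (mode %o); users could remove "
                        "each other's ccache files" % perm)
    return problems


def diagnose(lines, dir_mode):
    """List failure lines, and when create_ccache_file hit EACCES, append
    what is wrong with the directory mode that was handed in."""
    findings = []
    for e in find_failures(lines):
        findings.append("%s: %s" % (e["func"], e["msg"]))
        err = extract_errno(e["msg"])
        if e["func"] == "create_ccache_file" and err and err[0] == errno.EACCES:
            findings.extend("ccache dir: " + p for p in ccache_dir_problems(dir_mode))
    return findings


if __name__ == "__main__":
    # Run against the sample lines and the live mode of /tmp on this host.
    for finding in diagnose(SAMPLE_LINES, os.stat("/tmp").st_mode):
        print(finding)
```

Run it as-is to see the three failure lines from the post; on a host where /tmp has lost its 1777 mode, two extra "ccache dir:" findings follow the mkstemp line. The same parser works on the be[...] and ldap_child logs, since they share the line format.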
