This is a good question. Is it wrong?
The computer should always have a valid TGT. What happens if the computer's TGT expires, or rather, if it expires, does the user still have access to all services? Do I need some tuning in the config to prevent that?

I caught in ldap_child.log the precise change from preauthentication success --> preauthentication failed:

ls -l /etc/krb5.keytab
-rw------- 1 root root 894 Nov 07:48 /etc/krb5.keytab

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [prepare_response] (0x0400): Building response for result [0]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x2000): response size: 60
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x0400): ldap_child completed successfully
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x0400): ldap_child started.
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): context initialized
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): total buffer size: 37
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): princ_str size: 9
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got princ_str: VICTORIA$
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x2000): response size: 44
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0400): ldap_child completed successfully
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8138]]]] [main] (0x0400): ldap_child started.

Longina

From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 29. november 2012 14:27
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] problems sssd-1.9.2

Why do you need a TGT generated from a machine account principal? Use your own instead.
O.

On 11/29/2012 12:12 PM, Longina Przybyszewska wrote:
Can sssd do it for me? Do I miss some options configured properly?

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
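The success-to-failure transition Longina points to in ldap_child.log can be picked out mechanically rather than by eye. The following Python is an added example, not code from the thread or from sssd: it parses ldap_child debug lines in the format shown above, groups them by child PID (one ldap_child process per TGT request), and reports each principal whose keytab-based TGT request failed after an earlier success. The sample log lines are constructed from the thread's excerpt; the regexes, function names, and the PIDs and timestamps in the sample are assumptions.

```python
"""Detect a machine-account TGT going from 'credentials stored' to
'Preauthentication failed' in an sssd ldap_child.log.

Added example; not part of the original thread or of sssd.  The log
format is the one visible in the thread; the sample lines below are
constructed from it, and the PIDs/timestamps are assumptions."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# One ldap_child debug line, e.g.
# (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[\[sssd\[ldap_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PRINCIPAL_RE = re.compile(r"^Principal name is: \[(?P<princ>[^\]]+)\]$")
FAILED_RE = re.compile(r"^Failed to init credentials: (?P<reason>.+)$")


class TgtAttempt(NamedTuple):
    pid: int
    started: datetime
    principal: Optional[str]
    ok: bool                # True once 'credentials stored' was logged
    reason: Optional[str]   # Kerberos error text on failure


def parse_attempts(lines: List[str]) -> List[TgtAttempt]:
    """Group ldap_child lines by PID and summarise whether each child
    obtained and stored a TGT for its principal."""
    state: Dict[int, dict] = {}
    order: List[int] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ldap_child debug line
        pid = int(m["pid"])
        if pid not in state:
            state[pid] = {
                "started": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "principal": None, "ok": False, "reason": None,
            }
            order.append(pid)
        msg = m["msg"]
        pm = PRINCIPAL_RE.match(msg)
        if pm:
            state[pid]["principal"] = pm["princ"]
        elif msg == "credentials stored":
            state[pid]["ok"] = True
        else:
            fm = FAILED_RE.match(msg)
            if fm:
                state[pid]["reason"] = fm["reason"]
    return [TgtAttempt(pid, state[pid]["started"], state[pid]["principal"],
                       state[pid]["ok"], state[pid]["reason"]) for pid in order]


def find_regressions(attempts: List[TgtAttempt]) -> List[str]:
    """Report each principal whose keytab TGT request stopped working
    after a previous success, i.e. the transition shown in the thread."""
    last_ok: Dict[str, TgtAttempt] = {}
    findings: List[str] = []
    for a in attempts:
        if a.principal is None:
            continue  # child exited before logging a principal
        if a.ok:
            last_ok[a.principal] = a
        elif a.reason and a.principal in last_ok:
            prev = last_ok[a.principal]
            findings.append(
                f"{a.principal}: TGT OK at {prev.started:%H:%M:%S} (pid {prev.pid}), "
                f"'{a.reason}' at {a.started:%H:%M:%S} (pid {a.pid})"
            )
    return findings


# Constructed sample modelled on the thread's excerpt (PIDs/times assumed).
SAMPLE_LOG = """\
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x0400): ldap_child completed successfully
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8138]]]] [main] (0x0400): ldap_child started.
"""

if __name__ == "__main__":
    for finding in find_regressions(parse_attempts(SAMPLE_LOG.splitlines())):
        print(finding)
```

When a TGT request is made with a keytab rather than a password, "Preauthentication failed" means the KDC did not accept the key the keytab holds for that principal; the usual causes are a keytab that no longer matches the account's current key (for a machine account, after its password was changed) or a wrong principal name. Comparing `klist -kt /etc/krb5.keytab` with the key version the KDC has for the account is the natural next check once the script has flagged a transition like the one above.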
