On Thu, Mar 10, 2016 at 05:13:49PM +0000, Fabien CARRE wrote:
> Hello,
> I am experiencing some issues with this version of sssd in ad mode. I am
> unable to connect to a computer. But when using the previous version on
> another computer (sssd-1.11.6-30.el6.x86_64) it's working fine.
> 
> DC : Windows 2012R2
> client 1 : centos 6.6 - sssd-1.11.6-30.el6.x86_64
> client 2 : centos 6.7 - sssd-1.12.4-47.el6_7.7.x86_64
> 
> I am attaching the krb5_child.log file.
> 
> Has anyone got the same issues?

According to the logs the error happens during the validation of the
Kerberos ticket. For this SSSD tries to get a service ticket for the
local client and check if this service ticket can be decrypted with the
keys from the local keytab.

It looks like the AD DC does not know about the service principal
'host/[email protected]'. This principal is typically
created when you join the AD domain. Is itserver05.mikros.int the name
of the client where authentication fails? How did you join the domain,
did you use any special options?

bye,
Sumit

> 
> Thanks
> 
> Regards,

> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): 
> krb5_child started.
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] 
> (0x1000): total buffer size: [125]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] 
> (0x0100): cmd [241] uid [111111] gid [1111111] validate [true] enterprise 
> principal [true] offline [false] UPN [[email protected]]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] 
> (0x2000): No old ccache
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] 
> (0x0100): ccname: [KEYRING:persistent:111111] old_ccname: [not set] keytab: 
> [/etc/krb5.keytab]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [check_use_fast] 
> (0x0100): Not using FAST.
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_precreate_ccache] 
> (0x4000): Recreating ccache
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [privileged_krb5_setup] 
> (0x0080): Cannot open the PAC responder socket
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [become_user] (0x0200): 
> Trying to become user [111111][1111111].
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x2000): 
> Running as [111111][1111111].
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_setup] (0x2000): 
> Running as [111111][1111111].
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_lifetime_options] 
> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_lifetime_options] 
> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): Will 
> perform online auth
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [tgt_req_child] 
> (0x1000): Attempting to get a TGT
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [get_and_save_tgt] 
> (0x0400): Attempting kinit for realm [EU.DOMAIN.COM]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.664492: Getting initial 
> credentials for mytest\@[email protected]
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.664581: Sending request 
> (219 bytes) to EU.DOMAIN.COM
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.664766: Sending initial 
> UDP request to dgram 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.665964: Received answer 
> from dgram 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666054: Response was 
> from master KDC
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666074: Received error 
> from KDC: -1765328359/Additional pre-authentication required
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666129: Processing 
> preauth types: 16, 15, 19, 2
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666141: Selected etype 
> info: etype aes256-cts, salt "EU.DOMAIN.COMmytest", params ""
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674366: AS key obtained 
> for encrypted timestamp: aes256-cts/4CD3
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674405: Encrypted 
> timestamp (for 1457629646.674380): plain 
> 301AA011180F32303136303331303137303732365AA10502030A4A4C, encrypted 
> 9AB9B53DFE7ABD21B60679A76950A7CFF70A466FF4455D666D9788720BA9B7EA67F4A9A1C9CBB9DC9A09170ABCEFA1B1C811994E7BFF29AC
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674417: Preauth module 
> encrypted_timestamp (2) (flags=1) returned: 0/Success
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674428: Produced 
> preauth for next request: 2
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674443: Sending request 
> (299 bytes) to EU.DOMAIN.COM
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674491: Sending initial 
> UDP request to dgram 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.675920: Received answer 
> from dgram 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.675993: Response was 
> from master KDC
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676009: Received error 
> from KDC: -1765328332/Response too big for UDP, retry with TCP
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676017: Request or 
> response is too big for UDP; retrying with TCP
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676023: Sending request 
> (299 bytes) to EU.DOMAIN.COM (tcp only)
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676055: Initiating TCP 
> connection to stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676340: Sending TCP 
> request to stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677624: Received answer 
> from stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677685: Response was 
> from master KDC
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677734: Processing 
> preauth types: 19
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677756: Selected etype 
> info: etype aes256-cts, salt "EU.DOMAIN.COMmytest", params ""
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677763: Produced 
> preauth for next request: (empty)
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677788: AS key 
> determined by preauth: aes256-cts/4CD3
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677871: Decrypted AS 
> reply; session key is: rc4-hmac/A720
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677901: FAST 
> negotiation: unavailable
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_krb5_expire_callback_func] (0x2000): exp_time: [4314436]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] 
> (0x2000): Found keytab entry with the realm of the credential.
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677957: Retrieving 
> host/[email protected] from MEMORY:/etc/krb5.keytab (vno 0, 
> enctype 0) with result: 0/Success
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677966: Resolving 
> unique ccache of type MEMORY
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677980: Initializing 
> MEMORY:ZIyWoF4 with default princ [email protected]
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677989: Removing 
> [email protected] -> krbtgt/[email protected] from MEMORY:ZIyWoF4
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677996: Storing 
> [email protected] -> krbtgt/[email protected] in MEMORY:ZIyWoF4
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678029: Getting 
> credentials [email protected] -> host/[email protected] 
> using ccache MEMORY:ZIyWoF4
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678049: Retrieving 
> [email protected] -> host/[email protected] from 
> MEMORY:ZIyWoF4 with result: -1765328243/Matching credential not found
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678062: Retrieving 
> [email protected] -> krbtgt/[email protected] from 
> MEMORY:ZIyWoF4 with result: 0/Success
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678069: Found cached 
> TGT for service realm: [email protected] -> 
> krbtgt/[email protected]
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678075: Requesting 
> tickets for host/[email protected], referrals on
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678089: Generated 
> subkey for TGS request: rc4-hmac/4993
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678098: etypes 
> requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678185: Sending request 
> (1683 bytes) to EU.DOMAIN.COM
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678249: Initiating TCP 
> connection to stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678480: Sending TCP 
> request to stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741482: Received answer 
> from stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741654: Response was 
> from master KDC
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741706: TGS request 
> result: -1765328377/Server not found in Kerberos database
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741718: Requesting 
> tickets for host/[email protected], referrals off
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741769: Generated 
> subkey for TGS request: rc4-hmac/2A08
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741784: etypes 
> requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741859: Sending request 
> (1683 bytes) to EU.DOMAIN.COM
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741913: Initiating TCP 
> connection to stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.742169: Sending TCP 
> request to stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805000: Received answer 
> from stream 10.218.194.10:88
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805208: Response was 
> from master KDC
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805261: TGS request 
> result: -1765328377/Server not found in Kerberos database
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805312: Destroying 
> ccache MEMORY:ZIyWoF4
> 
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] 
> (0x0020): TGT failed verification using key for 
> [host/[email protected]].
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [get_and_save_tgt] 
> (0x0020): 1007: [-1765328377][Server not found in Kerberos database]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [map_krb5_error] 
> (0x0020): 1069: [-1765328377][Server not found in Kerberos database]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_send_data] 
> (0x0200): Received error code 1432158209
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [pack_response_packet] 
> (0x2000): response packet size: [20]
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_send_data] 
> (0x4000): Response sent.
> (Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): 
> krb5_child completed successfully

> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
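
Added example, not part of the original thread or of SSSD: a small triage script that scans a krb5_child.log for the failure pattern diagnosed above, where TGT validation fails because the KDC has no entry for the keytab's service principal. It assumes unwrapped log lines as written on disk; the sample log is constructed, and its host name and realm are placeholders.

```python
import re

# SSSD debug line: (timestamp) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\([^)]+\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                     r"\[(?P<func>\w+)\] \(0x[0-9a-f]{4}\): (?P<msg>.*)$")
TGS_RESULT_RE = re.compile(r"TGS request result: (-?\d+)/(.+)$")
VALIDATE_FAIL_RE = re.compile(r"TGT failed verification using key for \[([^\]]+)\]")
S_PRINCIPAL_UNKNOWN = -1765328377  # "Server not found in Kerberos database"

# Constructed sample modelled on the log in this thread, one entry per line as
# written on disk. Host name and realm are placeholders.
P = "(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[%s]]]] "
SAMPLE_LOG = "\n".join([
    P % 9342 + "[validate_tgt] (0x2000): Found keytab entry with the realm of the credential.",
    P % 9342 + "[sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741706: "
               "TGS request result: -1765328377/Server not found in Kerberos database",
    "",
    P % 9342 + "[validate_tgt] (0x0020): TGT failed verification using key for "
               "[host/client.example.test@EXAMPLE.TEST].",
    P % 9400 + "[main] (0x0400): krb5_child started.",
    P % 9400 + "[main] (0x0400): krb5_child completed successfully",
])

def find_validation_failures(log_text):
    """Return {pid: details} for krb5_child runs whose TGT validation failed."""
    last_tgs = {}   # pid -> (code, text) of the most recent TGS result in that run
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank separators after trace lines, wrapped fragments
        pid, msg = m["pid"], m["msg"]
        tgs = TGS_RESULT_RE.search(msg)
        if tgs:
            last_tgs[pid] = (int(tgs[1]), tgs[2].strip())
            continue
        fail = VALIDATE_FAIL_RE.search(msg)
        if fail and m["func"] == "validate_tgt":
            code, text = last_tgs.get(pid, (None, None))
            findings[pid] = {
                "principal": fail[1],          # keytab principal used for validation
                "krb5_code": code,
                "krb5_text": text,
                "spn_unknown_to_kdc": code == S_PRINCIPAL_UNKNOWN,
            }
    return findings

if __name__ == "__main__":
    print(find_validation_failures(SAMPLE_LOG))
```

When `spn_unknown_to_kdc` is true, the reported principal is the one to look for on the computer object in AD.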