Can you do "kinit -k [email protected]"?
A good test if trust with AD works well - if not, sssd cannot do much about 
it...
O.

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
Sent: Monday, May 23, 2016 9:22 AM
To: [email protected]
Subject: [SSSD-users] SSSD AD Login problems

Hi All,

Last week I bound my computer to Active Directory and everything was working 
fine but as of today authentication has started to fail.

SSSD log

In the logs (debug = 7) I see:

(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_resolve_server_process] (0x0200): Found address for server pmc-dc2.petermac.org.au: [172.23.8.18] TTL 3600
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://pmc-dc2.petermac.org.au'
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://pmc-dc2.petermac.org.au'
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child started.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x1000): total buffer size: [136]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): cmd [241] uid [1501] gid [1501] validate [true] enterprise principal [true] offline [false] UPN [Ellul [email protected]]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1501] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [become_user] (0x0200): Trying to become user [1501][1501].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): Will perform online auth
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [PETERMAC.ORG.AU]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [[email protected]].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for [email protected] kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [map_krb5_error] (0x0020): 1301: [-1765328340][Cannot find key for [email protected] kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child completed successfully
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [check_wait_queue] (0x1000): Wait queue for user [Ellul Jason] is empty.
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x555f73e8b420] done.
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [4][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [4][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x1000): Waiting for child [6572].
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x0100): child [6572] finished successfully.
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 32
(Mon May 23 17:18:58 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon May 23 17:18:59 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

[root@la35185 jellul]# klist -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 23/05/16 12:55:53 [email protected]
   2 23/05/16 12:55:53 [email protected]
   2 23/05/16 12:55:53 [email protected]
   2 23/05/16 12:55:53 [email protected]
   2 23/05/16 12:55:53 [email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 HOST/[email protected]
   2 23/05/16 12:55:53 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:53 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:53 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:53 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:53 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:53 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:54 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:54 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:54 RestrictedKrbHost/[email protected]
   2 23/05/16 12:55:54 RestrictedKrbHost/[email protected]

Many thanks

Jason
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
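
Added example, not part of the original messages: a small check that lines up the key version number named in the krb5_child "Cannot find key for ... kvno N in keytab" error with the KVNO column of `klist -k -t`, which is the comparison the log and keytab listing above invite. The host name, realm and sample text are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample data modelled on the thread; HOST01 and EXAMPLE.COM are
# placeholders, not values from the original post.
SAMPLE_LOG = """\
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [HOST01$@EXAMPLE.COM].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for HOST01$@EXAMPLE.COM kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [map_krb5_error] (0x0020): 1301: [-1765328340][Cannot find key for HOST01$@EXAMPLE.COM kvno 3 in keytab]
"""

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 23/05/16 12:55:53 HOST01$@EXAMPLE.COM
   2 23/05/16 12:55:53 host/host01.example.com@EXAMPLE.COM
"""

MISSING_KEY = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")
# A data row of `klist -k -t`: kvno, date, time, principal.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def keytab_kvnos(klist_text):
    """Map each principal to the set of kvnos listed for it in the keytab."""
    kvnos = {}
    for line in klist_text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos


def kvno_mismatches(log_text, klist_text):
    """Return (principal, kvno_wanted, kvnos_in_keytab) per distinct failure."""
    have = keytab_kvnos(klist_text)
    seen, out = set(), []
    for principal, kvno in MISSING_KEY.findall(log_text):
        key = (principal, int(kvno))
        if key not in seen:  # the same error is logged by several functions
            seen.add(key)
            out.append((principal, int(kvno), sorted(have.get(principal, ()))))
    return out


if __name__ == "__main__":
    for principal, wanted, present in kvno_mismatches(SAMPLE_LOG, SAMPLE_KLIST):
        print(f"{principal}: ticket needs kvno {wanted}, keytab has {present or 'no keys'}")
```
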
