Hi

I have 7 RHEL6U6 servers in a setup. I have configured authentication towards AD on all of them. On 6 it works. On the last

* ldap search works
* ktlist, kinit works
* id works

But authentication fails. I can't see why and need some help. They are not 100% identical the 7 servers. I have installed KDE Desktop on the problematic server and that in itself should not b0rk it, but we have been playing around a bit more with this than we have with the rest.

# problematic server
[root@nnsceapp01s sssd]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
12/16/16 08:33:16  12/16/16 18:33:16  krbtgt/[email protected]
        renew until 12/23/16 08:33:16
12/16/16 08:40:29  12/16/16 18:33:16  host/[email protected]
        renew until 12/23/16 08:33:16
12/16/16 08:42:18  12/16/16 18:33:16  host/[email protected]
        renew until 12/23/16 08:33:16
12/16/16 08:42:24  12/16/16 18:33:16  host/[email protected]
        renew until 12/23/16 08:33:16
12/16/16 08:43:23  12/16/16 18:33:16  ldap/[email protected]
        renew until 12/23/16 08:33:16
[root@nnsceapp01s sssd]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 host/[email protected]
  10 [email protected]
  10 [email protected]
  10 [email protected]
  10 [email protected]
  10 [email protected]
[root@nnsceapp01s sssd]# id tsiv
uid=8087(tsiv) gid=804(unixtek) groups=804(unixtek)
[root@nnsceapp01s sssd]# grep tsiv /etc/passwd
[root@nnsceapp01s sssd]# /etc/init.d/sssd stop ; rm -Rf /var/log/sssd/* /var/lib/sss/db/* /var/lib/sss/gpo_cache/* ; /etc/init.d/sssd start
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
[root@nnsceapp01s sssd]# id tsiv
uid=8087(tsiv) gid=804(unixtek) groups=804(unixtek)
[root@nnsceapp01s sssd]# su - tsiv
-bash: /home/tsiv/hosts: No such file or directory
tsiv@nnsceapp01s|0:~$ pwd
/home/tsiv
tsiv@nnsceapp01s|0:~$ logout
[root@nnsceapp01s sssd]# /usr/bin/ldapsearch -H ldap://dcdkba021.corp.novocorp.net/ -Y GSSAPI -N -b DC=CORP,DC=NOVOCORP,DC=NET sAMAccountName=tsiv | grep -i tsiv
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# filter: sAMAccountName=tsiv
# TSIV, NovoNordisk, Company, corp.novocorp.net
dn: CN=TSIV,OU=NovoNordisk,OU=Company,DC=corp,DC=novocorp,DC=net
cn: TSIV
distinguishedName: CN=TSIV,OU=NovoNordisk,OU=Company,DC=corp,DC=novocorp,DC=ne
proxyAddresses: smtp:[email protected]
 F23SPDLT)/cn=Recipients/cn=1481d9e9957b4572b6a9eae810dba6f3-TSIV
proxyAddresses: SMTP:[email protected]
proxyAddresses: sip:[email protected]
 )/cn=Recipients/cn=tsiv
mailNickname: tsiv
wWWHomePage: http://mysite.nnit.com/personal/tsiv/
name: TSIV
homeDirectory: \\FSDKHQ001\users403$\TSIV
sAMAccountName: TSIv
 n=Recipients/cn=TSIVd4b
userPrincipalName: [email protected]
mail: [email protected]
unixHomeDirectory: /home/tsiv
msRTCSIP-PrimaryUserAddress: sip:[email protected]
[root@nnsceapp01s sssd]#

But

tsiv@nnsceapp01s's password:
Permission denied, please try again.

From sssd_CORP.NOVOCORP.NET.log

(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [TSIv] found.
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [get_server_status] (0x1000): Status of server 'dcdkba021.corp.novocorp.net' is 'working'
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [get_port_status] (0x1000): Port status of port 0 for server 'dcdkba021.corp.novocorp.net' is 'working'
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [get_server_status] (0x1000): Status of server 'dcdkba021.corp.novocorp.net' is 'working'
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_resolve_server_process] (0x0200): Found address for server dcdkba021.corp.novocorp.net: [10.1.11.34] TTL 3546
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [23069]
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_handler_setup] (0x2000): Signal handler set up for pid [23069]
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [check_wait_queue] (0x1000): Wait queue for user [TSIv] is empty.
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x20ffb50] done.
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_pam_handler_callback] (0x0100): Sending result [4][CORP.NOVOCORP.NET]
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_pam_handler_callback] (0x0100): Sent result [4][CORP.NOVOCORP.NET]
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_sig_handler] (0x1000): Waiting for child [23069].
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_sig_handler] (0x0100): child [23069] finished successfully.

# from sssd_pam.log

(Fri Dec 16 10:15:25 2016) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[22616].
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe!
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'tsiv' matched without domain, user is tsiv
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): user: tsiv
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: nx05.ad.noc.nnit.com
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22616
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: tsiv
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CORP.NOVOCORP.NET/tsiv]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [tsiv] not found in PAM cache.
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x410330:3:[email protected]]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CORP.NOVOCORP.NET][0x3][BE_REQ_INITGROUPS][1][name=tsiv]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x1f0b5f0
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x410330:3:[email protected]]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x1f0b5f0
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1f09b10
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1f1b030
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1f1b160
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Running timer event 0x1f1b030 "ltdb_callback"
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x1f1b160 "ltdb_timeout"
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x1f1b030 "ltdb_callback"
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [[email protected]]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is TSIv
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [tsiv] added to PAM initgroup cache
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: CORP.NOVOCORP.NET
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): user: TSIv
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: nx05.ad.noc.nnit.com
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22616
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: tsiv
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x1f12730
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x410330:3:[email protected]]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x1f12730
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1f09b10
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][CORP.NOVOCORP.NET]
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
(Fri Dec 16 10:15:30 2016) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [tsiv] removed from PAM initgroup cache

Running with debug=9

What am I missing?

Thomas
