On Fri, Dec 16, 2016 at 09:19:08AM -0000, [email protected] wrote:
> Hi
>
> I have 7 RHEL6U6 servers in a setup. I have configured authentication towards
> AD on all of them. On 6 it works. On the last
> * ldap search works
> * klist, kinit work
> * id works
>
> But authentication fails. I can't see why and need some help. They are not
> 100% identical, the 7 servers. I have installed KDE Desktop on the problematic
> server and that in itself should not b0rk it, but we have been playing around
> a bit more with this than we have with the rest.

Can you add the krb5_child.log file with debug_level=9 as well.

bye,
Sumit

>
> # problematic server
> [root@nnsceapp01s sssd]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 12/16/16 08:33:16  12/16/16 18:33:16  krbtgt/[email protected]
>         renew until 12/23/16 08:33:16
> 12/16/16 08:40:29  12/16/16 18:33:16  host/[email protected]
>         renew until 12/23/16 08:33:16
> 12/16/16 08:42:18  12/16/16 18:33:16  host/[email protected]
>         renew until 12/23/16 08:33:16
> 12/16/16 08:42:24  12/16/16 18:33:16  host/[email protected]
>         renew until 12/23/16 08:33:16
> 12/16/16 08:43:23  12/16/16 18:33:16  ldap/[email protected]
>         renew until 12/23/16 08:33:16
> [root@nnsceapp01s sssd]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 host/[email protected]
>   10 [email protected]
>   10 [email protected]
>   10 [email protected]
>   10 [email protected]
>   10 [email protected]
>
> [root@nnsceapp01s sssd]# id tsiv
> uid=8087(tsiv) gid=804(unixtek) groups=804(unixtek)
> [root@nnsceapp01s sssd]# grep tsiv /etc/passwd
> [root@nnsceapp01s sssd]# /etc/init.d/sssd stop ; rm -Rf /var/log/sssd/* /var/lib/sss/db/* /var/lib/sss/gpo_cache/* ; /etc/init.d/sssd start
> Stopping sssd: [ OK ]
> Starting sssd: [ OK ]
> [root@nnsceapp01s sssd]# id tsiv
> uid=8087(tsiv) gid=804(unixtek) groups=804(unixtek)
>
> [root@nnsceapp01s sssd]# su - tsiv
> -bash: /home/tsiv/hosts: No such file or directory
> tsiv@nnsceapp01s|0:~$ pwd
> /home/tsiv
> tsiv@nnsceapp01s|0:~$ logout
> [root@nnsceapp01s sssd]# /usr/bin/ldapsearch -H ldap://dcdkba021.corp.novocorp.net/ -Y GSSAPI -N -b DC=CORP,DC=NOVOCORP,DC=NET sAMAccountName=tsiv | grep -i tsiv
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 56
> SASL data security layer installed.
> # filter: sAMAccountName=tsiv
> # TSIV, NovoNordisk, Company, corp.novocorp.net
> dn: CN=TSIV,OU=NovoNordisk,OU=Company,DC=corp,DC=novocorp,DC=net
> cn: TSIV
> distinguishedName: CN=TSIV,OU=NovoNordisk,OU=Company,DC=corp,DC=novocorp,DC=ne
> proxyAddresses: smtp:[email protected]
> F23SPDLT)/cn=Recipients/cn=1481d9e9957b4572b6a9eae810dba6f3-TSIV
> proxyAddresses: SMTP:[email protected]
> proxyAddresses: sip:[email protected]
> )/cn=Recipients/cn=tsiv
> mailNickname: tsiv
> wWWHomePage: http://mysite.nnit.com/personal/tsiv/
> name: TSIV
> homeDirectory: \\FSDKHQ001\users403$\TSIV
> sAMAccountName: TSIv
> n=Recipients/cn=TSIVd4b
> userPrincipalName: [email protected]
> mail: [email protected]
> unixHomeDirectory: /home/tsiv
> msRTCSIP-PrimaryUserAddress: sip:[email protected]
> [root@nnsceapp01s sssd]#
>
> But
>
> tsiv@nnsceapp01s's password:
> Permission denied, please try again.
>
> From sssd_CORP.NOVOCORP.NET.log
>
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [TSIv] found.
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [get_server_status] (0x1000): Status of server 'dcdkba021.corp.novocorp.net' is 'working'
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [get_port_status] (0x1000): Port status of port 0 for server 'dcdkba021.corp.novocorp.net' is 'working'
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [get_server_status] (0x1000): Status of server 'dcdkba021.corp.novocorp.net' is 'working'
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_resolve_server_process] (0x0200): Found address for server dcdkba021.corp.novocorp.net: [10.1.11.34] TTL 3546
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [23069]
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_handler_setup] (0x2000): Signal handler set up for pid [23069]
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [check_wait_queue] (0x1000): Wait queue for user [TSIv] is empty.
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x20ffb50] done.
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_pam_handler_callback] (0x0100): Sending result [4][CORP.NOVOCORP.NET]
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [be_pam_handler_callback] (0x0100): Sent result [4][CORP.NOVOCORP.NET]
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_sig_handler] (0x1000): Waiting for child [23069].
> (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [child_sig_handler] (0x0100): child [23069] finished successfully.
>
> # from sssd_pam.log
>
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[22616].
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe!
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'tsiv' matched without domain, user is tsiv
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): user: tsiv
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: nx05.ad.noc.nnit.com
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22616
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: tsiv
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CORP.NOVOCORP.NET/tsiv]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [tsiv] not found in PAM cache.
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x410330:3:[email protected]]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CORP.NOVOCORP.NET][0x3][BE_REQ_INITGROUPS][1][name=tsiv]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x1f0b5f0
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x410330:3:[email protected]]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x1f0b5f0
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1f09b10
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1f1b030
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1f1b160
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Running timer event 0x1f1b030 "ltdb_callback"
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x1f1b160 "ltdb_timeout"
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x1f1b030 "ltdb_callback"
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [[email protected]]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is TSIv
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [tsiv] added to PAM initgroup cache
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: CORP.NOVOCORP.NET
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): user: TSIv
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: nx05.ad.noc.nnit.com
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22616
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: tsiv
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x1f12730
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x410330:3:[email protected]]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x1f12730
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1f09b10
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][CORP.NOVOCORP.NET]
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 34
> (Fri Dec 16 10:15:25 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1f12640][18]
> (Fri Dec 16 10:15:30 2016) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [tsiv] removed from PAM initgroup cache
>
> Running with debug=9
>
> What am I missing?
>
> Thomas
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
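An added triage helper (not code from the thread or from the sssd project) for reading logs like the ones quoted above: it re-joins records that the mail client wrapped onto several lines, splits each into timestamp, component, function, debug level and message, and pulls out the fields that decided the SSS_PAM_AUTHENTICATE request. In this thread that is `Backend returned: (0, 4, <NULL>)`, whose second field matches the `Sending result [4]` line and is Linux-PAM's PAM_SYSTEM_ERR. The field names, the small PAM code table and the sample (four records copied from the quoted log) are mine; the `child response` triple is reported raw because the thread does not decode it.

```python
import re

# One sssd debug record; the mail client wrapped some of them onto several lines:
#   (Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]] [func] (0x1000): message
TS_RE = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\)")
REC_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>[^\]]+)\] "
                    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Linux-PAM return codes as they show up in "Backend returned: (ret, pam_status, msg)".
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

def parse_sssd_log(text):
    """Glue wrapped lines back onto their record, then split each record into fields."""
    chunks = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if TS_RE.match(line):      # a timestamp opens a new record
            chunks.append(line)
        elif chunks:               # anything else is a wrapped continuation
            chunks[-1] += " " + line
    return [m.groupdict() for m in map(REC_RE.match, chunks) if m]

def auth_outcome(records):
    """Pull out what decided the SSS_PAM_AUTHENTICATE request in a backend (be) log."""
    out = {"user": None, "child_pid": None, "child_response": None, "pam_status": None}
    for r in records:
        msg = r["msg"]
        if m := re.search(r"No ccache file for user \[([^\]]+)\]", msg):
            out["user"] = m.group(1)
        if m := re.search(r"Signal handler set up for pid \[(\d+)\]", msg):
            out["child_pid"] = int(m.group(1))        # the krb5_child that was forked
        if m := re.search(r"child response \[(\d+)\]\[(\d+)\]\[(\d+)\]", msg):
            out["child_response"] = tuple(int(x) for x in m.groups())  # kept raw
        if m := re.search(r"Backend returned: \((\d+), (\d+),", msg):
            out["pam_status"] = int(m.group(2))       # matches "Sending result [N]"
    out["pam_status_name"] = PAM_STATUS.get(out["pam_status"], "unknown")
    return out

# Constructed sample: four records from the thread, wrapped the way the mail shows them.
SAMPLE = """\
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]]
[krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [TSIv]
found.
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]]
[child_handler_setup] (0x2000): Signal handler set up for pid [23069]
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]]
[parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
(Fri Dec 16 10:15:25 2016) [sssd[be[CORP.NOVOCORP.NET]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""

if __name__ == "__main__":
    print(auth_outcome(parse_sssd_log(SAMPLE)))
```

Run it over a full sssd_<domain>.log to see the PAM status the backend handed back; with the krb5_child.log Sumit asks for, the same record parser applies to that file too.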
