On one computer (Arch) I have misconfigured sssd, and when I try to use PAM, sssd tries to get a ticket for username\@MYDOMAIN.COM\@[email protected]. On others (Gentoo) it works fine.
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5845] finished successfully.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: MYHOSTNAME$
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'DC1.mydomain.com' as 'working'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'DC1.mydomain.com' as 'working'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): user: [email protected]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: <RHOST>
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5844
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: [email protected]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [dp_pam_handler] (0x0100): Got request with the following data
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: [email protected]
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser:
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: <RHOST>
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 5844
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_send] (0x0100): Home directory for user [[email protected]] not known.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server dc3.mydomain.com: [<DC3IP>] TTL 3600
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [username\@[email protected]]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019289252_XXXXXX] old_ccname: [KEYRING:persistent:200389252] keytab: [/etc/krb5.keytab]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [check_use_fast] (0x0100): Not using FAST.
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [1019289252][400513].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [become_user] (0x0200): Trying to become user [1019289252][400513].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Lifetime is set to [3d]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328378][Client 'username\@MYDOMAIN.COM\@[email protected]' not found in Kerberos database]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [map_krb5_error] (0x0020): 1371: [-1765328378][Client 'username\@MYDOMAIN.COM\@[email protected]' not found in Kerberos database]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5846] finished successfully.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 27
(Tue Mar 7 16:10:05 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Tue Mar 7 16:10:08 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

Logging in over ssh with GSSAPI works.
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
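A triage script for the krb5_child lines in the message above, added here as an example; it is neither sssd code nor part of the original post. It parses sssd's debug-line format, pulls out the UPN the back end handed to krb5_child (the unpack_buffer line) and the client principal the KDC rejected (the get_and_save_tgt line), and reports which realm components appeared in between, which is the doubled-realm symptom the poster describes. The sample entries are copied from the post; the "[email protected]" tokens are e-mail scrubbing residue of the list archive and are treated as opaque text. The name for the KDC error code is taken from MIT krb5's error table; everything else (function and field names) is this example's own.

```python
"""Correlate the principal sssd's back end sent to krb5_child with the
principal the KDC rejected, from sssd debug logs. Example code, not sssd's."""
import re

# Log entries copied from the archived post, one entry per element. The
# "[email protected]" tokens are scrubbing residue in the archive, not real
# addresses; the parser treats them as opaque text.
SAMPLE_LOG = [
    "(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): "
    "cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] "
    "offline [false] UPN [username\\@[email protected]]",
    "(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_canonicalize_option] (0x0100): "
    "Canonicalization is set to [true]",
    "(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [get_and_save_tgt] (0x0020): "
    "1302: [-1765328378][Client 'username\\@MYDOMAIN.COM\\@[email protected]' "
    "not found in Kerberos database]",
    "(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_done] (0x0040): "
    "The krb5_child process returned an error. Please inspect the krb5_child.log file "
    "or the journal for more information",
]

# "(timestamp) [[sssd[component[pid]]]] [function] (0xLEVEL): message"
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<component>[a-z0-9_]+).*?\]+ "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
UPN_RE = re.compile(r"UPN \[(?P<upn>.*)\]$")
CLIENT_RE = re.compile(
    r"\[(?P<code>-?\d+)\]\[Client '(?P<client>.*)' not found in Kerberos database\]"
)
# The one KDC error code seen in the post; name from MIT krb5's error table.
KRB5_ERRORS = {-1765328378: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"}


def parse_entry(line):
    """Split one sssd debug line into its fields, or return None if it is not one."""
    m = ENTRY_RE.match(line)
    return m.groupdict() if m else None


def split_principal(principal):
    """Return (name_components, realm). The realm follows the last unescaped '@';
    an escaped '\\@' inside the name (enterprise-principal form) separates the
    name components, so a doubled realm shows up as an extra component."""
    idx = None
    for i, ch in enumerate(principal):
        if ch == "@" and (i == 0 or principal[i - 1] != "\\"):
            idx = i
    if idx is None:
        return principal.split("\\@"), ""
    return principal[:idx].split("\\@"), principal[idx + 1:]


def triage(lines):
    """Report what krb5_child was asked for versus what the KDC refused."""
    report = {"sent_upn": None, "rejected_client": None, "kdc_error": None,
              "canonicalize": None, "inserted_components": [],
              "verdict": "no krb5_child failure found"}
    for line in lines:
        e = parse_entry(line)
        if not e or e["component"] != "krb5_child":
            continue
        if e["func"] == "unpack_buffer":
            m = UPN_RE.search(e["msg"])
            if m:
                report["sent_upn"] = m.group("upn")
        elif e["func"] == "set_canonicalize_option":
            report["canonicalize"] = "[true]" in e["msg"]
        elif e["func"] == "get_and_save_tgt":
            m = CLIENT_RE.search(e["msg"])
            if m:
                report["rejected_client"] = m.group("client")
                code = int(m.group("code"))
                report["kdc_error"] = KRB5_ERRORS.get(code, f"krb5 error {code}")
    if report["sent_upn"] and report["rejected_client"]:
        sent, _ = split_principal(report["sent_upn"])
        got, _ = split_principal(report["rejected_client"])
        report["inserted_components"] = [c for c in got if c not in sent]
        if report["inserted_components"]:
            report["verdict"] = (
                "krb5_child requested a principal with extra component(s) "
                + ", ".join(report["inserted_components"])
                + " beyond the UPN it was given; compare this host's enterprise "
                "principal and realm settings with a working host")
        else:
            report["verdict"] = "principal unchanged; KDC refused it: " + report["kdc_error"]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the krb5_child and back-end lines from sssd_<domain>.log / krb5_child.log of the failing host and of a working one; on the failing host the report lists the component that was inserted between the UPN and the KDC request, on the working one it should list none.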
