On Thu, Mar 09, 2017 at 12:14:08AM -0000, Maciej Piechotka wrote:
> On one computer (Arch) I have misconfigured sssd and when I try to use PAM
> sssd tries to get ticket for
> username\@MYDOMAIN.COM\@[email protected]. On others (Gentoo) it
> works fine.

It looks like due to the misconfiguration(?) SSSD stored a wrong representation of the canonical Kerberos principal in its cache. I think the only way to get around this is to remove the entry from the cache and the easiest way to do this is to remove the cache with rm. Please note that this will remove all cached passwords for the offline usage as well. If this is not acceptable you can use the ldbedit utility to only remove the offending entry.

HTH

bye,
Sumit

>
> (Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
> (Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
> (Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5845] finished successfully.
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: MYHOSTNAME$
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'DC1.mydomain.com' as 'working'
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'DC1.mydomain.com' as 'working'
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]]
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: mydomain.com
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): user: [email protected]
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: <RHOST>
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5844
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: [email protected]
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [dp_pam_handler] (0x0100): Got request with the following data
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: [email protected]
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser:
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: <RHOST>
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 5844
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_send] (0x0100): Home directory for user [[email protected]] not known.
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server dc3.mydomain.com: [<DC3IP>] TTL 3600
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [username\@[email protected]]
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019289252_XXXXXX] old_ccname: [KEYRING:persistent:200389252] keytab: [/etc/krb5.keytab]
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [check_use_fast] (0x0100): Not using FAST.
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [1019289252][400513].
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [become_user] (0x0200): Trying to become user [1019289252][400513].
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Lifetime is set to [3d]
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328378][Client 'username\@MYDOMAIN.COM\@[email protected]' not found in Kerberos database]
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [map_krb5_error] (0x0020): 1371: [-1765328378][Client 'username\@MYDOMAIN.COM\@[email protected]' not found in Kerberos database]
> (Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5846] finished successfully.
> (Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
> (Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 27
> (Tue Mar 7 16:10:05 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
> (Tue Mar 7 16:10:08 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>
> Logging over ssh with GSSAPI works.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
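As an added example (not code from the thread or from the SSSD project), a small POSIX shell helper that flags the double-realm UPN the quoted krb5_child log shows and prints the sysdb lookup plus the two cleanup paths from the reply. It assumes the default cache directory /var/lib/sss/db, sysdb user DNs of the form name=USER@DOMAIN,cn=users,cn=DOMAIN,cn=sysdb, and the attribute name canonicalUserPrincipalName; the log lines are constructed and modelled on the quoted ones.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD project.
# Assumptions: cache files live in /var/lib/sss/db, the sysdb user DN is
# name=USER@DOMAIN,cn=users,cn=DOMAIN,cn=sysdb and the cached principal is
# kept in the canonicalUserPrincipalName attribute.
SSS_DB_DIR=${SSS_DB_DIR:-/var/lib/sss/db}

# Constructed krb5_child log lines modelled on the quoted ones: the first
# carries the double-realm UPN, the second a well-formed enterprise principal.
SAMPLE_LOG='(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [username\@MYDOMAIN.COM\@MYDOMAIN.COM@MYDOMAIN.COM]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5847]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289253] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [other\@MYDOMAIN.COM@MYDOMAIN.COM]'

# Print every "UPN [...]" value that contains two escaped "\@": the shape the
# KDC answers with "Client ... not found in Kerberos database". Reads stdin.
find_double_realm_upn() {
    grep -o 'UPN \[[^]]*\]' | sed -n 's/^UPN \[\(.*\\@.*\\@.*\)\]$/\1/p'
}

# The sysdb query that shows what SSSD cached for one user.
# $1 = sssd domain (e.g. mydomain.com), $2 = short user name.
sysdb_lookup_cmd() {
    printf "ldbsearch -H %s/cache_%s.ldb -b 'name=%s@%s,cn=users,cn=%s,cn=sysdb' -s base canonicalUserPrincipalName userPrincipalName\n" \
        "$SSS_DB_DIR" "$1" "$2" "$1" "$1"
}

# Option 1 from the reply: drop the whole cache while sssd is stopped. The
# timestamp cache belongs to it; every offline-cached password is lost.
full_cache_reset_cmds() {
    printf 'systemctl stop sssd\n'
    printf 'rm -f %s/cache_%s.ldb %s/timestamps_%s.ldb\n' \
        "$SSS_DB_DIR" "$1" "$SSS_DB_DIR" "$1"
    printf 'systemctl start sssd\n'
}

# Option 2 from the reply: open only the offending entry in ldbedit (with
# sssd stopped) and delete it there, keeping every other cached credential.
single_entry_edit_cmd() {
    printf "ldbedit -H %s/cache_%s.ldb -e vi '(name=%s@%s)'\n" \
        "$SSS_DB_DIR" "$1" "$2" "$1"
}

# Stand-alone run: report the bad principal and the commands to review.
printf '%s\n' "$SAMPLE_LOG" | find_double_realm_upn
sysdb_lookup_cmd mydomain.com username
full_cache_reset_cmds mydomain.com
single_entry_edit_cmd mydomain.com username
```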
