On Tue, 2017-05-23 at 10:11 +0200, Joakim Tjernlund wrote: > On Mon, 2017-05-22 at 22:29 +0200, Lukas Slebodnik wrote: > > On (22/05/17 14:53), Joakim Tjernlund wrote: > > > > The time is not synchronised between client and server. > > > > MIT krb5 can handle small offset. But I would highly recommends > > > > to keep time in sync. > > > > > > There is some time problem on and off but this has never been too much. I > > > don't > > > think this was the root problem here ? > > > > > > > As I already mention I would highly recommend to keep time in sync. > > It will reduce possible errors. > > > > Configure ntpd/chrony on client and server is not a rocket science :-) > > Sure, no rocket science but I have little control over the AD servers. :( > Anyhow, I did a "net ads info" and it came back with Server time offset: 0 > so I don't think there is a time difference(or very small)? > The clients are already on NTP. > > > > > > > > > Renewing of a ticket failed because it is already expired. > > > > Maybe due to time shift between client and server(KDC) > > > > > > Yes, it is expired to begin with. I got a ticket, then suspended the > > > computer long enough for > > > the ticket to expire(10 hours here) and then woke up and unlocked the > > > screen. > > > The problem is that sssd never tries to get a new ticket using my creds I > > > gave when unlocking. > > > Even if I do several lock/unlocks after the network is restored, sssd > > > will not get me a new ticket. > > > > > > > sssd would get new ticket if it was in online mode. > > But it offline mode. > > > > I would highly recommend to keep time in sync with server > > and then debug why sssd was in offline mode. > > Or why it went to offline mode. > > > > With 1.15 you can use sssctl e.g. > > I did run sssctl domain-status infinera.com and it came back with: > Unable to get online status [3]: Communication error > org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes > include: the remote application > did not send a reply, the message bus security policy blocked the reply, the > reply timeout expired, or the > network connection was broken. > Check that SSSD is running and the InfoPipe responder is enabled. Make sure > 'ifp' is listed in the 'services' > option in sssd.conf. > Unable to get online status > > I then just added 'ifp' to 'services' and restarted sssd and now it works: > sssctl domain-status infinera.com > Online status: Online > > Active servers: > AD Global Catalog: not connected > AD Domain Controller: se-dc01.infinera.com > ..... > > Could the problem I saw be related to not having ifp in services ? > I will check again when the ticket expires again. > > Jocke
On another machine I added ifp to services and just reloaded the sssd config (signal HUG to sssd) and just got this in the domain log: (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_primary_server_timeout] (0x0400): Looking for primary server! (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status of server 'se-dc02.infinera.com' is 'working' (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'se-dc02.infinera.com' is 'not working' (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues. (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_port_status] (0x0100): Resetting the status of port 0 for server 'se-dc02.infinera.com' (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status of server 'se-dc02.infinera.com' is 'working' (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x0200): Found address for server se-dc02.infinera.com: [10.210.34.22] TTL 3600 (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://se-dc02.infinera.com' (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://se-dc02.infinera.com' (Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_run_reconnect_cb] (0x0400): Reconnecting. Running callbacks. and later (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, GENTOO-LABBB$, INFINERA.COM, 86400) (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service AD (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status of server 'se-dc02.infinera.com' is 'name resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'se-dc02.infinera.com' is 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status of server 'se-dc02.infinera.com' is 'name resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x0200): Found address for server se-dc02.infinera.com: [10.210.34.22] TTL 3600 (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 49 (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30118] (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30118] (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_process_result] (0x2000): Trace: sh[0x9cadd0], connected[1], ops[(nil)], ldap[0x990c40] (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_sig_handler] (0x1000): Waiting for child [30118]. (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_sig_handler] (0x0100): child [30118] finished successfully. (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_INFINERA.COM], expired on [1495563696] (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1495528596 (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: GENTOO-LABBB$ (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_cli_connect_recv] (0x0400): Connection established. (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2067 (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'se-dc02.infinera.com' as 'working' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'se-dc02.infinera.com' as 'working' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'se-dc02.infinera.com' as 'working' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x9cadd0], connected[1], ops[(nil)], ldap[0x990c40], destructor_lock[0], release_memory[0] (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback. (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [dp_req_done] (0x0400): DP Request [Online Check #83]: Request handler finished [0]: Success (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [_dp_req_recv] (0x0400): DP Request [Online Check #83]: Receiving request data. (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [dp_req_destructor] (0x0400): DP Request [Online Check #83]: Request removed. (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_check_online_done] (0x0400): Error during online check [0]: Success (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_reset_services] (0x1000): Resetting all servers in all services (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'se-dc02.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'se-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'se-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'se-dc01.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'se-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'se-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'sv-dc02.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'sv-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'sv-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'sv-dc01.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'sv-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'sv-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'se-dc02.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'se-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'se-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'se-dc01.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'se-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'se-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'sv-dc02.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'sv-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'sv-dc02.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100): Marking server 'sv-dc01.infinera.com' as 'name not resolved' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'sv-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'sv-dc01.infinera.com' as 'neutral' (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [reactivate_subdoms] (0x1000): Resetting all subdomains (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sss_domain_get_state] (0x1000): Domain infinera.com is Active (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_disable] (0x0400): Task [Check if online (periodic)]: disabling task (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks. (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_online_cb] (0x0400): Back end is online (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_enable] (0x0400): Task [Subdomains Refresh]: enabling task (Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_schedule] (0x0400): Task [Subdomains Refresh]: scheduling task 0 seconds from now [1495527696] but krb5_child log just repeats: (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [renew_tgt_child] (0x1000): Renewing a ticket (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638731: Retrieving jo...@infinera.com -> krbtgt/infinera....@infinera.com from FILE:/tmp/krb5cc_1001 with result: 0/Success (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638747: Get cred via TGT krbtgt/infinera....@infinera.com after requesting krbtgt/infinera....@infinera.com (canonicalize off) (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638788: Generated subkey for TGS request: aes256-cts/3F94 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638841: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638944: Encoding request body and padata into FAST request (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639036: Sending request (1901 bytes) to INFINERA.COM (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639179: Resolving hostname se-dc01.infinera.com (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639483: Initiating TCP connection to stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639888: Sending TCP request to stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640356: Received answer (123 bytes) from stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640375: Terminating TCP connection to stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640416: Response was not from master KDC (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640436: Got cred; -1765328352/Ticket expired (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [map_krb5_error] (0x0020): 1643: [-1765328352][Ticket expired] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [k5c_send_data] (0x0200): Received error code 1432158229 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [pack_response_packet] (0x2000): response packet size: [4] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [k5c_send_data] (0x4000): Response sent. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [main] (0x0400): krb5_child completed successfully (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x0400): krb5_child started. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [unpack_buffer] (0x1000): total buffer size: [154] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [unpack_buffer] (0x0100): cmd [248] uid [1001] gid [100] validate [true] enterprise principal [false] offline [false] UPN [jo...@infinera.com] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1001] old_ccname: [FILE:/tmp/krb5cc_1001] keytab: [/etc/krb5.keytab] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [check_use_fast] (0x0100): Not using FAST. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [switch_creds] (0x0200): Switch user to [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1001] and is active and TGT is valid. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [become_user] (0x0200): Trying to become user [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x2000): Running as [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_setup] (0x2000): Running as [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [set_lifetime_options] (0x0100): Lifetime is set to [24h] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x0400): Will perform ticket renewal (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [renew_tgt_child] (0x1000): Renewing a ticket (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.647807: Retrieving jo...@infinera.com -> krbtgt/infinera....@infinera.com from FILE:/tmp/krb5cc_1001 with result: 0/Success (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.647819: Get cred via TGT krbtgt/infinera....@infinera.com after requesting krbtgt/infinera....@infinera.com (canonicalize off) (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.647845: Generated subkey for TGS request: aes256-cts/37F1 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.647884: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.647941: Encoding request body and padata into FAST request (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.647990: Sending request (1901 bytes) to INFINERA.COM (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.648096: Resolving hostname se-dc01.infinera.com (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.648529: Initiating TCP connection to stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.648973: Sending TCP request to stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.649464: Received answer (123 bytes) from stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.649480: Terminating TCP connection to stream 10.210.34.21:88 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.649516: Response was not from master KDC (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000): [30165] 1495527829.649532: Got cred; -1765328352/Ticket expired (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [map_krb5_error] (0x0020): 1643: [-1765328352][Ticket expired] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_send_data] (0x0200): Received error code 1432158229 (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [pack_response_packet] (0x2000): response packet size: [4] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_send_data] (0x4000): Response sent. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x0400): krb5_child completed successfully (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [main] (0x0400): krb5_child started. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [unpack_buffer] (0x1000): total buffer size: [154] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [unpack_buffer] (0x0100): cmd [248] uid [1001] gid [100] validate [true] enterprise principal [false] offline [false] UPN [jo...@infinera.com] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1001] old_ccname: [FILE:/tmp/krb5cc_1001] keytab: [/etc/krb5.keytab] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [check_use_fast] (0x0100): Not using FAST. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [switch_creds] (0x0200): Switch user to [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1001] and is active and TGT is valid. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [become_user] (0x0200): Trying to become user [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [main] (0x2000): Running as [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [k5c_setup] (0x2000): Running as [1001][100]. (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [set_lifetime_options] (0x0100): Lifetime is set to [24h] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [main] (0x0400): Will perform ticket renewal The network is just fine. Jocke _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
