On Mon, Dec 03, 2018 at 08:00:51AM -0000, Peter de Groot wrote:
>
> Please help.. desperate..
>
> Installed sssd (version 1.16.1) on ubuntu authing against AD.
>
> Problem .. and this appears to be only one user..
>
> 1. Login with the user.. No trouble
> 2. log out and try to login again.
> 3. Before even asking for a password, it comes up with access denied.
>
> The only way I can fix this is to do a sssctl cache-remove. And then I can
> log in again.
> Rinse and repeat. It seems to be a dud entry in the cache ?
>
> After days of trawling the logs... the only thing that seems to leap out is
> this in the krb5 logs. That entry in the salt is e4182s01sv023. The machine
> is called e418201sv025 ??? Where is it getting the 23 from ? We do have a
> host with that name on the network.. but not this one...
>
> (Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407460: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> (Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407479: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> (Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745198: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745213: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""

Do you have entries for e4182s01sv023 in the keytab? You can check with 'klist -k'

HTH

bye,
Sumit

>
> The bottom of the log file
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851023: Received error from KDC: -1765328359/Additional pre-authentication required
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851026: Preauthenticating using KDC method data
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851027: Processing preauth types: 16, 15, 19, 2
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_krb5_responder] (0x4000): Got question [password].
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851029: AS key obtained for encrypted timestamp: aes256-cts/BBF9
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851031: Encrypted timestamp (for 1543822221.598566): plain 301AA011180F32303138313230333037333032315AA1050203092226, encrypted 89607EC763BD323A282F20C7ED58C75EA84F1638692A5CBCBF13BCF6F079891B1E2D140825C5E518334D7B138560D6E8ACA09F77315D131B
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851032: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851033: Produced preauth for next request: 2
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851034: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851035: Sending initial UDP request to dgram 10.251.17.2:88
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851036: Received answer (221 bytes) from dgram 10.251.17.2:88
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851037: Response was from master KDC
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851038: Received error from KDC: -1765328360/Preauthentication failed
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851041: Preauthenticating using KDC method data
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851042: Processing preauth types: 19
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_krb5_get_init_creds_password] (0x0020): 1618: [-1765328360][Preauthentication failed]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [k5c_send_data] (0x0200): Received error code 1432158221
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [k5c_send_data] (0x4000): Response sent.
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [main] (0x0400): krb5_child completed successfully
>
> roo
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
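
An added example, not part of the original message and not SSSD code: it scans krb5_child trace lines like those quoted above and reports every salt that is not the logging-in user's, noting whether a host salt names the local machine. It assumes Active Directory's usual salt layouts (realm + user name for users, realm + "host" + lowercase FQDN for computer accounts); the function names and the sample lines are constructed.

```python
import re

# Matches the libkrb5 trace line that krb5_child logs at debug level 0x4000.
SALT_RE = re.compile(
    r'krb5_child\[(?P<pid>\d+)\].*Selected etype info: etype \S+, '
    r'salt "(?P<salt>[^"]*)"')

def classify_salt(salt, realm):
    """Return (kind, name) for an AD-style salt string (heuristic)."""
    if not salt.startswith(realm):
        return ("unknown", salt)
    rest = salt[len(realm):]
    suffix = "." + realm.lower()
    # Assumed computer-account layout: REALM + "host" + lowercase FQDN.
    if rest.startswith("host") and rest.endswith(suffix):
        return ("host", rest[len("host"):-len(suffix)])
    # Assumed user-account layout: REALM + user name.
    return ("user", rest)

def unexpected_salts(log_text, realm, user, local_host):
    """List (pid, kind, name, is_local_host) for salts other than the user's."""
    found, seen = [], set()
    for line in log_text.splitlines():
        m = SALT_RE.search(line)
        if not m:
            continue
        kind, name = classify_salt(m.group("salt"), realm)
        key = (int(m.group("pid")), kind, name)
        if key in seen or (kind, name) == ("user", user):
            continue
        seen.add(key)  # report each pid/salt pair once
        found.append(key + (kind == "host" and name == local_host,))
    return found

# Constructed sample in the format of the log lines quoted in the message.
SAMPLE = '''\
(Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407460: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
(Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745198: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_krb5_responder] (0x4000): Got question [password].
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
'''

if __name__ == "__main__":
    for hit in unexpected_salts(SAMPLE, "ORANGE.SCHOOLS.INTERNAL",
                                "peter.de.groot", "e418201sv025"):
        print(hit)
```

Host names reported with `False` in the last field are the ones to look for in the `klist -k` output.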
