On Mon, Apr 01, 2019 at 07:04:01AM -0000, Peter de Groot wrote:
>
> Thank you so much for the reply.. Apologies.. I have not found the option to
> email me replies ;-( So was lax in getting back to you
>
> Some interesting stuff... The kinit -C -E gave me a password error. but the
> kinit clean did not..
>
> 2 loads of debug.. and the /etc/krb5.conf
> First for the account that is causing the problem, and for interest's sake..
> one that does not.
>
> Thought bubbles.
>
> e4182s01sv023 is an Ubuntu box on our network... but is certainly not an AD
> controller.. Is a vanilla machine with a gui running docker for our Xibo
> server .. Not sure what the config is.
>
> our on-site domain controller is a RODC (read only domain controller) Is
> the (e4182s01sv001 10.251.17.2 ). The other addresses point "upstream"..and
> are commented out...
>
> --------------------------- Not working account ------------------------
>
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit [email protected]
> [5186] 1554101337.247277: Getting initial credentials for [email protected]
> [5186] 1554101337.247279: Sending unauthenticated request
> [5186] 1554101337.247280: Sending request (198 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101337.247281: Sending initial UDP request to dgram 10.251.17.2:88
> [5186] 1554101337.247282: Received answer (227 bytes) from dgram 10.251.17.2:88
> [5186] 1554101337.247283: Response was from master KDC
> [5186] 1554101337.247284: Received error from KDC: -1765328359/Additional pre-authentication required
> [5186] 1554101337.247287: Preauthenticating using KDC method data
> [5186] 1554101337.247288: Processing preauth types: 16, 15, 19, 2
> [5186] 1554101337.247289: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""

^^^

> Password for [email protected]:
> [5186] 1554101341.706478: AS key obtained for encrypted timestamp: aes256-cts/8217
> [5186] 1554101341.706480: Encrypted timestamp (for 1554101348.551637): plain 301AA011180F32303139303430313036343930385AA1050203086AD5, encrypted 37E0EBC0CA374D8B79089A73622CE2A033D1477A5898474FF1F510DB28BCF562382501BF7FC58FA96EB309288C0CCCC186FF225CC3A1C302
> [5186] 1554101341.706481: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5186] 1554101341.706482: Produced preauth for next request: 2
> [5186] 1554101341.706483: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101341.706484: Sending initial UDP request to dgram 10.251.17.2:88
> [5186] 1554101341.706485: Received answer (118 bytes) from dgram 10.251.17.2:88
> [5186] 1554101341.706486: Response was from master KDC
> [5186] 1554101341.706487: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [5186] 1554101341.706488: Request or response is too big for UDP; retrying with TCP
> [5186] 1554101341.706489: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
> [5186] 1554101341.706490: Initiating TCP connection to stream 10.251.17.2:88
> [5186] 1554101341.706491: Sending TCP request to stream 10.251.17.2:88
> [5186] 1554101341.706492: Received answer (2057 bytes) from stream 10.251.17.2:88
> [5186] 1554101341.706493: Terminating TCP connection to stream 10.251.17.2:88
> [5186] 1554101341.706494: Response was from master KDC
> [5186] 1554101341.706495: Processing preauth types: 19
> [5186] 1554101341.706496: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> [5186] 1554101341.706497: Produced preauth for next request: (empty)
> [5186] 1554101341.706498: AS key determined by preauth: aes256-cts/8217
> [5186] 1554101341.706499: Decrypted AS reply; session key is: aes256-cts/31CF
> [5186] 1554101341.706500: FAST negotiation: unavailable
> [5186] 1554101341.706501: Initializing FILE:/tmp/krb5cc_0 with default princ [email protected]
> [5186] 1554101341.706502: Storing [email protected] -> krbtgt/[email protected] in FILE:/tmp/krb5cc_0
> [5186] 1554101341.706503: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/[email protected]: pa_type: 2
> [5186] 1554101341.706504: Storing [email protected] -> krb5_ccache_conf_data/pa_type/krbtgt\/ORANGE.SCHOOLS.INTERNAL\@ORANGE.SCHOOLS.INTERNAL@X-CACHECONF: in FILE:/tmp/krb5cc_0
>
> ----------------------------------------------------------------------------------------------------------------
>
>
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E [email protected]
> [5188] 1554101419.357336: Getting initial credentials for E2052982\@[email protected]
> [5188] 1554101419.357338: Sending unauthenticated request
> [5188] 1554101419.357339: Sending request (222 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101419.357340: Sending initial UDP request to dgram 10.251.17.2:88
> [5188] 1554101419.357341: Received answer (257 bytes) from dgram 10.251.17.2:88
> [5188] 1554101419.357342: Response was from master KDC
> [5188] 1554101419.357343: Received error from KDC: -1765328359/Additional pre-authentication required
> [5188] 1554101419.357346: Preauthenticating using KDC method data
> [5188] 1554101419.357347: Processing preauth types: 16, 15, 19, 2
> [5188] 1554101419.357348: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""

In theory the salt values here and above should be the same. Can you send
the complete LDAP object of your AD user and the one for the host
e4182s01sv023.orange.schools.internal if it exists?

bye,
Sumit

> Password for E2052982\@[email protected]:
> [5188] 1554101423.561284: AS key obtained for encrypted timestamp: aes256-cts/3D4E
> [5188] 1554101423.561286: Encrypted timestamp (for 1554101430.919162): plain 301AA011180F32303139303430313036353033305AA10502030E067A, encrypted D94687570DB208752390A6133A228CCA354D65B19CDE89148F73AA37699598B25D33F3D3C319DDDE77AFA0D889B903887A7963E9F90F48A7
> [5188] 1554101423.561287: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5188] 1554101423.561288: Produced preauth for next request: 2
> [5188] 1554101423.561289: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101423.561290: Sending initial UDP request to dgram 10.251.17.2:88
> [5188] 1554101423.561291: Received answer (221 bytes) from dgram 10.251.17.2:88
> [5188] 1554101423.561292: Response was from master KDC
> [5188] 1554101423.561293: Received error from KDC: -1765328360/Preauthentication failed
> [5188] 1554101423.561296: Preauthenticating using KDC method data
> [5188] 1554101423.561297: Processing preauth types: 19
> [5188] 1554101423.561298: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> kinit: Password incorrect while getting initial credential
>
> ----------------------------------------------------- Working account ---------------------------------------
>
>
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit [email protected]
> [5189] 1554101493.100226: Getting initial credentials for [email protected]
> [5189] 1554101493.100228: Sending unauthenticated request
> [5189] 1554101493.100229: Sending request (198 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5189] 1554101493.100230: Sending initial UDP request to dgram 10.251.17.2:88
> [5189] 1554101493.100231: Received answer (227 bytes) from dgram 10.251.17.2:88
> [5189] 1554101493.100232: Response was from master KDC
> [5189] 1554101493.100233: Received error from KDC: -1765328359/Additional pre-authentication required
> [5189] 1554101493.100236: Preauthenticating using KDC method data
> [5189] 1554101493.100237: Processing preauth types: 16, 15, 19, 2
> [5189] 1554101493.100238: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> Password for [email protected]:
> [5189] 1554101496.919879: AS key obtained for encrypted timestamp: aes256-cts/D46A
> [5189] 1554101496.919881: Encrypted timestamp (for 1554101504.268445): plain 301AA011180F32303139303430313036353134345AA105020304189D, encrypted 26FF52413B27417C80958CA9278046140009E6D41B704107A83A6FC9D84B1C27DD39B99526D54DC3E9D8F4831231C352CB25272DC675CF4A
> [5189] 1554101496.919882: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5189] 1554101496.919883: Produced preauth for next request: 2
> [5189] 1554101496.919884: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5189] 1554101496.919885: Sending initial UDP request to dgram 10.251.17.2:88
> [5189] 1554101496.919886: Received answer (118 bytes) from dgram 10.251.17.2:88
> [5189] 1554101496.919887: Response was from master KDC
> [5189] 1554101496.919888: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [5189] 1554101496.919889: Request or response is too big for UDP; retrying with TCP
> [5189] 1554101496.919890: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
> [5189] 1554101496.919891: Initiating TCP connection to stream 10.251.17.2:88
> [5189] 1554101496.919892: Sending TCP request to stream 10.251.17.2:88
> [5189] 1554101496.919893: Received answer (2033 bytes) from stream 10.251.17.2:88
> [5189] 1554101496.919894: Terminating TCP connection to stream 10.251.17.2:88
> [5189] 1554101496.919895: Response was from master KDC
> [5189] 1554101496.919896: Processing preauth types: 19
> [5189] 1554101496.919897: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> [5189] 1554101496.919898: Produced preauth for next request: (empty)
> [5189] 1554101496.919899: AS key determined by preauth: aes256-cts/D46A
> [5189] 1554101496.919900: Decrypted AS reply; session key is: aes256-cts/9927
> [5189] 1554101496.919901: FAST negotiation: unavailable
> [5189] 1554101496.919902: Initializing FILE:/tmp/krb5cc_0 with default princ [email protected]
> [5189] 1554101496.919903: Storing [email protected] -> krbtgt/[email protected] in FILE:/tmp/krb5cc_0
> [5189] 1554101496.919904: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/[email protected]: pa_type: 2
> [5189] 1554101496.919905: Storing [email protected] -> krb5_ccache_conf_data/pa_type/krbtgt\/ORANGE.SCHOOLS.INTERNAL\@ORANGE.SCHOOLS.INTERNAL@X-CACHECONF: in FILE:/tmp/krb5cc_0
>
> -----------------------------------------------------------------------------------------------------------
>
>
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E [email protected]
> [5190] 1554101561.515120: Getting initial credentials for Ev005629\@[email protected]
> [5190] 1554101561.515122: Sending unauthenticated request
> [5190] 1554101561.515123: Sending request (222 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5190] 1554101561.515124: Sending initial UDP request to dgram 10.251.17.2:88
> [5190] 1554101561.515125: Received answer (227 bytes) from dgram 10.251.17.2:88
> [5190] 1554101561.515126: Response was from master KDC
> [5190] 1554101561.515127: Received error from KDC: -1765328359/Additional pre-authentication required
> [5190] 1554101561.515130: Preauthenticating using KDC method data
> [5190] 1554101561.515131: Processing preauth types: 16, 15, 19, 2
> [5190] 1554101561.515132: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> Password for Ev005629\@[email protected]:
> [5190] 1554101566.134163: AS key obtained for encrypted timestamp: aes256-cts/D46A
> [5190] 1554101566.134165: Encrypted timestamp (for 1554101573.492495): plain 301AA011180F32303139303430313036353235335AA10502030783CF, encrypted ED85BD609D059F6741BBBCD4505B8CEDAE8A3A0EF7A98987F82C3B93414A61072A11A482370A805BE1D3490EE9CA3E81DD7B10A36E1FAA6B
> [5190] 1554101566.134166: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5190] 1554101566.134167: Produced preauth for next request: 2
> [5190] 1554101566.134168: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5190] 1554101566.134169: Sending initial UDP request to dgram 10.251.17.2:88
> [5190] 1554101566.134170: Received answer (118 bytes) from dgram 10.251.17.2:88
> [5190] 1554101566.134171: Response was from master KDC
> [5190] 1554101566.134172: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [5190] 1554101566.134173: Request or response is too big for UDP; retrying with TCP
> [5190] 1554101566.134174: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
> [5190] 1554101566.134175: Initiating TCP connection to stream 10.251.17.2:88
> [5190] 1554101566.134176: Sending TCP request to stream 10.251.17.2:88
> [5190] 1554101566.134177: Received answer (2049 bytes) from stream 10.251.17.2:88
> [5190] 1554101566.134178: Terminating TCP connection to stream 10.251.17.2:88
> [5190] 1554101566.134179: Response was from master KDC
> [5190] 1554101566.134180: Processing preauth types: 19
> [5190] 1554101566.134181: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> [5190] 1554101566.134182: Produced preauth for next request: (empty)
> [5190] 1554101566.134183: AS key determined by preauth: aes256-cts/D46A
> [5190] 1554101566.134184: Decrypted AS reply; session key is: aes256-cts/A383
> [5190] 1554101566.134185: FAST negotiation: unavailable
> [5190] 1554101566.134186: Initializing FILE:/tmp/krb5cc_0 with default princ [email protected]
> [5190] 1554101566.134187: Storing [email protected] -> krbtgt/[email protected] in FILE:/tmp/krb5cc_0
> [5190] 1554101566.134188: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/[email protected]: pa_type: 2
> [5190] 1554101566.134189: Storing [email protected] -> krb5_ccache_conf_data/pa_type/krbtgt\/ORANGE.SCHOOLS.INTERNAL\@ORANGE.SCHOOLS.INTERNAL@X-CACHECONF: in FILE:/tmp/krb5cc_0
>
> ------------------------------------ krb5.conf ---------------------------------
> cat /etc/krb5.conf
> [libdefaults]
> default_realm = ORANGE.SCHOOLS.INTERNAL
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
> # default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> # default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns=false
>
> [domain_realm]
> .orange.schools.internal = ORANGE.SCHOOLS.INTERNAL
> orange.schools.internal = ORANGE.SCHOOLS.INTERNAL
>
> #[realms]
> # SCHOOLS.INTERNAL = {
> # kdc = E7359SVINT730.schools.internal
> # kdc = E7359SVINT731.schools.internal
> # kdc = E7359SVINT732.schools.internal
> #}
>
>
> ORANGE.SCHOOLS.INTERNAL = {
> # kdc = E7359SVINT743.orange.schools.internal:88
> kdc = E4182s01sv001.orange.schools.internal:88
> admin_server = E4182s01sv001.orange.schools.internal
> default_domain = orange.schools.internal
> }
>
>
> [logging]
> kdc = FILE:/var/log/krb5kdc/kdc.log
> admin_server = FILE:/var/log/krb5kdc/kadmin.log
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
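The diagnostic Sumit applies above is a salt comparison: the KDC tells the client which salt to feed into string-to-key, and if the enterprise-name request (kinit -E) gets a different salt than the plain request for the same account, the client derives a different AES key from the same password and preauthentication fails with "Password incorrect" even though the password is right. The script below is an added example for this thread, not code from SSSD or from either poster. It parses KRB5_TRACE output, records the salt each kinit run was given, and flags runs whose salt does not fit a user logon. The sample trace is a constructed condensation of the four runs quoted above, with placeholder UPN suffixes (`upn.example`) in place of the redacted ones; the user/computer salt conventions it checks against (REALM + sAMAccountName for users, REALM + "host" + lowercase FQDN for computer accounts) are an assumption taken from AD's documented behaviour, not from the thread.

```python
"""Added example: check the KDC-supplied salts in KRB5_TRACE output.
Not from the thread; see the lead-in for the assumptions it makes."""
import re
import sys

# Constructed excerpt condensed from the traces quoted in the thread.
# The UPN suffixes after the escaped '\@' are placeholders, not the real ones.
SAMPLE_TRACE = r"""
[5186] 1554101337.247277: Getting initial credentials for peter.de.groot@ORANGE.SCHOOLS.INTERNAL
[5186] 1554101337.247284: Received error from KDC: -1765328359/Additional pre-authentication required
[5186] 1554101337.247289: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
[5186] 1554101341.706499: Decrypted AS reply; session key is: aes256-cts/31CF
[5188] 1554101419.357336: Getting initial credentials for E2052982\@upn.example@ORANGE.SCHOOLS.INTERNAL
[5188] 1554101419.357348: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
[5188] 1554101423.561293: Received error from KDC: -1765328360/Preauthentication failed
[5189] 1554101493.100226: Getting initial credentials for tfx.solutions2@ORANGE.SCHOOLS.INTERNAL
[5189] 1554101493.100238: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
[5189] 1554101496.919900: Decrypted AS reply; session key is: aes256-cts/9927
[5190] 1554101561.515120: Getting initial credentials for Ev005629\@upn.example@ORANGE.SCHOOLS.INTERNAL
[5190] 1554101561.515132: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
[5190] 1554101566.134184: Decrypted AS reply; session key is: aes256-cts/A383
"""

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] [\d.]+: (?P<msg>.*)$")
PRINC_RE = re.compile(r"^Getting initial credentials for (?P<princ>\S+)$")
SALT_RE = re.compile(r'^Selected etype info: etype (?P<etype>[\w-]+), salt "(?P<salt>[^"]*)"')
ERR_RE = re.compile(r"^Received error from KDC: -?\d+/(?P<text>.*)$")
# KDC "errors" that are a normal part of an AS exchange, not failures.
BENIGN_ERRORS = {"Additional pre-authentication required",
                 "Response too big for UDP, retry with TCP"}


def split_principal(princ):
    """Split 'name@REALM' at the last unescaped '@'. An enterprise name from
    kinit -E carries an escaped '\\@' that stays inside the name part."""
    for i in range(len(princ) - 1, -1, -1):
        if princ[i] == "@" and (i == 0 or princ[i - 1] != "\\"):
            return princ[:i], princ[i + 1:]
    return princ, ""


def parse_trace(text):
    """Group trace lines by kinit PID and return one record per run."""
    runs, order = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        pm = PRINC_RE.match(msg)
        if pm:
            name, realm = split_principal(pm.group("princ"))
            runs[pid] = {"pid": pid, "principal": pm.group("princ"), "name": name,
                         "realm": realm, "enterprise": "\\@" in name,
                         "etype": None, "salt": None, "errors": [], "success": False}
            order.append(pid)
            continue
        run = runs.get(pid)
        if run is None:
            continue
        sm = SALT_RE.match(msg)
        if sm:
            run["etype"], run["salt"] = sm.group("etype"), sm.group("salt")
        em = ERR_RE.match(msg)
        if em and em.group("text") not in BENIGN_ERRORS:
            run["errors"].append(em.group("text"))
        if msg.startswith("Decrypted AS reply"):
            run["success"] = True
    return [runs[p] for p in order]


def classify_salt(run):
    """Assumption (AD convention): user accounts are salted with
    REALM + sAMAccountName, computer accounts with REALM + 'host' + lowercase FQDN."""
    realm, salt, name = run["realm"], run["salt"], run["name"]
    if salt is None:
        return "no-salt"
    if not salt.startswith(realm):
        return "foreign-realm"
    rest = salt[len(realm):]
    if not run["enterprise"] and rest == name:
        return "user-default"
    if rest.startswith("host") and "." in rest:
        return "computer-style"
    return "user-other"


def find_salt_problems(runs):
    """Return (pid, principal, salt, reasons) for runs whose salt is suspect.
    Sumit's check from the thread: an enterprise-name run should be given the
    same salt as the plain-name run for the same account."""
    plain_salts = {r["salt"] for r in runs if not r["enterprise"] and r["salt"]}
    problems = []
    for r in runs:
        reasons = []
        kind = classify_salt(r)
        if kind == "computer-style":
            reasons.append("salt has computer-account form; the name may resolve to a host object")
        elif kind == "foreign-realm":
            reasons.append("salt realm differs from request realm")
        if r["enterprise"] and r["salt"] not in plain_salts:
            reasons.append("no plain-name run in this trace used the same salt")
        if reasons:
            problems.append((r["pid"], r["principal"], r["salt"], reasons))
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    runs = parse_trace(text)
    for r in runs:
        status = "OK" if r["success"] else "FAILED " + "; ".join(r["errors"])
        print(f"[{r['pid']}] {r['principal']}: salt={r['salt']!r} {status}")
    for pid, princ, salt, reasons in find_salt_problems(runs):
        print(f"  suspect [{pid}] {princ}: {salt!r}\n    - " + "\n    - ".join(reasons))
```

Run it with no arguments to see the constructed sample, or pass a file captured with `env KRB5_TRACE=/path/to/trace kinit ...` (the file name is yours to choose). It needs no password and never contacts the KDC; it only reads the trace. On the sample, run 5188 is the one flagged: its salt has the computer-account shape for e4182s01sv023 rather than the user salt seen in run 5186, which is exactly why Sumit asks for the LDAP objects of both the user and that host.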
