> On 22 Nov 2022, at 17:43, Sumit Bose <[email protected]> wrote:
>
>> On Tue, Nov 22, 2022 at 03:29:18PM +0100, Francis Augusto Medeiros-Logeay wrote:
>>
>>> On 22 Nov 2022, at 15:22, Sumit Bose <[email protected]> wrote:
>>>
>>> On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto Medeiros-Logeay wrote:
>>>> Hi,
>>>>
>>>> After the latest updates coming from Red Hat on RHEL 8.7, we can't
>>>> authenticate on AD. The logs show this:
>>>>
>>>> Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth): received for user ec-franciaa: 4 (System error)
>>>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for ec-franciaa from ::1 port 51406 ssh2
>>>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
>>>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
>>>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
>>>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
>>>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
>>>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
>>>> Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by authenticating user francis ::1 port 51406 [preauth]
>>>>
>>>> I've deleted the computer account and rejoined the machine to the domain. I
>>>> can check users' existence using id, so it seems the machine is well joined,
>>>> but somehow authentication doesn't work.
>>>>
>>>> [domain/DOMAIN.NO]
>>>> id_provider = ad
>>>> auth_provider = ad
>>>> autofs_provider = ad
>>>> chpass_provider = ad
>>>> access_provider = ad
>>>> ldap_id_mapping = false
>>>> ldap_user_principal = nosuchattribute
>>>
>>> Hi,
>>>
>>> there is a fair chance that the line above will make the PAC validation
>>> fail, which was added in the latest version. Do you really need this
>>> option? If not, please remove it and try again. If it is really needed,
>>> adding
>>>
>>> krb5_validate = false
>>>
>>> to the [domain/...] section of sssd.conf and restarting SSSD might help
>>> until a better fix is available. The issue is tracked in
>>> https://bugzilla.redhat.com/show_bug.cgi?id=2144491.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>
>> Thanks a lot, Sumit!
>>
>> Removing `ldap_user_principal = nosuchattribute` didn't work, but adding the
>> `krb5_validate = false` did.
>
> Hi,
>
> would it be possible to send me debug logs with 'debug_level = 9' in the
> [domain/...] and [pac] sections of sssd.conf where neither
> ldap_user_principal nor 'krb5_validate = false' is set?
Thanks a lot, Sumit. Sending you the log below. But, truth be told, we don't have a [pac] section configured, so I created one just for the debug_level.

(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_reply_std] (0x1000): [RID#6] DP Request [Initgroups #6]: Returning [Success]: 0,0,Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.pamHandler on /sssd
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.pam]
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): domain: DOMAIN.NO
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): user: [email protected]
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): service: sshd
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): tty: ssh
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): ruser:
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): rhost: ::1
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): priv: 1
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): cli_pid: 13919
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): child_pid: 0
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): logon name: not set
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): flags: 0
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_attach_req] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_attach_req] (0x0400): [RID#7] Number of active DP request: 1
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sss_domain_get_state] (0x1000): [RID#7] Domain DOMAIN.NO is Active
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_queue_send] (0x1000): [RID#7] Wait queue of user [[email protected]] is empty, running request [0x5649c3a4b960] immediately.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_setup] (0x4000): [RID#7] No mapping for: [email protected]
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_send] (0x0040): [RID#7] compare_principal_realm failed.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [check_wait_queue] (0x1000): [RID#7] Wait queue for user [[email protected]] is empty.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_queue_done] (0x0040): [RID#7] krb5_auth_recv failed with: 22
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_done] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: Request handler finished [0]: Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_done] (0x20000): [RID#7] DP Request [PAM Authenticate #7]: Handling request took [0.101] milliseconds.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [_dp_req_recv] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: Receiving request data.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_destructor] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: Request removed.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_destructor] (0x0400): [RID#7] Number of active DP request: 0
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_method_enabled] (0x0400): [RID#7] Target selinux is not configured
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.

>> Is there an upcoming fix coming for this, by any chance?
>
> Yes, please watch the bugzilla ticket.

Will do so. Thanks!

Francis
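An added helper, not part of the thread and not SSSD's own code: it flags the combination discussed above in an sssd.conf (`ldap_user_principal` set without the `krb5_validate = false` workaround, and the workaround itself so it is not forgotten once the bugzilla fix ships), and groups the 0x0040-level krb5 auth failures from a `debug_level = 9` domain log by request id. The sample config and log lines are constructed from the values quoted in the thread; the user principal is a placeholder, and treating the AD provider's default for `krb5_validate` as true is an assumption.

```python
import configparser
import re

BUG_URL = "https://bugzilla.redhat.com/show_bug.cgi?id=2144491"

# Constructed sample: the reporter's [domain/...] section, trimmed to the
# options that matter here (not the poster's full file).
SAMPLE_CONF = """\
[domain/DOMAIN.NO]
id_provider = ad
auth_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute
"""

# Constructed from the debug log in the thread; user principal is a placeholder.
SAMPLE_LOG = [
    "(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_setup] (0x4000): [RID#7] No mapping for: user@DOMAIN.NO",
    "(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_send] (0x0040): [RID#7] compare_principal_realm failed.",
    "(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_queue_done] (0x0040): [RID#7] krb5_auth_recv failed with: 22",
]

def audit_sssd_conf(text):
    """Return (section, option, note) findings for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        principal = cp.get(section, "ldap_user_principal", fallback=None)
        # Assumption: AD provider validates by default when the option is absent.
        validate = cp.get(section, "krb5_validate", fallback="true").strip().lower()
        if principal is not None and validate != "false":
            findings.append((section, "ldap_user_principal",
                             "set to %r; can make PAC validation fail on recent SSSD, see %s" % (principal, BUG_URL)))
        if validate == "false":
            findings.append((section, "krb5_validate",
                             "TGT/PAC validation disabled (interim workaround); re-enable once the fix ships"))
    return findings

# Only the 0x0040-level entries from the krb5 auth path; the RID ties them to one PAM request.
AUTH_FAIL = re.compile(r"\[(krb5_auth_send|krb5_auth_queue_done)\] \(0x0040\): \[(RID#\d+)\] (.*)")

def triage_sssd_log(lines):
    """Group krb5 auth failure messages by request id, e.g. {'RID#7': [...]}."""
    by_rid = {}
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            by_rid.setdefault(m.group(2), []).append(m.group(3).strip())
    return by_rid
```

Run `audit_sssd_conf` against the live file before and after applying the workaround; the second finding is the reminder to revert it.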
