On 23 Nov 2022, at 07:19, Sumit Bose <sbose@redhat.com> wrote:

Am Tue, Nov 22, 2022 at 08:10:26PM +0100 schrieb Francis Augusto Medeiros-Logeay:

...

Hi,

would it be possible to send me debug logs with 'debug_level = 9' in the
[domain/...] and [pac] sections of sssd.conf where neither
ldap_user_principal nor 'krb5_validate = false' is set?

Thanks a lot, Sumit.
Sending you the log below. But, truth be told, we don’t have a [pac] session configured, so I created one just for the debug_level.

(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_reply_std] (0x1000): [RID#6] DP Request [Initgroups #6]: Returning [Success]: 0,0,Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.pamHandler on /sssd
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.pam]
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): domain: DOMAIN.NO
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): user: francis@domain.no
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): service: sshd
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): tty: ssh
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): ruser: 
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): rhost: ::1
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): priv: 1
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): cli_pid: 13919
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): child_pid: 0
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): logon name: not set
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [pam_print_data] (0x0100): flags: 0
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_attach_req] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_attach_req] (0x0400): [RID#7] Number of active DP request: 1
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sss_domain_get_state] (0x1000): [RID#7] Domain DOMAIN.NO is Active
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_queue_send] (0x1000): [RID#7] Wait queue of user [francis@domain.no] is empty, running request [0x5649c3a4b960] immediately.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_setup] (0x4000): [RID#7] No mapping for: francis@domain.no
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_send] (0x0040): [RID#7] compare_principal_realm failed.

Hi,

can you check which value is stored in the 'userPrincipalName' attribute
for the user 'francis@domain.no' on the AD DC?

bye,

Sumit

(2022-11-22 20:03:21): [be[DOMAIN.NO]] [check_wait_queue] (0x1000): [RID#7] Wait queue for user [francis@domain.no] is empty.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [krb5_auth_queue_done] (0x0040): [RID#7] krb5_auth_recv failed with: 22
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_done] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: Request handler finished [0]: Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_done] (0x20000): [RID#7] DP Request [PAM Authenticate #7]: Handling request took [0.101] milliseconds.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [_dp_req_recv] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: Receiving request data.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_destructor] (0x0400): [RID#7] DP Request [PAM Authenticate #7]: Request removed.
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_req_destructor] (0x0400): [RID#7] Number of active DP request: 0
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [dp_method_enabled] (0x0400): [RID#7] Target selinux is not configured
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(2022-11-22 20:03:21): [be[DOMAIN.NO]] [sbus_dispatch] (0x4000): Dispatching.

Is there an upcoming fix coming for this, by any chance?

Yes, please watch the bugzilla ticket.

Will do so. Thanks!

Francis
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue