On Mon, Feb 11, 2019 at 03:51:07PM +0000, D via FreeIPA-users wrote:
Hello,
Would anyone mind helping me troubleshoot a problem?
1. Running a two-way trust between AD2016 and ipa-server 4.5.4-10.el7.
2. Unable to log into an IPA client with an AD account via ssh. The client has no
trouble with “kinit $ad_user” and “getent passwd $ad_user”.
3. The AD user appears to properly exist in the correct groups for IPA/ad
internal/external mapping as described in the docs.
I think the problem occurs here, with the PAC fetch:
==> /var/log/sssd/sssd_pac.log <==
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(objectSIDString=<MY SID HERE>))] returned more than one object.
SIDs should be unique and it looks that currently in SSSD's cache are
more than one object with the given SID. You can check the results
yourself by calling:
ldbsearch -H /var/lib/sss/db/cache_DOMAIN.NAME.ldb '(&(|(objectCategory=user)(objectCategory=group))(objectSIDString=<MY SID HERE>))'
(ldbsearch is in the ldb-tools package). Maybe this already explains
what has happened but feel free to send the (sanitized) output.
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [cache_req_search_cache] (0x0020): CR #5: Unable to lookup [<MY SID>@ad.domain.com] in cache [22]: Invalid argument
==> /var/log/sssd/krb5_child.log-20190210 <==
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][22].
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [<my username>@AD.DOMAIN.COM] might not be correct.
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [create_ccache] (0x0020): 973: [-1750600185][Invalid UID in persistent keyring name]
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [map_krb5_error] (0x0020): 1657: [-1750600185][Invalid UID in persistent keyring name]
That's odd. At the start of the log messages for 'krb5_child[26961]'
there should be a line like:
[unpack_buffer] (0x0100): ccname: [KEYRING:persistent:.....
Can you send the full line with the complete name of the ccache?
bye,
Sumit
==> /var/log/sssd/sssd_ipa.domain.com.log <==
(Mon Feb 11 05:24:36 2019) [sssd[be[ipa.domain.com]]] [child_sig_handler] (0x0100): child [26961] finished successfully.
(Mon Feb 11 05:24:36 2019) [sssd[be[ipa.domain.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
Addtl. Details:
# ipa service-show ldap/prod-ipa01.ipa.domain.com@IPA.DOMAIN.COM | grep PAC
PAC type: MS-PAC
Thanks,
D
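Sumit's ldbsearch check, as an added helper that is not part of this thread or of SSSD: it parses the LDIF-style output of ldbsearch over the sysdb cache and reports every objectSIDString attached to more than one user or group object, which is exactly what makes sysdb_search_object_attr fail with "returned more than one object". The sample dump, the names and the SIDs are constructed placeholders; in practice pipe the real ldbsearch output into duplicate_sids().

```python
# Hypothetical helper for this thread (not part of SSSD): report SIDs that
# occur on more than one user/group object in an ldbsearch dump of the cache.
from collections import defaultdict

def parse_ldif_records(text):
    """One dict (attribute -> values) per record; joins LDIF continuation
    lines (leading space) and skips '#' comment lines."""
    records, cur, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                     # blank line ends a record
            if cur:
                records.append(cur)
            cur, prev = {}, None
        elif raw.startswith(" ") and prev:      # wrapped value continues
            cur[prev][-1] += raw[1:]
        else:
            key, _, value = raw.partition(":")
            cur.setdefault(key, []).append(value.strip())
            prev = key
    if cur:
        records.append(cur)
    return records

def duplicate_sids(text):
    """{sid: [dn, ...]} for SIDs on more than one user/group object."""
    by_sid = defaultdict(list)
    for rec in parse_ldif_records(text):
        if set(rec.get("objectCategory", [])) & {"user", "group"}:
            for sid in rec.get("objectSIDString", []):
                by_sid[sid].extend(rec.get("dn", ["<no dn>"]))
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}

# Constructed sample: a user and a stale group entry share one SID, the
# condition behind the "returned more than one object" message above.
SAMPLE = """\
dn: name=alice@ad.domain.com,cn=users,cn=ad.domain.com,cn=sysdb
objectCategory: user
objectSIDString: S-1-5-21-1111111111-2222222222-3333333333-1104

dn: name=alice@ad.domain.com,cn=groups,cn=ad.domain.com,cn=sysdb
objectCategory: group
objectSIDString: S-1-5-21-1111111111-2222222222-
 3333333333-1104

dn: name=bob@ad.domain.com,cn=users,cn=ad.domain.com,cn=sysdb
objectCategory: user
objectSIDString: S-1-5-21-1111111111-2222222222-3333333333-1105
"""
```

An empty result means every SID in the dump is unique and the PAC failure has to be looked for elsewhere (for example in the ccache name Sumit asks about).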
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org