Hello,
Would anyone mind helping me troubleshoot a problem?
1. Running a two-way trust between AD2016 and ipa-server 4.5.4-10.el7.
2. Unable to log into an IPA client with an AD account via ssh. The client has no trouble
with “kinit $ad_user” and “getent passwd $ad_user”.
3. The AD user appears to properly exist in the correct groups for IPA/ad
internal/external mapping as described in the docs.
I think the problem occurs here, with the PAC fetch:
==> /var/log/sssd/sssd_pac.log <==
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(objectSIDString=< MY SID HERE >))] returned more than one object.
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [cache_req_search_cache] (0x0020): CR #5: Unable to lookup [<MY SID>@ad.domain.com] in cache [22]: Invalid argument
==> /var/log/sssd/krb5_child.log-20190210 <==
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][22].
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [<my username>@AD.DOMAIN.COM] might not be correct.
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [create_ccache] (0x0020): 973: [-1750600185][Invalid UID in persistent keyring name]
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [map_krb5_error] (0x0020): 1657: [-1750600185][Invalid UID in persistent keyring name]
==> /var/log/sssd/sssd_ipa.domain.com.log <==
(Mon Feb 11 05:24:36 2019) [sssd[be[ipa.domain.com]]] [child_sig_handler] (0x0100): child [26961] finished successfully.
(Mon Feb 11 05:24:36 2019) [sssd[be[ipa.domain.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
Addtl. Details:
# ipa service-show ldap/prod-ipa01.ipa.domain.com@IPA.DOMAIN.COM | grep PAC
PAC type: MS-PAC
Thanks,
D
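As an added troubleshooting aid (not part of the original post or of SSSD), the following Python parser reads the SSSD debug-log format quoted above and correlates the PAC responder's "returned more than one object" error with the krb5_child lines that follow it. The sample log text is constructed; the SID, PID and principal in it are placeholders.

```python
import re

# Added example: triage parser for the SSSD debug lines quoted in the post.
# SAMPLE_LOG is constructed; the SID, PID and principal are placeholders.
SAMPLE_LOG = """\
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(objectSIDString=S-1-5-21-1111-2222-3333-1105))] returned more than one object.
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [cache_req_search_cache] (0x0020): CR #5: Unable to lookup [S-1-5-21-1111-2222-3333-1105@ad.domain.com] in cache [22]: Invalid argument
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][22].
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [jdoe@AD.DOMAIN.COM] might not be correct.
(Mon Feb 11 05:24:36 2019) [sssd[be[ipa.domain.com]]] [child_sig_handler] (0x0100): child [26961] finished successfully.
"""

# One SSSD debug line: (timestamp) [process] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SID_RE = re.compile(r"objectSIDString=(S-1-5-[0-9-]+)")
PRINCIPAL_RE = re.compile(r"principal \[([^\]]+)\]")
PID_RE = re.compile(r"krb5_child\[(\d+)\]")


def parse_line(line):
    """Split one debug line into its fields; None if it is not SSSD debug output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_pac_failures(log_text):
    """Correlate the PAC responder's duplicate-object error (a SID matching more
    than one sysdb cache entry) with the krb5_child PAC failures it causes and
    the principals whose group membership SSSD then reports as unreliable."""
    out = {"duplicate_sids": [], "failed_pac_pids": [], "affected_principals": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["func"] == "sysdb_search_object_attr" and "more than one object" in ev["msg"]:
            m = SID_RE.search(ev["msg"])
            out["duplicate_sids"].append(m.group(1) if m else "<SID not in filter>")
        elif ev["func"] == "sss_send_pac" and "sss_pac_make_request failed" in ev["msg"]:
            m = PID_RE.search(ev["proc"])
            out["failed_pac_pids"].append(int(m.group(1)) if m else -1)
        elif ev["func"] == "validate_tgt" and "sss_send_pac failed" in ev["msg"]:
            m = PRINCIPAL_RE.search(ev["msg"])
            if m:
                out["affected_principals"].append(m.group(1))
    return out


if __name__ == "__main__":
    for key, values in triage_pac_failures(SAMPLE_LOG).items():
        print(f"{key}: {values}")
```

A non-empty duplicate_sids list points at the SSSD sysdb cache on the client rather than at the trust itself; the cache file for the domain (/var/lib/sss/db/cache_<domain>.ldb) can be searched for that objectSIDString with ldbsearch to see the two entries.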