Hello,

Would anyone mind helping me troubleshoot a problem?

1. Running a two-way trust between AD2016 and ipa-server 4.5.4-10.el7.
2. Unable to log into an IPA client with an AD account via ssh.  The client has no trouble with “kinit $ad_user” and “getent passwd $ad_user”.
3. The AD user appears to properly exist in the correct groups for IPA/ad internal/external mapping as described in the docs.

I think the problem occurs here, with the PAC fetch:
==> /var/log/sssd/sssd_pac.log <==
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(objectSIDString= < MY SID HERE >))] returned more than one object.
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Mon Feb 11 05:24:36 2019) [sssd[pac]] [cache_req_search_cache] (0x0020): CR #5: Unable to lookup [<MY SID>@ad.domain.com] in cache [22]: Invalid argument

==> /var/log/sssd/krb5_child.log-20190210 <==
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][22].
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [<my username>@AD.DOMAIN.COM] might not be correct.
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [create_ccache] (0x0020): 973: [-1750600185][Invalid UID in persistent keyring name]
(Mon Feb 11 05:24:36 2019) [[sssd[krb5_child[26961]]]] [map_krb5_error] (0x0020): 1657: [-1750600185][Invalid UID in persistent keyring name]

==> /var/log/sssd/sssd_ipa.domain.com.log <==
(Mon Feb 11 05:24:36 2019) [sssd[be[ipa.domain.com]]] [child_sig_handler] (0x0100): child [26961] finished successfully.
(Mon Feb 11 05:24:36 2019) [sssd[be[ipa.domain.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information

Additional details:

# ipa service-show ldap/prod-ipa01.ipa.domain.com@IPA.DOMAIN.COM| grep PAC
  PAC type: MS-PAC

Thanks,
D