Hello list,
I'm facing an issue here that prevents a user from authenticating on a client machine.
When an sssd daemon has been running for a few days, suddenly krb5 fails to authenticate a user with the following error from krb5_child.log:
[[sssd[krb5_child[1616]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [k5c_send_data] (0x0200): Received error code 1432158221
And these messages from sssd_pam.log:
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][server-pro.mydomain.local]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]: Failure setting user credentials.
In order to get authentication working again, I need to restart the sssd daemon, sometimes several times!
This is happening on every client machine in my network. I've been trying for days to figure out what could be happening here, but it has been impossible for me to find the cause.
I have to clarify that this fails only when trying to run a command with sudo, because I'm using ssh keys to log into my client machines. Also, I'm using a DNS domain different from the REALM name, and my three FreeIPA servers have multiple network interfaces (a total of 4 NICs, 3 of which were added after the IPA installation and initial configuration).
In the following links you can find logs with debug_level = 10 of a session (ssh login/a failed sudo/logout) where this error was reproduced:
- krb5_child.log: https://pastebin.com/BNtVsJuB
- sssd_pam.log: https://pastebin.com/8ZF50Y92
I'm using FreeIPA from CentOS 7.6 (server and clients), all software updated two weeks ago:
- krb5 1.15.1-37.el7_6
- ipa 4.6.4-10.el7_6.3
- sssd 1.16.2-13.el7_6.8
Could anybody help me figure out how to solve this?
Thank you very much in advance, regards...