There are two errors I see in the logs. First, the ldap_child.log ends with:
(Sun Jul 22 16:07:37 2018) [[sssd[ldap_child[9680]]]] [sss_child_krb5_trace_cb] (0x4000):
[9680] 1532250457.238992: Initiating TCP connection to stream 192.168.2.10:88
and nothing after that so I wonder if the child was subsequently killed due to a timeout
after it tried to authenticate to the DC. But we don’t have the full logs so I’m just
guessing.
The other issue I see is in krb5_child.log. First there is this:
(Sun Jul 22 15:54:36 2018) [[sssd[krb5_child[9331]]]] [get_and_save_tgt] (0x0400):
krb5_get_init_creds_password returned [-1765328174] during pre-auth.
but this is “just” a pre-auth failure; then the authentication goes on about 6 seconds later:
(Sun Jul 22 15:54:42 2018) [[sssd[krb5_child[9337]]]] [unpack_buffer] (0x0100): cmd [241]
uid [1837401456] gid [1837401456] validate [true] enterprise principal [false] offline
[true] UPN [savelev(a)START-LINE.LOCAL]
but the interesting part here is “offline [true]” which indicates some connectivity
issues. And btw the delay of 6 seconds matches the default timeouts.
It would be nice to see the complete logs, though.
On 22 Jul 2018, at 11:48, Николай Савельев via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Here
22.07.2018, 16:32, "Alexander Bokovoy" <abokovoy(a)redhat.com>:
> On Sun, 22 Jul 2018, Николай Савельев wrote:
>> 22.07.2018, 14:16, "Alexander Bokovoy" <abokovoy(a)redhat.com>:
>>
>>> Again, show sssd logs. I suspect it is something with communicating to
>>> your AD DCs because SSSD doesn't use anything else to authenticate.
>> Here you are
>
> So, SSSD is not able to communicate with AD DCs and puts the domain
> offline. You can see in /var/log/sssd/krb5_child.log and ldap_child.log
> for details on why things fail.
>
--
Best regards, Николай.
<krb5_child.log><ldap_child.log>
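The three signs discussed in the reply at the top of this thread (a `krb5_get_init_creds_password` error code, a `krb5_child` request unpacked with `offline [true]`, and a child log that ends on a connection attempt) can be pulled out of the SSSD child logs mechanically. The following is an added example, not part of the original messages or of SSSD; the `triage` function and its finding names are hypothetical, and the sample lines are constructed after the excerpts quoted above, with each entry joined onto one line.

```python
import re
from datetime import datetime

# Header layout of the SSSD child debug lines quoted in the thread.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[(?P<child>\w+)\[\d+\]\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
RET_RE = re.compile(r"krb5_get_init_creds_password returned \[(-?\d+)\]")

# Constructed sample (uid/gid, UPN and IP address are placeholders).
SAMPLE = """\
(Sun Jul 22 15:54:36 2018) [[sssd[krb5_child[9331]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(Sun Jul 22 15:54:42 2018) [[sssd[krb5_child[9337]]]] [unpack_buffer] (0x0100): cmd [241] uid [1000] gid [1000] validate [true] enterprise principal [false] offline [true] UPN [user@EXAMPLE.LOCAL]
(Sun Jul 22 16:07:37 2018) [[sssd[ldap_child[9680]]]] [sss_child_krb5_trace_cb] (0x4000): [9680] 1532250457.238992: Initiating TCP connection to stream 192.0.2.10:88
"""

def triage(text):
    """Return (timestamp, child, finding, detail) tuples for the three signs."""
    findings, last = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        child, msg = m["child"], m["msg"]
        ret = RET_RE.search(msg)
        if ret:  # Kerberos library error code, reported exactly as logged
            findings.append((ts, child, "krb5_error", int(ret.group(1))))
        if m["func"] == "unpack_buffer" and "offline [true]" in msg:
            # krb5_child received the request with the domain marked offline
            findings.append((ts, child, "offline_request", None))
        last[child] = (ts, msg)  # remember the final line seen per child
    for child, (ts, msg) in last.items():
        # A log whose final line is a connection attempt records no outcome
        if "Initiating TCP connection" in msg:
            findings.append((ts, child, "ends_mid_connect", msg.split(" to ")[-1]))
    return findings

if __name__ == "__main__":
    for ts, child, kind, detail in triage(SAMPLE):
        print(ts.isoformat(), child, kind, detail or "")
```

Timestamps are returned as `datetime` objects so the gap between findings can be compared against the configured timeouts.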