Hello list,
I'm facing an issue here that prevents authenticating a user within a client machine.
When the sssd daemon has been running for a few days, suddenly krb5 fails to authenticate a user with the following error from krb5_child.log:
[[sssd[krb5_child[1616]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [k5c_send_data] (0x0200): Received error code 1432158221
And these messages from sssd_pam.log:
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][server-pro.mydomain.local]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]: Failure setting user credentials.
In order to get authentication working again, I need to restart the sssd daemon, sometimes several times!
This is happening on every client machine in my network. I've been trying for days to figure out what could be happening here, but it has been impossible for me to find the cause.
I have to clarify that this fails only when trying to run a command with sudo, because I'm using SSH keys to log into my client machines. Also, I'm using a DNS domain different from the REALM name, and my three FreeIPA servers have multiple network interfaces (a total of 4 NICs, 3 of them added after the IPA installation and initial configuration).
In the following links you can find logs with debug_level = 10 of a session (ssh login / a failed sudo / logout) where this error was reproduced:
- krb5_child.log: https://pastebin.com/BNtVsJuB
- sssd_pam.log: https://pastebin.com/8ZF50Y92
I'm using FreeIPA from CentOS 7.6 (server and clients), all software updated two weeks ago:
- krb5 1.15.1-37.el7_6
- ipa 4.6.4-10.el7_6.3
- sssd 1.16.2-13.el7_6.8
Could anybody help me figure out how to solve this?
Thank you very much in advance, regards...
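An added example, not part of the thread: a small Python parser for the two sssd log formats quoted above that decodes the krb5 error code by its public com_err table offset and tallies PAM results per answering IPA server, the per-server correlation that this thread eventually turned on. The first krb5_child and sssd_pam lines are the ones quoted above; the `server-two.mydomain.local` success line is constructed.

```python
import re
from collections import defaultdict

# Public krb5 com_err table base: every krb5 error code is BASE + offset (24 = PREAUTH_FAILED).
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {24: "KRB5KDC_ERR_PREAUTH_FAILED"}  # only the code this thread shows

# First line of each list copied from the thread; the "server-two" line is constructed.
SAMPLE_KRB5_CHILD = [
    "[[sssd[krb5_child[1616]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]",
    "[[sssd[krb5_child[1616]]]] [k5c_send_data] (0x0200): Received error code 1432158221",
]
SAMPLE_PAM = [
    "[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][server-pro.mydomain.local]",
    "[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][server-pro.mydomain.local]",
    "[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][server-two.mydomain.local]",  # constructed
]

# "[[sssd[krb5_child[PID]]]] [func] (0xLEVEL): NNN: [code][message]"; the line-number field is optional.
KRB5_CHILD_RE = re.compile(
    r"krb5_child\[(?P<pid>\d+)\]+\s+\[(?P<func>\w+)\]\s+\(0x[0-9a-fA-F]+\):\s+"
    r"(?:\d+:\s+)?\[(?P<code>-?\d+)\]\[(?P<msg>[^\]]+)\]"
)
# "[sssd[pam]] [pam_dp_process_reply] (0xLEVEL): received: [PAMCODE (text)][server]"
PAM_REPLY_RE = re.compile(
    r"\[pam_dp_process_reply\]\s+\(0x[0-9a-fA-F]+\):\s+received:\s+"
    r"\[(?P<pam>\d+)\s+\((?P<pam_msg>[^)]+)\)\]\[(?P<server>[^\]]+)\]"
)

def decode_krb5_code(code):
    # Signed krb5 code -> symbolic name via its offset in the krb5 error table.
    offset = code - KRB5_ERROR_TABLE_BASE
    return KRB5_ERROR_NAMES.get(offset, "krb5 error offset %d" % offset)

def tgt_failures(lines):
    # Keep only TGT acquisition failures (get_and_save_tgt); map_krb5_error repeats the same code.
    out = []
    for line in lines:
        m = KRB5_CHILD_RE.search(line)
        if m and m.group("func") == "get_and_save_tgt":
            code = int(m.group("code"))
            out.append({"pid": int(m.group("pid")), "code": code,
                        "name": decode_krb5_code(code), "msg": m.group("msg")})
    return out

def pam_results_by_server(lines):
    # PAM result 0 is success; anything else counts as a failure for the server that answered.
    stats = defaultdict(lambda: {"ok": 0, "failed": 0})
    for line in lines:
        m = PAM_REPLY_RE.search(line)
        if m:
            stats[m.group("server")]["ok" if m.group("pam") == "0" else "failed"] += 1
    return dict(stats)
```

Run it over a real sssd_pam.log with `debug_level = 10` and a server that fails while its peers succeed stands out immediately, which is the pattern the thread later confirmed.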
Hello list,
After much testing I've found that this issue is not related to the IPA client machine, but to the IPA server the IPA client is using, and that's because I can log in to some of my IPA servers (via Web Panel), but not to others, and that coincides with the servers that the clients which can/can't log in are using. So it seems there is a synchronization problem between my 3 IPA servers that I can't pinpoint yet.
So far, any change that I apply to any user via the Web Panel or command line is replicated to the other servers, but I've failed to see what parameter could be set in the servers where I'm unable to log in.
I've tested with a user created with no locking policies at all, but this user can only log in successfully to some IPA servers too.
Time is synchronized correctly between my three servers; ntpstat shows that time is correct to within 75 ms at most, so it doesn't seem to be the issue here.
Does this ring a bell to anyone? Any pointer in where to look further will be much appreciated.
Thanks in advance, regards...
Raul
Check the firewall settings on all servers to see if all needed ports are open to all other IPA servers. I had similar problems with broken replication due to lost firewall configs. In any case I'd start by searching for errors in /var/log (dirsrv, krb5kdc.log, kadmind.log, pki, sssd, tomcat, httpd, messages...)
On Wed, 17 Jul 2019 00:35:09 -0000 Raul Gomez via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello list,
After much testing I've found that this issue is not related to the IPA client machine, but to the IPA server the IPA client is using, and that's because I can log in to some of my IPA servers (via Web Panel), but not to others, and that coincides with the servers that the clients which can/can't log in are using. So it seems there is a synchronization problem between my 3 IPA servers that I can't pinpoint yet.
So far, any change that I apply to any user via the Web Panel or command line is replicated to the other servers, but I've failed to see what parameter could be set in the servers where I'm unable to log in.
I've tested with a user created with no locking policies at all, but this user can only log in successfully to some IPA servers too.
Time is synchronized correctly between my three servers; ntpstat shows that time is correct to within 75 ms at most, so it doesn't seem to be the issue here.
Does this ring a bell to anyone? Any pointer in where to look further will be much appreciated.
Thanks in advance, regards...
Raul
Hello!
I've checked firewall, ports and routes but it looked fine, BUT by checking this I've found A LOT of packet loss in the network interfaces and after looking further I decided to move my server VMs to another virtualization cluster.
After moving them and forcing a DB reinitialization, everything has been working fine for the last 5 days. Before moving the servers, the error occurred just a few hours after a DB reinitialization, so it seems the network packet loss was causing Kerberos to fail to authenticate.
Thank you very much for your answer, it ended up helping me in finding the actual cause of trouble!
Regards...