sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O-bound performance issue anyway.
Thanks for your time.
2 years, 1 month
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
"getent group". During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add "getent group mygroup" in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groups=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years, 3 months
'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
I'd like to use sssd in ldap mode against Active Directory, so I have defined:
id_provider = ldap
auth_provider = ldap
Yes, krb5 would be better, but I only have a BIND account and cannot add computer objects.
This 'should' be possible - it works with nslcd. As I don't have POSIX attributes I'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and can seem to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Have tried against two different domains with identical result ( one a cleanly installed 2012R2 domain ).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggest it is.
This was first (incorrectly) posted to sssd-devel; Jakub Hrozek updated and told me to define ldap_idmap_default_domain_sid so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
6 years, 11 months
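An added configuration example for the case in the post above; it is not from the thread and not the sssd project's own documentation. It shows a minimal domain section for the plain LDAP provider against AD with ID mapping. The server, bind DN, bind password and CA path are placeholders; the search base is taken from the OriginalDN in the log, and the domain SID is the SID from the log with the trailing RID (-1443) removed, which is what the ldap_idmap_default_domain_sid advice in the post refers to. The thread does not say what finally resolved "no primary group ID provided"; the assumption behind this example is that the default (rfc2307) attribute map gives ldap_user_primary_group no attribute, so primaryGroupID is never requested and the ID-mapping code has nothing to derive a primary GID from, whereas ldap_schema = ad maps it to primaryGroupID. sssd.conf does not support inline comments after a value, so every comment is on its own line.

```ini
[sssd]
services = nss, pam
domains = dev

[domain/dev]
id_provider = ldap
auth_provider = ldap

# placeholders: replace with the real DC and bind account
ldap_uri = ldaps://dc01.dev.somedomain.com
ldap_default_bind_dn = CN=svc-sssd,OU=Service Accounts,DC=dev,DC=somedomain,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = CHANGE-ME
# search base taken from the OriginalDN in the posted log
ldap_search_base = DC=dev,DC=somedomain,DC=com

# A simple bind sends the password to the DC, so keep LDAPS (as in the post)
# and verify the server certificate; the CA bundle path is a placeholder.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# Assumption: the AD attribute map is what makes sssd request objectSID
# (ldap_user_objectsid) and primaryGroupID (ldap_user_primary_group);
# the rfc2307 default map has no primary-group attribute.
ldap_schema = ad
ldap_id_mapping = true
# domain part of the SID seen in the log (RID -1443 stripped)
ldap_idmap_default_domain_sid = S-1-5-21-3970895924-989261097-3267629119

fallback_homedir = /home/%d/%u
default_shell = /bin/bash
```

Because the bind password sits in this file, keep /etc/sssd/sssd.conf owned by root with mode 0600 (sssd refuses to start otherwise). After changing the attribute map, clear the cache (sss_cache -E) before retesting, since a user entry that failed to save is not the same as a cached one.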
SSSD - user id mapping
by Thomas Beaudry
Hi Everyone,
I am running into a problem with usernames disappearing (and being replaced by their uids). The prompt in the terminal also changes to "i have no name!@<HOST>"
Jakub suggested that it could be that the getgr* call is failing for some reason.
Here is the timestamp for when the error happens:
I have no name!@perf-imglab08:~$ date
Wed Jan 18 17:22:19 EST 2017
I have no name!@perf-imglab08:~$ getent group 1234
I have no name!@perf-imglab08:~$ date
Wed Jan 18 17:22:36 EST 2017
and here are my sssd logs:
sssd.log
(Wed Jan 18 17:22:13 2017) [sssd] [service_send_ping] (0x2000): Pinging concordia.ca
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:13 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:13 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:13 2017) [sssd] [service_send_ping] (0x2000): Pinging ssh
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:13 2017) [sssd] [service_send_ping] (0x2000): Pinging autofs
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x146e7c0
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:13 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1468c00
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:13 2017) [sssd] [ping_check] (0x2000): Service concordia.ca replied to ping
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1474870
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:13 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x14700f0
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:13 2017) [sssd] [ping_check] (0x2000): Service ssh replied to ping
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1471e30
(Wed Jan 18 17:22:13 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:13 2017) [sssd] [ping_check] (0x2000): Service autofs replied to ping
(Wed Jan 18 17:22:23 2017) [sssd] [service_send_ping] (0x2000): Pinging concordia.ca
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:23 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:23 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:23 2017) [sssd] [service_send_ping] (0x2000): Pinging ssh
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:23 2017) [sssd] [service_send_ping] (0x2000): Pinging autofs
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x146e7c0
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:23 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1474870
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:23 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x14700f0
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:23 2017) [sssd] [ping_check] (0x2000): Service ssh replied to ping
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1468c00
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:23 2017) [sssd] [ping_check] (0x2000): Service concordia.ca replied to ping
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1471e30
(Wed Jan 18 17:22:23 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:23 2017) [sssd] [ping_check] (0x2000): Service autofs replied to ping
(Wed Jan 18 17:22:33 2017) [sssd] [service_send_ping] (0x2000): Pinging concordia.ca
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:33 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:33 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:33 2017) [sssd] [service_send_ping] (0x2000): Pinging ssh
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:33 2017) [sssd] [service_send_ping] (0x2000): Pinging autofs
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x146e7c0
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1474870
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1468c00
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd] [ping_check] (0x2000): Service concordia.ca replied to ping
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x14700f0
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd] [ping_check] (0x2000): Service ssh replied to ping
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1471e30
(Wed Jan 18 17:22:33 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd] [ping_check] (0x2000): Service autofs replied to ping
(Wed Jan 18 17:22:43 2017) [sssd] [service_send_ping] (0x2000): Pinging concordia.ca
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:43 2017) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:43 2017) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_add_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:43 2017) [sssd] [service_send_ping] (0x2000): Pinging ssh
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:43 2017) [sssd] [service_send_ping] (0x2000): Pinging autofs
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_add_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4e0
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x146e7c0
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:43 2017) [sssd] [ping_check] (0x2000): Service nss replied to ping
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1473220
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1474870
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:43 2017) [sssd] [ping_check] (0x2000): Service pam replied to ping
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x1478db0
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1468c00
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:43 2017) [sssd] [ping_check] (0x2000): Service concordia.ca replied to ping
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a570
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x14700f0
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:43 2017) [sssd] [ping_check] (0x2000): Service ssh replied to ping
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_remove_timeout] (0x2000): 0x146a4a0
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): dbus conn: 0x1471e30
(Wed Jan 18 17:22:43 2017) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:43 2017) [sssd] [ping_check] (0x2000): Service autofs replied to ping
sssd_concordia.ca.log
(Wed Jan 18 17:22:13 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): dbus conn: 0xaa5740
(Wed Jan 18 17:22:13 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:13 2017) [sssd[be[concordia.ca]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jan 18 17:22:13 2017) [sssd[be[concordia.ca]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jan 18 17:22:23 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): dbus conn: 0xaa5740
(Wed Jan 18 17:22:23 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:23 2017) [sssd[be[concordia.ca]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jan 18 17:22:23 2017) [sssd[be[concordia.ca]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): dbus conn: 0xaa5740
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): dbus conn: 0xaeeb80
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][idnumber=1234]
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [be_req_set_domain] (0x0400): Changing request domain from [concordia.ca] to [concordia.ca]
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): dbus conn: 0xaeeb80
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][idnumber=1234]
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Wed Jan 18 17:22:33 2017) [sssd[be[concordia.ca]]] [be_req_set_domain] (0x0400): Changing request domain from [concordia.ca] to [forestroot.concordia.montreal.qc.ca]
(Wed Jan 18 17:22:43 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): dbus conn: 0xaa5740
(Wed Jan 18 17:22:43 2017) [sssd[be[concordia.ca]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jan 18 17:22:43 2017) [sssd[be[concordia.ca]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jan 18 17:22:43 2017) [sssd[be[concordia.ca]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
ldap_child.log
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [main] (0x0400): ldap_child started.
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [main] (0x2000): context initialized
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x1000): total buffer size: 50
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x1000): got realm_str: CONCORDIA.CA
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x1000): princ_str size: 14
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x1000): got princ_str: PERF-IMGLAB08$
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unpack_buffer] (0x0200): Will run as [0][0].
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [main] (0x2000): Kerberos context initialized
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [become_user] (0x0200): Trying to become user [0][0].
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [become_user] (0x0200): Already user [0].
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [main] (0x2000): Running as [0][0].
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [main] (0x2000): getting TGT sync
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [CONCORDIA.CA]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [PERF-IMGLAB08$@CONCORDIA.CA]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.728189: Getting initial credentials for PERF-IMGLAB08$@CONCORDIA.CA
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.728262: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes128-cts, aes256-cts
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.728291: Sending request (195 bytes) to CONCORDIA.CA
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.728317: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.729762: Sending initial UDP request to dgram 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.731123: Received answer (210 bytes) from dgram 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734046: Response was not from master KDC
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734082: Received error from KDC: -1765328359/Additional pre-authentication required
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734104: Processing preauth types: 16, 15, 19, 2
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734112: Selected etype info: etype aes256-cts, salt "CONCORDIA.CAhostperf-imglab08.concordia.ca", params ""
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734127: Retrieving PERF-IMGLAB08$@CONCORDIA.CA from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734137: AS key obtained for encrypted timestamp: aes256-cts/FC36
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734161: Encrypted timestamp (for 1484778122.795789): plain 301AA011180F32303137303131383232323230325AA10502030C248D, encrypted 77571640DED5412F7668B68A1684793B574BFD047B5D9F7CC62D4197B088FB59018B3BB6E748E651507780452E6B4E8CC31F67FF4A31EEBD
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734168: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734173: Produced preauth for next request: 2
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734189: Sending request (275 bytes) to CONCORDIA.CA
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.734196: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.735879: Sending initial UDP request to dgram 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.737712: Received answer (96 bytes) from dgram 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.739940: Response was not from master KDC
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.739968: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.739978: Request or response is too big for UDP; retrying with TCP
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.739986: Sending request (275 bytes) to CONCORDIA.CA (tcp only)
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.739996: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.741680: Initiating TCP connection to stream 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.742475: Sending TCP request to stream 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.744227: Received answer (1508 bytes) from stream 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.744240: Terminating TCP connection to stream 132.205.123.21:88
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745376: Response was not from master KDC
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745404: Processing preauth types: 19
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745412: Selected etype info: etype aes256-cts, salt "CONCORDIA.CAhostperf-imglab08.concordia.ca", params ""
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745419: Produced preauth for next request: (empty)
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745425: AS key determined by preauth: aes256-cts/FC36
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745450: Decrypted AS reply; session key is: aes256-cts/7A2A
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745455: FAST negotiation: unavailable
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_OaPYPl]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745483: Initializing FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_OaPYPl with default princ PERF-IMGLAB08$@CONCORDIA.CA
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [sss_child_krb5_trace_cb] (0x4000): [25844] 1484778122.745537: Storing PERF-IMGLAB08$@CONCORDIA.CA -> krbtgt/CONCORDIA.CA@CONCORDIA.CA in FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_OaPYPl
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_CONCORDIA.CA_OaPYPl] to [/var/lib/sss/db/ccache_CONCORDIA.CA]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_CONCORDIA.CA_OaPYPl]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_CONCORDIA.CA_OaPYPl]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [prepare_response] (0x0400): Building response for result [0]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [pack_buffer] (0x2000): response size: 60
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_CONCORDIA.CA]
(Wed Jan 18 17:22:02 2017) [[sssd[ldap_child[25844]]]] [main] (0x0400): ldap_child completed successfully
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [main] (0x0400): ldap_child started.
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [main] (0x2000): context initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x1000): total buffer size: 50
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x1000): got realm_str: CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x1000): princ_str size: 14
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x1000): got princ_str: PERF-IMGLAB08$
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unpack_buffer] (0x0200): Will run as [0][0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [main] (0x2000): Kerberos context initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [become_user] (0x0200): Trying to become user [0][0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [become_user] (0x0200): Already user [0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [main] (0x2000): Running as [0][0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [main] (0x2000): getting TGT sync
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [CONCORDIA.CA]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [PERF-IMGLAB08$@CONCORDIA.CA]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.791179: Getting initial credentials for PERF-IMGLAB08$(a)CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.791382: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes128-cts, aes256-cts
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.791490: Sending request (195 bytes) to CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.791569: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.793862: Sending initial UDP request to dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.795622: Received answer (210 bytes) from dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798139: Response was not from master KDC
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798175: Received error from KDC: -1765328359/Additional pre-authentication required
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798194: Processing preauth types: 16, 15, 19, 2
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798201: Selected etype info: etype aes256-cts, salt "CONCORDIA.CAhostperf-imglab08.concordia.ca", params ""
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798214: Retrieving PERF-IMGLAB08$(a)CONCORDIA.CA from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798226: AS key obtained for encrypted timestamp: aes256-cts/FC36
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798251: Encrypted timestamp (for 1484778188.864327): plain 301AA011180F32303137303131383232323330385AA10502030D3047, encrypted D1207C76AB678F2BBC0336F2F2EE373DF28682250D27A98B1249180CF5319FC7199D6018C0A44399945C235ECF9B295704D6EAEC3F5FF5FD
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798259: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798264: Produced preauth for next request: 2
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798278: Sending request (275 bytes) to CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798286: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.799446: Sending initial UDP request to dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.801292: Received answer (96 bytes) from dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.803814: Response was not from master KDC
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.803836: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.803844: Request or response is too big for UDP; retrying with TCP
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.803850: Sending request (275 bytes) to CONCORDIA.CA (tcp only)
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.803858: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.805392: Initiating TCP connection to stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.806522: Sending TCP request to stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.808296: Received answer (1508 bytes) from stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.808314: Terminating TCP connection to stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809712: Response was not from master KDC
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809737: Processing preauth types: 19
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809747: Selected etype info: etype aes256-cts, salt "CONCORDIA.CAhostperf-imglab08.concordia.ca", params ""
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809755: Produced preauth for next request: (empty)
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809763: AS key determined by preauth: aes256-cts/FC36
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809790: Decrypted AS reply; session key is: aes256-cts/A0EB
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809796: FAST negotiation: unavailable
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_btC2E5]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809829: Initializing FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_btC2E5 with default princ PERF-IMGLAB08$(a)CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809880: Storing PERF-IMGLAB08$(a)CONCORDIA.CA -> krbtgt/CONCORDIA.CA(a)CONCORDIA.CA in FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_btC2E5
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_CONCORDIA.CA_btC2E5] to [/var/lib/sss/db/ccache_CONCORDIA.CA]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_CONCORDIA.CA_btC2E5]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_CONCORDIA.CA_btC2E5]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [prepare_response] (0x0400): Building response for result [0]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [pack_buffer] (0x2000): response size: 60
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_CONCORDIA.CA]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [main] (0x0400): ldap_child completed successfully
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [main] (0x0400): ldap_child started.
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [main] (0x2000): context initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x1000): total buffer size: 50
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x1000): got realm_str: CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x1000): princ_str size: 14
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x1000): got princ_str: PERF-IMGLAB08$
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unpack_buffer] (0x0200): Will run as [0][0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [main] (0x2000): Kerberos context initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [become_user] (0x0200): Trying to become user [0][0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [become_user] (0x0200): Already user [0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [main] (0x2000): Running as [0][0].
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [main] (0x2000): getting TGT sync
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [CONCORDIA.CA]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [PERF-IMGLAB08$(a)CONCORDIA.CA]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.911434: Getting initial credentials for PERF-IMGLAB08$(a)CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.911637: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes128-cts, aes256-cts
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.911713: Sending request (195 bytes) to CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.911787: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.914393: Sending initial UDP request to dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.915860: Received answer (210 bytes) from dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.918866: Response was not from master KDC
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.918976: Received error from KDC: -1765328359/Additional pre-authentication required
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919054: Processing preauth types: 16, 15, 19, 2
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919087: Selected etype info: etype aes256-cts, salt "CONCORDIA.CAhostperf-imglab08.concordia.ca", params ""
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919141: Retrieving PERF-IMGLAB08$(a)CONCORDIA.CA from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919180: AS key obtained for encrypted timestamp: aes256-cts/FC36
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919280: Encrypted timestamp (for 1484778188.973670): plain 301AA011180F32303137303131383232323330385AA10502030EDB66, encrypted D33317E3C9292ABF582F8D1E389DF6A3B5FFABFC7E0420B45A45B610EFD80E1D9C19CE9AAE0D7959B44E0773747AC7B0DCB56C9DFBF97DA3
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919315: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919337: Produced preauth for next request: 2
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919431: Sending request (275 bytes) to CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.919472: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.921847: Sending initial UDP request to dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.924168: Received answer (96 bytes) from dgram 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.927183: Response was not from master KDC
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.927216: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.927222: Request or response is too big for UDP; retrying with TCP
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.927227: Sending request (275 bytes) to CONCORDIA.CA (tcp only)
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.927234: Resolving hostname Int-con-dc-1.concordia.ca
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.928427: Initiating TCP connection to stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.929201: Sending TCP request to stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.931067: Received answer (1508 bytes) from stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.931080: Terminating TCP connection to stream 132.205.123.21:88
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932326: Response was not from master KDC
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932365: Processing preauth types: 19
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932374: Selected etype info: etype aes256-cts, salt "CONCORDIA.CAhostperf-imglab08.concordia.ca", params ""
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932380: Produced preauth for next request: (empty)
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932387: AS key determined by preauth: aes256-cts/FC36
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932409: Decrypted AS reply; session key is: aes256-cts/C509
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932415: FAST negotiation: unavailable
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_BHwy1c]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932442: Initializing FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_BHwy1c with default princ PERF-IMGLAB08$(a)CONCORDIA.CA
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [sss_child_krb5_trace_cb] (0x4000): [25874] 1484778188.932486: Storing PERF-IMGLAB08$(a)CONCORDIA.CA -> krbtgt/CONCORDIA.CA(a)CONCORDIA.CA in FILE:/var/lib/sss/db/ccache_CONCORDIA.CA_BHwy1c
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_CONCORDIA.CA_BHwy1c] to [/var/lib/sss/db/ccache_CONCORDIA.CA]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_CONCORDIA.CA_BHwy1c]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_CONCORDIA.CA_BHwy1c]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [prepare_response] (0x0400): Building response for result [0]
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [pack_buffer] (0x2000): response size: 60
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25874]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_CONCORDIA.CA]
Any help would be greatly appreciated; I've been trying to solve this problem for the last 2 weeks without success.
Thanks!
Thomas
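The ldap_child trace above is hard to read at a glance because every Kerberos AS exchange produces several "Received error from KDC" lines that are perfectly normal (pre-authentication required, response too big for UDP, and in the child-domain thread that follows, the realm referral), and the one line that matters is buried among them. What follows is an added triage helper, not code from sssd or from either poster: it assumes only the sssd debug line format visible in these logs, groups the libkrb5 trace lines by child PID, separates the benign KDC errors from a real failure, and reports the outcome of each exchange. The sample log is constructed for the example, with placeholder principals (HOST$@EXAMPLE.TEST, user@child.example.test) modeled on the two traces in this thread.

```python
# Added triage helper for sssd ldap_child / krb5_child debug logs (hypothetical
# code, not part of sssd). It reduces each Kerberos AS exchange to an outcome.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One sssd debug line, e.g.
# (Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [main] (0x0400): ldap_child started.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<proc>[a-z0-9_]+)\[(?P<pid>\d+)\]\]+ "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
# Payload of a libkrb5 trace callback: "[25873] 1484778188.791179: <text>"
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ktime>\d+\.\d+): (?P<text>.*)$")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<desc>.*)$")
STORE_RE = re.compile(r"^Storing (?P<client>\S+) -> (?P<service>\S+) in (?P<cc>\S+)$")
REFERRAL_RE = re.compile(r"^Following referral to realm (?P<realm>\S+)$")
FATAL_RE = re.compile(r"\[(?P<code>-\d+)\]\[(?P<desc>[^\]]+)\]")

# KDC errors that are a normal step of an AS exchange, not a failure
# (numeric values as MIT krb5 prints them in the trace lines of this thread).
BENIGN_KDC_ERRORS = {
    -1765328359: "KDC_ERR_PREAUTH_REQUIRED",  # first round trip always gets this
    -1765328332: "KRB_ERR_RESPONSE_TOO_BIG",  # client simply retries over TCP
    -1765328316: "KDC_ERR_WRONG_REALM",       # referral to the realm owning the principal
}


@dataclass
class Exchange:
    process: str
    pid: str
    principal: Optional[str] = None
    kdc_errors: List[Tuple[int, str]] = field(default_factory=list)
    referrals: List[str] = field(default_factory=list)
    tcp_fallback: bool = False
    tgt_stored: bool = False
    fatal: Optional[str] = None

    def outcome(self) -> str:
        if self.tgt_stored:
            return "TGT obtained"
        return "failed: " + self.fatal if self.fatal else "incomplete"

    def unexpected_errors(self) -> List[Tuple[int, str]]:
        return [e for e in self.kdc_errors if e[0] not in BENIGN_KDC_ERRORS]


def summarize(log_text: str) -> Dict[str, Exchange]:
    """Reduce raw sssd child-process log text to one Exchange per PID."""
    exchanges: Dict[str, Exchange] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # backend (be[...]) and other lines are not child traces
        pid, func, msg = m["pid"], m["func"], m["msg"]
        ex = exchanges.setdefault(pid, Exchange(m["proc"], pid))
        if func == "sss_child_krb5_trace_cb":
            t = TRACE_RE.match(msg)
            text = t["text"] if t else ""
            if text.startswith("Getting initial credentials for ") and ex.principal is None:
                ex.principal = text.split(" for ", 1)[1]
            elif (k := KDC_ERR_RE.match(text)):
                ex.kdc_errors.append((int(k["code"]), k["desc"]))
            elif (r := REFERRAL_RE.match(text)):
                ex.referrals.append(r["realm"])
            elif "retrying with TCP" in text:
                ex.tcp_fallback = True
            elif (s := STORE_RE.match(text)) and s["service"].startswith("krbtgt/"):
                ex.tgt_stored = True  # a TGT landed in the ccache: the exchange succeeded
        elif func in ("get_and_save_tgt", "map_krb5_error"):
            f = FATAL_RE.search(msg)
            if f and ex.fatal is None:
                ex.fatal = f"{f['desc']} ({f['code']})"
    return exchanges


# Constructed sample modeled on the two traces in this thread (placeholder
# principals, not the original lines): a machine-account exchange that succeeds
# after the UDP->TCP retry, and a user exchange that fails preauth after a referral.
SAMPLE_LOG = """\
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.791179: Getting initial credentials for HOST$@EXAMPLE.TEST
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.798175: Received error from KDC: -1765328359/Additional pre-authentication required
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.803836: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.803844: Request or response is too big for UDP; retrying with TCP
(Wed Jan 18 17:23:08 2017) [[sssd[ldap_child[25873]]]] [sss_child_krb5_trace_cb] (0x4000): [25873] 1484778188.809880: Storing HOST$@EXAMPLE.TEST -> krbtgt/EXAMPLE.TEST@EXAMPLE.TEST in FILE:/var/lib/sss/db/ccache_EXAMPLE.TEST_x
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.682973: Getting initial credentials for user@child.example.test
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746660: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746708: Following referral to realm child.example.test
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428975: Received error from KDC: -1765328360/Preauthentication failed
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
"""

if __name__ == "__main__":
    for ex in summarize(SAMPLE_LOG).values():
        print(f"{ex.process}[{ex.pid}] {ex.principal}: {ex.outcome()}; "
              f"tcp_fallback={ex.tcp_fallback} referrals={ex.referrals} "
              f"unexpected={ex.unexpected_errors()}")
```

Run it against a full `ldap_child.log` or `krb5_child.log` and look only at `unexpected_errors()` and `outcome()`: in the trace above every KDC error is benign and the exchange ends with the TGT stored, so the ldap_child is not where the slowness comes from, whereas a `Preauthentication failed` after a referral points at the credentials or the salt used by the child realm, not at transport.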
account not authenticating in child domain
by sonia.gilbert@hawaiianair.com
Server is joined to abc.com and authentication is working to abc.com. A child domain, a.abc.com, was created, but authentication is not working to the child domain.
sssd.conf
[root@server01 sssd]# more /etc/sssd/sssd.conf
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam
[domain/abc.com]
id_provider = ad
access_provider = simple
realmd_tags = manages-system joined-with-samba
ad_domain = abc.com
ad_server = dc01.abc.com,dc02.abc.com,_srv_
krb5_realm = ABC.COM
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
simple_allow_groups = TDI Remote Access Users(a)abc.com
debug_level = 0x07F0
[domain/a.abc.com]
ad_server = sdc01.a.abc.com,sdc02.a.abc.com,_srv_
From krb5 log:
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.682973: Getting initial credentials for 017978\@a.abc.com(a)abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683157: Sending request (217 bytes) to abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683431: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746482: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746600: Response was from master KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746660: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746708: Following referral to realm a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746788: Sending request (233 bytes) to a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.878092: Resolving hostname infsdcpci01.a.abc.com.
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.943098: Sending initial UDP request to dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.13629: Received answer (219 bytes) from dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.77982: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78076: Received error from KDC: -1765328359/Additional pre-authentication required
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78145: Processing preauth types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78192: Selected etype info: etype aes256-cts, salt "a.abc.com017978", params ""
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97413: AS key obtained for encrypted timestamp: aes256-cts/ED73
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97516: Encrypted timestamp (for 1485291543.976086): plain 301AA011180F32303137303132343230353930335AA10502030EE4D6, encrypted C7492B7309B4456330A7EE35DACBF67592D8573801102A3AB633823BE64F94EA7B1726E96F5EDAD9213AD0726D9CF89B214E96B1EB03B5AB
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97559: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97583: Produced preauth for next request: 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97621: Sending request (313 bytes) to a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.230488: Resolving hostname infsdcpci02.a.abc.com.
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.297013: Sending initial UDP request to dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.366557: Received answer (186 bytes) from dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428891: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428975: Received error from KDC: -1765328360/Preauthentication failed
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429029: Preauth tryagain input types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429068: Retrying AS request with master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429096: Getting initial credentials for 017978\@a.abc.com(a)abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429189: Sending request (217 bytes) to abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429275: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494276: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494363: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494397: Following referral to realm a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494467: Sending request (233 bytes) to a.abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x4000): Response sent.
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [main] (0x0400): krb5_child completed successfully
From sssd domain log:
(Tue Jan 24 13:59:18 2017) [sssd[be[a.hawaiian.aero]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [a.abc.com]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): domain: a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): user: 017978(a)a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): service: conwrks
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): tty:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): ruser:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): rhost:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): cli_pid: 13206
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [017978(a)a.abc.com] is empty, running request [0x7f1aae523b70] immediately.
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_setup] (0x4000): No mapping for: 017978(a)a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f1aae525c60
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f1aae4e49f0
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Running timer event 0x7f1aae525c60 "ltdb_callback"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Destroying timer event 0x7f1aae4e49f0 "ltdb_timeout"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Ending timer event 0x7f1aae525c60 "ltdb_callback"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_auth_send] (0x0100): Home directory for user [017978(a)a.abc.com] not known.
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.abc.com: [x.x.161.251] TTL 3600
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [25955]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [25955]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x1000): Waiting for child [25955].
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x0100): child [25955] finished successfully.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [check_wait_queue] (0x1000): Wait queue for user [017978(a)a.abc.com] is empty.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f1aae523b70] done.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success (Failure setting user credentials)]
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][a.abc.com]
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][a.abc.com]
7 years, 1 month
Announcing SSSD 1.15.0
by Jakub Hrozek
== SSSD 1.15.0 ==
The SSSD team is proud to announce the release of version 1.15.0 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* SSSD now allows the responders to be activated by the systemd service
manager and exit when idle. This means the services line in sssd.conf is
optional and the responders can be started on-demand, simplifying the sssd
configuration. Please note that this change is backwards-compatible and
the responders listed explicitly in sssd.conf's services line are managed
by sssd in the same manner as in previous releases. Please refer to man
sssd.conf(5) for more information
* The sudo provider is no longer disabled for configurations that do not
explicitly include the sudo responder in the services list. In order to
disable the sudo-related back end code that executes the periodic LDAP
queries, set the sudo_provider to none explicitly
* The watchdog signal handler no longer uses signal-unsafe functions. This
bug was causing a deadlock in case the watchdog was about to kill a
stuck process
* A bug that prevented TLS from being set up correctly on systems where libldap
links with GnuTLS was fixed
* The functionality to alter SSSD configuration through the D-Bus interface
provided by the IFP responder was removed. This functionality was not used to
the best of our knowledge, had no tests and prevented the InfoPipe responder
from running as a non-privileged user.
* A bug that prevented statically-linked applications from using libnss_sss
was fixed by removing the dependency on -lpthread from the libnss_sss library
(please see https://sourceware.org/bugzilla/show_bug.cgi?id=20500 for
an example of why linking with -lpthread from an NSS module is problematic)
* Previously, SSSD did not ignore GPOs that were missing the
gPCFunctionalityVersion attribute and failed the whole GPO
processing. Starting with this version, the GPOs without the
gPCFunctionalityVersion are skipped.
== Packaging Changes ==
* The Augeas development libraries are no longer required since the
configuration manipulation interface was dropped from the InfoPipe responder
* The libsss_config.so internal library was removed as well due to removal
of the InfoPipe config management
* In order to manage socket-activated or bus activated responders,
each responder is now represented by a systemd service file
(e.g. sssd-nss.service). All responders except InfoPipe, which is
bus-activated, are also managed by a socket unit file (e.g. sssd-nss.socket)
== Documentation Changes ==
* The sssd-secrets responder gained a new option max_payload_size that
allows the administrator to limit the maximum size of a secret
* A new option responder_idle_timeout was added to support idle termination
of socket-activated responders
* The sssd-ad and sssd-ipa man pages now summarize differences between
the generic Kerberos/LDAP back end and the specialized IPA/AD back ends
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/697
Use command line arguments instead env vars for krb5_child
https://fedorahosted.org/sssd/ticket/2201
Man pages do not specify that sssd dyndns_refresh_interval < 60 is pulled to 60 seconds
https://fedorahosted.org/sssd/ticket/2243
[RFE] Socket-activate responders
https://fedorahosted.org/sssd/ticket/2517
krb5_child: Remove getenv() ran as root
https://fedorahosted.org/sssd/ticket/3060
better debugging of timestamp cache modifications
https://fedorahosted.org/sssd/ticket/3129
[RFE] socket-activate the IFP responder
https://fedorahosted.org/sssd/ticket/3151
cache_req: complete the needs of NSS responders
https://fedorahosted.org/sssd/ticket/3156
nss_sss might leak memory when calling thread goes away
https://fedorahosted.org/sssd/ticket/3214
Update man pages for any AD provider config options that differ from ldap/krb5 providers defaults
https://fedorahosted.org/sssd/ticket/3215
Review and update SSSD's wiki pages for 1.15 Alpha release
https://fedorahosted.org/sssd/ticket/3235
SSSCTL should not be case sensitive when searching for usernames or groups in a case-insensitive domain
https://fedorahosted.org/sssd/ticket/3245
[RFE] Shutdown timeout for {socket,bus}-activated responders
https://fedorahosted.org/sssd/ticket/3275
Unchecked return value of sss_cmd_empty_packet(pctx->creq->out);
https://fedorahosted.org/sssd/ticket/3283
getsidbyid can fail in some cases due to cache_req refactoring
https://fedorahosted.org/sssd/ticket/3284
getsidbyname does not work properly with case insensitive domains
== Detailed Changelog ==
Amith Kumar (1):
* MAN: Updation of sssd-ad man page for case when dyndns_refresh_interval < 60 seconds
Carl Henrik Lunde (1):
* Prevent use after free in fd_input_available
David Michael (1):
* BUILD: Find a host-prefixed krb5-config when cross-compiling
Fabiano Fidêncio (34):
* SECRETS: Fix secrets rule in the allowed sections
* SECRETS: Add allowed_sec_users_options
* SECRETS: Delete all secrets stored during "max_secrets" test
* SECRETS: Add configurable payload size limit of a secret
* BUILD: Drop libsss_config
* IFP: Remove "ChangeDebugTemporarily" method
* AUTOFS: Check return of sss_cmd_empty_packet()
* SUDO: Drop logic to disable the backend in case the provider is not set
* MONITOR: Expose the monitor's services type
* MONITOR: Pass the service type to the RegisterService method
* UTIL: Introduce --socket-activated cmdline option for responders
* UTIL: Introduce --dbus-activated cmd option for responders
* RESPONDER: Make responders' common code ready for socket activation
* AUTOFS: Make AutoFS responder socket-activatable
* NSS: Make NSS responder socket-activatable
* PAC: Make PAC responder socket-activatable
* PAM: Make PAM responder socket-activatable
* SSH: Make SSH responder socket-activatable
* SUDO: Make Sudo responder socket-activatable
* IFP: Make IFP responder dbus-activatable
* MONITOR: Split up check_services()
* MONITOR: Deal with no services set up
* MONITOR: Deal with socket-activated responders
* MAN: Mention that the services' list is optional
* MAN: "user" doesn't work with socket-activated services
* MONITOR: Don't expose monitor_common_send_id()
* SBUS: Add a time_t pointer to the sbus_connection
* SBUS: Add destructor data to sbus_connection
* RESPONDER: Make clear {reset_,}idle_timer() are related to client
* RESPONDER: Don't expose client_idle_handler()
* RESPONDER: Shutdown {dbus,socket}-activated responders in case they're idle
* RESPONDER: Change how client timeout is calculated
* SERVER: Set the process group during server_setup()
* WATCHDOG: Avoid non async-signal-safe from the signal_handler
Howard Guo (1):
* sss_client: Defer thread cancellation until completion of nss/pam operations
Jakub Hrozek (16):
* Updating the version for the 1.14.3 development
* Updating the version to track sssd-1-15 development
* SYSDB: Split sysdb_try_to_find_expected_dn() into smaller functions
* SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well
* MONITOR: Do not set up watchdog for monitor
* MONITOR: Remove deprecated pong sbus method
* MONITOR: Remove unused shutDown sbus method
* Qualify ghost user attribute in case ldap_group_nesting_level is set to 0
* tests: Add a test for group resolution with ldap_group_nesting_level=0
* BUILD: Fix a typo in inotify.m4
* SSH: Use default_domain_suffix for users' authorized keys
* SYSDB: Suppress sysdb_delete_ts_entry failed: 0
* STAP: Only print transaction statistics if the script caught some transactions
* test_sssctl: Add an integration test for sssctl netgroup-show
* KRB5: Advise the user to inspect the krb5_child.log if the child fails with a System Error
* IFP: Fix GetUserAttr
Justin Stephenson (2):
* MAN: Document different defaults for AD provider
* MAN: Document different defaults for IPA provider
Lukas Slebodnik (45):
* crypto: Port libcrypto code to openssl-1.1
* BUILD: Fix build without samba
* libcrypto: Check right value of CRYPTO_memcmp
* crypto-tests: Add unit test for sss_encrypt + sss_decrypt
* crypto-tests: Rename encrypt decrypt test case
* BUILD: Accept krb5 1.15 for building the PAC plugin
* dlopen-test: Use portable macro for location of .libs
* dlopen-test: Add missing libraries to the check list
* dlopen-test: Move libraries to the right "sections"
* dlopen-test: Add check for untested libraries
* BUILD: Fix linking with librt
* KRB5: Remove spurious warning in logs
* TESTS: Check new line at end of file
* UTIL: Fix implicit declaration of function 'htobe32'
* SYSDB: Remove unused prototype from header file
* sssctl: Fix missing declaration
* UTIL: Fix compilation of sss_utf8 with libunistring
* CONFDB: Supress clang false passitive warnings
* SIFP: Fix warning format-security
* RESPONDER: Remove dead assignment to the variable ret
* Fix compilation with python3.6
* intg: Generate tmp dir with lowercase
* LDAP: Fix debug messages after errors in *_get_send
* LDAP: Removed unused attr_type from users_get_send
* LDAP: Remove unused parameter attr_type from groups_get_send
* DP: Remove unused constants BE_ATTR_*
* DP: Remove unused attr_type from struct dp_id_data
* LDAP: Remove attrs_type related TODO comments
* sssd_ldb.py: Remove a leftover debug message
* intg: Fix python2,3 urllib
* intg: Avoid using xrange in tests
* intg: Avoid using iteritems for dictionary
* intg: Use bytes with hash function
* intg: Fix creating of slapd configuration
* intg: Use bytes for value of attributes in ldif
* intg: Use bytes as input in ctypes
* intg: Return strings from ctypes wrappers
* intg: Convert output of executed commands to strings
* intg: Return list for enumeration functions
* SYSDB: Update filter for get object by id
* sysdb-tests: Add test for sysdb_search_object_by_id
* sysdb: Search also aliases in sysdb_search_object_by_name
* sysdb-tests: Add test for sysdb_search_object_by_name
* MONITOR: Fix warning with undefined macro HAVE_SYSTEMD
* UTIL: Unset O_NONBLOCK for ldap connection
Michal Židek (7):
* sssctl: Flags for command initialization
* ipa: Nested netgroups do not work
* common: Fix domain case sensitivity init
* sssctl: Search by alias
* sssctl: Case insensitive filters
* tests: sssctl user/group-show basic tests
* MAN: sssctl debug level
Mike Ely (1):
* ad_access_filter search for nested groups
Pavel Březina (40):
* cache_req: move from switch to plugins; add logic
* cache_req: move from switch to plugins, add plugins
* cache_req: switch to new code
* cache_req: delete old code
* sudo: do not store usn if no rules are found
* nss: move nss_ctx->global_names to rctx
* ifp: remove unused fields from state
* setent_notify: remove unused private context
* sss_crypto.h: include required headers
* sss_output_name: do not require fq name
* cache_req: fix initgroups by name
* cache_req: skip first search on bypass cache
* cache_req: encapsulate output data into structure
* cache_req: add ability to gather result from all domains
* cache_req: add ability to filter domains by enumeration
* cache_req: add user enumeration
* cache_req: add group enumeration
* cache_req: add support for service by name
* cache_req: add support for service by port
* cache_req: add support for services enumeration
* cache_req: add support for netgroups
* cache_req: allow shallow copy of result
* cache_req: allow to return well known object as result
* cache_req: return well known objects in object by sid
* cache_req: make sure that we always fetch default attrs
* cache_req: allow upn search with attrs
* cache_req: add object by name
* cache_req: add object by id
* cache_req: make plug-ins definition const
* cache_req: improve debugging
* cache_req: fix plugin function description
* cache_req: allow to search subdomains without fqn
* cache_req: do not set ncache if dp request fails
* responders: unify usage of sss_cmd_send_empty and _error
* responders: remove checks that are handled inside cache_req
* responders: do not try to contact DP with LOCAL provider
* utils: add sss_ptr_hash module
* nss: rewrite nss responder so it uses cache_req
* nss: make nss responder tests work with new code
* nss: remove the old code
Petr Cech (2):
* SYSDB: Adding message to inform which cache is used
* SYSDB: Adding message about reason why cache changed
Petr Čech (5):
* SYSDB: Adding lowercase sudoUser form
* TESTS: Extending sysdb sudo store tests
* RESPONDER: Adding of return value checking
* UTIL: Removing of never read value
* SYSDB: Fixing of sudorule without a sudoUser
Sorah Fukumori (1):
* BUILD: Fix installation without samba
Sumit Bose (11):
* sysdb: add parent_dom to sysdb_get_direct_parents()
* sdap: make some nested group related calls public
* LDAP/AD: resolve domain local groups for remote users
* PAM: add a test for filter_responses()
* PAM: add pam_response_filter option
* IPA/AD: check auth ctx before using it
* krb5: Use command line arguments instead env vars for krb5_child
* krb5: fix two memory leaks
* krb5: add tests for common functions
* sss_ptr_hash_delete_all: use unsigned long int
* libwbclient-sssd: wbcLookupSid() allow NULL arguments
Victor Tapia (1):
* MONITOR: Create pidfile after responders started
7 years, 1 month
SSSD AD GPO and SUDO
by mdiorio@gmail.com
Hi Everyone,
I have an AD domain joined system using realmd and that is working fine. I want to use Group Policy to configure access, and have it set up. I added my users to the Allow log on through Terminal Services GPO and I can successfully authenticate and SSH into the system using kerberos and password auth.
My next problem is SUDO rights - I don't have any. Supposedly, ad_gpo_map_permit is a list of PAM services that are ALWAYS allowed when using GPO access, and this by default includes sudo and sudo-i. Yet I can't SUDO.
In /etc/nsswitch.conf I added:
sudoers: files sss
In /etc/sssd.conf I updated:
services = nss, pam, autofs, sudo
and added the empty [sudo] section.
In the [domain/] section I added:
sudo_provider: ad
but from what I've read this isn't needed.
Since I don't want the world to be able to SUDO, I also tried adding to sssd.conf domain section
ad_gpo_map_service = +sudo,+sudo-i
and added my users to the Allow logon as a service GPO, but still no luck.
My sssd sudo log doesn't look like it's querying GPO for permissions, though.
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_send] (0x0400): Cache Request [Initgroups by name #2]: New request
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_send] (0x0400): Cache Request [Initgroups by name #2]: Parsing input name [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'mdiorio(a)internal.ieeeglobalspec.com' matched expression for domain 'internal.ieeeglobalspec.com', user is mdiorio
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_set_name] (0x0400): Cache Request [Initgroups by name #2]: Setting name [mdiorio]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_select_domains] (0x0400): Cache Request [Initgroups by name #2]: Performing a single domain search
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_set_domain] (0x0400): Cache Request [Initgroups by name #2]: Using domain [internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_check_ncache] (0x0400): Cache Request [Initgroups by name #2]: Checking negative cache for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/internal.ieeeglobalspec.com/mdiorio@internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_get_object] (0x0200): Cache Request [Initgroups by name #2]: Requesting info for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_cache_check] (0x0400): Cache Request [Initgroups by name #2]: [mdiorio(a)internal.ieeeglobalspec.com] entry is valid
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_cache_search] (0x0400): Cache Request [Initgroups by name #2]: Returning info for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_done] (0x0400): Cache Request [Initgroups by name #2]: Finished: Success
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1485799511)(|(name=defaults)(sudoUser=ALL)(sudoUser=mdiorio(a)internal.ieeeglobalspec.com)(sudoUser=#1002201109)
......
Truncated AD Group query
----
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_refresh_rules_send] (0x0400): No expired rules were found for [mdiorio@internal.ieeeglobalspec.com(a)internal.ieeeglobalspec.com].
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Retrieving default options for [mdiorio@internal.ieeeglobalspec.com(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(name=defaults))]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 default options for [mdiorio@internal.ieeeglobalspec.com(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_get_rules_send] (0x0400): Running initgroups for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_send] (0x0400): Cache Request [Initgroups by name #3]: New request
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_send] (0x0400): Cache Request [Initgroups by name #3]: Parsing input name [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'mdiorio(a)internal.ieeeglobalspec.com' matched expression for domain 'internal.ieeeglobalspec.com', user is mdiorio
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_set_name] (0x0400): Cache Request [Initgroups by name #3]: Setting name [mdiorio]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_select_domains] (0x0400): Cache Request [Initgroups by name #3]: Performing a single domain search
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_set_domain] (0x0400): Cache Request [Initgroups by name #3]: Using domain [internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_check_ncache] (0x0400): Cache Request [Initgroups by name #3]: Checking negative cache for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/internal.ieeeglobalspec.com/mdiorio@internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_get_object] (0x0200): Cache Request [Initgroups by name #3]: Requesting info for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_cache_check] (0x0400): Cache Request [Initgroups by name #3]: [mdiorio(a)internal.ieeeglobalspec.com] entry is valid
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_cache_search] (0x0400): Cache Request [Initgroups by name #3]: Returning info for [mdiorio(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [cache_req_done] (0x0400): Cache Request [Initgroups by name #3]: Finished: Success
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(dataExpireTimestamp<=1485799511)(|(name=defaults)(sudoUser=ALL)(sudoUser=mdiorio(a)internal.ieeeglobalspec.com)(sudoUser=#1002201109)
--------------
Truncated group query
--------------
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_fetch_rules] (0x0400): Returning 0 rules for [mdiorio@internal.ieeeglobalspec.com(a)internal.ieeeglobalspec.com]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): error: [0]
(Mon Jan 30 13:05:11 2017) [sssd[sudo]] [sudosrv_build_response] (0x2000): rules_num: [0]
(Mon Jan 30 13:05:13 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Mon Jan 30 13:05:13 2017) [sssd[sudo]] [client_close_fn] (0x2000): Terminated client [0x7f95cfb03870][20]
One thing I do find strange is that it appears to be trying to find user@domain@domain
Any thoughts - I thought I had this all figured out, but I'm probably missing something simple.
Thanks!
7 years, 1 month
SSSD with AD issues with only certain users
by namanth@gmail.com
I am trying to diagnose a very weird problem. I have SSSD configured to connect to my domain. I have this working.
I can log in with a bunch of accounts, but not all accounts.
For instance.
[root@bscacad3 sssd]# getent passwd andersnj01
andersnj01:*:1533736219:1533633217:andersnj01:/home/bsclogon.buffalostate...
Jan 31 14:44:20 bscacad3 sshd[3641]: Accepted password for andersnj01 from 136.183.201.231 port 58620 ssh2
This account (andersnj01) can connect. It is in the same domain security group as the next one.
[root@bscacad3 sssd]# getent passwd kraatzn01
kraatzn01:*:1533844379:1533633217:kraatzn01:/home/bsclogon.buffalostate.e...
Jan 31 14:44:37 bscacad3 sshd[3687]: Failed password for kraatzn01 from 136.183.201.231 port 58624 ssh2
This account (kraatzn01) cannot log in. Again they are in the same security group.
Now to throw another layer on this. When I worked with this person directly and connected on the machine they were using, I was able to log in with his user/pass one time. As a matter of fact I could see that account was still logged in until I rebooted the machine, however when I went back to my machine it would refuse the login.
IPTABLES ports are open. All accounts in one security group can log in, some accounts in another security group cannot.
The auth line is:
ad_access_filter = (|(memberOf=CN=Linux_FacStaff,OU=Security Groups,DC=bsclogon,DC=buffalostate,DC=edu)(memberOf=CN=Linux_Student,OU=Security Groups,DC=bsclogon,DC=buffalostate,DC=edu))
both usernames above are part of the Linux_Student security group.
If you need any other conf files or any info, please let me know and I will respond as soon as i can.
Edit: I am sending this again, I am sorry about this. It says I didn't post anything, and I do not see it in the list of posted messages. If this is moderated and it is posted 2 times, please disregard this one. Again, new user, posting on the website, sorry for the inconvenience.
7 years, 1 month
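A point worth checking against the ad_access_filter in the post above: AD populates a user's memberOf attribute with direct group memberships only, so a plain (memberOf=...) clause denies anyone who is in Linux_Student or Linux_FacStaff only through a nested group, while AD's LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941) is evaluated by the domain controller itself and follows nesting. The Python below is an added example, not sssd code and not from the poster: a small RFC 4515 filter evaluator run over a constructed directory. The DNs, the example.edu domain, the users alice and bob, and the nested group Linux_Student_2017 are made up; the way the access check is scoped to the authenticating user is modelled on sssd's behaviour with the attribute names assumed. Nothing in the post shows that nesting is the cause of the failures there; the example only shows what the filter as written does and does not admit.

```python
"""Minimal RFC 4515 LDAP filter evaluator, used to check which users an
sssd ad_access_filter admits.  Added example, not sssd code.  Everything
in DIRECTORY is constructed; the matching-rule OID 1.2.840.113556.1.4.1941
(LDAP_MATCHING_RULE_IN_CHAIN) is real and is evaluated by AD itself."""

IN_CHAIN = "1.2.840.113556.1.4.1941"
GROUPS = "OU=Security Groups,DC=example,DC=edu"          # assumed domain
STUDENT = f"CN=Linux_Student,{GROUPS}"
FACSTAFF = f"CN=Linux_FacStaff,{GROUPS}"
STUDENT_2017 = f"CN=Linux_Student_2017,{GROUPS}"         # constructed nested group

# Constructed directory: DN -> lowercased attribute name -> values.
DIRECTORY = {
    STUDENT: {"objectclass": ["group"], "memberof": []},
    FACSTAFF: {"objectclass": ["group"], "memberof": []},
    STUDENT_2017: {"objectclass": ["group"], "memberof": [STUDENT]},
    "CN=alice,OU=Users,DC=example,DC=edu": {
        "objectclass": ["user"], "samaccountname": ["alice"],
        "memberof": [STUDENT]},             # direct member of Linux_Student
    "CN=bob,OU=Users,DC=example,DC=edu": {
        "objectclass": ["user"], "samaccountname": ["bob"],
        "memberof": [STUDENT_2017]},        # in Linux_Student only via nesting
}

def parse(text):
    """Parse an RFC 4515 filter string into a tree of tuples."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after position {end}")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":                                 # (&(..)(..)) or (|(..)(..))
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect_close(s, i)
    if s[i] == "!":                                  # (!(..))
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _expect_close(s, i)
    end = s.index(")", i)                            # values escape ')' as \29
    item = s[i:end]
    if ":=" in item:                                 # (attr:OID:=value)
        lhs, val = item.split(":=", 1)
        attr, _, rule = lhs.partition(":")
        return ("ext", attr.lower(), rule, val), end + 1
    attr, sep, val = item.partition("=")             # (attr=value) / (attr=*)
    if not sep:
        raise ValueError(f"no '=' in {item!r}")
    return ("=", attr.lower(), val), end + 1

def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1

def _closure(directory, dn, attr):
    """Values reachable by following attr transitively (nested memberOf)."""
    seen, todo = set(), list(directory.get(dn, {}).get(attr, []))
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(directory.get(v, {}).get(attr, []))
    return seen

def matches(node, dn, directory):
    kind = node[0]
    if kind == "&":
        return all(matches(k, dn, directory) for k in node[1])
    if kind == "|":
        return any(matches(k, dn, directory) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], dn, directory)
    if kind == "ext":
        _, attr, rule, val = node
        if rule != IN_CHAIN:
            raise ValueError(f"unsupported matching rule {rule}")
        return val.lower() in {v.lower() for v in _closure(directory, dn, attr)}
    _, attr, val = node
    values = directory[dn].get(attr, [])
    if val == "*":                                   # presence test
        return bool(values)
    return any(v.lower() == val.lower() for v in values)   # DNs/names: case-insensitive

def search(filt, directory=DIRECTORY):
    """DNs of every entry the filter selects."""
    tree = parse(filt)
    return sorted(dn for dn in directory if matches(tree, dn, directory))

def access_allowed(user, ad_access_filter, directory=DIRECTORY):
    """Model of sssd's access check: the admin filter is ANDed with the
    authenticating user's identity, so only that user's entry can satisfy it.
    (Scoping attributes are an assumption; sssd's exact wrapper may differ.)"""
    scoped = f"(&(sAMAccountName={user})(objectClass=user){ad_access_filter})"
    return bool(search(scoped, directory))

# The filter from the post: memberOf holds direct groups only.
DIRECT_FILTER = f"(|(memberOf={FACSTAFF})(memberOf={STUDENT}))"
# Same intent, but AD follows nested groups via LDAP_MATCHING_RULE_IN_CHAIN.
NESTED_FILTER = (f"(|(memberOf:{IN_CHAIN}:={FACSTAFF})"
                 f"(memberOf:{IN_CHAIN}:={STUDENT}))")

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, "direct:", access_allowed(name, DIRECT_FILTER),
              "nested:", access_allowed(name, NESTED_FILTER))
```

Run stand-alone, the script admits alice under both filters and bob only under the in-chain variant. The in-chain form is also how to write the filter for production: sssd sends ad_access_filter to the domain controller as part of the access-check search, so the transitive evaluation happens in AD and not on the client, and the 1.15.0 changelog entry above ("ad_access_filter search for nested groups") shows the nesting question has come up with this option before.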
Re: account not authenticating in child domain
by sonia.gilbert@hawaiianair.com
Thank you Justin.
Centos 7, sssd 1.13
Authentication with the consoleworks application uses a yubikey via authlite which basically makes it two-factor authentication. It appends the AD credential password with a onetime password.
I tried to login with yubikey and without and get two different errors.
With Yubikey (correct password):
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): krb5_child completed successfully
Without yubikey (wrong password):
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): krb5_child completed successfully
Would it help to remove it from the realm and rejoin it to the realm? I have another server where the authentication to the parent domain is working where this one is not. I have compared the configurations but can't find the difference.
Sonia Gilbert, -Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert@HawaiianAir.com
7 years, 1 month