On 03/30/2015 01:55 AM, Jakub Hrozek wrote:
> On Fri, Mar 27, 2015 at 10:09:43PM +0100, Lukas Slebodnik wrote:
>> On (27/03/15 14:01), Orion Poplawski wrote:
>>> (Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback]
>>> (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>> I know that you fixed your problem, but PAM error code 4 (System error)
>> should not happen in sssd. It means some serious problem.
>>
>> It can be related to the previous debug message "krb5_auth_recv request
>> failed."
>>
>> Could you provide domain log file and krb5_child.log with enabled verbose
>> logging? (put debug_level = 0xfff0 into domain section.)
> Yes, in addition, it would be nice to see the output of
> KRB5_TRACE=/dev/stderr kinit -E -C orion@ad.nwra.com
> Also, the UPN attribute of your user is really "Orion Poplawski@AD.NWRA.COM" ?
I reset the UPN attribute back to this, so:
# KRB5_TRACE=/dev/stderr kinit -E -C orion@ad.nwra.com
[14682] 1427923299.541804: Getting initial credentials for orion\@ad.nwra.com@AD.NWRA.COM
[14682] 1427923299.542508: Sending request (177 bytes) to AD.NWRA.COM
[14682] 1427923299.544866: Resolving hostname XXXX.ad.nwra.com.
[14682] 1427923299.546848: Sending initial UDP request to dgram X.X.X.X:88
[14682] 1427923299.595880: Received answer (181 bytes) from dgram X.X.X:88
[14682] 1427923299.597244: Response was not from master KDC
[14682] 1427923299.597840: Received error from KDC: -1765328359/Additional pre-authentication required
[14682] 1427923299.598759: Processing preauth types: 16, 15, 19, 2
[14682] 1427923299.599345: Selected etype info: etype aes256-cts, salt "NWRA.LOCALorion", params ""
Password for orion\@ad.nwra.com@AD.NWRA.COM:
[14682] 1427923307.894606: AS key obtained for encrypted timestamp: aes256-cts/EB95
[14682] 1427923307.895120: Encrypted timestamp (for 1427923308.62326): plain 301AA011180F32303135303430313231323134385AA105020300F376, encrypted A0B0AD5BD340BBB7F2D4AC53F36AAF5BA7C3015EECCF8BA45AD9E7588402CCCEBD4AE88675FB49C17552BC867B0B7A2858A20B03E6538456
[14682] 1427923307.895352: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[14682] 1427923307.895803: Produced preauth for next request: 2
[14682] 1427923307.896316: Sending request (255 bytes) to AD.NWRA.COM
[14682] 1427923307.898545: Resolving hostname XXXXX.ad.nwra.com.
[14682] 1427923307.899718: Sending initial UDP request to dgram X.X.X.X:88
[14682] 1427923307.965212: Received answer (94 bytes) from dgram X.X.X.X:88
[14682] 1427923307.966477: Response was not from master KDC
[14682] 1427923307.967176: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[14682] 1427923307.967478: Request or response is too big for UDP; retrying with TCP
[14682] 1427923307.968229: Sending request (255 bytes) to AD.NWRA.COM (tcp only)
[14682] 1427923307.969800: Resolving hostname XXXXXX.ad.nwra.com.
[14682] 1427923307.972228: Initiating TCP connection to stream X.X.X.X:88
[14682] 1427923308.15548: Sending TCP request to stream X.X.X.X:88
[14682] 1427923308.104200: Received answer (1503 bytes) from stream X.X.X.X:88
[14682] 1427923308.104497: Terminating TCP connection to stream X.X.X.X:88
[14682] 1427923308.106137: Response was not from master KDC
[14682] 1427923308.106752: Processing preauth types: 19
[14682] 1427923308.107281: Selected etype info: etype aes256-cts, salt "NWRA.LOCALorion", params ""
[14682] 1427923308.107819: Produced preauth for next request: (empty)
[14682] 1427923308.108421: AS key determined by preauth: aes256-cts/EB95
[14682] 1427923308.109253: Decrypted AS reply; session key is: aes256-cts/300B
[14682] 1427923308.109691: FAST negotiation: unavailable
[14682] 1427923308.110190: Initializing KEYRING:persistent:0:0 with default princ orion@AD.NWRA.COM
[14682] 1427923308.110709: Removing orion@AD.NWRA.COM -> krbtgt/AD.NWRA.COM@AD.NWRA.COM from KEYRING:persistent:0:0
[14682] 1427923308.111274: Storing orion@AD.NWRA.COM -> krbtgt/AD.NWRA.COM@AD.NWRA.COM in KEYRING:persistent:0:0
[14682] 1427923308.111718: Storing config in KEYRING:persistent:0:0 for krbtgt/AD.NWRA.COM@AD.NWRA.COM: pa_type: 2
[14682] 1427923308.111953: Removing orion@AD.NWRA.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/AD.NWRA.COM\@AD.NWRA.COM@X-CACHECONF: from KEYRING:persistent:0:0
[14682] 1427923308.112255: Storing orion@AD.NWRA.COM -> krb5_ccache_conf_data/pa_type/krbtgt\/AD.NWRA.COM\@AD.NWRA.COM@X-CACHECONF: in KEYRING:persistent:0:0
So one interesting thing I see is mention of NWRA.LOCAL. This is what our AD
domain used to be before we renamed it AD.NWRA.COM, so perhaps there are still
some remnants in there.
Also, while the UPN was Orion Poplawski(a)AD.NWRA.COM, the "pre-2000" logon name
was still "NWRA\orion".
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
http://www.nwra.com
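The two things worth pulling out of a KRB5_TRACE run like the one above are the principal/realm the AS-REQ was sent for, the salt the KDC handed back in the etype-info (here "NWRA.LOCALorion", which still carries the pre-rename realm), and the RESPONSE_TOO_BIG error that forces the fall-back to TCP. The following is an added example, not code from this thread or from sssd/MIT krb5: a small parser that reads trace lines, splits the enterprise principal at its last unescaped "@", and flags a salt whose realm-looking prefix does not match the realm of the request, plus the UDP-to-TCP retry. The sample trace embedded in it is constructed, modelled on the lines posted above; the "realm prefix" heuristic (leading run of upper-case letters, digits and dots, matching the default REALM+name salt layout) is an assumption and will over-match a user name that itself starts with capitals.

```python
import re

# Constructed sample, modelled on the KRB5_TRACE output posted in this thread.
SAMPLE_TRACE = r"""[14682] 1427923299.541804: Getting initial credentials for orion\@ad.nwra.com@AD.NWRA.COM
[14682] 1427923299.542508: Sending request (177 bytes) to AD.NWRA.COM
[14682] 1427923299.597840: Received error from KDC: -1765328359/Additional pre-authentication required
[14682] 1427923299.598759: Processing preauth types: 16, 15, 19, 2
[14682] 1427923299.599345: Selected etype info: etype aes256-cts, salt "NWRA.LOCALorion", params ""
[14682] 1427923307.967176: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[14682] 1427923308.109253: Decrypted AS reply; session key is: aes256-cts/300B
[14682] 1427923308.110190: Initializing KEYRING:persistent:0:0 with default princ orion@AD.NWRA.COM
"""

# "[pid] seconds.micros: message" is the fixed shape of every KRB5_TRACE line.
LINE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
CREDS_RE = re.compile(r"^Getting initial credentials for (?P<princ>.+)$")
ETYPE_RE = re.compile(r'^Selected etype info: etype (?P<etype>\S+), salt "(?P<salt>[^"]*)"')
KDCERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$")
REPLY_RE = re.compile(r"^Decrypted AS reply")

KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332  # the code shown in the trace above


def split_principal(princ):
    """Split 'name@REALM' at the last unescaped '@' and unescape '\\@' in the name.

    An enterprise principal (kinit -E) looks like 'user\\@upn.suffix@REALM'."""
    for i in range(len(princ) - 1, -1, -1):
        if princ[i] == "@" and (i == 0 or princ[i - 1] != "\\"):
            return princ[:i].replace("\\@", "@"), princ[i + 1:]
    return princ, ""


def salt_realm_prefix(salt):
    """Heuristic (assumption): the default salt is REALM + principal name, so the
    leading upper-case/digit/dot run is the realm the key was salted with."""
    m = re.match(r"[A-Z0-9.\-]+", salt)
    return m.group(0) if m else ""


def analyze_trace(text):
    """Extract principal, realm, salts and KDC errors; derive findings."""
    result = {"principal": None, "name": None, "realm": None, "salts": [],
              "kdc_errors": [], "as_reply_decrypted": False, "findings": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        c = CREDS_RE.match(msg)
        if c:
            result["principal"] = c.group("princ")
            result["name"], result["realm"] = split_principal(c.group("princ"))
            continue
        e = ETYPE_RE.match(msg)
        if e:
            result["salts"].append((e.group("etype"), e.group("salt")))
            continue
        k = KDCERR_RE.match(msg)
        if k:
            result["kdc_errors"].append((int(k.group("code")), k.group("text")))
            continue
        if REPLY_RE.match(msg):
            result["as_reply_decrypted"] = True

    realm = result["realm"] or ""
    for etype, salt in result["salts"]:
        prefix = salt_realm_prefix(salt)
        if realm and prefix and prefix != realm:
            result["findings"].append(
                f"salt for {etype} starts with {prefix!r}, not the AS-REQ realm {realm!r}: "
                "possible leftover from a realm/domain rename")
    if any(code == KRB5KRB_ERR_RESPONSE_TOO_BIG for code, _ in result["kdc_errors"]):
        result["findings"].append(
            "KDC answered RESPONSE_TOO_BIG: the AS-REP did not fit in UDP and the client "
            "retries over TCP, so 88/tcp to the KDC must be reachable")
    return result


if __name__ == "__main__":
    r = analyze_trace(SAMPLE_TRACE)
    print(f"principal {r['name']} in realm {r['realm']}, AS-REP decrypted: {r['as_reply_decrypted']}")
    for f in r["findings"]:
        print("finding:", f)
```

Feed it `KRB5_TRACE=/dev/stderr kinit -E -C user@upn.suffix 2>&1 | python3 trace_check.py`-style output (after replacing SAMPLE_TRACE with stdin) on a real host; a salt-realm mismatch by itself does not stop kinit, as the trace above shows, but it is the quickest way to spot which accounts still carry keys salted under the old realm name.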