Hello,
I am experiencing some issues with this version of sssd in AD mode. I am
unable to connect to a computer. But when using the previous version on
another computer (sssd-1.11.6-30.el6.x86_64) it's working fine.
DC: Windows 2012R2
client 1: CentOS 6.6 - sssd-1.11.6-30.el6.x86_64
client 2: CentOS 6.7 - sssd-1.12.4-47.el6_7.7.x86_64
I am attaching the krb5_child.log file.
Has anyone got the same issues?
According to the logs the error happens during the validation of the
Kerberos ticket. For this, SSSD tries to get a service ticket for the
local client and checks whether this service ticket can be decrypted with the
keys from the local keytab.
It looks like the AD DC does not know about the service principal
'host/itserver05.mikros.int(a)EU.DOMAIN.COM'. This principal is typically
created when you join the AD domain. Is the name of the client where
authentication fails? How did you join the domain, did you use any special
options?
bye,
Sumit
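The validation step Sumit describes (AS exchange for the user, then a TGS request for the local host principal, then decryption with the keytab key) can be read off a krb5_child.log mechanically. The script below is an added example, not part of this thread or of SSSD: the sample lines are copied from the attached log and unwrapped, and the stage labels in diagnose() are my own.

```python
import re

# Constructed sample: entries copied from the krb5_child.log in this thread,
# unwrapped onto single lines and reduced to the ones the triage needs.
SAMPLE_LOG = """\
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x0100): cmd [241] uid [111111] gid [1111111] validate [true] enterprise principal [true] offline [false] UPN [mytest(a)EU.DOMAIN.COM]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677871: Decrypted AS reply; session key is: rc4-hmac/A720
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677957: Retrieving host/itserver05.mikros.int(a)EU.DOMAIN.COM from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678075: Requesting tickets for host/itserver05.mikros.int(a)EU.DOMAIN.COM, referrals on
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741706: TGS request result: -1765328377/Server not found in Kerberos database
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/itserver05.mikros.int(a)EU.DOMAIN.COM].
"""

# One regex per stage of the flow; the keytab one is pinned to the "(vno" text
# so it does not match the ccache lookups that also say "Retrieving ... from MEMORY:".
RE_UPN = re.compile(r"validate \[(\w+)\].*UPN \[([^\]]+)\]")
RE_AS_OK = re.compile(r"Decrypted AS reply")
RE_KEYTAB = re.compile(r"Retrieving (\S+) from MEMORY:(\S+) \(vno .*with result: (-?\d+)/")
RE_TGS = re.compile(r"TGS request result: (-?\d+)/(.*)")
RE_VALIDATE_FAIL = re.compile(r"TGT failed verification using key for \[([^\]]+)\]")

def triage(log_text):
    """Summarise how far krb5_child got: AS exchange, keytab lookup, TGS validation."""
    s = {"upn": None, "validate": None, "as_exchange_ok": False,
         "host_principal": None, "keytab_lookup": None,
         "tgs_errors": [], "validation_failed_for": None}
    for line in log_text.splitlines():
        m = RE_UPN.search(line)
        if m:
            s["validate"], s["upn"] = (m.group(1) == "true"), m.group(2)
        if RE_AS_OK.search(line):
            s["as_exchange_ok"] = True          # user password / preauth was accepted
        m = RE_KEYTAB.search(line)
        if m:
            s["host_principal"], s["keytab_lookup"] = m.group(1), int(m.group(3))
        m = RE_TGS.search(line)
        if m:                                   # one entry per TGS attempt (referrals on/off)
            s["tgs_errors"].append((int(m.group(1)), m.group(2).strip()))
        m = RE_VALIDATE_FAIL.search(line)
        if m:
            s["validation_failed_for"] = m.group(1)
    return s

def diagnose(s):
    """Name the stage that failed, in the order krb5_child runs them."""
    if not s["as_exchange_ok"]:
        return "AS exchange failed: password or preauth problem for %s" % s["upn"]
    if s["keytab_lookup"] not in (None, 0):
        return "keytab lookup failed: the local keytab has no usable host key"
    if s["validation_failed_for"]:
        code, msg = s["tgs_errors"][-1] if s["tgs_errors"] else (0, "unknown")
        return ("TGT validation failed: KDC returned %d (%s) for %s; "
                "check that this SPN exists on the computer object in AD"
                % (code, msg, s["validation_failed_for"]))
    return "authentication completed"
```

Feed a full log in and the verdict distinguishes a wrong user password (no "Decrypted AS reply") from a missing keytab key and from the case in this thread, where the KDC rejects the host principal.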
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main]
(0x0400): krb5_child started.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x1000): total
buffer size: [125]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x0100): cmd [241]
uid [111111] gid [1111111] validate [true] enterprise principal [true] offline [false] UPN
[mytest(a)EU.DOMAIN.COM]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x2000): No old
ccache
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x0100): ccname:
[KEYRING:persistent:111111] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [check_use_fast] (0x0100): Not
using FAST.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_precreate_ccache] (0x4000):
Recreating ccache
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [privileged_krb5_setup] (0x0080):
Cannot open the PAC responder socket
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [become_user] (0x0200): Trying to
become user [111111][1111111].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x2000): Running as
[111111][1111111].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_setup] (0x2000): Running as
[111111][1111111].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_lifetime_options] (0x0100):
Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_lifetime_options] (0x0100):
Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_canonicalize_option] (0x0100):
SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): Will perform
online auth
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [tgt_req_child] (0x1000):
Attempting to get a TGT
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [get_and_save_tgt] (0x0400):
Attempting kinit for realm [
EU.DOMAIN.COM]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.664492: Getting initial credentials for
mytest\@EU.DOMAIN.COM(a)EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.664581: Sending request (219 bytes) to
EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.664766: Sending initial UDP request to dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.665964: Received answer from dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.666054: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.666074: Received error from KDC: -1765328359/Additional
pre-authentication required
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.666129: Processing preauth types: 16, 15, 19, 2
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.666141: Selected etype info: etype aes256-cts, salt
"EU.DOMAIN.COMmytest", params ""
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.674366: AS key obtained for encrypted timestamp: aes256-cts/4CD3
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.674405: Encrypted timestamp (for 1457629646.674380): plain
301AA011180F32303136303331303137303732365AA10502030A4A4C, encrypted
9AB9B53DFE7ABD21B60679A76950A7CFF70A466FF4455D666D9788720BA9B7EA67F4A9A1C9CBB9DC9A09170ABCEFA1B1C811994E7BFF29AC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.674417: Preauth module encrypted_timestamp (2) (flags=1) returned:
0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.674428: Produced preauth for next request: 2
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.674443: Sending request (299 bytes) to
EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.674491: Sending initial UDP request to dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.675920: Received answer from dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.675993: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.676009: Received error from KDC: -1765328332/Response too big for UDP,
retry with TCP
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.676017: Request or response is too big for UDP; retrying with TCP
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.676023: Sending request (299 bytes) to
EU.DOMAIN.COM (tcp only)
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.676055: Initiating TCP connection to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.676340: Sending TCP request to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677624: Received answer from stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677685: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677734: Processing preauth types: 19
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677756: Selected etype info: etype aes256-cts, salt
"EU.DOMAIN.COMmytest", params ""
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677763: Produced preauth for next request: (empty)
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677788: AS key determined by preauth: aes256-cts/4CD3
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677871: Decrypted AS reply; session key is: rc4-hmac/A720
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677901: FAST negotiation: unavailable
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_krb5_expire_callback_func]
(0x2000): exp_time: [4314436]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] (0x2000): Found
keytab entry with the realm of the credential.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677957: Retrieving host/itserver05.mikros.int(a)EU.DOMAIN.COM from
MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677966: Resolving unique ccache of type MEMORY
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677980: Initializing MEMORY:ZIyWoF4 with default princ
mytest(a)EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677989: Removing mytest(a)EU.DOMAIN.COM ->
krbtgt/EU.DOMAIN.COM(a)EU.DOMAIN.COM from MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.677996: Storing mytest(a)EU.DOMAIN.COM ->
krbtgt/EU.DOMAIN.COM(a)EU.DOMAIN.COM in MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678029: Getting credentials mytest(a)EU.DOMAIN.COM ->
host/itserver05.mikros.int(a)EU.DOMAIN.COM using ccache MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678049: Retrieving mytest(a)EU.DOMAIN.COM ->
host/itserver05.mikros.int(a)EU.DOMAIN.COM from MEMORY:ZIyWoF4 with result:
-1765328243/Matching credential not found
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678062: Retrieving mytest(a)EU.DOMAIN.COM ->
krbtgt/EU.DOMAIN.COM(a)EU.DOMAIN.COM from MEMORY:ZIyWoF4 with result: 0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678069: Found cached TGT for service realm: mytest(a)EU.DOMAIN.COM ->
krbtgt/EU.DOMAIN.COM(a)EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678075: Requesting tickets for host/itserver05.mikros.int(a)EU.DOMAIN.COM,
referrals on
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678089: Generated subkey for TGS request: rc4-hmac/4993
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678098: etypes requested in TGS request: aes256-cts, aes128-cts,
des3-cbc-sha1, rc4-hmac
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678185: Sending request (1683 bytes) to
EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678249: Initiating TCP connection to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.678480: Sending TCP request to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741482: Received answer from stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741654: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741706: TGS request result: -1765328377/Server not found in Kerberos
database
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741718: Requesting tickets for host/itserver05.mikros.int(a)EU.DOMAIN.COM,
referrals off
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741769: Generated subkey for TGS request: rc4-hmac/2A08
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741784: etypes requested in TGS request: aes256-cts, aes128-cts,
des3-cbc-sha1, rc4-hmac
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741859: Sending request (1683 bytes) to
EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.741913: Initiating TCP connection to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.742169: Sending TCP request to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.805000: Received answer from stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.805208: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.805261: TGS request result: -1765328377/Server not found in Kerberos
database
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000):
[9342] 1457629646.805312: Destroying ccache MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] (0x0020): TGT failed
verification using key for [host/itserver05.mikros.int(a)EU.DOMAIN.COM].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [get_and_save_tgt] (0x0020): 1007:
[-1765328377][Server not found in Kerberos database]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [map_krb5_error] (0x0020): 1069:
[-1765328377][Server not found in Kerberos database]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_send_data] (0x0200): Received
error code 1432158209
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [pack_response_packet] (0x2000):
response packet size: [20]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_send_data] (0x4000): Response
sent.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): krb5_child
completed successfully
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org