On Tue, 2017-05-23 at 10:11 +0200, Joakim Tjernlund wrote:
On Mon, 2017-05-22 at 22:29 +0200, Lukas Slebodnik wrote:
> On (22/05/17 14:53), Joakim Tjernlund wrote:
> > > The time is not synchronised between client and server.
> > > MIT krb5 can handle small offset. But I would highly recommend
> > > to keep time in sync.
> >
> > There is some time problem on and off but this has never been too much. I don't
> > think this was the root problem here ?
> >
>
> As I already mentioned, I would highly recommend to keep time in sync.
> It will reduce possible errors.
>
> Configuring ntpd/chrony on client and server is not rocket science :-)
Sure, no rocket science but I have little control over the AD servers. :(
Anyhow, I did a "net ads info" and it came back with Server time offset: 0
so I don't think there is a time difference (or very small)?
The clients are already on NTP.
>
>
> > > Renewing of a ticket failed because it is already expired.
> > > Maybe due to time shift between client and server(KDC)
> >
> > Yes, it is expired to begin with. I got a ticket, then suspended the computer long enough for
> > the ticket to expire (10 hours here) and then woke up and unlocked the screen.
> > The problem is that sssd never tries to get a new ticket using my creds I gave when unlocking.
> > Even if I do several lock/unlocks after the network is restored, sssd will not get me a new ticket.
> >
>
> sssd would get a new ticket if it was in online mode.
> But it is in offline mode.
>
> I would highly recommend to keep time in sync with server
> and then debug why sssd was in offline mode.
> Or why it went to offline mode.
>
> With 1.15 you can use sssctl e.g.
I did run sssctl domain-status infinera.com and it came back with:
Unable to get online status [3]: Communication error
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Check that SSSD is running and the InfoPipe responder is enabled. Make sure 'ifp' is listed in the 'services' option in sssd.conf.
Unable to get online status
I then just added 'ifp' to 'services' and restarted sssd and now it works:
sssctl domain-status infinera.com
Online status: Online
Active servers:
AD Global Catalog: not connected
AD Domain Controller: se-dc01.infinera.com
.....
Could the problem I saw be related to not having ifp in services ?
I will check again when the ticket expires again.
Jocke
On another machine I added ifp to services and just reloaded the sssd config (signal HUP to sssd) and
just got this in the domain log:
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_primary_server_timeout] (0x0400):
Looking for primary server!
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [fo_resolve_service_send] (0x0100):
Trying to resolve service 'AD'
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status
of server 'se-dc02.infinera.com' is 'working'
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_port_status] (0x1000): Port
status of port 0 for server 'se-dc02.infinera.com' is 'not working'
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_port_status] (0x0080): SSSD is
unable to complete the full connection request, this internal status does not necessarily
indicate network port issues.
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_port_status] (0x0100): Resetting
the status of port 0 for server 'se-dc02.infinera.com'
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [fo_resolve_service_activate_timeout]
(0x2000): Resolve timeout set to 6 seconds
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status
of server 'se-dc02.infinera.com' is 'working'
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x1000):
Saving the first resolved server
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x0200):
Found address for server
se-dc02.infinera.com: [10.210.34.22] TTL 3600
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [ad_resolve_callback] (0x0100):
Constructed uri 'ldap://se-dc02.infinera.com'
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [ad_resolve_callback] (0x0100):
Constructed GC uri 'ldap://se-dc02.infinera.com'
(Tue May 23 10:15:29 2017) [sssd[be[infinera.com]]] [be_run_reconnect_cb] (0x0400):
Reconnecting. Running callbacks.
and later
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_kinit_send] (0x0400): Attempting
kinit (default, GENTOO-LABBB$,
INFINERA.COM, 86400)
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_kinit_next_kdc] (0x1000):
Resolving next KDC for service AD
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_resolve_service_send] (0x0100):
Trying to resolve service 'AD'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status
of server 'se-dc02.infinera.com' is 'name resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [get_port_status] (0x1000): Port
status of port 0 for server 'se-dc02.infinera.com' is 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_resolve_service_activate_timeout]
(0x2000): Resolve timeout set to 6 seconds
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [get_server_status] (0x1000): Status
of server 'se-dc02.infinera.com' is 'name resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x1000):
Saving the first resolved server
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_resolve_server_process] (0x0200):
Found address for server
se-dc02.infinera.com: [10.210.34.22] TTL 3600
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_kinit_kdc_resolved] (0x1000):
KDC resolved, attempting to get TGT...
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [create_tgt_req_send_buffer] (0x0400):
buffer size: 49
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_handler_setup] (0x2000):
Setting up signal handler up for pid [30118]
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_handler_setup] (0x2000): Signal
handler set up for pid [30118]
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_tgt_child_timeout] (0x0400):
Setting 6 seconds timeout for tgt child
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_process_result] (0x2000): Trace:
sh[0x9cadd0], connected[1], ops[(nil)], ldap[0x990c40]
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_process_result] (0x2000): Trace:
end of ldap_result list
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [write_pipe_handler] (0x0400): All
data has been sent!
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_sig_handler] (0x1000): Waiting
for child [30118].
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [child_sig_handler] (0x0100): child
[30118] finished successfully.
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [read_pipe_handler] (0x0400): EOF
received, client finished
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_get_tgt_recv] (0x0400): Child
responded: 0 [
FILE:/var/lib/sss/db/ccache_INFINERA.COM], expired on [1495563696]
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_cli_auth_step] (0x0100): expire
timeout is 900
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_cli_auth_step] (0x1000): the
connection will expire at 1495528596
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sasl_bind_send] (0x0100): Executing
sasl bind mech: GSSAPI, user: GENTOO-LABBB$
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_cli_connect_recv] (0x0400):
Connection established.
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [_be_fo_set_port_status] (0x8000):
Setting status: PORT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c:
sdap_cli_connect_recv: 2067
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'se-dc02.infinera.com' as 'working'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'se-dc02.infinera.com' as 'working'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'se-dc02.infinera.com' as 'working'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sdap_handle_release] (0x2000): Trace:
sh[0x9cadd0], connected[1], ops[(nil)], ldap[0x990c40], destructor_lock[0],
release_memory[0]
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [remove_connection_callback] (0x4000):
Successfully removed connection callback.
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [dp_req_done] (0x0400): DP Request
[Online Check #83]: Request handler finished [0]: Success
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [_dp_req_recv] (0x0400): DP Request
[Online Check #83]: Receiving request data.
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [dp_req_destructor] (0x0400): DP
Request [Online Check #83]: Request removed.
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [dp_req_destructor] (0x0400): Number
of active DP request: 0
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_check_online_done] (0x0400): Error
during online check [0]: Success
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_reset_services] (0x1000):
Resetting all servers in all services
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'se-dc02.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'se-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'se-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'se-dc01.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'se-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'se-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'sv-dc02.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'sv-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'sv-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'sv-dc01.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'sv-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'sv-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'se-dc02.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'se-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'se-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'se-dc01.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'se-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'se-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'sv-dc02.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'sv-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'sv-dc02.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [set_server_common_status] (0x0100):
Marking server 'sv-dc01.infinera.com' as 'name not resolved'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'sv-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [fo_set_port_status] (0x0400): Marking
port 0 of duplicate server 'sv-dc01.infinera.com' as 'neutral'
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [reactivate_subdoms] (0x1000):
Resetting all subdomains
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [sss_domain_get_state] (0x1000):
Domain
infinera.com is Active
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_disable] (0x0400): Task
[Check if online (periodic)]: disabling task
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_run_online_cb] (0x0080): Going
online. Running callbacks.
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_online_cb] (0x0400): Back
end is online
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_enable] (0x0400): Task
[Subdomains Refresh]: enabling task
(Tue May 23 10:21:36 2017) [sssd[be[infinera.com]]] [be_ptask_schedule] (0x0400): Task
[Subdomains Refresh]: scheduling task 0 seconds from now [1495527696]
but krb5_child log just repeats:
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [renew_tgt_child] (0x1000):
Renewing a ticket
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.638731: Retrieving jocke(a)INFINERA.COM ->
krbtgt/INFINERA.COM(a)INFINERA.COM from FILE:/tmp/krb5cc_1001 with result: 0/Success
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.638747: Get cred via TGT krbtgt/INFINERA.COM(a)INFINERA.COM after
requesting krbtgt/INFINERA.COM(a)INFINERA.COM (canonicalize off)
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.638788: Generated subkey for TGS request: aes256-cts/3F94
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.638841: etypes requested in TGS request: aes256-cts, aes128-cts,
des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.638944: Encoding request body and padata into FAST request
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.639036: Sending request (1901 bytes) to
INFINERA.COM
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.639179: Resolving hostname
se-dc01.infinera.com
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.639483: Initiating TCP connection to stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.639888: Sending TCP request to stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.640356: Received answer (123 bytes) from stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.640375: Terminating TCP connection to stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.640416: Response was not from master KDC
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [sss_child_krb5_trace_cb] (0x4000):
[30164] 1495527829.640436: Got cred; -1765328352/Ticket expired
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [map_krb5_error] (0x0020): 1643:
[-1765328352][Ticket expired]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [k5c_send_data] (0x0200): Received
error code 1432158229
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [pack_response_packet] (0x2000):
response packet size: [4]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [k5c_send_data] (0x4000): Response
sent.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [main] (0x0400): krb5_child
completed successfully
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x0400): krb5_child
started.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [unpack_buffer] (0x1000): total
buffer size: [154]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [unpack_buffer] (0x0100): cmd [248]
uid [1001] gid [100] validate [true] enterprise principal [false] offline [false] UPN
[jocke(a)INFINERA.COM]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_1001] old_ccname: [FILE:/tmp/krb5cc_1001] keytab: [/etc/krb5.keytab]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [check_use_fast] (0x0100): Not
using FAST.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [switch_creds] (0x0200): Switch
user to [1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_krb5_cc_verify_ccache]
(0x2000): TGT not found or expired.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [switch_creds] (0x0200): Switch
user to [0][0].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_check_old_ccache] (0x4000):
Ccache_file is [FILE:/tmp/krb5cc_1001] and is active and TGT is valid.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [privileged_krb5_setup] (0x0080):
Cannot open the PAC responder socket
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [become_user] (0x0200): Trying to
become user [1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x2000): Running as
[1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_setup] (0x2000): Running as
[1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [set_lifetime_options] (0x0100):
Renewable lifetime is set to [7d]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [set_lifetime_options] (0x0100):
Lifetime is set to [24h]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [set_canonicalize_option] (0x0100):
Canonicalization is set to [true]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x0400): Will perform
ticket renewal
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [renew_tgt_child] (0x1000):
Renewing a ticket
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.647807: Retrieving jocke(a)INFINERA.COM ->
krbtgt/INFINERA.COM(a)INFINERA.COM from FILE:/tmp/krb5cc_1001 with result: 0/Success
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.647819: Get cred via TGT krbtgt/INFINERA.COM(a)INFINERA.COM after
requesting krbtgt/INFINERA.COM(a)INFINERA.COM (canonicalize off)
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.647845: Generated subkey for TGS request: aes256-cts/37F1
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.647884: etypes requested in TGS request: aes256-cts, aes128-cts,
des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.647941: Encoding request body and padata into FAST request
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.647990: Sending request (1901 bytes) to
INFINERA.COM
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.648096: Resolving hostname
se-dc01.infinera.com
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.648529: Initiating TCP connection to stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.648973: Sending TCP request to stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.649464: Received answer (123 bytes) from stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.649480: Terminating TCP connection to stream 10.210.34.21:88
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.649516: Response was not from master KDC
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_child_krb5_trace_cb] (0x4000):
[30165] 1495527829.649532: Got cred; -1765328352/Ticket expired
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [map_krb5_error] (0x0020): 1643:
[-1765328352][Ticket expired]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_send_data] (0x0200): Received
error code 1432158229
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [pack_response_packet] (0x2000):
response packet size: [4]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [k5c_send_data] (0x4000): Response
sent.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x0400): krb5_child
completed successfully
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [main] (0x0400): krb5_child
started.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [unpack_buffer] (0x1000): total
buffer size: [154]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [unpack_buffer] (0x0100): cmd [248]
uid [1001] gid [100] validate [true] enterprise principal [false] offline [false] UPN
[jocke(a)INFINERA.COM]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_1001] old_ccname: [FILE:/tmp/krb5cc_1001] keytab: [/etc/krb5.keytab]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [check_use_fast] (0x0100): Not
using FAST.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [switch_creds] (0x0200): Switch
user to [1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [sss_krb5_cc_verify_ccache]
(0x2000): TGT not found or expired.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [switch_creds] (0x0200): Switch
user to [0][0].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [k5c_check_old_ccache] (0x4000):
Ccache_file is [FILE:/tmp/krb5cc_1001] and is active and TGT is valid.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [privileged_krb5_setup] (0x0080):
Cannot open the PAC responder socket
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [become_user] (0x0200): Trying to
become user [1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [main] (0x2000): Running as
[1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [k5c_setup] (0x2000): Running as
[1001][100].
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [set_lifetime_options] (0x0100):
Renewable lifetime is set to [7d]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [set_lifetime_options] (0x0100):
Lifetime is set to [24h]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [set_canonicalize_option] (0x0100):
Canonicalization is set to [true]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [main] (0x0400): Will perform
ticket renewal
The network is just fine.
Jocke
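
Added example, not part of the original thread and not SSSD code: a small Python parser that undoes the e-mail line wrapping of the krb5_child log quoted above and reports, per child PID, whether the ccache was seen as expired, whether a renewal was attempted, and which krb5 error came back. The function names are illustrative, and the sample is an excerpt of the log lines in the post.

```python
import re

# Start of a record: "(Tue May 23 10:23:49 2017) ..."; anything else is a wrapped continuation.
RECORD_START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) ")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]{4})\): (?P<msg>.*)$"
)
KRB5_ERROR = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]")  # "[-1765328352][Ticket expired]"

# Excerpt of the krb5_child log from the post, e-mail line wrapping left in place.
SAMPLE = """\
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [renew_tgt_child] (0x1000):
Renewing a ticket
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [map_krb5_error] (0x0020): 1643:
[-1765328352][Ticket expired]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [main] (0x0400): krb5_child
completed successfully
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [sss_krb5_cc_verify_ccache]
(0x2000): TGT not found or expired.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [main] (0x0400): Will perform
ticket renewal
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [renew_tgt_child] (0x1000):
Renewing a ticket
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30165]]]] [map_krb5_error] (0x0020): 1643:
[-1765328352][Ticket expired]
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [sss_krb5_cc_verify_ccache]
(0x2000): TGT not found or expired.
(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30166]]]] [main] (0x0400): Will perform
ticket renewal
"""

def unwrap(text):
    """Join hard-wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Return {pid: {'ccache_expired', 'renewal', 'error'}} for each krb5_child seen."""
    children = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        state = children.setdefault(
            int(m["pid"]), {"ccache_expired": False, "renewal": False, "error": None})
        func, msg = m["func"], m["msg"]
        if func == "sss_krb5_cc_verify_ccache" and "expired" in msg:
            state["ccache_expired"] = True
        elif msg in ("Renewing a ticket", "Will perform ticket renewal"):
            state["renewal"] = True
        elif func == "map_krb5_error":
            err = KRB5_ERROR.search(msg)
            if err:
                state["error"] = (int(err.group(1)), err.group(2))
    return children

def failed_renewals(text):
    """PIDs whose renewal attempt came back with 'Ticket expired'."""
    return sorted(pid for pid, s in summarize(text).items()
                  if s["renewal"] and s["error"] and s["error"][1] == "Ticket expired")

if __name__ == "__main__":
    for pid, state in summarize(SAMPLE).items():
        print(pid, state)
    print("renewals rejected as expired:", failed_renewals(SAMPLE))
```
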