Hi,
Attached are the log files, all taken for the same auth attempt.
Also, if this is due to a timeout, is there any setting to control that?
Thanks,
~ Abhi
On Thu, Jun 29, 2017 at 10:15:52AM -0400, Abhijit Tikekar wrote:
> Hi,
> Attached are the log files, all taken for the same auth attempt.
> Also, if this is due to a timeout, is there any setting to control that?

krb5_auth_timeout

but please do check the logs before setting a random timeout..
On 06/29/2017 10:15 AM, Abhijit Tikekar wrote:
> Hi,
> Attached are the log files, all taken for the same auth attempt.
In the krb5_child.log you can see:
(Thu Jun 29 08:49:23 2017) [[sssd[krb5_child[2358]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/hostname.def.xyz.local@ABC.XYZ.LOCAL].
(Thu Jun 29 08:49:23 2017) [[sssd[krb5_child[2358]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328154][Key version number for principal in key table is incorrect]
(Thu Jun 29 08:49:23 2017) [[sssd[krb5_child[2358]]]] [map_krb5_error] (0x0020): 1301: [-1765328154][Key version number for principal in key table is incorrect]
The error message here points to a kvno mismatch between the principal's entry in the keytab used for validation and the KDC.
You can try debugging further with:
# kdestroy -A
# kinit aduser@DEF.XYZ.LOCAL
# KRB5_TRACE=/dev/stdout kvno 'host/hostname.def.xyz.local@ABC.XYZ.LOCAL'
As a guess, it could be a problem with invalid entries in the keytab from repeated join attempts; a quick solution in this situation would be to try leaving the domain, removing /etc/krb5.keytab, and joining the domain again.
Note that validation is what failed here. Validation can be disabled temporarily, but for testing purposes only, because it should be enabled for security.
krb5_validate (boolean) Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. The keytab is checked for entries sequentially, and the first entry with a matching realm is used for validation. If no entry matches the realm, the last entry in the keytab is used. This process can be used to validate environments using cross-realm trust by placing the appropriate keytab entry as the last entry or the only entry in the keytab file.
Kind regards, Justin Stephenson
> Also, if this is due to a timeout, is there any setting to control that?
> Thanks,
> ~ Abhi
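An added example, not code from the thread or from sssd: an offline checker for the kvno mismatch discussed above. It parses the text output of `klist -kte` and `kvno` (the column layout assumed here is MIT krb5's; check it against your own output), applies the krb5_validate entry-selection rule quoted from the man page (first keytab entry whose realm matches the TGT's realm, otherwise the last entry) to decide which principal sssd will validate with, and then reports whether the keytab holds the key version the KDC currently issues for that principal and whether leftover entries from repeated joins are present. The sample keytab listing and `kvno` output embedded below are constructed, as are all principal names.

```python
"""Offline check for the failure in the thread: does the keytab hold the
kvno the KDC currently issues for the principal sssd validates against?
Added example, not sssd code. Assumes MIT krb5 `klist -kte` / `kvno` layout."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str

    @property
    def realm(self) -> str:
        return self.principal.rsplit("@", 1)[1]


# Constructed sample in the layout of `klist -kte /etc/krb5.keytab`: two
# earlier join attempts left kvno 2 and kvno 3 keys behind for the host.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/20/2017 09:10:11 host/hostname.def.xyz.local@ABC.XYZ.LOCAL (aes256-cts-hmac-sha1-96)
   2 06/20/2017 09:10:11 host/hostname.def.xyz.local@ABC.XYZ.LOCAL (aes128-cts-hmac-sha1-96)
   3 06/28/2017 17:42:05 host/hostname.def.xyz.local@ABC.XYZ.LOCAL (aes256-cts-hmac-sha1-96)
   3 06/28/2017 17:42:05 host/hostname.def.xyz.local@ABC.XYZ.LOCAL (aes128-cts-hmac-sha1-96)
"""

# Constructed sample in the layout of `kvno host/...` run after kinit: the KDC
# now issues kvno 4, so every key in the keytab above is stale.
SAMPLE_KVNO = "host/hostname.def.xyz.local@ABC.XYZ.LOCAL: kvno = 4\n"

# "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)\s*$")
# "<principal>: kvno = <n>"
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def parse_klist(text: str) -> list[KeytabEntry]:
    """Return keytab entries in file order (order matters for sssd's rule)."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_kvno(text: str) -> dict[str, int]:
    """Map principal -> kvno the KDC currently puts in service tickets."""
    result = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def select_validation_principal(entries: list[KeytabEntry], tgt_realm: str) -> str:
    """krb5_validate rule from the sssd.conf man page: first entry whose realm
    matches the TGT's realm, otherwise the last entry in the keytab."""
    if not entries:
        raise ValueError("keytab has no entries")
    for e in entries:
        if e.realm == tgt_realm:
            return e.principal
    return entries[-1].principal


def check_validation(entries: list[KeytabEntry], kdc_kvnos: dict[str, int],
                     tgt_realm: str) -> dict:
    """Report whether validation can succeed and whether stale keys linger."""
    principal = select_validation_principal(entries, tgt_realm)
    keytab_kvnos = sorted({e.kvno for e in entries if e.principal == principal})
    kdc_kvno = kdc_kvnos.get(principal)
    return {
        "principal": principal,
        "keytab_kvnos": keytab_kvnos,
        "kdc_kvno": kdc_kvno,
        # The library needs the key matching the ticket's kvno; missing it
        # yields "Key version number for principal in key table is incorrect".
        "ok": kdc_kvno in keytab_kvnos,
        # More than one kvno for the same principal: leftovers from re-joins.
        "stale_duplicates": len(keytab_kvnos) > 1,
    }


if __name__ == "__main__":
    # The user in the thread kinits as aduser@DEF.XYZ.LOCAL, so that is the
    # TGT realm; no keytab entry matches it, so the last entry is used.
    report = check_validation(parse_klist(SAMPLE_KLIST), parse_kvno(SAMPLE_KVNO),
                              "DEF.XYZ.LOCAL")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed it the captured text instead of the samples, e.g. `klist -kte /etc/krb5.keytab` and `kvno 'host/...'` after `kdestroy -A` and `kinit`; a report with `ok: False` is the condition the krb5_child.log above shows, and `stale_duplicates: True` supports the "leave, remove /etc/krb5.keytab, re-join" suggestion.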
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org