hi guys
I think it was asked on the list before but I still cannot find the thread.
Should AD's users be able to log in to IPA's clients (non-replica) in a pretty vanilla setup? Those users can log in to IPA masters OK.
I have not created any HBACs yet, nor added new hostgroups etc.
When I ssh to IPA's client that client denies that user & shows:
pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)
...
many thanks, L.
On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users wrote:
Hi,
'Permission denied' is typically returned during the PAM access control step 'pam_sss(sshd:account)'. For auth there should be only a few cases, like an expired user in AD, but in that case login to the IPA masters shouldn't work either.
Please add 'debug_level=9' at least to the [pam] and [domain/...] sections of sssd.conf on the client, restart SSSD, try to authenticate and send the logs from /var/log/sssd.
bye, Sumit
pub   rsa2048 2019-01-17 [SC] [expires: 2020-01-17]
      93059F241EEEE1D0769A85F455918ABF21224EBA
uid           lejeczek peljasz@yahoo.co.uk
sub   rsa2048 2019-01-17 [E] [expires: 2020-01-17]
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 19/06/2019 07:46, Sumit Bose via FreeIPA-users wrote:
hi,
before I dump the whole lot of logs, this is a snippet from the moment ssh auth fails, after debug_level=9:
..
k,cn=users,cn=mine.private,cn=sysdb] has set [ts_cache] attrs.
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [krb5_auth_done] (0x0100): Backend is marked offline, retry later!
(Wed Jun 19 08:19:13 2019) [sssd[be[ipa.mine.private]]] [check_wait_queue] (0x1000): Wait queue for user [pawel@mine.private] is empty.
..
does the above give out any clues?
many thanks, L.
On Wed, Jun 19, 2019 at 09:26:30AM +0100, lejeczek via FreeIPA-users wrote:
Do you see a message like 'Timeout for child [1234] reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout.' before the ones you have sent? If that's the case please add
krb5_auth_timeout = 30
to the [domain/...] section of sssd.conf, restart SSSD and try again. Please note that SSSD does more than just authenticating the user by requesting a Kerberos ticket; the ticket is validated as well, which causes additional requests to the IPA server and AD DCs. This might need a bit longer than the default timeout of 6s.
HTH
bye, Sumit
On 19/06/2019 10:09, Sumit Bose via FreeIPA-users wrote:
both masters & clients are on the same net fabric. I fear it's something more complex, I've emailed you zipped logs.
To add: PuTTY from the AD DC does ssh to IPA's clients successfully with GSSAPI, the same clients which fail when no GSSAPI but a password is used.
many thanks, L.
On Wed, Jun 19, 2019 at 12:34:54PM +0100, lejeczek via FreeIPA-users wrote:
both masters & clients are on the same net fabric. I fear it's something more complex, I've emailed you zipped logs.
Thanks for the logs. The important message is "Cannot find KDC for realm ...". I guess that you have 'dns_lookup_kdc = false' in /etc/krb5.conf. Typically ipa-client-install will set this to 'dns_lookup_kdc = true', but there are some conditions where it might leave it at 'false'. Please try to set it to 'true' and try again.
If you have set it to 'false' on purpose because you do not want to use DNS to resolve KDCs of other realms, you have to add an entry in the [realms] section for the realm listed in the error message and add at least one 'kdc = fully.qualified.name.or.ip.of.a.kdc.of.the.realm' line in this entry.
HTH
bye, Sumit
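The two krb5.conf conditions Sumit describes above (dns_lookup_kdc on, or a static 'kdc =' entry for the realm) can be checked mechanically. The following is an added example, not code from the thread, from SSSD or from MIT Kerberos: a minimal parser for krb5.conf's [section] and 'key = { ... }' syntax plus a function that lists how libkrb5 could locate a KDC for a given realm. REPORTED_CONF is the file posted later in the thread; the AD realm name AD.MINE.PRIVATE and the KDC host dc1.ad.mine.private in the other two samples are assumptions, not values from the thread.

```python
"""Check whether /etc/krb5.conf lets a client locate a KDC for a realm.

Added example, not code from the thread or from MIT Kerberos/FreeIPA: a small
parser for krb5.conf's [section] + 'key = { ... }' syntax and the check Sumit
describes. libkrb5 can find a KDC for a realm if dns_lookup_kdc is true (the MIT
default) or if [realms] has a block for that realm with at least one 'kdc =' line.
REPORTED_CONF is the file the reporter posted; the AD realm name AD.MINE.PRIVATE
and the KDC host dc1.ad.mine.private in the other samples are assumptions.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Return {section: {key: [values] or {subkey: [values]}}}.

    'include'/'includedir' lines before the first section go under '_directives'.
    Repeated keys (several 'kdc =' lines) accumulate in a list. '{ ... }' blocks
    are handled one level deep, which is what [realms] and [capaths] need.
    """
    conf = {"_directives": []}
    section, block = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":                            # end of a nested block
            block = None
            continue
        if section is None:
            conf["_directives"].append(line)
            continue
        m = KV_RE.match(line)
        if not m:
            continue                               # skip junk instead of aborting
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})    # start of a realm/capath block
            continue
        target = section if block is None else block
        target.setdefault(key, []).append(value)
    return conf


def kdc_sources(conf, realm):
    """List the ways libkrb5 could find a KDC for `realm`; an empty list means it
    cannot, which is what 'Cannot find KDC for realm ...' in krb5_child.log reports."""
    sources = []
    realm_block = conf.get("realms", {}).get(realm)
    if isinstance(realm_block, dict) and realm_block.get("kdc"):
        sources.append("static: kdc = " + ", ".join(realm_block["kdc"]))
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1].lower()
    if dns in ("true", "yes", "on", "1"):
        sources.append("dns: SRV _kerberos._udp/_tcp." + realm.lower())
    return sources


# The krb5.conf posted in the thread: DNS lookup on, static KDC only for the IPA realm.
REPORTED_CONF = """\
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 MINE.PRIVATE = {
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  kdc = 10.5.5.104
 }
[domain_realm]
 .MINE.PRIVATE = MINE.PRIVATE
"""

# Sumit's second scenario: DNS lookup deliberately off. Without a [realms] block for
# the trusted AD realm the client has no way to reach its KDC. (AD realm name and KDC
# host below are assumptions, not values from the thread.)
NO_DNS_CONF = REPORTED_CONF.replace("dns_lookup_kdc = true", "dns_lookup_kdc = false")
NO_DNS_FIXED_CONF = NO_DNS_CONF.replace("[domain_realm]", """\
 AD.MINE.PRIVATE = {
  kdc = dc1.ad.mine.private
 }
[domain_realm]""")

if __name__ == "__main__":
    for name, text in (("reported", REPORTED_CONF), ("no-dns", NO_DNS_CONF),
                       ("no-dns-fixed", NO_DNS_FIXED_CONF)):
        conf = parse_krb5_conf(text)
        for realm in ("MINE.PRIVATE", "AD.MINE.PRIVATE"):
            print(name, realm, kdc_sources(conf, realm) or ["NONE: expect 'Cannot find KDC'"])
```

A "dns:" entry only says that SRV lookup is enabled, not that the records resolve from this client; for a trusted AD realm that still needs the client's resolver to reach the AD DNS zone (directly or via the IPA DNS forwarders), which `dig SRV _kerberos._tcp.<ad realm>` on the client confirms. Note also that the parser ignores the 'includedir' directives it records, so files under /var/lib/sss/pubconf/krb5.include.d/ (where SSSD writes its own realm and capaths snippets) need to be checked as well.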
On 19/06/2019 16:20, Sumit Bose via FreeIPA-users wrote:
OK, then maybe to make it more bizarre, I've had it:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MINE.PRIVATE = {
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  kdc = 10.5.5.104
 }

[domain_realm]
 .MINE.PRIVATE = MINE.PRIVATE
 MINE.PRIVATE = MINE.PRIVATE
 halfspeed-r.MINE.PRIVATE = MINE.PRIVATE
and even after adding: kdc = 10.5.5.104
I still get permission denied.
I presume you saw this in sssd_pam.log:
...
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][ad.mine.private]
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56399823af70
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x563998243fe0
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Running timer event 0x56399823af70 "ltdb_callback"
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x563998243fe0 "ltdb_timeout"
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x56399823af70 "ltdb_callback"
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot retrieve authentication info.
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0020): Unknown PAM call [249].
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56399823ca30
...
What does that mean?
many thanks, L.
On Wed, Jun 19, 2019 at 04:58:32PM +0100, lejeczek via FreeIPA-users wrote:
OK, then maybe to make it more bizarre, I've had it:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MINE.PRIVATE = {
Is this ^^^ the realm that is mentioned in the 'Cannot find KDC for realm ...' error message in krb5_child.log?
Can you check whether kinit from the command line works for the principal shown in the 'Getting initial credentials for ...' debug message in krb5_child.log?
Additionally, does 'kinit -k' work from the command line with the principal from the 'Fast principal is set to ...' debug message?
bye, Sumit
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem kdc = 10.5.5.104 } [domain_realm] .MINE.PRIVATE= MINE.PRIVATE MINE.PRIVATE= MINE.PRIVATE halfspeed-r.MINE.PRIVATE= MINE.PRIVATE
and even after adding: kdc = 10.5.5.104
I still get permission denied.
I presume you saw in sssd_pam.log
...
(Wed Jun 19 15:54:56 2019) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. (Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][ad
.mine.private] (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56399823af70 (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x563998243fe0 (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Running timer event 0x56399823af70 "ltdb_callback" (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x563998243fe0 "ltdb_timeout" (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x56399823af70 "ltdb_callback" (Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot retrieve authentication info. (Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0020): Unknown PAM call [249]. (Wed Jun 19 15:54:56 2019) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56399823ca30
...
What does that mean?
many thanks, L.
To add: PuTTY from the AD DC does ssh to IPA's clients successfully with GSSAPI, the same clients which fail when GSSAPI is not used but a password is.
many thanks, L.
On 20/06/2019 14:40, Sumit Bose wrote:
Ok, then maybe to make it more bizarre, I've had it:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MINE.PRIVATE = {
Is this ^^^ the realm that is mentioned in the 'Cannot find KDC for realm ...' error message in krb5_child.log?
no, it is for:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [map_krb5_error] (0x0020): 1808: [-1765328230][Cannot find KDC for realm "PRIVATE"]
it's AD's realm
Can you try if kinit from the command line works for the principal shown in the 'Getting initial credentials for ...' debug message in krb5_child.log?
but this is a machine:
Thu Jun 20 09:21:28 2019) [[sssd[ldap_child[515]]]] [sss_child_krb5_trace_cb] (0x4000): [515] 1561022488.21748: Getting initial credentials for host/halfspeed-r.mine.private@MINE.PRIVATE
How can I kinit a host/machine?
Additionally does 'kinit -k' work from the command line with the principal from the 'Fast principal is set to ...' debug message?
That is the same machine/host:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/halfspeed-r.mine.private@MINE.PRIVATE]
$ kinit -k host/halfspeed-r.mine.private@MINE.PRIVAT && echo Y
$ Y
many thanks, L.
bye, Sumit
On Thu, Jun 20, 2019 at 04:50:48PM +0100, lejeczek via FreeIPA-users wrote:
On 20/06/2019 14:40, Sumit Bose wrote:
Ok, then maybe to make it more bizarre, I've had it:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MINE.PRIVATE = {
Is this ^^^ the realm that is mentioned in the 'Cannot find KDC for realm ...' error message in krb5_child.log?
no, it is for:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [map_krb5_error] (0x0020): 1808: [-1765328230][Cannot find KDC for realm "PRIVATE"]
it's AD's realm
Can you try if kinit from the command line works for the principal shown in the 'Getting initial credentials for ...' debug message in krb5_child.log?
but this is a machine:
Thu Jun 20 09:21:28 2019) [[sssd[ldap_child[515]]]] [sss_child_krb5_trace_cb] (0x4000): [515] 1561022488.21748: Getting initial credentials for host/halfspeed-r.mine.private@MINE.PRIVATE
You are looking at ldap_child.log, I meant krb5_child.log.
How can I kinit a host/machine?
You did this below with 'kinit -k ...'.
Additionally does 'kinit -k' work from the command line with the principal from the 'Fast principal is set to ...' debug message?
That is the same machine/host:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/halfspeed-r.mine.private@MINE.PRIVATE]
$ kinit -k host/halfspeed-r.mine.private@MINE.PRIVAT && echo Y
$ Y
many thanks, L.
bye, Sumit
On 21/06/2019 09:23, Sumit Bose via FreeIPA-users wrote:
On Thu, Jun 20, 2019 at 04:50:48PM +0100, lejeczek via FreeIPA-users wrote:
On 20/06/2019 14:40, Sumit Bose wrote:
Ok, then maybe to make it more bizarre, I've had it:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MINE.PRIVATE = {
Is this ^^^ the realm that is mentioned in the 'Cannot find KDC for realm ...' error message in krb5_child.log?
no, it is for:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [map_krb5_error] (0x0020): 1808: [-1765328230][Cannot find KDC for realm "PRIVATE"]
it's AD's realm
I obfuscated those logs I sent you, maybe not too neatly, apologies.
PRIVATE is AD
MINE.PRIVATE is IPA
Can you try if kinit from the command line works for the principal shown in the 'Getting initial credentials for ...' debug message in krb5_child.log?
but this is a machine:
Thu Jun 20 09:21:28 2019) [[sssd[ldap_child[515]]]] [sss_child_krb5_trace_cb] (0x4000): [515] 1561022488.21748: Getting initial credentials for host/halfspeed-r.mine.private@MINE.PRIVATE
You are looking at ldap_child.log, I meant krb5_child.log.
Yes, on the target IPA client I want to ssh to, I can:
$ kinit pawel@PRIVATE
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dKTdeby
Default principal: pawel@PRIVATE

Valid starting       Expires              Service principal
21/06/19 09:52:19    21/06/19 19:52:19    krbtgt/PRIVATE@PRIVATE
        renew until 22/06/19 09:52:16
How can I kinit a host/machine?
You did this below with 'kinit -k ...'.
Additionally does 'kinit -k' work from the command line with the principal from the 'Fast principal is set to ...' debug message?
That is the same machine/host:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/halfspeed-r.mine.private@MINE.PRIVATE]
$ kinit -k host/halfspeed-r.mine.private@MINE.PRIVAT && echo Y
$ Y
many thanks, L.
bye, Sumit
On 21/06/2019 09:23, Sumit Bose via FreeIPA-users wrote:
On Thu, Jun 20, 2019 at 04:50:48PM +0100, lejeczek via FreeIPA-users wrote:
On 20/06/2019 14:40, Sumit Bose wrote:
Ok, then maybe to make it more bizarre, I've had it:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MINE.PRIVATE = {
Is this ^^^ the realm that is mentioned in the 'Cannot find KDC for realm ...' error message in krb5_child.log?
no, it is for:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [map_krb5_error] (0x0020): 1808: [-1765328230][Cannot find KDC for realm "PRIVATE"]
it's AD's realm
Can you try if kinit from the command line works for the principal shown in the 'Getting initial credentials for ...' debug message in krb5_child.log?
but this is a machine:
Thu Jun 20 09:21:28 2019) [[sssd[ldap_child[515]]]] [sss_child_krb5_trace_cb] (0x4000): [515] 1561022488.21748: Getting initial credentials for host/halfspeed-r.mine.private@MINE.PRIVATE
You are looking at ldap_child.log, I meant krb5_child.log.
How can I kinit a host/machine?
You did this below with 'kinit -k ...'.
Is it not just a bug I've stumbled upon? And not just in configuration?
My setup would be easy to replicate: CentOS 7.6 IPA <= Win2016, a one-way trust incoming to IPA; regarding DNS: ipa is IPA.AD.DOM and win is AD.COM.
Everything seems to work very well except IPA's clients for AD users with passwords.
Additionally does 'kinit -k' work from the command line with the principal from the 'Fast principal is set to ...' debug message?
That is the same machine/host:
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/halfspeed-r.mine.private@MINE.PRIVATE]
$ kinit -k host/halfspeed-r.mine.private@MINE.PRIVAT && echo Y
$ Y
many thanks, L.
bye, Sumit
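As an added example, not from this thread and not SSSD or IPA code: a Python check that reads a krb5.conf like the one quoted above together with the 'Cannot find KDC for realm ...' lines from krb5_child.log, and reports for each failing realm whether a static kdc is configured or, with dns_lookup_kdc on, a _kerberos._tcp SRV record is the only source. The sample config and log lines are constructed, and the srv_lookup hook is a hypothetical stand-in for a real DNS query.

```python
import re
# Constructed samples modelled on the thread: a krb5.conf with a [realms] entry for the
# IPA realm only (so the AD realm's KDC must come from DNS), plus two SSSD log lines.
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = MINE.PRIVATE
 dns_lookup_kdc = true
[realms]
 MINE.PRIVATE = {
  kdc = 10.5.5.104
 }
"""
SAMPLE_LOGS = [
    '(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [map_krb5_error] (0x0020): 1808: [-1765328230][Cannot find KDC for realm "PRIVATE"]',
    '(Wed Jun 19 15:54:56 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot retrieve authentication info.',
]
NO_KDC_RE = re.compile(r'Cannot find KDC for realm "([^"]+)"')

def parse_realm_kdcs(text):
    """Return {REALM: [kdc, ...]} from the [realms] section of a krb5.conf."""
    kdcs, section, realm = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section != "realms" or not line or line[0] in "#;":
            continue
        elif line.endswith("{"):                      # start of a 'REALM = {' block
            realm = line[:-1].strip(" =").upper()
            kdcs.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and line.split("=", 1)[0].strip().lower() == "kdc":
            kdcs[realm].append(line.split("=", 1)[1].strip())
    return kdcs

def dns_lookup_kdc_enabled(text):                     # MIT krb5 defaults this to true
    m = re.search(r"^\s*dns_lookup_kdc\s*=\s*(\S+)", text, re.M | re.I)
    return m is None or m.group(1).lower() in ("true", "yes", "1")

def unresolvable_realms(conf, log_lines, srv_lookup=lambda realm: []):
    """Map each 'Cannot find KDC' realm in the logs to where its KDC should come from;
    srv_lookup is a hypothetical offline stand-in for a _kerberos._tcp.<realm> SRV query."""
    kdcs, use_dns, findings = parse_realm_kdcs(conf), dns_lookup_kdc_enabled(conf), {}
    for realm in {m.group(1).upper() for m in map(NO_KDC_RE.search, log_lines) if m}:
        if kdcs.get(realm):
            findings[realm] = "static kdc %s (check reachability)" % ", ".join(kdcs[realm])
        elif use_dns and srv_lookup(realm):
            findings[realm] = "SRV record found (check reachability)"
        else:
            findings[realm] = "no kdc in [realms] and no _kerberos._tcp.%s SRV answer" % realm.lower()
    return findings
```

Run on the samples it reports the AD realm PRIVATE as having neither a static kdc nor (with the default hook) an SRV answer, which is the state the 'Cannot find KDC' error describes.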