On Mon, May 23, 2016 at 07:21:56AM -0000, jas.petermac@gmail.com wrote:
Hi All,
Last week I bound my computer to Active Directory and everything was working fine but as of today authentication has started to fail.
SSSD log
In the logs (debug = 7) I see:
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_resolve_server_process] (0x0200): Found address for server pmc-dc2.petermac.org.au: [172.23.8.18] TTL 3600
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://pmc-dc2.petermac.org.au'
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://pmc-dc2.petermac.org.au'
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child started.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x1000): total buffer size: [136]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): cmd [241] uid [1501] gid [1501] validate [true] enterprise principal [true] offline [false] UPN [Ellul Jason@PETERMAC.ORG.AU]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1501] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [become_user] (0x0200): Trying to become user [1501][1501].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): Will perform online auth
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [PETERMAC.ORG.AU]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [LA35185$@PETERMAC.ORG.AU].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [map_krb5_error] (0x0020): 1301: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
It looks like the host password for your client was updated on the AD server but the new password was not written to the local keytab.
Which version of SSSD are you using? Recent versions of SSSD can update the password to meet an AD policy, but SSSD should take care that the new password is written to /etc/krb5.conf as well?
Did you try to export the keytab for this host from AD manually? Maybe the export utility was not able to export the current keys but created a new password and exported the keys based on this new password?
The error happens during the ticket validation; as a workaround you can disable it by setting 'krb5_validate = False' in the [domain/...] section of sssd.conf. But I would not recommend it because SSSD uses the keytab to authenticate itself to AD for LDAP access as well. AD will mostly allow the previous password to be used as well, but as soon as the password is updated again the keys with key version number kvno=2 will not work anymore and SSSD will not be able to connect to AD anymore. So you should try to find out why the host password was updated on AD.
HTH
bye, Sumit
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child completed successfully
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [check_wait_queue] (0x1000): Wait queue for user [Ellul Jason] is empty.
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x555f73e8b420] done.
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [4][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [4][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x1000): Waiting for child [6572].
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x0100): child [6572] finished successfully.
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 32
(Mon May 23 17:18:58 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon May 23 17:18:59 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
[root@la35185 jellul]# klist -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
Many thanks
Jason
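The diagnosis in this thread rests on comparing two artefacts: the kvno the KDC asked for in the krb5_child log ("Cannot find key for ... kvno 3 in keytab") and the kvnos actually present in /etc/krb5.keytab as shown by klist -k -t. The following script is an added example, not code from the thread or from the SSSD project, that automates that comparison. It assumes the log and klist output formats shown above; the embedded sample strings are constructed from the lines Jason posted, and the file paths in the usage block are placeholders.

```python
#!/usr/bin/env python3
"""Cross-check sssd krb5_child "Cannot find key" errors against a keytab listing.

Added example (not SSSD's own code). It assumes the log line format of sssd's
krb5_child and the `klist -k -t` output layout shown in the thread.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: the two decisive krb5_child lines from the thread.
SSSD_LOG = """\
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [LA35185$@PETERMAC.ORG.AU].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
"""

# Constructed sample: abridged `klist -k -t /etc/krb5.keytab` output from the thread.
KLIST_OUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
"""

# "Cannot find key for <principal> kvno <n> in keytab" as emitted via map_krb5_error.
MISSING_KEY_RE = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")
# One klist -k -t row: KVNO, date, time, principal. Header lines do not start with a digit.
KLIST_ROW_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def parse_missing_keys(log_text):
    """Return {principal: kvno the KDC expected} from krb5_child log lines."""
    wanted = {}
    for line in log_text.splitlines():
        m = MISSING_KEY_RE.search(line)
        if m:
            wanted[m.group(1)] = int(m.group(2))
    return wanted


def parse_keytab_listing(klist_text):
    """Return {principal: set of kvnos present} from `klist -k -t` output."""
    present = defaultdict(set)
    for line in klist_text.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            present[m.group(2)].add(int(m.group(1)))
    return dict(present)


def diagnose(log_text, klist_text):
    """Return a list of (principal, wanted_kvno, present_kvnos, verdict) tuples.

    The verdicts are heuristics for the operator, not authoritative krb5 error
    decoding: they only compare the requested kvno with what the keytab holds.
    """
    wanted = parse_missing_keys(log_text)
    present = parse_keytab_listing(klist_text)
    findings = []
    for princ, kvno in wanted.items():
        have = sorted(present.get(princ, set()))
        if not have:
            verdict = "principal not in keytab at all"
        elif kvno > max(have):
            # The situation in the thread: AD rotated the machine password
            # (kvno 3) but the keytab still only holds kvno 2.
            verdict = "keytab is stale: KDC key is newer than every local key"
        elif kvno in have:
            verdict = "kvno present but unusable (enctype or key material mismatch)"
        else:
            verdict = "keytab is ahead of the KDC: local rekey was not accepted by AD"
        findings.append((princ, kvno, have, verdict))
    return findings


if __name__ == "__main__":
    # Usage: diagnose.py [/var/log/sssd/krb5_child.log] [klist-output.txt]
    # (placeholder paths; without arguments the constructed samples are used)
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SSSD_LOG
    klist_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else KLIST_OUT
    for princ, kvno, have, verdict in diagnose(log_text, klist_text):
        print(f"{princ}: KDC wants kvno {kvno}, keytab has {have} -> {verdict}")
```

On the thread's data this reports that the KDC wants kvno 3 for LA35185$@PETERMAC.ORG.AU while the keytab only holds kvno 2, which is the "stale keytab" case Sumit describes. The fix is to refresh the keytab from AD (and find out what rotated the machine password), not to disable krb5_validate, since the same keytab is also what SSSD uses to bind to AD for LDAP.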