On 03/30/2015 01:55 AM, Jakub Hrozek wrote:
On Fri, Mar 27, 2015 at 10:09:43PM +0100, Lukas Slebodnik wrote:
On (27/03/15 14:01), Orion Poplawski wrote:
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
I know that you fixed your problem, but PAM error code 4 (System error) should not happen in sssd. It means some serious problem.
It can be related to the previous debug message "krb5_auth_recv request failed."
Could you provide the domain log file and krb5_child.log with verbose logging enabled? (Put debug_level = 0xfff0 into the domain section.)
Yes, in addition, it would be nice to see the output of KRB5_TRACE=/dev/stderr kinit -E -C orion@ad.nwra.com
Also, the UPN attribute of your user is really "Orion Poplawski@AD.NWRA.COM"?
I reset the UPN attribute back to this, so:
# KRB5_TRACE=/dev/stderr kinit -E -C orion@ad.nwra.com
[14682] 1427923299.541804: Getting initial credentials for orion@ad.nwra.com@AD.NWRA.COM
[14682] 1427923299.542508: Sending request (177 bytes) to AD.NWRA.COM
[14682] 1427923299.544866: Resolving hostname XXXX.ad.nwra.com.
[14682] 1427923299.546848: Sending initial UDP request to dgram X.X.X.X:88
[14682] 1427923299.595880: Received answer (181 bytes) from dgram X.X.X:88
[14682] 1427923299.597244: Response was not from master KDC
[14682] 1427923299.597840: Received error from KDC: -1765328359/Additional pre-authentication required
[14682] 1427923299.598759: Processing preauth types: 16, 15, 19, 2
[14682] 1427923299.599345: Selected etype info: etype aes256-cts, salt "NWRA.LOCALorion", params ""
Password for orion@ad.nwra.com@AD.NWRA.COM:
[14682] 1427923307.894606: AS key obtained for encrypted timestamp: aes256-cts/EB95
[14682] 1427923307.895120: Encrypted timestamp (for 1427923308.62326): plain 301AA011180F32303135303430313231323134385AA105020300F376, encrypted A0B0AD5BD340BBB7F2D4AC53F36AAF5BA7C3015EECCF8BA45AD9E7588402CCCEBD4AE88675FB49C17552BC867B0B7A2858A20B03E6538456
[14682] 1427923307.895352: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[14682] 1427923307.895803: Produced preauth for next request: 2
[14682] 1427923307.896316: Sending request (255 bytes) to AD.NWRA.COM
[14682] 1427923307.898545: Resolving hostname XXXXX.ad.nwra.com.
[14682] 1427923307.899718: Sending initial UDP request to dgram X.X.X.X:88
[14682] 1427923307.965212: Received answer (94 bytes) from dgram X.X.X.X:88
[14682] 1427923307.966477: Response was not from master KDC
[14682] 1427923307.967176: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[14682] 1427923307.967478: Request or response is too big for UDP; retrying with TCP
[14682] 1427923307.968229: Sending request (255 bytes) to AD.NWRA.COM (tcp only)
[14682] 1427923307.969800: Resolving hostname XXXXXX.ad.nwra.com.
[14682] 1427923307.972228: Initiating TCP connection to stream X.X.X.X:88
[14682] 1427923308.15548: Sending TCP request to stream X.X.X.X:88
[14682] 1427923308.104200: Received answer (1503 bytes) from stream X.X.X.X:88
[14682] 1427923308.104497: Terminating TCP connection to stream X.X.X.X:88
[14682] 1427923308.106137: Response was not from master KDC
[14682] 1427923308.106752: Processing preauth types: 19
[14682] 1427923308.107281: Selected etype info: etype aes256-cts, salt "NWRA.LOCALorion", params ""
[14682] 1427923308.107819: Produced preauth for next request: (empty)
[14682] 1427923308.108421: AS key determined by preauth: aes256-cts/EB95
[14682] 1427923308.109253: Decrypted AS reply; session key is: aes256-cts/300B
[14682] 1427923308.109691: FAST negotiation: unavailable
[14682] 1427923308.110190: Initializing KEYRING:persistent:0:0 with default princ orion@AD.NWRA.COM
[14682] 1427923308.110709: Removing orion@AD.NWRA.COM -> krbtgt/AD.NWRA.COM@AD.NWRA.COM from KEYRING:persistent:0:0
[14682] 1427923308.111274: Storing orion@AD.NWRA.COM -> krbtgt/AD.NWRA.COM@AD.NWRA.COM in KEYRING:persistent:0:0
[14682] 1427923308.111718: Storing config in KEYRING:persistent:0:0 for krbtgt/AD.NWRA.COM@AD.NWRA.COM: pa_type: 2
[14682] 1427923308.111953: Removing orion@AD.NWRA.COM -> krb5_ccache_conf_data/pa_type/krbtgt/AD.NWRA.COM@AD.NWRA.COM@X-CACHECONF: from KEYRING:persistent:0:0
[14682] 1427923308.112255: Storing orion@AD.NWRA.COM -> krb5_ccache_conf_data/pa_type/krbtgt/AD.NWRA.COM@AD.NWRA.COM@X-CACHECONF: in KEYRING:persistent:0:0
So one interesting thing I see is mention of NWRA.LOCAL. This is what our AD domain used to be before we renamed it AD.NWRA.COM, so perhaps there are still some remnants in there.
Also, while the UPN was Orion Poplawski@AD.NWRA.COM, the "pre-2000" logon name was still "NWRA\orion".
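As an added example (not from this thread, SSSD or MIT Kerberos), here is a small Python summarizer for KRB5_TRACE output that pulls out mechanically what Orion spotted by eye: the realm the client asked for, the salt the KDC handed back and whether its prefix matches that realm, the KDC error codes seen (separating the expected preauth-required and UDP-too-big steps from anything else), the UDP-to-TCP fallback, whether FAST was negotiated, and whether the AS reply was actually decrypted. The sample lines are copied from the trace quoted above; the regular expressions, the set of "expected" error codes and the wording of the findings are my assumptions about the trace format, not part of any project.

```python
"""Summarize a MIT Kerberos KRB5_TRACE capture of an AS (kinit) exchange."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: trace lines quoted earlier in the thread, trimmed to the ones
# the summary inspects (hosts and addresses were already masked there).
SAMPLE_TRACE = """\
[14682] 1427923299.541804: Getting initial credentials for orion@ad.nwra.com@AD.NWRA.COM
[14682] 1427923299.542508: Sending request (177 bytes) to AD.NWRA.COM
[14682] 1427923299.597244: Response was not from master KDC
[14682] 1427923299.597840: Received error from KDC: -1765328359/Additional pre-authentication required
[14682] 1427923299.598759: Processing preauth types: 16, 15, 19, 2
[14682] 1427923299.599345: Selected etype info: etype aes256-cts, salt "NWRA.LOCALorion", params ""
[14682] 1427923307.967176: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[14682] 1427923307.967478: Request or response is too big for UDP; retrying with TCP
[14682] 1427923307.968229: Sending request (255 bytes) to AD.NWRA.COM (tcp only)
[14682] 1427923308.109253: Decrypted AS reply; session key is: aes256-cts/300B
[14682] 1427923308.109691: FAST negotiation: unavailable
"""

# Assumed line shape: "[pid] seconds.micros: message"
TRACE_LINE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
INITIAL_RE = re.compile(r"Getting initial credentials for (?P<princ>\S+)")
PREAUTH_RE = re.compile(r"Processing preauth types: (?P<types>.*)")
SALT_RE = re.compile(r'salt "(?P<salt>[^"]*)"')
KDC_ERR_RE = re.compile(r"Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)")

# KDC "errors" that are a normal part of the exchange shown in the thread:
# the KDC demanding pre-authentication, and the reply-too-big-for-UDP retry.
EXPECTED_KDC_ERRORS = {-1765328359, -1765328332}


@dataclass
class TraceSummary:
    client_principal: str = ""
    realm: str = ""
    preauth_types: List[int] = field(default_factory=list)
    salt: str = ""
    salt_matches_realm: bool = True
    kdc_errors: List[int] = field(default_factory=list)
    unexpected_kdc_errors: List[Tuple[int, str]] = field(default_factory=list)
    tcp_fallback: bool = False
    fast_available: Optional[bool] = None   # None: no FAST line seen
    as_reply_decrypted: bool = False
    findings: List[str] = field(default_factory=list)


def parse_trace(text: str) -> List[Tuple[float, str]]:
    """Return (timestamp, message) pairs; prompts and other non-trace lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if m:
            events.append((float(m.group("ts")), m.group("msg")))
    return events


def summarize(events: List[Tuple[float, str]]) -> TraceSummary:
    s = TraceSummary()
    for _, msg in events:
        if m := INITIAL_RE.match(msg):
            s.client_principal = m.group("princ")
            parts = s.client_principal.rsplit("@", 1)   # realm is after the last '@'
            s.realm = parts[1] if len(parts) == 2 else ""
        elif (m := PREAUTH_RE.match(msg)) and not s.preauth_types:
            s.preauth_types = [int(t) for t in m.group("types").split(",") if t.strip()]
        elif (m := SALT_RE.search(msg)) and not s.salt:
            s.salt = m.group("salt")          # first etype-info the KDC offered
        elif m := KDC_ERR_RE.match(msg):
            code = int(m.group("code"))
            s.kdc_errors.append(code)
            if code not in EXPECTED_KDC_ERRORS:
                s.unexpected_kdc_errors.append((code, m.group("text")))
        elif "retrying with TCP" in msg:
            s.tcp_fallback = True
        elif msg.startswith("FAST negotiation:"):
            s.fast_available = "unavailable" not in msg
        elif msg.startswith("Decrypted AS reply"):
            s.as_reply_decrypted = True

    # A salt whose realm prefix is not the requested realm means the user's key
    # was derived under another realm name (in the thread: the pre-rename domain).
    if s.salt and s.realm and not s.salt.startswith(s.realm):
        s.salt_matches_realm = False
        s.findings.append(f'salt "{s.salt}" does not start with requested realm {s.realm}')
    for code, text in s.unexpected_kdc_errors:
        s.findings.append(f"unexpected KDC error {code}: {text}")
    if s.tcp_fallback:
        s.findings.append("AS reply too big for UDP; exchange completed over TCP")
    if s.fast_available is False:
        s.findings.append("FAST not available: pre-authentication was not armored")
    if not s.as_reply_decrypted:
        s.findings.append("no AS reply decrypted: authentication did not complete")
    return s


if __name__ == "__main__":
    summary = summarize(parse_trace(SAMPLE_TRACE))
    print(f"{summary.client_principal} -> realm {summary.realm}, salt {summary.salt!r}")
    for finding in summary.findings:
        print(" -", finding)
```

Run against a full capture (for example `KRB5_TRACE=/tmp/kinit.trace kinit user@REALM`, then feed the file to `parse_trace`) the finding list is what to paste into a ticket; the salt check in particular turns a detail that is easy to overlook in thirty lines of trace into an explicit line.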