From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: sssd able to login the user but failed on sudo Date: Thu, 20 Nov 2014 01:46:29 -0800
Hi Team, I have two forests, both working fine in terms of authentication. I added a user from one of the domains to sudoers and he is getting access denied. The user is able to log in with no problem, but sudo is not working. In the secure log it shows "account is expired".
In the SSSD logs it shows the error "attempting to kinit for realm xxxxxx" and then "clients credentials has been revoked".
I checked the account and it is neither expired nor locked. Additionally, I have another account in the same forest, which I used to join the domain, and it is working fine for both authentication and sudoers.
I also tried ldap_user_principal = nosuchattribute and krb5_use_enterprise_principal = false, but the problem remains.
What could be the reason behind being able to log in and later getting "clients credentials revoked" for sudo?
Thanks
I suspect sssd just logged you in offline.
Can you run kinit from the command line?
From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: RE: sssd able to login the user but failed on sudo Date: Thu, 20 Nov 2014 08:08:28 -0800
Thanks Jakub,
I noticed in the logs that the kinit is being done for the other realm: the user is a member of Domain B, Forest A, but in the log, immediately before returning "clients credentials has been revoked", the kinit is being done on Domain A, Forest A.
Could that be the problem, going to the wrong realm?
I deleted all the cache and the user is able to access via ssh, but still no elevation via sudo.
Thanks
From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: RE: sssd able to login the user but failed on sudo Date: Thu, 20 Nov 2014 08:10:25 -0800
Sorry for the typo: the user is a member of Domain B, Forest B, and the kinit is being done against Domain A, Forest B.
From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: RE: sssd able to login the user but failed on sudo Date: Thu, 20 Nov 2014 09:05:20 -0800
Looking further in the log confirms this:
For the working user in Domain B, Forest B, when I run sudo as that user it says it is attempting to kinit for the correct realm, DOMAINB.COM.
For the non-working users in the same domain it says it is attempting to kinit for the DOMAINA realm, not the correct one.
What could be the reason?
Thanks.
From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: RE: sssd able to login the user but failed on sudo Date: Thu, 20 Nov 2014 20:03:35 -0800
To add one thing I tried that may shed some light:
If I add default_domain_suffix = DOMAINB.FORESTB.COM, the other forest's users are then unable to even log in.
So the thing is: Kerberos is using the principal from the other domain in the other forest. Instead of appending the DOMAINB suffix, it appends the DOMAINA suffix.
Is there any way we can correct that?
Thanks.
Anyone?
Thanks.
From: Karim To: sssd-users@lists.fedorahosted.org Date: 04/02/15 12:11
Hey guys,
Today sssd seems to have stopped working and I don't seem to be able to recover it. The relevant portion of the log is below.
It looks like some Kerberos argument errors. This is on RHEL7 with the sssd package 1.12.0.
Thanks
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [write_pipe_handler] (0x0400): All data has been sent!
Invalid option --debug-to-stderr: unknown option
Usage: krb5_child [-?] [-?|--help] [--usage] [-d|--debug-level INT] [--debug-timestamps=INT] [--debug-microseconds=INT] [--debug-fd=INT]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [parse_krb5_child_response] (0x0020): message too short.
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [check_wait_queue] (0x1000): Wait queue for user [useracct] is empty.
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][domain.forest.com]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][domain.forest.com]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [child_sig_handler] (0x1000): Waiting for child [12532].
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [child_sig_handler] (0x0020): child [12532] failed with status [255].
(Wed Feb 4 15:01:37 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7fbd48fd6c60
(Wed Feb 4 15:01:37 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7fbd48fd2fe0
(Wed Feb 4 15:01:37 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Feb 4 15:01:37 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][domain.forest.com]
(Wed Feb 4 15:01:37 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Wed Feb 4 15:01:37 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 30
(Wed Feb 4 15:01:37 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fbd48fdca00][17]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x7f49bd834e50], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: 14
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158221](Network I/O Error)
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [be_fo_set_port_status] (0x0040): The server 0x7f49bd834700 is not valid anymore, cannot set its status
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x7f49bd82f2a0], connected[1], ops[(nil)], ldap[0x7f49bd8330d0], destructor_lock[0], release_memory[0]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1
RHEL7 does not contain sssd-1.12.*. Did you build sssd from source code? I would recommend you to use either the latest 1.11 version or the latest 1.12 version. The sssd 1.12.0 is quite old.
LS
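Added example, not from the thread and not SSSD project code: a small Python parser for the "(timestamp) [component] [function] (level): message" line format sssd writes to its debug logs, with two checks for the signatures discussed above. The first check covers the November sudo failure: krb5_child attempting a TGT for a realm other than the user's own (DOMAINA instead of DOMAINB) right before "clients credentials has been revoked". The second covers the February log: sssd_be spawned krb5_child with an option (--debug-to-stderr) the helper rejected, and the child exited with status 255, which is what you see when the sssd daemon and its *_child helper binaries come from different builds (an inference from the log, not something Lukas states). The first sample log is adapted from the log posted above, reflowed one entry per line; the second is constructed to match Karim's description, so the exact wording of the kinit and revocation messages, the function name tgt_req_child, the PIDs and the realm names in it are assumptions.

```python
# Added example for this thread; not code from sssd or from anyone on the list.
# Parses sssd debug-log lines ("(timestamp) [component] [function] (level): message")
# and flags two failure signatures discussed in the thread.
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "              # (Wed Feb 4 15:01:37 2015)
    r"\[(?P<component>.+?)\] "          # [sssd[be[domain.forest.com]]]
    r"\[(?P<func>[^\]]+)\] "            # [krb5_auth_done]
    r"\((?P<level>0x[0-9a-fA-F]+)\): "  # (0x0040):
    r"(?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    component: str
    func: str
    level: int
    msg: str
    extra: List[str] = field(default_factory=list)  # continuation lines (child stderr etc.)


def parse_sssd_log(text: str) -> List[Entry]:
    """Lines without a "(timestamp)" prefix, such as the usage text a failing
    krb5_child writes to stderr, are attached to the preceding entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["component"], m["func"],
                                 int(m["level"], 16), m["msg"]))
        elif entries:
            entries[-1].extra.append(line)
    return entries


# Signature 1: a kinit attempt against a realm other than the user's own realm.
KINIT_RE = re.compile(r"kinit for realm \[?(?P<realm>[A-Za-z0-9.\-]+)\]?", re.IGNORECASE)


def kinit_realm_mismatches(entries: List[Entry], expected_realm: str) -> List[str]:
    """Realms that TGT requests were sent to, other than the one the user belongs to."""
    wrong: List[str] = []
    for e in entries:
        m = KINIT_RE.search(e.msg)
        if m and m["realm"].upper() != expected_realm.upper():
            wrong.append(m["realm"].upper())
    return wrong


# Signature 2: sssd_be passed its helper an option the helper binary does not know,
# and the helper exited non-zero. Daemon and helper are then from different builds.
OPT_RE = re.compile(r"Invalid option (?P<opt>\S+): unknown option")
STATUS_RE = re.compile(r"child \[(?P<pid>\d+)\] failed with status \[(?P<status>\d+)\]")


def child_option_mismatch(entries: List[Entry]) -> Optional[str]:
    bad_opt = None
    for e in entries:
        for line in [e.msg, *e.extra]:
            m = OPT_RE.search(line)
            if m:
                bad_opt = m["opt"]
    if bad_opt is None:
        return None
    for e in entries:
        m = STATUS_RE.search(e.msg)
        if e.func == "child_sig_handler" and m:
            return (f"helper pid {m['pid']} rejected option {bad_opt} and exited with "
                    f"status {m['status']}; sssd_be and its *_child binaries do not match")
    return None


# Adapted from the February 2015 log posted in the thread, one entry per line; the
# "Invalid option" / "Usage:" lines are krb5_child's stderr, not sssd log entries.
CHILD_LOG = """\
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [write_pipe_handler] (0x0400): All data has been sent!
Invalid option --debug-to-stderr: unknown option
Usage: krb5_child [-?] [-?|--help] [--usage] [-d|--debug-level INT] [--debug-timestamps=INT] [--debug-microseconds=INT] [--debug-fd=INT]
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [parse_krb5_child_response] (0x0020): message too short.
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [child_sig_handler] (0x1000): Waiting for child [12532].
(Wed Feb 4 15:01:37 2015) [sssd[be[domain.forest.com]]] [child_sig_handler] (0x0020): child [12532] failed with status [255].
"""

# Constructed to match Karim's description of the sudo failure; wording, function
# name, PIDs and realm names are assumptions, not lines from a real sssd log.
REALM_LOG = """\
(Thu Nov 20 08:00:01 2014) [sssd[krb5_child[2101]]] [tgt_req_child] (0x1000): Attempting to kinit for realm [DOMAINB.FORESTB.COM]
(Thu Nov 20 08:00:01 2014) [sssd[krb5_child[2101]]] [tgt_req_child] (0x1000): TGT validated
(Thu Nov 20 08:03:15 2014) [sssd[krb5_child[2140]]] [tgt_req_child] (0x1000): Attempting to kinit for realm [DOMAINA.FORESTB.COM]
(Thu Nov 20 08:03:15 2014) [sssd[krb5_child[2140]]] [tgt_req_child] (0x0020): Clients credentials have been revoked
"""

if __name__ == "__main__":
    feb = parse_sssd_log(CHILD_LOG)
    print(f"February log: {len(feb)} entries; helper/daemon mismatch: {child_option_mismatch(feb)}")
    nov = parse_sssd_log(REALM_LOG)
    print(f"November log: {len(nov)} entries; kinit to wrong realm: "
          f"{kinit_realm_mismatches(nov, 'DOMAINB.FORESTB.COM')}")
```

Feed parse_sssd_log the domain log and krb5_child.log from /var/log/sssd after raising debug_level in the relevant [domain/...] section of sssd.conf; the realm check needs the realm the user actually belongs to, which for a trusted-forest user is the realm of their own domain, not the one the machine was joined to.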
From: Karim To: sssd-users@lists.fedorahosted.org Date: 05/06/2015 01:53 PM
Hi Team, we are planning to implement two-factor authentication on our AD-authenticated RHEL systems. Is there any guide available online on how to configure SSSD to use a smart card for AD login?
Thanks
The SSSD support of the smart card login is being worked on for 1.13. https://fedorahosted.org/sssd/ticket/546
Thanks
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users