-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
This may or may not be related to FreeIPA, but it definitely is related to SSSD, so I reckoned I would start here.
I have two FreeIPA servers, after a password change for my account, one FreeIPA server works with the new password, and the other only works with the old password.
However, kinit works fine on both, and if I understand all the moving parts correctly a kinit is going to go against the KDC on the respective IPA server, which backs into LDAP, yadda yadda, in short my password IS changed on both, it is not a sync issue (I believe), but SSSD is flunking out.
Now I have run a debug session for SSSD and I THINK the following is the relevant part:
(Mon May 18 18:57:52 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipa2.example.com
(Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[Invalid credentials]
(Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-14): authorization failure: mech ANONYMOUS is too weak]
Now I haven't tracked all this down, but I figured I would ask while I was looking it all up, lest anyone have any great ideas.
Why one IPA server is working and the other isn't, well, clearly there must be a config difference, but I am not sure what it is yet.
Thanks,
-Erinn
On Mon, Jun 01, 2015 at 11:11:51AM -0600, Erinn Looney-Triggs wrote:
> This may or may not be related to FreeIPA, but it definitely is related to SSSD, so I reckoned I would start here.
> I have two FreeIPA servers, after a password change for my account, one FreeIPA server works with the new password, and the other only works with the old password.
> However, kinit works fine on both, and if I understand all the moving parts correctly a kinit is going to go against the KDC on the respective IPA server, which backs into LDAP, yadda yadda, in short my password IS changed on both, it is not a sync issue (I believe), but SSSD is flunking out.
> Now I have run a debug session for SSSD and I THINK the following is the relevant part:
> (Mon May 18 18:57:52 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipa2.example.com
> (Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[Invalid credentials]

I think this just means the keytab is wrong, can you kinit with the keytab (kinit -k)?

I think the simplest way to fix the problem is fetch a new one or re-enroll the client.

> (Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-14): authorization failure: mech ANONYMOUS is too weak]

I'm surprised that 1) the code carried on with anonymous bind and that 2) anonymous bind is not allowed with IPA, did you harden the server?

> Now I haven't tracked all this down, but I figured I would ask while I was looking it all up, lest anyone have any great ideas.
> Why one IPA server is working and the other isn't, well, clearly there must be a config difference, but I am not sure what it is yet.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 06/02/2015 01:20 AM, Jakub Hrozek wrote:
> On Mon, Jun 01, 2015 at 11:11:51AM -0600, Erinn Looney-Triggs wrote:
>> This may or may not be related to FreeIPA, but it definitely is related to SSSD, so I reckoned I would start here.
>> I have two FreeIPA servers, after a password change for my account, one FreeIPA server works with the new password, and the other only works with the old password.
>> However, kinit works fine on both, and if I understand all the moving parts correctly a kinit is going to go against the KDC on the respective IPA server, which backs into LDAP, yadda yadda, in short my password IS changed on both, it is not a sync issue (I believe), but SSSD is flunking out.
>> Now I have run a debug session for SSSD and I THINK the following is the relevant part:
>> (Mon May 18 18:57:52 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipa2.example.com
>> (Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[Invalid credentials]
>
> I think this just means the keytab is wrong, can you kinit with the keytab (kinit -k)?

Yep, works without issue.

> I think the simplest way to fix the problem is fetch a new one or re-enroll the client.
>
>> (Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-14): authorization failure: mech ANONYMOUS is too weak]
>
> I'm surprised that 1) the code carried on with anonymous bind and that 2) anonymous bind is not allowed with IPA, did you harden the server?

I have hardened the server to disallow anonymous binds: nsslapd-allow-anonymous-access: rootdse
The setting is the same on both the working and non-working IPA servers.

>> Now I haven't tracked all this down, but I figured I would ask while I was looking it all up, lest anyone have any great ideas.
>> Why one IPA server is working and the other isn't, well, clearly there must be a config difference, but I am not sure what it is yet.

Thanks,
-Erinn
On Tue, Jun 02, 2015 at 05:12:17PM -0600, Erinn Looney-Triggs wrote:
> On 06/02/2015 01:20 AM, Jakub Hrozek wrote:
>> On Mon, Jun 01, 2015 at 11:11:51AM -0600, Erinn Looney-Triggs wrote:
>>> This may or may not be related to FreeIPA, but it definitely is related to SSSD, so I reckoned I would start here.
>>> I have two FreeIPA servers, after a password change for my account, one FreeIPA server works with the new password, and the other only works with the old password.
>>> However, kinit works fine on both, and if I understand all the moving parts correctly a kinit is going to go against the KDC on the respective IPA server, which backs into LDAP, yadda yadda, in short my password IS changed on both, it is not a sync issue (I believe), but SSSD is flunking out.
>>> Now I have run a debug session for SSSD and I THINK the following is the relevant part:
>>> (Mon May 18 18:57:52 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipa2.example.com
>>> (Mon May 18 18:57:53 2015) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[Invalid credentials]
>>
>> I think this just means the keytab is wrong, can you kinit with the keytab (kinit -k)?
>
> Yep, works without issue.

Interesting, can you then compare: KRB5_TRACE=/dev/stderr kinit -k with debug_level=10 logs you'll find in ldap_child.log?
Mainly, are the same servers used?
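The checks the thread converges on (does the keytab still work, which KDC answered, does the GSSAPI bind that SSSD attempts succeed against each IPA server individually, and is the anonymous-bind hardening identical on both) fit in one script run from the enrolled client. The script below is an added example, not code from the thread or from the SSSD/FreeIPA projects. It assumes MIT Kerberos kinit/klist/kvno and the OpenLDAP ldapsearch client are installed, that the client keytab is /etc/krb5.keytab and the principal is host/<fqdn> (both overridable through KEYTAB and PRINC), and that the host principal may read cn=config; the server names come from the command line. The two parsing helpers take constructed klist and sssd log lines in their comments, not output from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD/FreeIPA: run the checks
# discussed above against each IPA server from the enrolled client.
# Assumptions (not stated in the thread): MIT Kerberos kinit/klist/kvno and
# OpenLDAP ldapsearch are installed, the client keytab is /etc/krb5.keytab,
# and the host principal is host/<fqdn> (override with KEYTAB= / PRINC=).
set -u

KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# Highest KVNO in `klist -kt` output (read on stdin) for principal $1,
# e.g. "   2 05/18/2015 18:50:01 host/ipa2.example.com@EXAMPLE.COM" -> 2.
# A keytab KVNO lower than what `kvno $1` gets from the KDC means the key
# was rotated (for instance by a re-enrollment) and this keytab is stale.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && index($NF, p "@") == 1 { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# LDAP result code from an sssd "ldap_sasl_bind failed (N)" line on stdin,
# e.g. "... [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[...]" -> 49.
sasl_bind_result() {
    sed -n 's/.*ldap_sasl_bind failed (\([0-9][0-9]*\)).*/\1/p'
}

# The thread's checks against one IPA server ($1), in order.
check_server() {
    srv=$1
    princ=${PRINC:-host/$(hostname -f)}
    echo "== $srv"

    # 1. Can the keytab obtain a TGT at all, and which KDC answered?
    #    KRB5_TRACE prints the KDCs contacted, which is what to compare
    #    with the servers named in sssd's ldap_child.log.
    KRB5_TRACE=/dev/stderr kinit -kt "$KEYTAB" "$princ" \
        || { echo "kinit -k failed for $princ"; return 1; }

    # 2. Does the keytab's key version match the KDC's?
    kt=$(klist -kt "$KEYTAB" | keytab_kvno "$princ")
    kdc=$(kvno "$princ" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p')
    echo "keytab kvno=$kt kdc kvno=$kdc"

    # 3. The SASL/GSSAPI bind sssd performs, pinned to this server only.
    if ldapsearch -Y GSSAPI -H "ldap://$srv" -b '' -s base -LLL namingContexts >/dev/null; then
        echo "GSSAPI bind ok"
    else
        echo "GSSAPI bind FAILED"
    fi

    # 4. Anonymous-bind hardening on this server; compare the value across
    #    servers. If the host principal may not read cn=config, rerun this
    #    step as Directory Manager (-x -D 'cn=Directory Manager' -W).
    ldapsearch -Y GSSAPI -H "ldap://$srv" -b cn=config -s base -LLL \
        nsslapd-allow-anonymous-access
}

# Usage: sh bind-check.sh ipa1.example.com ipa2.example.com
if [ $# -gt 0 ]; then
    # Throwaway credential cache so the host TGT does not clobber your own.
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    for s in "$@"; do check_server "$s"; done
    kdestroy
fi
```

Run it once per IPA server and read the four results side by side: a KDC reported by the trace that differs from the server the bind fails against is the "same servers used?" question answered; a keytab KVNO below the KDC's means the keytab is stale and needs refetching (ipa-getkeytab, which issues a fresh key and invalidates any other copy) or a re-enrollment, as suggested in the thread; a differing nsslapd-allow-anonymous-access value is the config difference the original poster expected to find.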