Please help.
On Ubuntu against AD. Logging in with an AD account works fine, EXCEPT for just ONE account. The other AD accounts work fine.
It will let me log in once, and when I try to log in again, it comes up with access denied.
BUT... if I do an sssctl cache-remove, it works again, the first time.
id and related diagnostics on this account come up fine.
Used realmd to add the machine to AD. sssd.conf below.
Level 10 logs, first for working and then for not working, can be downloaded from
https://intranet.egc.wa.edu.au/downloads/sssd.tar.gz
Please help, driving me insane :-)
Peter
root@e4182s01sv025:/etc/sssd# more sssd.conf
[sssd]
domains = orange.schools.internal
config_file_version = 2
services = nss, pam, ifp, sudo
default_domain_suffix = ORANGE.SCHOOLS.INTERNAL

[domain/orange.schools.internal]
ad_domain = orange.schools.internal
krb5_realm = ORANGE.SCHOOLS.INTERNAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_access_control = permissive
root@e4182s01sv025:/etc/sssd#
On Fri, Mar 22, 2019 at 06:05:53AM -0000, Peter de Groot wrote:
> Please help.
> On Ubuntu against AD. Logging in with an AD account works fine, EXCEPT for just ONE account. The other AD accounts work fine.
> It will let me log in once, and when I try to log in again, it comes up with access denied.
> BUT... if I do an sssctl cache-remove, it works again, the first time.
> id and related diagnostics on this account come up fine.
> Used realmd to add the machine to AD. sssd.conf below.
> Level 10 logs, first for working and then for not working, can be downloaded from
Hi,
the logs are quite interesting.
You try to log in as user e2052982, which SSSD found as CN=E2052982,OU=Staff,OU=School Users,DC=orange,DC=schools,DC=internal and which has the userPrincipalName attribute set to peter.de.groot@EDUCATION.WA.EDU.AU. The principal is used by SSSD for the first attempt to get a Kerberos TGT from an AD DC and to authenticate the user:
Getting initial credentials for peter.de.groot@EDUCATION.WA.EDU.AU@ORANGE.SCHOOLS.INTERNAL
For this principal the AD DC returns a salt as
Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
The Kerberos ticket is then issued for E2052982@ORANGE.SCHOOLS.INTERNAL, the expected canonical principal (which SSSD would have used if there was no userPrincipalName attribute defined for the user).
SSSD stores the canonical principal in its cache as well so that upcoming authentications can use this principal directly.
But when you authenticate for a second time and this principal is used:
Getting initial credentials for E2052982@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL
the AD DC returns the salt as
Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
which is the expected salt for the host e4182s01sv023.orange.schools.internal but not for a user.
Can you check if
kinit E2052982@ORANGE.SCHOOLS.INTERNAL
and
kinit -E -C E2052982@ORANGE.SCHOOLS.INTERNAL
work as expected? In that case it would be nice to see the full output of
KRB5_TRACE=/dev/stdout kinit .....
of the working case(s) and /etc/krb5.conf.
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Thank you so much for the reply. Apologies, I have not found the option to email me replies ;-( so I was lax in getting back to you.
Some interesting stuff... The kinit -C -E gave me a password error, but the clean kinit did not.
Two loads of debug and the /etc/krb5.conf. First for the account that is causing the problem, and for interest's sake, one that does not.
Thought bubbles.
e4182s01sv023 is an Ubuntu box on our network, but is certainly not an AD controller. It is a vanilla machine with a GUI running Docker for our Xibo server. Not sure what the config is.
Our on-site domain controller is an RODC (read-only domain controller); it is e4182s01sv001 (10.251.17.2). The other addresses point "upstream" and are commented out.
--------------------------- Not working account ------------------------
root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit E2052982@ORANGE.SCHOOLS.INTERNAL
[5186] 1554101337.247277: Getting initial credentials for E2052982@ORANGE.SCHOOLS.INTERNAL
[5186] 1554101337.247279: Sending unauthenticated request
[5186] 1554101337.247280: Sending request (198 bytes) to ORANGE.SCHOOLS.INTERNAL
[5186] 1554101337.247281: Sending initial UDP request to dgram 10.251.17.2:88
[5186] 1554101337.247282: Received answer (227 bytes) from dgram 10.251.17.2:88
[5186] 1554101337.247283: Response was from master KDC
[5186] 1554101337.247284: Received error from KDC: -1765328359/Additional pre-authentication required
[5186] 1554101337.247287: Preauthenticating using KDC method data
[5186] 1554101337.247288: Processing preauth types: 16, 15, 19, 2
[5186] 1554101337.247289: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
Password for E2052982@ORANGE.SCHOOLS.INTERNAL:
[5186] 1554101341.706478: AS key obtained for encrypted timestamp: aes256-cts/8217
[5186] 1554101341.706480: Encrypted timestamp (for 1554101348.551637): plain 301AA011180F32303139303430313036343930385AA1050203086AD5, encrypted 37E0EBC0CA374D8B79089A73622CE2A033D1477A5898474FF1F510DB28BCF562382501BF7FC58FA96EB309288C0CCCC186FF225CC3A1C302
[5186] 1554101341.706481: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[5186] 1554101341.706482: Produced preauth for next request: 2
[5186] 1554101341.706483: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL
[5186] 1554101341.706484: Sending initial UDP request to dgram 10.251.17.2:88
[5186] 1554101341.706485: Received answer (118 bytes) from dgram 10.251.17.2:88
[5186] 1554101341.706486: Response was from master KDC
[5186] 1554101341.706487: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[5186] 1554101341.706488: Request or response is too big for UDP; retrying with TCP
[5186] 1554101341.706489: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
[5186] 1554101341.706490: Initiating TCP connection to stream 10.251.17.2:88
[5186] 1554101341.706491: Sending TCP request to stream 10.251.17.2:88
[5186] 1554101341.706492: Received answer (2057 bytes) from stream 10.251.17.2:88
[5186] 1554101341.706493: Terminating TCP connection to stream 10.251.17.2:88
[5186] 1554101341.706494: Response was from master KDC
[5186] 1554101341.706495: Processing preauth types: 19
[5186] 1554101341.706496: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
[5186] 1554101341.706497: Produced preauth for next request: (empty)
[5186] 1554101341.706498: AS key determined by preauth: aes256-cts/8217
[5186] 1554101341.706499: Decrypted AS reply; session key is: aes256-cts/31CF
[5186] 1554101341.706500: FAST negotiation: unavailable
[5186] 1554101341.706501: Initializing FILE:/tmp/krb5cc_0 with default princ E2052982@ORANGE.SCHOOLS.INTERNAL
[5186] 1554101341.706502: Storing E2052982@ORANGE.SCHOOLS.INTERNAL -> krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL in FILE:/tmp/krb5cc_0
[5186] 1554101341.706503: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL: pa_type: 2
[5186] 1554101341.706504: Storing E2052982@ORANGE.SCHOOLS.INTERNAL -> krb5_ccache_conf_data/pa_type/krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL@X-CACHECONF: in FILE:/tmp/krb5cc_0
----------------------------------------------------------------------------------------------------------------
root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E E2052982@ORANGE.SCHOOLS.INTERNAL
[5188] 1554101419.357336: Getting initial credentials for E2052982@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL
[5188] 1554101419.357338: Sending unauthenticated request
[5188] 1554101419.357339: Sending request (222 bytes) to ORANGE.SCHOOLS.INTERNAL
[5188] 1554101419.357340: Sending initial UDP request to dgram 10.251.17.2:88
[5188] 1554101419.357341: Received answer (257 bytes) from dgram 10.251.17.2:88
[5188] 1554101419.357342: Response was from master KDC
[5188] 1554101419.357343: Received error from KDC: -1765328359/Additional pre-authentication required
[5188] 1554101419.357346: Preauthenticating using KDC method data
[5188] 1554101419.357347: Processing preauth types: 16, 15, 19, 2
[5188] 1554101419.357348: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
Password for E2052982@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL:
[5188] 1554101423.561284: AS key obtained for encrypted timestamp: aes256-cts/3D4E
[5188] 1554101423.561286: Encrypted timestamp (for 1554101430.919162): plain 301AA011180F32303139303430313036353033305AA10502030E067A, encrypted D94687570DB208752390A6133A228CCA354D65B19CDE89148F73AA37699598B25D33F3D3C319DDDE77AFA0D889B903887A7963E9F90F48A7
[5188] 1554101423.561287: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[5188] 1554101423.561288: Produced preauth for next request: 2
[5188] 1554101423.561289: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
[5188] 1554101423.561290: Sending initial UDP request to dgram 10.251.17.2:88
[5188] 1554101423.561291: Received answer (221 bytes) from dgram 10.251.17.2:88
[5188] 1554101423.561292: Response was from master KDC
[5188] 1554101423.561293: Received error from KDC: -1765328360/Preauthentication failed
[5188] 1554101423.561296: Preauthenticating using KDC method data
[5188] 1554101423.561297: Processing preauth types: 19
[5188] 1554101423.561298: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
kinit: Password incorrect while getting initial credentials
-----------------------------------------------------Working account ---------------------------------------
root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit Ev005629@ORANGE.SCHOOLS.INTERNAL
[5189] 1554101493.100226: Getting initial credentials for Ev005629@ORANGE.SCHOOLS.INTERNAL
[5189] 1554101493.100228: Sending unauthenticated request
[5189] 1554101493.100229: Sending request (198 bytes) to ORANGE.SCHOOLS.INTERNAL
[5189] 1554101493.100230: Sending initial UDP request to dgram 10.251.17.2:88
[5189] 1554101493.100231: Received answer (227 bytes) from dgram 10.251.17.2:88
[5189] 1554101493.100232: Response was from master KDC
[5189] 1554101493.100233: Received error from KDC: -1765328359/Additional pre-authentication required
[5189] 1554101493.100236: Preauthenticating using KDC method data
[5189] 1554101493.100237: Processing preauth types: 16, 15, 19, 2
[5189] 1554101493.100238: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
Password for Ev005629@ORANGE.SCHOOLS.INTERNAL:
[5189] 1554101496.919879: AS key obtained for encrypted timestamp: aes256-cts/D46A
[5189] 1554101496.919881: Encrypted timestamp (for 1554101504.268445): plain 301AA011180F32303139303430313036353134345AA105020304189D, encrypted 26FF52413B27417C80958CA9278046140009E6D41B704107A83A6FC9D84B1C27DD39B99526D54DC3E9D8F4831231C352CB25272DC675CF4A
[5189] 1554101496.919882: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[5189] 1554101496.919883: Produced preauth for next request: 2
[5189] 1554101496.919884: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL
[5189] 1554101496.919885: Sending initial UDP request to dgram 10.251.17.2:88
[5189] 1554101496.919886: Received answer (118 bytes) from dgram 10.251.17.2:88
[5189] 1554101496.919887: Response was from master KDC
[5189] 1554101496.919888: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[5189] 1554101496.919889: Request or response is too big for UDP; retrying with TCP
[5189] 1554101496.919890: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
[5189] 1554101496.919891: Initiating TCP connection to stream 10.251.17.2:88
[5189] 1554101496.919892: Sending TCP request to stream 10.251.17.2:88
[5189] 1554101496.919893: Received answer (2033 bytes) from stream 10.251.17.2:88
[5189] 1554101496.919894: Terminating TCP connection to stream 10.251.17.2:88
[5189] 1554101496.919895: Response was from master KDC
[5189] 1554101496.919896: Processing preauth types: 19
[5189] 1554101496.919897: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
[5189] 1554101496.919898: Produced preauth for next request: (empty)
[5189] 1554101496.919899: AS key determined by preauth: aes256-cts/D46A
[5189] 1554101496.919900: Decrypted AS reply; session key is: aes256-cts/9927
[5189] 1554101496.919901: FAST negotiation: unavailable
[5189] 1554101496.919902: Initializing FILE:/tmp/krb5cc_0 with default princ Ev005629@ORANGE.SCHOOLS.INTERNAL
[5189] 1554101496.919903: Storing Ev005629@ORANGE.SCHOOLS.INTERNAL -> krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL in FILE:/tmp/krb5cc_0
[5189] 1554101496.919904: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL: pa_type: 2
[5189] 1554101496.919905: Storing Ev005629@ORANGE.SCHOOLS.INTERNAL -> krb5_ccache_conf_data/pa_type/krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL@X-CACHECONF: in FILE:/tmp/krb5cc_0
-----------------------------------------------------------------------------------------------------------
root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E Ev005629@ORANGE.SCHOOLS.INTERNAL
[5190] 1554101561.515120: Getting initial credentials for Ev005629@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL
[5190] 1554101561.515122: Sending unauthenticated request
[5190] 1554101561.515123: Sending request (222 bytes) to ORANGE.SCHOOLS.INTERNAL
[5190] 1554101561.515124: Sending initial UDP request to dgram 10.251.17.2:88
[5190] 1554101561.515125: Received answer (227 bytes) from dgram 10.251.17.2:88
[5190] 1554101561.515126: Response was from master KDC
[5190] 1554101561.515127: Received error from KDC: -1765328359/Additional pre-authentication required
[5190] 1554101561.515130: Preauthenticating using KDC method data
[5190] 1554101561.515131: Processing preauth types: 16, 15, 19, 2
[5190] 1554101561.515132: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
Password for Ev005629@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL:
[5190] 1554101566.134163: AS key obtained for encrypted timestamp: aes256-cts/D46A
[5190] 1554101566.134165: Encrypted timestamp (for 1554101573.492495): plain 301AA011180F32303139303430313036353235335AA10502030783CF, encrypted ED85BD609D059F6741BBBCD4505B8CEDAE8A3A0EF7A98987F82C3B93414A61072A11A482370A805BE1D3490EE9CA3E81DD7B10A36E1FAA6B
[5190] 1554101566.134166: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[5190] 1554101566.134167: Produced preauth for next request: 2
[5190] 1554101566.134168: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
[5190] 1554101566.134169: Sending initial UDP request to dgram 10.251.17.2:88
[5190] 1554101566.134170: Received answer (118 bytes) from dgram 10.251.17.2:88
[5190] 1554101566.134171: Response was from master KDC
[5190] 1554101566.134172: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[5190] 1554101566.134173: Request or response is too big for UDP; retrying with TCP
[5190] 1554101566.134174: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
[5190] 1554101566.134175: Initiating TCP connection to stream 10.251.17.2:88
[5190] 1554101566.134176: Sending TCP request to stream 10.251.17.2:88
[5190] 1554101566.134177: Received answer (2049 bytes) from stream 10.251.17.2:88
[5190] 1554101566.134178: Terminating TCP connection to stream 10.251.17.2:88
[5190] 1554101566.134179: Response was from master KDC
[5190] 1554101566.134180: Processing preauth types: 19
[5190] 1554101566.134181: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
[5190] 1554101566.134182: Produced preauth for next request: (empty)
[5190] 1554101566.134183: AS key determined by preauth: aes256-cts/D46A
[5190] 1554101566.134184: Decrypted AS reply; session key is: aes256-cts/A383
[5190] 1554101566.134185: FAST negotiation: unavailable
[5190] 1554101566.134186: Initializing FILE:/tmp/krb5cc_0 with default princ EV005629@ORANGE.SCHOOLS.INTERNAL
[5190] 1554101566.134187: Storing EV005629@ORANGE.SCHOOLS.INTERNAL -> krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL in FILE:/tmp/krb5cc_0
[5190] 1554101566.134188: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL: pa_type: 2
[5190] 1554101566.134189: Storing EV005629@ORANGE.SCHOOLS.INTERNAL -> krb5_ccache_conf_data/pa_type/krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL@X-CACHECONF: in FILE:/tmp/krb5cc_0
------------------------------------ krb5.conf ---------------------------------
cat /etc/krb5.conf
[libdefaults]
        default_realm = ORANGE.SCHOOLS.INTERNAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
#       default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
#       default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_keytab_name = FILE:/etc/krb5.keytab
        dns_lookup_realm = true
        dns_lookup_kdc = true
        rdns=false

[domain_realm]
        .orange.schools.internal = ORANGE.SCHOOLS.INTERNAL
        orange.schools.internal = ORANGE.SCHOOLS.INTERNAL

#[realms]
#       SCHOOLS.INTERNAL = {
#               kdc = E7359SVINT730.schools.internal
#               kdc = E7359SVINT731.schools.internal
#               kdc = E7359SVINT732.schools.internal
#}
        ORANGE.SCHOOLS.INTERNAL = {
#               kdc = E7359SVINT743.orange.schools.internal:88
                kdc = E4182s01sv001.orange.schools.internal:88
                admin_server = E4182s01sv001.orange.schools.internal
                default_domain = orange.schools.internal
        }

[logging]
        kdc = FILE:/var/log/krb5kdc/kdc.log
        admin_server = FILE:/var/log/krb5kdc/kadmin.log
On Mon, Apr 01, 2019 at 07:04:01AM -0000, Peter de Groot wrote:
> Thank you so much for the reply. Apologies, I have not found the option to email me replies ;-( so I was lax in getting back to you.
> Some interesting stuff... The kinit -C -E gave me a password error, but the clean kinit did not.
> Two loads of debug and the /etc/krb5.conf. First for the account that is causing the problem, and for interest's sake, one that does not.
> Thought bubbles.
> e4182s01sv023 is an Ubuntu box on our network, but is certainly not an AD controller. It is a vanilla machine with a GUI running Docker for our Xibo server. Not sure what the config is.
> Our on-site domain controller is an RODC (read-only domain controller); it is e4182s01sv001 (10.251.17.2). The other addresses point "upstream" and are commented out.
> --------------------------- Not working account ------------------------
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit E2052982@ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101337.247277: Getting initial credentials for E2052982@ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101337.247279: Sending unauthenticated request
> [5186] 1554101337.247280: Sending request (198 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101337.247281: Sending initial UDP request to dgram 10.251.17.2:88
> [5186] 1554101337.247282: Received answer (227 bytes) from dgram 10.251.17.2:88
> [5186] 1554101337.247283: Response was from master KDC
> [5186] 1554101337.247284: Received error from KDC: -1765328359/Additional pre-authentication required
> [5186] 1554101337.247287: Preauthenticating using KDC method data
> [5186] 1554101337.247288: Processing preauth types: 16, 15, 19, 2
> [5186] 1554101337.247289: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
^^^
> Password for E2052982@ORANGE.SCHOOLS.INTERNAL:
> [5186] 1554101341.706478: AS key obtained for encrypted timestamp: aes256-cts/8217
> [5186] 1554101341.706480: Encrypted timestamp (for 1554101348.551637): plain 301AA011180F32303139303430313036343930385AA1050203086AD5, encrypted 37E0EBC0CA374D8B79089A73622CE2A033D1477A5898474FF1F510DB28BCF562382501BF7FC58FA96EB309288C0CCCC186FF225CC3A1C302
> [5186] 1554101341.706481: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5186] 1554101341.706482: Produced preauth for next request: 2
> [5186] 1554101341.706483: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101341.706484: Sending initial UDP request to dgram 10.251.17.2:88
> [5186] 1554101341.706485: Received answer (118 bytes) from dgram 10.251.17.2:88
> [5186] 1554101341.706486: Response was from master KDC
> [5186] 1554101341.706487: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [5186] 1554101341.706488: Request or response is too big for UDP; retrying with TCP
> [5186] 1554101341.706489: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
> [5186] 1554101341.706490: Initiating TCP connection to stream 10.251.17.2:88
> [5186] 1554101341.706491: Sending TCP request to stream 10.251.17.2:88
> [5186] 1554101341.706492: Received answer (2057 bytes) from stream 10.251.17.2:88
> [5186] 1554101341.706493: Terminating TCP connection to stream 10.251.17.2:88
> [5186] 1554101341.706494: Response was from master KDC
> [5186] 1554101341.706495: Processing preauth types: 19
> [5186] 1554101341.706496: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> [5186] 1554101341.706497: Produced preauth for next request: (empty)
> [5186] 1554101341.706498: AS key determined by preauth: aes256-cts/8217
> [5186] 1554101341.706499: Decrypted AS reply; session key is: aes256-cts/31CF
> [5186] 1554101341.706500: FAST negotiation: unavailable
> [5186] 1554101341.706501: Initializing FILE:/tmp/krb5cc_0 with default princ E2052982@ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101341.706502: Storing E2052982@ORANGE.SCHOOLS.INTERNAL -> krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL in FILE:/tmp/krb5cc_0
> [5186] 1554101341.706503: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL: pa_type: 2
> [5186] 1554101341.706504: Storing E2052982@ORANGE.SCHOOLS.INTERNAL -> krb5_ccache_conf_data/pa_type/krbtgt/ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL@X-CACHECONF: in FILE:/tmp/krb5cc_0
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E E2052982@ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101419.357336: Getting initial credentials for E2052982@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101419.357338: Sending unauthenticated request
> [5188] 1554101419.357339: Sending request (222 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101419.357340: Sending initial UDP request to dgram 10.251.17.2:88
> [5188] 1554101419.357341: Received answer (257 bytes) from dgram 10.251.17.2:88
> [5188] 1554101419.357342: Response was from master KDC
> [5188] 1554101419.357343: Received error from KDC: -1765328359/Additional pre-authentication required
> [5188] 1554101419.357346: Preauthenticating using KDC method data
> [5188] 1554101419.357347: Processing preauth types: 16, 15, 19, 2
> [5188] 1554101419.357348: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
In theory the salt values here and above should be the same.
Can you send the complete LDAP object of your AD user and the one for the host e4182s01sv023.orange.schools.internal, if it exists?
bye, Sumit
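The check Sumit applies in both replies is that the salt the KDC advertises for the canonical principal (plain kinit) and for the enterprise/canonicalized form (kinit -C -E) must agree for the same account. The following is an added example, not code from the thread, SSSD or MIT krb5: it parses KRB5_TRACE output as pasted above, pairs each account's two AS-REQs, and flags pairs whose salts differ, classifying each salt as user-style or computer-style (REALM + "host" + lowercase FQDN, the MS-KILE convention for computer accounts). The sample input is constructed from an abridged copy of the four traces in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Start of each KRB5_TRACE entry: "[pid] seconds.micros: "
TRACE_PREFIX = re.compile(r"\[\d+\] \d+\.\d+: ")
PRINC_RE = re.compile(r"Getting initial credentials for (\S+)")
SALT_RE = re.compile(r'Selected etype info: etype (\S+), salt "([^"]*)"')


@dataclass
class AsRequest:
    principal: str              # principal exactly as kinit printed it
    enterprise: bool            # True for the "name@REALM@REALM" form (-E / -C)
    realm: str                  # realm after the last '@'
    salt: Optional[str] = None  # first salt the KDC advertised for this request


def split_trace(blob: str) -> List[str]:
    """KRB5_TRACE output pasted into mail often arrives run together on one
    line; split on the "[pid] timestamp:" prefix so each entry stands alone."""
    return [p.strip() for p in TRACE_PREFIX.split(blob) if p.strip()]


def parse_trace(blob: str) -> List[AsRequest]:
    """One AsRequest per 'Getting initial credentials' entry, carrying the
    first salt the KDC returned for it (the later etype-info line repeats it)."""
    requests: List[AsRequest] = []
    for entry in split_trace(blob):
        m = PRINC_RE.search(entry)
        if m:
            princ = m.group(1).rstrip('".')
            requests.append(AsRequest(princ, princ.count("@") > 1, princ.rsplit("@", 1)[1]))
            continue
        m = SALT_RE.search(entry)
        if m and requests and requests[-1].salt is None:
            requests[-1].salt = m.group(2)
    return requests


def salt_kind(salt: Optional[str], realm: str) -> str:
    """Classify an AD-issued salt by the MS-KILE conventions: computer accounts
    get REALM + "host" + lowercase DNS host name, user accounts get REALM + the
    account name (the UPN prefix when one is set, as for E2052982 in the thread).
    A computer whose DNS suffix lies outside the realm's domain reads as 'user'."""
    if salt is None:
        return "none"
    if not salt.startswith(realm):
        return "foreign-realm"
    rest = salt[len(realm):]
    if rest.startswith("host") and rest[4:].endswith("." + realm.lower()):
        return "computer"
    return "user" if rest else "unknown"


def find_salt_mismatches(requests: List[AsRequest]) -> List[Tuple[str, str, str, str, str]]:
    """Pair the plain and enterprise AS-REQs made for the same account name and
    report each pair whose salts differ, together with both classifications."""
    by_name: Dict[str, Dict[str, AsRequest]] = {}
    for r in requests:
        name = r.principal.split("@", 1)[0].upper()  # AD account names are case-insensitive
        by_name.setdefault(name, {})["enterprise" if r.enterprise else "plain"] = r
    findings = []
    for name, forms in sorted(by_name.items()):
        if "plain" in forms and "enterprise" in forms:
            plain, ent = forms["plain"], forms["enterprise"]
            if plain.salt != ent.salt:
                findings.append((name, plain.salt, salt_kind(plain.salt, plain.realm),
                                 ent.salt, salt_kind(ent.salt, ent.realm)))
    return findings


def report(trace: str) -> List[str]:
    """Human-readable finding per mismatch; empty when the salts agree."""
    return [f"{name}: plain salt {s1!r} ({k1}) vs enterprise salt {s2!r} ({k2}); "
            "the enterprise request was keyed with another account's salt"
            for name, s1, k1, s2, k2 in find_salt_mismatches(parse_trace(trace))]


# Constructed sample input: the two kinit runs per account from the thread,
# abridged to the entries this check reads and run together as mail flattens them.
FAILING_ACCOUNT_TRACE = (
    "root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit E2052982@ORANGE.SCHOOLS.INTERNAL "
    "[5186] 1554101337.247277: Getting initial credentials for E2052982@ORANGE.SCHOOLS.INTERNAL "
    "[5186] 1554101337.247288: Processing preauth types: 16, 15, 19, 2 "
    '[5186] 1554101337.247289: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params "" '
    "Password for E2052982@ORANGE.SCHOOLS.INTERNAL: "
    "[5186] 1554101341.706499: Decrypted AS reply; session key is: aes256-cts/31CF "
    "root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E E2052982@ORANGE.SCHOOLS.INTERNAL "
    "[5188] 1554101419.357336: Getting initial credentials for E2052982@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL "
    '[5188] 1554101419.357348: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params "" '
    "[5188] 1554101423.561293: Received error from KDC: -1765328360/Preauthentication failed"
)
WORKING_ACCOUNT_TRACE = (
    "[5189] 1554101493.100226: Getting initial credentials for Ev005629@ORANGE.SCHOOLS.INTERNAL "
    '[5189] 1554101493.100238: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params "" '
    "[5190] 1554101561.515120: Getting initial credentials for Ev005629@ORANGE.SCHOOLS.INTERNAL@ORANGE.SCHOOLS.INTERNAL "
    '[5190] 1554101561.515132: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params "" '
    "[5190] 1554101566.134184: Decrypted AS reply; session key is: aes256-cts/A383"
)

if __name__ == "__main__":
    for label, trace in (("not working", FAILING_ACCOUNT_TRACE), ("working", WORKING_ACCOUNT_TRACE)):
        print(label, "->", report(trace) or ["salts agree"])
```

Run it on the full trace output of both kinit forms for any account that only authenticates once through SSSD; a "user" versus "computer" finding is the signature described in the thread.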