After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for kerberos-authenticated accounts. However, kinit still succeeds and "getent passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the credential cache folder) restores normal operation.
My setup: I'm running Arch linux, and have PAM set to use sssd. sssd in turn authenticates against a kerberos instance running on my NAS, and pulls user information from an openldap instance. PAM, kerberos, and openldap were configured by hand as a learning experience, and have been running for about a year. DNS and NTP are working, ldap is returning users, and kinit is succeeding on both my local machine and the server.
This appears to be the relevant section of the logs, from krb5_child.log (with debug_level 10):
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child started.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total buffer size: [147]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [dave@LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab: [/etc/krb5.keytab]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not using FAST.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already user [1042].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running as [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform online auth
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for dave@LA-LA.LAN].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received error code 1432158218
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000): Response sent.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully
Please let me know if any other logs or configurations are needed.
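The telling lines in that log are "Cannot handle password prompts" followed by "Cannot read password": the krb5 library asked krb5_child for an interactive password prompt, which krb5_child cannot answer. As an added example that is not part of this thread or of SSSD itself, here is a small POSIX shell filter for spotting that signature in a krb5_child.log and attributing it to the principal being authenticated. The embedded sample lines are copied from the log above; the function name and the awk logic are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): triage filter that finds
# krb5_child runs in which libkrb5 fell back to an interactive password
# prompt that krb5_child could not service, and reports the affected UPN.

# Sample input: a subset of the krb5_child.log (debug_level 10) lines quoted
# in the report above. The PID inside krb5_child[NNNN] ties the lines of one
# authentication attempt together.
SAMPLE_LOG='(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [dave@LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully'

# prompt_failures LOGTEXT: print "PID UPN" for each krb5_child process that
# logged an unanswerable prompter call and then failed with
# "Cannot read password". Prints nothing when the signature is absent.
prompt_failures() {
    printf '%s\n' "$1" | awk '
        # Current child PID: the digits inside "krb5_child[NNNN]".
        match($0, /krb5_child\[[0-9]+\]/) {
            pid = substr($0, RSTART + 11, RLENGTH - 12)
        }
        # The unpack_buffer line carries the UPN the child is authenticating.
        /\[unpack_buffer\].*UPN \[/ {
            s = $0
            sub(/.*UPN \[/, "", s)
            sub(/\].*/, "", s)
            upn[pid] = s
        }
        # Step 1 of the signature: prompter invoked but not serviceable.
        /\[sss_krb5_prompter\].*Cannot handle password prompts/ { prompted[pid] = 1 }
        # Step 2: the TGT request fails because no password was delivered.
        /Cannot read password\]/ && (pid in prompted) { hit[pid] = 1 }
        END { for (p in hit) printf "%s %s\n", p, upn[p] }
    '
}

# Run against the sample; on a live system use:
#   prompt_failures "$(cat /var/log/sssd/krb5_child.log)"
prompt_failures "$SAMPLE_LOG"
```

A hit from this filter means the library wanted something from the user that SSSD's non-interactive child cannot provide; it does not by itself say why the library asked, so the next step is to look at the KDC-side principal flags, as the rest of the thread does.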
On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
> After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for kerberos-authenticated accounts. However, kinit still succeeds and "getent passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the credential cache folder) restores normal operation.
> My setup: I'm running Arch linux, and have PAM set to use sssd. sssd in turn authenticates against a kerberos instance running on my NAS, and pulls user information from an openldap instance. PAM, kerberos, and openldap were configured by hand as a learning experience, and have been running for about a year. DNS and NTP are working, ldap is returning users, and kinit is succeeding on both my local machine and the server.
I think I have an idea what is wrong. Can you tell me what kind of KDC you are using on the NAS and which Kerberos library is used on the client so that I can try to reproduce it locally?
bye, Sumit
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
The NAS is also running Arch, and is the MIT kerberos 1.13.1. The client is using 1.13.4 of the same package.
On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose sbose@redhat.com wrote:
> On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
> I think I have an idea what is wrong. Can you tell me what kind of KDC you are using on the NAS and which Kerberos library is used on the client so that I can try to reproduce it locally?
> bye, Sumit
On Fri, Jul 15, 2016 at 01:04:17PM -0400, David Wilhelm wrote:
> The NAS is also running Arch, and is the MIT kerberos 1.13.1. The client is using 1.13.4 of the same package.
> On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose sbose@redhat.com wrote:
> > On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
> > > After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for kerberos-authenticated accounts. However, kinit still succeeds and "getent passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the credential cache folder) restores normal operation.
Thanks, I was able to reproduce the issue. After discussing it with a co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454 because we think it is originally an issue in the responder interface of MIT Kerberos. I would like to hear back from MIT before trying to fix the SSSD side.
I'm pretty sure that authentication would work again if you enable pre-authentication for the user principals on the KDC:
    # kadmin.local
    kadmin.local: modprinc +requires_preauth dave@LA-LA.LAN
Is there a reason why pre-authentication is disabled? If not, it is very, very, very recommended to enable it (not only to make SSSD work), see e.g. http://superuser.com/questions/200010/how-does-kerberos-preauthentication-in... for some explanations.
bye, Sumit
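The modprinc command above fixes one principal. As an added example that is not part of this thread, of SSSD or of MIT Kerberos, the following POSIX shell script turns it into an audit over a list of principals: for each one it reads the kadmin.local getprinc record, reports those whose Attributes line lacks REQUIRES_PRE_AUTH, and prints the exact modprinc command to enable it. The getprinc text embedded in the script is constructed sample data so it runs offline; the function names and the GETPRINC_SOURCE switch are my own, and only kadmin.local with its -q option is assumed from MIT Kerberos.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or MIT Kerberos): find principals
# that still allow un-preauthenticated AS requests and print the kadmin.local
# command that turns REQUIRES_PRE_AUTH on for each of them.

# Constructed sample of (abridged) `kadmin.local -q "getprinc ..."` output for
# a principal without pre-authentication: the Attributes line is empty.
SAMPLE_NOPREAUTH='Principal: dave@LA-LA.LAN
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: [none]'

# Constructed sample for a principal that already requires pre-authentication.
SAMPLE_PREAUTH='Principal: alice@LA-LA.LAN
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# lacks_preauth GETPRINC_TEXT: returns 0 (true) when REQUIRES_PRE_AUTH is
# absent from the Attributes line, 1 when it is present.
lacks_preauth() {
    if printf '%s\n' "$1" | grep -q '^Attributes:.*REQUIRES_PRE_AUTH'; then
        return 1
    fi
    return 0
}

# getprinc_text PRINCIPAL: the principal's record. Reads the constructed
# samples unless GETPRINC_SOURCE=kdc, in which case kadmin.local is queried
# (run as root on the KDC host).
getprinc_text() {
    if [ "${GETPRINC_SOURCE:-sample}" = "sample" ]; then
        case "$1" in
            dave@*) printf '%s\n' "$SAMPLE_NOPREAUTH" ;;
            *)      printf '%s\n' "$SAMPLE_PREAUTH" ;;
        esac
    else
        kadmin.local -q "getprinc $1"
    fi
}

# fix_command PRINCIPAL: the kadmin.local invocation recommended in the
# thread, in non-interactive -q form.
fix_command() {
    printf 'kadmin.local -q "modprinc +requires_preauth %s"\n' "$1"
}

# audit_principals "p1 p2 ...": one fix command per principal that lacks
# pre-authentication; empty output means every principal is already set.
audit_principals() {
    for p in $1; do
        if lacks_preauth "$(getprinc_text "$p")"; then
            fix_command "$p"
        fi
    done
}

# Dry run over the constructed sample. Against a real KDC:
#   GETPRINC_SOURCE=kdc ./preauth-audit.sh > fixes.sh   (review, then: sh fixes.sh)
audit_principals "dave@LA-LA.LAN alice@LA-LA.LAN"
```

The script deliberately prints the commands instead of executing them, so the change set can be reviewed before any principal is modified; the principal list itself can come from `kadmin.local -q listprincs` on the KDC.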
Enabling the preauthentication flag for the principal does indeed get authentication working again.
The only reason it wasn't enabled was the usual poor reason: it wasn't the default.
Thank you for the help and the explanation!
~Dave