Hello, I am experiencing some issues with this version of sssd in ad mode. I am unable to connect to a computer. But when using the previous version on another computer (sssd-1.11.6-30.el6.x86_64) it's working fine.
DC: Windows 2012R2
client 1: CentOS 6.6 - sssd-1.11.6-30.el6.x86_64
client 2: CentOS 6.7 - sssd-1.12.4-47.el6_7.7.x86_64
I am attaching the krb5_child.log file.
Has anyone got the same issues?
Thanks
Regards,
On Thu, Mar 10, 2016 at 05:13:49PM +0000, Fabien CARRE wrote:
> Hello, I am experiencing some issues with this version of sssd in ad mode. I am unable to connect to a computer. But when using the previous version on another computer (sssd-1.11.6-30.el6.x86_64) it's working fine.
> DC: Windows 2012R2
> client 1: CentOS 6.6 - sssd-1.11.6-30.el6.x86_64
> client 2: CentOS 6.7 - sssd-1.12.4-47.el6_7.7.x86_64
> I am attaching the krb5_child.log file.
> Has anyone got the same issues?
According to the logs the error happens during the validation of the Kerberos ticket. For this, SSSD tries to get a service ticket for the local client and checks whether this service ticket can be decrypted with the keys from the local keytab.
It looks like the AD DC does not know about the service principal 'host/itserver05.mikros.int@EU.DOMAIN.COM'. This principal is typically created when you join the AD domain. Is itserver05.mikros.int the name of the client where authentication fails? How did you join the domain, did you use any special options?
bye, Sumit
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): krb5_child started.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x1000): total buffer size: [125]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x0100): cmd [241] uid [111111] gid [1111111] validate [true] enterprise principal [true] offline [false] UPN [mytest@EU.DOMAIN.COM]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:111111] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [check_use_fast] (0x0100): Not using FAST.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [become_user] (0x0200): Trying to become user [111111][1111111].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x2000): Running as [111111][1111111].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_setup] (0x2000): Running as [111111][1111111].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): Will perform online auth
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [EU.DOMAIN.COM]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.664492: Getting initial credentials for mytest@EU.DOMAIN.COM@EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.664581: Sending request (219 bytes) to EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.664766: Sending initial UDP request to dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.665964: Received answer from dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666054: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666074: Received error from KDC: -1765328359/Additional pre-authentication required
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666129: Processing preauth types: 16, 15, 19, 2
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.666141: Selected etype info: etype aes256-cts, salt "EU.DOMAIN.COMmytest", params ""
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674366: AS key obtained for encrypted timestamp: aes256-cts/4CD3
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674405: Encrypted timestamp (for 1457629646.674380): plain 301AA011180F32303136303331303137303732365AA10502030A4A4C, encrypted 9AB9B53DFE7ABD21B60679A76950A7CFF70A466FF4455D666D9788720BA9B7EA67F4A9A1C9CBB9DC9A09170ABCEFA1B1C811994E7BFF29AC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674417: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674428: Produced preauth for next request: 2
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674443: Sending request (299 bytes) to EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.674491: Sending initial UDP request to dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.675920: Received answer from dgram 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.675993: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676009: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676017: Request or response is too big for UDP; retrying with TCP
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676023: Sending request (299 bytes) to EU.DOMAIN.COM (tcp only)
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676055: Initiating TCP connection to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.676340: Sending TCP request to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677624: Received answer from stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677685: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677734: Processing preauth types: 19
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677756: Selected etype info: etype aes256-cts, salt "EU.DOMAIN.COMmytest", params ""
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677763: Produced preauth for next request: (empty)
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677788: AS key determined by preauth: aes256-cts/4CD3
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677871: Decrypted AS reply; session key is: rc4-hmac/A720
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677901: FAST negotiation: unavailable
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [4314436]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677957: Retrieving host/itserver05.mikros.int@EU.DOMAIN.COM from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677966: Resolving unique ccache of type MEMORY
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677980: Initializing MEMORY:ZIyWoF4 with default princ mytest@EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677989: Removing mytest@EU.DOMAIN.COM -> krbtgt/EU.DOMAIN.COM@EU.DOMAIN.COM from MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677996: Storing mytest@EU.DOMAIN.COM -> krbtgt/EU.DOMAIN.COM@EU.DOMAIN.COM in MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678029: Getting credentials mytest@EU.DOMAIN.COM -> host/itserver05.mikros.int@EU.DOMAIN.COM using ccache MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678049: Retrieving mytest@EU.DOMAIN.COM -> host/itserver05.mikros.int@EU.DOMAIN.COM from MEMORY:ZIyWoF4 with result: -1765328243/Matching credential not found
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678062: Retrieving mytest@EU.DOMAIN.COM -> krbtgt/EU.DOMAIN.COM@EU.DOMAIN.COM from MEMORY:ZIyWoF4 with result: 0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678069: Found cached TGT for service realm: mytest@EU.DOMAIN.COM -> krbtgt/EU.DOMAIN.COM@EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678075: Requesting tickets for host/itserver05.mikros.int@EU.DOMAIN.COM, referrals on
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678089: Generated subkey for TGS request: rc4-hmac/4993
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678098: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678185: Sending request (1683 bytes) to EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678249: Initiating TCP connection to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678480: Sending TCP request to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741482: Received answer from stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741654: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741706: TGS request result: -1765328377/Server not found in Kerberos database
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741718: Requesting tickets for host/itserver05.mikros.int@EU.DOMAIN.COM, referrals off
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741769: Generated subkey for TGS request: rc4-hmac/2A08
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741784: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741859: Sending request (1683 bytes) to EU.DOMAIN.COM
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741913: Initiating TCP connection to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.742169: Sending TCP request to stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805000: Received answer from stream 10.218.194.10:88
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805208: Response was from master KDC
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805261: TGS request result: -1765328377/Server not found in Kerberos database
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805312: Destroying ccache MEMORY:ZIyWoF4
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/itserver05.mikros.int@EU.DOMAIN.COM].
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [get_and_save_tgt] (0x0020): 1007: [-1765328377][Server not found in Kerberos database]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [map_krb5_error] (0x0020): 1069: [-1765328377][Server not found in Kerberos database]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [k5c_send_data] (0x4000): Response sent.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [main] (0x0400): krb5_child completed successfully
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
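The validation step Sumit describes (user TGT first, then a service ticket for the host principal read from /etc/krb5.keytab, then decryption with the keytab key) leaves a fixed set of trace lines in krb5_child.log, so it can be triaged mechanically. The script below is an added example, not part of this thread and not code from SSSD: a shell function that reads the trace and reports which keytab principal SSSD used, how the KDC answered each TGS request for it, and a verdict when validation fails. The sample log is a handful of lines copied from the log above and trimmed to that step.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): pull the TGT-validation step
# out of a krb5_child.log and summarise it.

# Constructed sample: trace lines copied from the krb5_child.log in this thread,
# trimmed to the validation step.
SAMPLE_LOG='(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.677957: Retrieving host/itserver05.mikros.int@EU.DOMAIN.COM from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.678075: Requesting tickets for host/itserver05.mikros.int@EU.DOMAIN.COM, referrals on
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741706: TGS request result: -1765328377/Server not found in Kerberos database
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.741718: Requesting tickets for host/itserver05.mikros.int@EU.DOMAIN.COM, referrals off
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [sss_child_krb5_trace_cb] (0x4000): [9342] 1457629646.805261: TGS request result: -1765328377/Server not found in Kerberos database
(Thu Mar 10 18:07:26 2016) [[sssd[krb5_child[9342]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/itserver05.mikros.int@EU.DOMAIN.COM].'

# krb5_validate_triage < LOG
# Prints one line per finding:
#   keytab_entry PRINC ok|fail          the host key SSSD read from the keytab
#   tgs PRINC referrals=on|off RESULT   each service-ticket request and the KDC answer
#   verdict ...                         only present when validation failed
krb5_validate_triage() {
    awk '
    # The keytab lookup: which host principal SSSD will try to validate against.
    /Retrieving host\/[^ ]* from MEMORY:\/etc\/krb5\.keytab/ {
        for (i = 1; i <= NF; i++) if ($i == "Retrieving") princ = $(i + 1)
        res = ($0 ~ /with result: 0\/Success/) ? "ok" : "fail"
        print "keytab_entry " princ " " res
    }
    # The TGS request for that principal (MIT krb5 tries with and without referrals).
    /Requesting tickets for / {
        for (i = 1; i <= NF; i++) if ($i == "for") { svc = $(i + 1); sub(/,$/, "", svc) }
        refer = ($0 ~ /referrals on$/) ? "on" : "off"
    }
    # The KDC answer to the TGS request.
    /TGS request result: / {
        split($0, a, "TGS request result: ")
        print "tgs " svc " referrals=" refer " " a[2]
        if (a[2] ~ /Server not found in Kerberos database/) notfound++
    }
    # The final verdict SSSD logs when the ticket could not be validated.
    /TGT failed verification using key for \[/ {
        match($0, /\[[^]]*\]\.$/)
        key = substr($0, RSTART + 1, RLENGTH - 3)
        n = notfound + 0
        print "verdict keytab holds " key " but the KDC has no account for that principal (" n " TGS attempts failed): compare it with the servicePrincipalName values on the computer object"
    }
    '
}

printf '%s\n' "$SAMPLE_LOG" | krb5_validate_triage
```

Run against a real log with `krb5_validate_triage < /var/log/sssd/krb5_child.log` (debug_level high enough for the 0x4000 trace lines, as in the log above). A `keytab_entry ... ok` followed by `tgs ... Server not found in Kerberos database` is the signature of a keytab that carries a principal the KDC does not map to any account, which is exactly what the thread is looking at.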
Hello,
As I am working with Fabien on this issue, I take the liberty to answer.
- itserver05.mikros.int is the client where the authentication fails.
- The domain has been joined using the following command :
adcli join -D eu.domain.com -S mondceu05.eu.domain.com -O OU=PARI,OU=UnixWorkstations,OU=Devices,DC=EU,DC=DOMAIN,DC=COM -U admin -W
As you can see, there are no special options except specifying the computers' OU.
John
On Fri, Mar 11, 2016 at 11:40:30AM -0000, johnlehardos@hotmail.com wrote:
> Hello,
> As I am working with Fabien on this issue, I take the liberty to answer.
> - itserver05.mikros.int is the client where the authentication fails.
> - The domain has been joined using the following command :
> adcli join -D eu.domain.com -S mondceu05.eu.domain.com -O OU=PARI,OU=UnixWorkstations,OU=Devices,DC=EU,DC=DOMAIN,DC=COM -U admin -W
> As you can see, there are no special options except specifying the computers' OU.
Which version of adcli was used? Chances are you hit https://bugzilla.redhat.com/show_bug.cgi?id=1061371. There is a new version available in epel https://dl.fedoraproject.org/pub/epel/6/x86_64/adcli-0.8.0-1.el6.x86_64.rpm which should fix the issue.
HTH
bye, Sumit
Unfortunately we are already on the EPEL version:
Installed Packages
Name        : adcli
Arch        : x86_64
Version     : 0.8.0
Release     : 1.el6
Size        : 230 k
Repo        : installed
From repo   : epel
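With the adcli version ruled out, the next thing to compare is what the client keytab contains against the servicePrincipalName values AD holds on the computer object, since the KDC answers "Server not found in Kerberos database" when it cannot map the requested principal to an account. The script below is an added example, not part of this thread and not code from adcli or SSSD. The `klist -k` listing and the LDIF are constructed to show a mismatch of the kind the log implies; the computer account name ITSERVER05$ and the attribute values are assumptions, and the real commands that would produce the inputs on the failing client are given in the comments.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or adcli): compare the principals held
# in the client keytab with the servicePrincipalName values AD has on the computer
# object, and print the ones the KDC cannot know about.
#
# On the failing client the real inputs would come from (account name assumed):
#   klist -k /etc/krb5.keytab
#   ldapsearch -LLL -Y GSSAPI -H ldap://mondceu05.eu.domain.com \
#       -b 'OU=PARI,OU=UnixWorkstations,OU=Devices,DC=EU,DC=DOMAIN,DC=COM' \
#       '(sAMAccountName=ITSERVER05$)' dNSHostName servicePrincipalName
# The TGS step SSSD performs during validation can be reproduced by hand with
#   kinit mytest@EU.DOMAIN.COM && kvno host/itserver05.mikros.int
# which, in the situation the log shows, fails with the same
# "Server not found in Kerberos database" error.

# Constructed sample of `klist -k` output for the client.
KEYTAB_LIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/itserver05.mikros.int@EU.DOMAIN.COM
   2 host/ITSERVER05@EU.DOMAIN.COM
   2 ITSERVER05$@EU.DOMAIN.COM'

# Constructed sample LDIF for the computer object. The fully qualified host/
# SPN is deliberately absent, which is the mismatch the log points at.
AD_LDIF='dn: CN=ITSERVER05,OU=PARI,OU=UnixWorkstations,OU=Devices,DC=EU,DC=DOMAIN,DC=COM
dNSHostName: itserver05.mikros.int
servicePrincipalName: host/ITSERVER05
servicePrincipalName: RestrictedKrbHost/ITSERVER05'

# missing_spns KEYTAB_TEXT LDIF_TEXT
# Prints every service principal (svc/host form) from the keytab that has no
# servicePrincipalName on the AD object. The realm is dropped because SPNs carry
# none, and the comparison is case-insensitive because AD matches SPNs that way.
# The account principal (ITSERVER05$) is skipped: it is not an SPN.
missing_spns() {
    ad_spns=$(printf '%s\n' "$2" | awk '$1 == "servicePrincipalName:" { print tolower($2) }')
    printf '%s\n' "$1" |
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /\// { sub(/@.*$/, "", $2); print $2 }' |
    sort -u |
    while IFS= read -r p; do
        lp=$(printf '%s' "$p" | tr 'A-Z' 'a-z')
        printf '%s\n' "$ad_spns" | grep -qxF -- "$lp" || printf '%s\n' "$p"
    done
}

missing_spns "$KEYTAB_LIST" "$AD_LDIF"
```

Any principal this prints is one SSSD may pick for validation but the DC will reject, which is the failure mode in the log above. If the fully qualified host/ SPN is the one missing, the join put the wrong or an incomplete SPN set on the object (the client's DNS name is under mikros.int while the account lives in eu.domain.com, so the two cannot be derived from each other), and the fix is on the AD side: add the SPN to the computer object (for example with `adcli update` on a recent adcli, or setspn on a DC) rather than edit the keytab.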