Hi List,
I am running into a problem with pam_sss. It is unable to authenticate a user against AD via Kerberos. Log files:
sssd_default.log:
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache file for user [ondrejv] found.
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
pam.log:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ondrejv] added to PAM initgroup cache
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: login03
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 27660
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x417d60:3:ondrejv@default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x22b1f10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 68
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x22bcec0][18]
(Thu Sep 24 14:14:21 2015) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [ondrejv] removed from PAM initgroup cache
/var/log/authlog:
Sep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=login03 user=ondrejv
Sep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): received for user ondrejv: 4 (System error)
I am a bit lost here - neither does friend Google help. Does anyone know? I can run 'kinit <username>' happily, so the Kerberos library seems to be configured fine. System is Ubuntu 14.04.
Thanks, Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Thu, Sep 24, 2015 at 01:58:34PM +0000, Ondrej Valousek wrote:
Hi List,
I am running into a problem with pam_sss. It is unable to authenticate a user against AD via Kerberos. Log files:
sssd_default.log:
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache file for user [ondrejv] found.
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
Those messages are expected info messages; they do not indicate an error. Do you have any content in the krb5_child.log? Feel free to forward the full logs to me directly.
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On (24/09/15 18:04), Sumit Bose wrote:
On Thu, Sep 24, 2015 at 01:58:34PM +0000, Ondrej Valousek wrote:
Hi List,
I am running into a problem with pam_sss. It is unable to authenticate a user against AD via Kerberos. Log files:
[...]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
^^ pam responder received PAM_SYSTEM_ERR from default domain
The debug message is improved in newer sssd.
Which version of sssd do you use? I agree with Sumit. We will need to see the krb5_child.log (the log file from the default domain might be useful as well).
LS
Here is the krb5_child.log:
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917796: TGS request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917822: Received creds for desired service host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917850: Removing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917878: Storing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM in MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917924: Creating authenticator for ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM, seqnum 0, subkey (null), session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918003: Retrieving host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918061: Decrypted AP-REQ with specified server principal host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM: rc4-hmac/0336
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918092: AP-REQ ticket: ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM, session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918267: Negotiated enctype based on authenticator: rc4-hmac
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918299: Initializing MEMORY:rd_req2 with default princ ondrejv@DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918330: Removing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918357: Storing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM in MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918390: Destroying ccache MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT verified using key for [host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918470: Retrieving ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2 with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918565: Retrieving host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ondrejv@DUBLIN.AD.S3GROUP.COM@DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918705: Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:14019]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal ondrejv@DUBLIN.AD.S3GROUP.COM in cache collection]
Not sure if it helps. O.
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik Sent: Friday, September 25, 2015 9:14 AM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Problem authenticating user
On Fri, Sep 25, 2015 at 10:30:51AM +0000, Ondrej Valousek wrote:
Here is the krb5_child.log:
[...]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ondrejv@DUBLIN.AD.S3GROUP.COM@DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918705: Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:14019]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal ondrejv@DUBLIN.AD.S3GROUP.COM in cache collection]
Not sure if it helps.
I'm sorry, but it does not help. Both messages about 'sss_pac_make_request failed' and 'Can't find client principal' will not cause the authentication to fail. So more log data is needed here. As said, feel free to send the full logs to me directly.
bye, Sumit
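Lukas's reading of the pam responder log (result [4] is PAM_SYSTEM_ERR, handed back by the "default" backend) and Sumit's point that the 0x0040 messages in krb5_child.log about the PAC do not by themselves fail the login can both be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from the SSSD project: it parses log lines of the shape quoted above, reports the PAM code and the domain that produced it, and sorts krb5_child lines into failure-class messages (debug bits 0x0010 to 0x0080, named as in sssd.conf(5)) versus configuration and trace output. The sample lines are constructed from the thread's excerpts with the hostname and realm replaced by example.com placeholders.

```python
"""Triage an SSSD PAM authentication failure from its debug logs.

Added example, not from the thread or the SSSD project. Parses lines of the
form "(timestamp) [process] [function] (0xLEVEL): message" from sssd_pam.log
and krb5_child.log and answers: which PAM code did the responder return, from
which backend, and which krb5_child lines are real failures vs trace noise.
"""
import re

# Debug-level bits as listed in sssd.conf(5); 0x0010-0x0080 are failure
# classes, everything above is configuration or trace output.
DEBUG_BITS = {
    0x0010: "fatal_failure", 0x0020: "critical_failure",
    0x0040: "op_failure",    0x0080: "minor_failure",
    0x0100: "conf_settings", 0x0200: "func_data",
    0x0400: "trace_func",    0x1000: "trace_libs",
    0x2000: "trace_internal", 0x4000: "trace_all",
}
FAILURE_MASK = 0x00F0

# Linux-PAM return codes pam_sss hands back; 4 is the "System error" above.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")


def parse_line(line):
    """Return a dict for one SSSD log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    level = int(m["lvl"], 16)
    return {"ts": m["ts"], "proc": m["proc"], "func": m["func"],
            "level": level, "level_name": DEBUG_BITS.get(level, m["lvl"]),
            "is_failure": bool(level & FAILURE_MASK), "msg": m["msg"]}


def pam_result(lines):
    """(code, name, domain) from the pam responder log, or None if no reply seen."""
    domain = None
    for rec in filter(None, map(parse_line, lines)):
        if rec["func"] == "pam_dp_process_reply":
            m = re.search(r"received: \[(\d+)\]\[(\w+)\]", rec["msg"])
            if m:
                domain = m.group(2)          # backend that produced the reply
        elif rec["func"] == "pam_reply":
            m = re.search(r"result \[(\d+)\]", rec["msg"])
            if m:
                code = int(m.group(1))
                return code, PAM_CODES.get(code, "unknown"), domain
    return None


def triage_krb5_child(lines):
    """Split krb5_child lines into failures vs trace; note whether TGT validation passed."""
    failures, noise, tgt_verified = [], 0, False
    for rec in filter(None, map(parse_line, lines)):
        if rec["func"] == "validate_tgt" and rec["msg"].startswith("TGT verified"):
            tgt_verified = True              # the Kerberos part of the login succeeded
        if rec["is_failure"]:
            failures.append((rec["level_name"], rec["func"], rec["msg"]))
        else:
            noise += 1
    return {"tgt_verified": tgt_verified, "failures": failures, "noise": noise}


# Constructed sample input, modelled on the thread's excerpts (placeholder realm).
PAM_LOG = """\
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
"""

KRB5_CHILD_LOG = """\
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917796: TGS request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT verified using key for [host/nitrogen.example.com@EXAMPLE.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ondrejv@EXAMPLE.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal ondrejv@EXAMPLE.COM in cache collection]
"""

if __name__ == "__main__":
    code, name, domain = pam_result(PAM_LOG.splitlines())
    print(f"pam responder returned {code} ({name}) from domain '{domain}'")
    report = triage_krb5_child(KRB5_CHILD_LOG.splitlines())
    print(f"TGT verified: {report['tgt_verified']}, "
          f"{len(report['failures'])} failure lines, {report['noise']} trace lines")
    for lvl, func, msg in report["failures"]:
        print(f"  [{lvl}] {func}: {msg}")
```

Run on the sample it reports 4 (PAM_SYSTEM_ERR) from domain "default", TGT validation passed, and exactly two op_failure lines, both about the PAC. That is the situation Sumit describes: the Kerberos exchange itself worked, the only failure-class messages are ones that do not abort authentication, so the step that actually returned the system error is not in this excerpt and the domain log at a higher debug level is the next thing to read.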
Hi Sumit,
OK, please let me know which debug level I should be on and I will send you everything privately. Thanks for the effort.
Ondrej
On Fri, Sep 25, 2015 at 01:12:45PM +0000, Ondrej Valousek wrote:
Hi Sumit,
OK, please let me know which debug level I should be on and I will send you everything privately.
just use 10 to be on the safe side.
Thanks for the effort.
yw
bye, Sumit
Ondrej
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose Sent: Friday, September 25, 2015 12:01 PM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Problem authenticating user
On Fri, Sep 25, 2015 at 10:30:51AM +0000, Ondrej Valousek wrote:
Here is the krb5_child.log:
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917796: TGS request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917822: Received creds for desired service host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917850: Removing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917878: Storing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM in MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917924: Creating authenticator for ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM, seqnum 0, subkey (null), session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918003: Retrieving host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918061: Decrypted AP-REQ with specified server principal host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM: rc4-hmac/0336
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918092: AP-REQ ticket: ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM, session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918267: Negotiated enctype based on authenticator: rc4-hmac
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918299: Initializing MEMORY:rd_req2 with default princ ondrejv@DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918330: Removing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918357: Storing ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM in MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918390: Destroying ccache MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT verified using key for [host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918470: Retrieving ondrejv@DUBLIN.AD.S3GROUP.COM -> host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2 with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918565: Retrieving host/nitrogen.dublin.ad.s3group.com@DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ondrejv@DUBLIN.AD.S3GROUP.COM@DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918705: Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:14019]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal ondrejv@DUBLIN.AD.S3GROUP.COM in cache collection]
Not sure if it helps.
I'm sorry, but it does not help. Both messages about 'sss_pac_make_request failed' and 'Can't find client principal' will not cause the authentication to fail. So more log data is needed here. As said, feel free to send the full logs to me directly.
bye, Sumit
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
Ok found the problem. I do not know why, but SSSD seems to be a bit picky about /etc/krb5.conf:
Non working one:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 # default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = <MYREALM>

[realms]
 # EXAMPLE.COM = {
 #  kdc = kerberos.example.com
 #  admin_server = kerberos.example.com
 # }
 <MYREALM> = { }

[domain_realm]
 # .example.com = EXAMPLE.COM
 # example.com = EXAMPLE.COM
 <myrealm> = <MYREALM>
 .<myrealm> = <MYREALM>

Working one:

[libdefaults]
 default_realm = <MYREALM>

# The following krb5.conf variables are only for MIT Kerberos.
 forwardable = true
 proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]

[domain_realm]
I guess it is picky about the default_ccache_name parameter as that is the only difference I could see. O.
On Tue, Sep 29, 2015 at 04:16:37PM +0000, Ondrej Valousek wrote:
iirc you are using Ubuntu. I do not know if Ubuntu supports KEYRING credential caches, which need support in the kernel, or not. If not, then the 'default_ccache_name = KEYRING:persistent:%{uid}' line might have caused the issues.
bye, Sumit
O.
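Sumit's point is that a KEYRING credential cache only works when the kernel keyring facility is available, and that the only line differing between the two krb5.conf files above is default_ccache_name. The script below is an added example from the editor, not code from the thread or from the SSSD project: it parses the flat settings of the [libdefaults] section of an MIT krb5.conf, extracts default_ccache_name, and flags the KEYRING type when the kernel keyring facility is not present. It assumes that /proc/keys exists exactly when the kernel was built with keyring support (CONFIG_KEYS), and that a cache name without a type prefix means a FILE cache, as MIT Kerberos treats it. The two sample configurations are constructed to mirror the thread's "non working" and "working" files; the realm name is a placeholder.

```python
"""Check whether the krb5.conf default_ccache_name can work on this host.

Added example (not from the sssd-users thread or the SSSD project).
"""
import os
import re

# Credential-cache types that depend on the kernel keyring facility.
KERNEL_KEYRING_TYPES = {"KEYRING"}

# Assumption: /proc/keys is present iff the kernel has CONFIG_KEYS.
PROC_KEYS = "/proc/keys"


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat key = value lines.

    Nested blocks such as "REALM = { ... }" are skipped; only the flat
    settings (those in [libdefaults]) matter for this check. Template
    references like %{uid} are not treated as block braces.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        # Count only structural braces, never the ones inside %{...}.
        structural = re.sub(r"%\{[^}]*\}", "", line)
        opens, closes = structural.count("{"), structural.count("}")
        if opens or closes:
            depth += opens - closes
            continue
        if current is None or depth > 0 or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def ccache_type(ccache_name):
    """Cache type prefix, e.g. 'KEYRING' for 'KEYRING:persistent:%{uid}'.

    A name without a type prefix is a FILE cache in MIT Kerberos.
    """
    head, sep, _ = ccache_name.partition(":")
    return head.upper() if sep else "FILE"


def check_ccache_setting(conf_text, keyring_supported=None):
    """Classify the configured default_ccache_name.

    Returns (cache_type, verdict), verdict being one of:
      'default'     - setting absent, the library default applies
      'ok'          - type needs no kernel keyring, or keyrings are present
      'unsupported' - KEYRING configured but no kernel keyring facility
    keyring_supported=None probes /proc/keys on the running host.
    """
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    name = libdefaults.get("default_ccache_name")
    if name is None:
        return None, "default"
    ctype = ccache_type(name)
    if ctype not in KERNEL_KEYRING_TYPES:
        return ctype, "ok"
    if keyring_supported is None:
        keyring_supported = os.path.exists(PROC_KEYS)
    return ctype, "ok" if keyring_supported else "unsupported"


# Constructed samples mirroring the thread's two files (placeholder realm).
NON_WORKING_CONF = """\
[libdefaults]
 dns_lookup_realm = false
 forwardable = true
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = EXAMPLE.REALM

[realms]
 EXAMPLE.REALM = {
 }
"""

WORKING_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.REALM
 forwardable = true
 proxiable = true

[realms]

[domain_realm]
"""

if __name__ == "__main__":
    if os.path.exists("/etc/krb5.conf"):
        with open("/etc/krb5.conf") as fh:
            print("/etc/krb5.conf:", check_ccache_setting(fh.read()))
    for label, conf in (("non-working", NON_WORKING_CONF), ("working", WORKING_CONF)):
        # Simulate a kernel without keyring support for the samples.
        print(label, check_ccache_setting(conf, keyring_supported=False))
```

Run it on a host to see the verdict for the live /etc/krb5.conf; the sample run forces keyring_supported=False so the "non-working" configuration reports ("KEYRING", "unsupported") while the "working" one, which sets no default_ccache_name, reports (None, "default").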