On one computer (Arch) I have misconfigured sssd, and when I try to use PAM, sssd tries to get a ticket for username@MYDOMAIN.COM@MYDOMAIN.COM@MYDOMAIN.COM. On others (Gentoo) it works fine.
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [MYHOSTNAME$@MYDOMAIN.COM]
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5845] finished successfully.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: MYHOSTNAME$
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'DC1.mydomain.com' as 'working'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'DC1.mydomain.com' as 'working'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=username@mydomain.com,cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=username@mydomain.com,cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [username@mydomain.com]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): user: username@mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: <RHOST>
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5844
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: username@mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [dp_pam_handler] (0x0100): Got request with the following data
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: username@mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser:
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: <RHOST>
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 5844
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_send] (0x0100): Home directory for user [username@mydomain.com] not known.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server dc3.mydomain.com: [<DC3IP>] TTL 3600
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [username@MYDOMAIN.COM@MYDOMAIN.COM]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019289252_XXXXXX] old_ccname: [KEYRING:persistent:200389252] keytab: [/etc/krb5.keytab]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [check_use_fast] (0x0100): Not using FAST.
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [1019289252][400513].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [become_user] (0x0200): Trying to become user [1019289252][400513].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Lifetime is set to [3d]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328378][Client 'username@MYDOMAIN.COM@MYDOMAIN.COM@MYDOMAIN.COM' not found in Kerberos database]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [map_krb5_error] (0x0020): 1371: [-1765328378][Client 'username@MYDOMAIN.COM@MYDOMAIN.COM@MYDOMAIN.COM' not found in Kerberos database]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5846] finished successfully.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 27
(Tue Mar 7 16:10:05 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Tue Mar 7 16:10:08 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
Logging over ssh with GSSAPI works.
On Thu, Mar 09, 2017 at 12:14:08AM -0000, Maciej Piechotka wrote:
> On one computer (Arch) I have misconfigured sssd, and when I try to use PAM, sssd tries to get a ticket for username@MYDOMAIN.COM@MYDOMAIN.COM@MYDOMAIN.COM. On others (Gentoo) it works fine.
It looks like, due to the misconfiguration(?), SSSD stored a wrong representation of the canonical Kerberos principal in its cache. I think the only way to get around this is to remove the entry from the cache, and the easiest way to do this is to remove the cache with rm. Please note that this will remove all cached passwords for offline usage as well. If this is not acceptable, you can use the ldbedit utility to only remove the offending entry.
HTH
bye, Sumit
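To act on Sumit's hint without wiping the whole cache, here is an added example (not from the thread or the SSSD project) that pulls the doubled-realm principal out of the debug log, ties it to the sysdb DN the backend logs for that user, and builds the ldbsearch/ldbdel commands for just that entry. The log excerpt is constructed from the thread; the cache path under /var/lib/sss/db and the ldb tool names are assumptions.

```python
"""Find the doubled-realm principal in SSSD debug output and locate the cached
sysdb entry to delete.  Cache path and ldb tool usage are assumptions."""
import re

# Constructed, abridged lines from sssd_mydomain.com.log and krb5_child.log.
SAMPLE_LOG = """\
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=username@mydomain.com,cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [username@MYDOMAIN.COM@MYDOMAIN.COM]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328378][Client 'username@MYDOMAIN.COM@MYDOMAIN.COM@MYDOMAIN.COM' not found in Kerberos database]
"""

PRINCIPAL_RE = re.compile(r"UPN \[([^\]]+)\]|Client '([^']+)'")
ENTRY_RE = re.compile(r"Entry \[(name=[^\]]+,cn=sysdb)\]")

def realm_repeated(principal):
    """True when the realm is stacked on itself (user@R@R or user@R@R@R).
    A legitimate enterprise principal, user@suffix@REALM, also has two '@'
    but different trailing components, so it is not flagged."""
    parts = principal.split("@")
    return len(parts) > 2 and parts[-1].lower() == parts[-2].lower()

def find_bad_principals(log_text):
    """Distinct principals (UPN fields and KDC 'Client' errors) with a doubled realm."""
    found = []
    for m in PRINCIPAL_RE.finditer(log_text):
        p = m.group(1) or m.group(2)
        if realm_repeated(p) and p not in found:
            found.append(p)
    return found

def affected_entries(log_text, bad_principals):
    """Map each bad principal to the sysdb DN(s) the backend logged for that user name."""
    dns = set(ENTRY_RE.findall(log_text))
    return {p: sorted(dn for dn in dns
                      if dn.lower().startswith("name=" + p.split("@")[0].lower() + "@"))
            for p in bad_principals}

def ldb_commands(dn, cache_db="/var/lib/sss/db/cache_mydomain.com.ldb"):
    """Inspect, then remove, only that entry (assumed path; ldbsearch/ldbdel from ldb-tools)."""
    return ["ldbsearch -H %s -b '%s' -s base" % (cache_db, dn),
            "ldbdel -H %s '%s'" % (cache_db, dn)]

if __name__ == "__main__":
    bad = find_bad_principals(SAMPLE_LOG)
    for principal, dns in affected_entries(SAMPLE_LOG, bad).items():
        print("doubled realm:", principal, "->", [ldb_commands(d) for d in dns])
```

Stop sssd before touching the ldb file, and run the ldbsearch first to confirm the entry is the one the log named; deleting only that entry keeps the other users' cached offline credentials.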
Ok. Removing and recreating /var/lib/sssd worked.
Thank you very much.