Please help.. desperate..
Installed sssd (version 1.16.1) on Ubuntu authing against AD.
Problem .. and this appears to be only one user..
1. Login with the user.. No trouble
2. log out and try to login again.
3. Before even asking for a password, it comes up with access denied.
The only way I can fix this is to do a sssctl cache-remove. And then I can log in again. Rinse and repeat. It seems to be a dud entry in the cache ?
After days of trawling the logs... the only thing that seems to leap out is this in the krb5 logs. That entry in the salt is e4182s01sv023. The machine is called e418201sv025 ??? Where is it getting the 23 from ? We do have a host with that name on the network.. but not this one...
(Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407460: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
(Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407479: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
(Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745198: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745213: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
The bottom of the log file
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851023: Received error from KDC: -1765328359/Additional pre-authentication required
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851026: Preauthenticating using KDC method data
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851027: Processing preauth types: 16, 15, 19, 2
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_krb5_responder] (0x4000): Got question [password].
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851029: AS key obtained for encrypted timestamp: aes256-cts/BBF9
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851031: Encrypted timestamp (for 1543822221.598566): plain 301AA011180F32303138313230333037333032315AA1050203092226, encrypted 89607EC763BD323A282F20C7ED58C75EA84F1638692A5CBCBF13BCF6F079891B1E2D140825C5E518334D7B138560D6E8ACA09F77315D131B
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851032: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851033: Produced preauth for next request: 2
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851034: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851035: Sending initial UDP request to dgram 10.251.17.2:88
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851036: Received answer (221 bytes) from dgram 10.251.17.2:88
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851037: Response was from master KDC
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851038: Received error from KDC: -1765328360/Preauthentication failed
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851041: Preauthenticating using KDC method data
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851042: Processing preauth types: 19
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_krb5_get_init_creds_password] (0x0020): 1618: [-1765328360][Preauthentication failed]
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [k5c_send_data] (0x4000): Response sent.
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [main] (0x0400): krb5_child completed successfully
On Mon, Dec 03, 2018 at 08:00:51AM -0000, Peter de Groot wrote:
> Please help.. desperate..
> Installed sssd (version 1.16.1) on Ubuntu authing against AD.
> Problem .. and this appears to be only one user..
> - Login with the user.. No trouble
> - log out and try to login again.
> - Before even asking for a password, it comes up with access denied.
> The only way I can fix this is to do a sssctl cache-remove. And then I can log in again. Rinse and repeat. It seems to be a dud entry in the cache ?
> After days of trawling the logs... the only thing that seems to leap out is this in the krb5 logs. That entry in the salt is e4182s01sv023. The machine is called e418201sv025 ??? Where is it getting the 23 from ? We do have a host with that name on the network.. but not this one...
> (Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407460: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> (Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407479: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> (Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745198: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745213: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
Do you have entries for e4182s01sv023 in the keytab? You can check with 'klist -k'
HTH
bye, Sumit
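
Added example, not part of the original messages and not SSSD code: a small check over krb5_child trace lines that reports which account each salt belongs to, so a login where the KDC hands back a computer account's salt instead of the user's stands out. It assumes the Active Directory salt convention (REALM + user name for users, REALM + "host" + lowercase machine FQDN for computer accounts); the function names are hypothetical and the sample lines are copied from the trace in this thread.

```python
import re

# Sample lines copied from the trace in this thread (PIDs 11596, 11746, 11747).
SAMPLE_LOG = '''\
(Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407460: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
(Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745198: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
(Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
'''

# Captures the krb5_child PID and the salt string of a "Selected etype info" line.
SALT_RE = re.compile(
    r'krb5_child\[(\d+)\].*?Selected etype info: etype \S+, salt "([^"]*)"')


def classify_salt(salt, realm):
    """Return (kind, name) for an AD-style salt (assumed convention, see lead-in)."""
    if not salt.startswith(realm):
        return ("other-realm", salt)
    rest = salt[len(realm):]
    suffix = "." + realm.lower()
    # Computer account: REALM + "host" + lowercase FQDN of the machine.
    if rest.startswith("host") and rest.endswith(suffix):
        return ("computer", rest[len("host"):-len(suffix)])
    # User account: REALM + user name.
    return ("user", rest)


def audit(log_text, realm, expected_user):
    """List (pid, kind, name) for each krb5_child whose salt is not the expected user's."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = SALT_RE.search(line)
        if not m or (m.group(1), m.group(2)) in seen:
            continue  # not a salt line, or already reported for this PID
        seen.add((m.group(1), m.group(2)))
        kind, name = classify_salt(m.group(2), realm)
        if (kind, name) != ("user", expected_user):
            findings.append((int(m.group(1)), kind, name))
    return findings


if __name__ == "__main__":
    for pid, kind, name in audit(SAMPLE_LOG, "ORANGE.SCHOOLS.INTERNAL", "peter.de.groot"):
        print(f"krb5_child[{pid}]: salt belongs to {kind} account {name!r}")
```

The salt in these lines is supplied by the KDC for the client principal named in the request, so a computer-account salt on a user login means the request went out under a principal the KDC resolves to that machine account.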