Howdy folks,
I'm having an issue with password resets which I'm sorry to say I haven't been able to figure out by google search or searching the mailing list archives.
I tried to make my sssd configuration as minimal as possible following the doc on the wiki about authenticating to 2008 AD server (see [3] below) and I used the keytab method and instead of editing PAM files I ran authconfig because I'm on Red Hat.
When I switch (su - bryan.harris.adm) to my AD user and run passwd, it allows me to type both old and new passwords. Right away it says "Password change failed." Then after about 2 seconds it says "passwd: Authentication token manipulation error" on a new line.
I found [1] and [2] below which seem similar to my issue. I have played a bit with my PAM options, but to no avail. Can anyone tell me what I'm doing wrong? I can post the huge log messages, I just didn't want the email to get too large straight away.
[1] - https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989
[2] - https://lists.fedorahosted.org/pipermail/sssd-users/2012-July/000041.html
[3] - https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20...
RHEL 6.4
pam-1.1.1-13
sssd-1.9.2-82
--- first off here is what I added to the my.great.domain zone in BIND ---
_ldap._tcp      1D IN SRV 0 100 389 dc01
_ldap._tcp      1D IN SRV 0 100 389 dc02
_kerberos._tcp  1D IN SRV 0 100 88  dc01
_kerberos._tcp  1D IN SRV 0 100 88  dc02
_kpasswd._tcp   1D IN SRV 0 100 464 dc01
_kpasswd._tcp   1D IN SRV 0 100 464 dc02
_kerberos._udp  1D IN SRV 0 100 88  dc01
_kerberos._udp  1D IN SRV 0 100 88  dc02
_kpasswd._udp   1D IN SRV 0 100 464 dc01
_kpasswd._udp   1D IN SRV 0 100 464 dc02
The rest of the files below are on linux-server.
--- /etc/pam.d/system-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass remember=24 use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so
--- /etc/pam.d/password-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so maxrepeat=3 difok=4 lcredit=-1 ocredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so
--- /etc/krb5.conf ---
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.GREAT.DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 MY.GREAT.DOMAIN = {
 }

[domain_realm]
 my.great.domain = MY.GREAT.DOMAIN
 .my.great.domain = MY.GREAT.DOMAIN
--- /etc/krb5.keytab ---
# This has the keytab from the 2008 AD domain controller.
--- /etc/sssd/sssd.conf ---
[domain/default]
cache_credentials = False
krb5_realm = MY.GREAT.DOMAIN
auth_provider = krb5
chpass_provider = krb5
debug_level = 9

[sssd]
config_file_version = 2
domains = MY.GREAT.DOMAIN
services = nss, pam
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/MY.GREAT.DOMAIN]
enumerate = True
cache_credentials = False
id_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=CN=Linux Admins,OU=Security Groups,OU=Groups,OU=MYGROUP,DC=my,DC=great,DC=domain
auth_provider = krb5
chpass_provider = krb5
debug_level = 9

ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/linux-server.my.great.domain@MY.GREAT.DOMAIN
ldap_uri = ldap://dc01.my.great.domain/,ldap://dc02.my.great.domain

ldap_user_name = sAMAccountName
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_gecos = displayName

ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400

krb5_realm = MY.GREAT.DOMAIN
#krb5_kpasswd = dc01.my.great.domain
#krb5_server = dc01.my.great.domain,dc02.my.great.domain
krb5_validate = true
krb5_canonicalize = false
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_use_fast = try
--- grep -i error /var/log/secure ---
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): Password change failed for user bryan.harris.adm: 20 (Authentication token manipulation error
--- /var/log/sss/* ---
I am not sure what's relevant, I just posted some error lines. If needed I can (A) truncate the files + (B) re-run passwd and then post the results. I ignored the DNS errors after I noticed in the logs that it's correctly resolving everything afterwards because it does a lookup on the SRV record (which I added to my BIND server), or at least it looks to be correct AFAICS.
ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required
...
sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
...
sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found
Thanks in advance, Bryan
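The number 20 in the pam_sss line from /var/log/secure is worth decoding before touching the PAM stack. What follows is an added example, not part of Bryan's mail and not SSSD or Linux-PAM code: a small Python script that parses the `password` stack of the system-auth file shown above, maps the numeric code in the pam_sss log line to its Linux-PAM name, and walks the stack with simplified control-flag semantics for a few assumed module outcomes. The PAM code numbers are Linux-PAM's; the per-module return values in the three scenarios are assumptions chosen for illustration, and the log lines and config text are constructed copies of what the thread shows.

```python
import re

# Linux-PAM return codes (numeric values as defined in Linux-PAM's _pam_types.h).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN, PAM_AUTHTOK_ERR = 0, 6, 10, 20
PAM_NAMES = {
    PAM_SUCCESS: "PAM_SUCCESS",
    PAM_PERM_DENIED: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    PAM_USER_UNKNOWN: "PAM_USER_UNKNOWN",
    PAM_AUTHTOK_ERR: "PAM_AUTHTOK_ERR",
    21: "PAM_AUTHTOK_RECOVERY_ERR",
    24: "PAM_TRY_AGAIN",
}

# Constructed copy of the relevant lines of the system-auth file from the thread.
SYSTEM_AUTH = """\
#%PAM-1.0
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    requisite     pam_cracklib.so maxrepeat=3 difok=4 try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass remember=24 use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
"""

# Constructed copy of the two /var/log/secure lines from the thread.
SECURE_LOG = [
    "May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]",
    "May 30 08:43:26 linux-server passwd: pam_sss(passwd:chauthtok): Password change failed for user bryan.harris.adm: 20 (Authentication token manipulation error)",
]


def parse_pam(text, mgmt_type):
    """Return [(module, control, args)] for the lines of one management type
    (auth/account/password/session), handling simple and [bracketed] controls."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        if toks[0] != mgmt_type:
            continue
        if toks[1].startswith("["):
            end = next(i for i, t in enumerate(toks) if t.endswith("]"))
            control, rest = " ".join(toks[1:end + 1]), toks[end + 1:]
        else:
            control, rest = toks[1], toks[2:]
        stack.append((rest[0], control, rest[1:]))
    return stack


def evaluate(stack, results):
    """Walk a stack with simplified Linux-PAM semantics for the simple control flags.
    `results` maps module name -> return code; unlisted modules are assumed to succeed.
    requisite: failure returns at once; required: first failure is remembered and the
    walk continues; sufficient: success with no earlier required failure returns
    success, failure is ignored."""
    impression = None
    for module, control, _args in stack:
        rc = results.get(module, PAM_SUCCESS)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc
        if control == "required" and rc != PAM_SUCCESS and impression is None:
            impression = rc
        if control == "sufficient" and rc == PAM_SUCCESS and impression is None:
            return PAM_SUCCESS
    return PAM_SUCCESS if impression is None else impression


LOG_RE = re.compile(r"pam_sss\((\w+):chauthtok\): Password change failed for user (\S+): (\d+)")


def failed_changes(lines):
    """Extract (service, user, code, name) from pam_sss chauthtok failure lines."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            code = int(m.group(3))
            found.append((m.group(1), m.group(2), code, PAM_NAMES.get(code, "UNKNOWN")))
    return found


PASSWORD_STACK = parse_pam(SYSTEM_AUTH, "password")

# Assumed module outcomes for three scenarios. pam_deny's chauthtok hook returns
# PAM_AUTHTOK_ERR; the pam_unix/pam_sss/pam_krb5/pam_cracklib values are assumptions.
AD_REJECTS = {"pam_unix.so": PAM_USER_UNKNOWN, "pam_sss.so": PAM_AUTHTOK_ERR,
              "pam_krb5.so": PAM_AUTHTOK_ERR, "pam_deny.so": PAM_AUTHTOK_ERR}
AD_ACCEPTS = {"pam_unix.so": PAM_USER_UNKNOWN, "pam_sss.so": PAM_SUCCESS,
              "pam_deny.so": PAM_AUTHTOK_ERR}
CRACKLIB_REJECTS = {"pam_cracklib.so": PAM_AUTHTOK_ERR, "pam_sss.so": PAM_SUCCESS,
                    "pam_deny.so": PAM_AUTHTOK_ERR}

if __name__ == "__main__":
    for svc, user, code, name in failed_changes(SECURE_LOG):
        print(f"{svc}: password change for {user} failed with {code} ({name})")
    for label, results in [("AD rejects", AD_REJECTS), ("AD accepts", AD_ACCEPTS),
                           ("cracklib rejects", CRACKLIB_REJECTS)]:
        rc = evaluate(PASSWORD_STACK, results)
        print(f"{label}: stack returns {rc} ({PAM_NAMES[rc]})")
```

The walk makes the point of the stack visible: because every password provider is `sufficient`, a rejection from pam_sss is swallowed and the final code the user sees comes from the trailing `required pam_deny.so`, which also yields PAM_AUTHTOK_ERR, and a pam_cracklib rejection surfaces as the very same number. The code alone therefore does not tell an AD-side policy rejection apart from a local one; the module name in the syslog line does, which is why grepping for the pam_sss entry is the right first step.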
Sorry about the weird line endings in my first email. Here is the same with the line endings fixed.
On Thu, May 30, 2013 at 02:36:08PM +0000, Harris, Bryan L. wrote:
> ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required
> ...
Hi Bryan,
This is interesting, do these occur after every sssd startup or was it just some artifact from before? The ldap_child is used to authenticate with GSSAPI to the LDAP server, if the authentication wouldn't succeed, the SSSD would go offline.
Also typically the host/fqdn@REALM principal is not used, but rather shortname$@REALM, in your case linux$@MY.GREAT.DOMAIN
> sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
> sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> ...
> sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found
Are you sure the new password meets the complexity requirements imposed by AD? Currently SSSD doesn't really report those in a meaningful way.
Also, is there any interesting information in the krb5_child.log? With debug level as high as yours, I would expect all the trace information present.
NOTE: My email was blocked due to size being >40k. I put my logs on pastebin to get the email to go through, hope it's okay. I didn't cancel my other submission, so it may eventually go through.
On May 30, 2013, at 10:06 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> On Thu, May 30, 2013 at 02:36:08PM +0000, Harris, Bryan L. wrote:
>> ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
>> ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required
>> ...
> This is interesting, do these occur after every sssd startup or was it just some artifact from before? The ldap_child is used to authenticate with GSSAPI to the LDAP server, if the authentication wouldn't succeed, the SSSD would go offline.

Yes, I always do a ( service sssd stop ; rm /var/lib/sss/db/* ; service sssd start ) every time I make a change to anything.
Here are the lines from that file when I do a stop / start of sssd.
> Also typically the host/fqdn@REALM principal is not used, but rather shortname$@REALM, in your case linux$@MY.GREAT.DOMAIN

I'm not exactly 100% sure I understand, I thought from the page [3] above that:
1. If my server name is "linux-server" (without quotes)
2. If my 2008 AD domain is MY.GREAT.DOMAIN
3. Then I should use the text "host/linux-server@MY.GREAT.DOMAIN" (without quote marks) when I do my ktpass.exe on Windows.
Did I do it wrong?
>> sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
>> sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
>> ...
>> sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found
> Are you sure the new password meets the complexity requirements imposed by AD? Currently SSSD doesn't really report those in a meaningful way.
My test was to set the password in the Windows server itself by clicking Start > Security > Change Password as the user in question. When I did it in Windows, it was successful. Now that I have that in my previous 24 passwords, Windows doesn't accept that exact same password again. So I came up with another one of a similar pattern/style and same length etc. Maybe I'm doing something wrong here...?
> Also, is there any interesting information in the krb5_child.log? With debug level as high as yours, I would expect all the trace information present.

Oh, that file is completely empty until I go to my user and run the passwd command. Here is the resulting log when I run passwd as my user.
Bryan
Hi Jakub,
On May 30, 2013, at 10:06 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> Are you sure the new password meets the complexity requirements imposed by AD? Currently SSSD doesn't really report those in a meaningful way.

You were correct, I believe the problem was that I had not waited the 1 day minimum before changing my password. Thanks for your help.

Bryan
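Since SSSD, as Jakub notes, does not surface the AD policy reason for a rejected change, the minimum password age is something a defender has to check on the directory side. The following is an added example, not part of this thread and not SSSD code: a Python helper that takes the two AD attributes involved, a user's pwdLastSet (a Windows FILETIME, 100-ns ticks since 1601-01-01 UTC) and the domain's minPwdAge (stored as a negative tick count, so a 1-day minimum is -864000000000), and computes when the next change is allowed. The sample timestamps are constructed; only the attribute encodings are AD's.

```python
from datetime import datetime, timedelta, timezone

# AD encodings: pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC);
# minPwdAge is a *negative* tick count, so one day is -864000000000.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MIN_PWD_AGE_ONE_DAY = -864_000_000_000


def datetime_to_filetime(dt):
    """Convert an aware datetime to a FILETIME with integer arithmetic (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft):
    """Convert a FILETIME back to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def next_change_allowed(pwd_last_set, min_pwd_age):
    """Earliest time the minimum password age permits a change, or None when
    pwdLastSet is 0 (AD's "must change password at next logon" marker, which
    carries no age to wait out)."""
    if pwd_last_set == 0:
        return None
    min_age = timedelta(microseconds=(-min_pwd_age) // 10)
    return filetime_to_datetime(pwd_last_set) + min_age


def min_age_elapsed(pwd_last_set, min_pwd_age, now):
    """True if a change attempted at `now` is past the minimum age."""
    allowed_at = next_change_allowed(pwd_last_set, min_pwd_age)
    return allowed_at is None or now >= allowed_at


# Constructed sample: the password was changed from Windows 3 hours (or, in the
# second case, 2 days) before the passwd attempt on the Linux box, against a
# domain with the 1-day minimum age mentioned in the thread.
NOW = datetime(2013, 5, 30, 8, 43, 26, tzinfo=timezone.utc)
SET_3H_AGO = datetime_to_filetime(NOW - timedelta(hours=3))
SET_2D_AGO = datetime_to_filetime(NOW - timedelta(days=2))

if __name__ == "__main__":
    for label, ft in [("set 3h ago", SET_3H_AGO), ("set 2d ago", SET_2D_AGO)]:
        print(label, "- change allowed now:", min_age_elapsed(ft, MIN_PWD_AGE_ONE_DAY, NOW),
              "- next allowed:", next_change_allowed(ft, MIN_PWD_AGE_ONE_DAY))
```

The tick arithmetic is kept in integers on purpose: FILETIME values for current dates exceed the range a double represents exactly, so converting through floating-point seconds can shift a timestamp by a few ticks.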
On Mon, Jun 03, 2013 at 11:08:49AM +0000, Bryan Harris wrote:
> Hi Jakub,
>
> On May 30, 2013, at 10:06 AM, Jakub Hrozek jhrozek@redhat.com wrote:
>> Are you sure the new password meets the complexity requirements imposed by AD? Currently SSSD doesn't really report those in a meaningful way.
>
> You were correct, I believe the problem was that I had not waited the 1 day minimum before changing my password. Thanks for your help.
>
> Bryan
Thank you for checking, making the password resets better is something we would be looking into during the 1.10 (or perhaps 1.10.1?) stabilization.