Thank you Justin.
CentOS 7, sssd 1.13
Authentication with the ConsoleWorks application uses a YubiKey via AuthLite, which basically makes it two-factor authentication: a one-time password is appended to the AD credential password. I tried to log in with the YubiKey and without it and get two different errors.
With Yubikey (correct password):
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): krb5_child completed successfully
Without yubikey (wrong password):
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): krb5_child completed successfully
Would it help to remove it from the realm and rejoin it to the realm? I have another server where the authentication to the parent domain is working, while on this one it is not. I have compared the configurations but can't find the difference.
Sonia Gilbert, Engineer II, Information Protection & Compliance Team | 3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503 | Sonia.Gilbert@HawaiianAir.com
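The two krb5_child excerpts above carry the libkrb5 error code in brackets ([-1765328360] and [-1765328372]). Those numbers are not opaque: MIT Kerberos builds them by adding the KRB-ERROR error-code the KDC actually sent (RFC 4120, section 7.5.9) to a fixed error-table base, so the protocol code can be recovered by subtraction and then matched against the KDC side. The script below is an added example for this thread, not code from sssd or from either poster; the function and constant names are its own, the diagnosis wording is this example's, and the log lines it parses are quoted from the excerpts above.

```python
"""Decode the krb5 error codes that sssd's krb5_child logs during an AS-REQ."""
import re

# libkrb5 (MIT Kerberos) reports KDC errors as com_err codes: the protocol
# error-code from the KRB-ERROR message (RFC 4120, section 7.5.9) added to
# the krb5 error table base, ERROR_TABLE_BASE_krb5 = -1765328384
# (0x96C73A00 when viewed as an unsigned 32-bit value).
KRB5_ERROR_TABLE_BASE = -1765328384

# RFC 4120 error codes most often seen in AS-REQ failures (assumption:
# this subset is enough for the lines handled here; extend as needed).
KDC_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    12: "KDC_ERR_POLICY",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

# Plain-language reading of the two codes the thread shows plus two common
# neighbours; the wording is this example's own, not sssd's or MIT's.
DIAGNOSIS = {
    24: ("pre-authentication (encrypted timestamp) did not verify: the key "
         "derived from the password the client sent does not match the key "
         "the KDC holds for the principal, i.e. a wrong password as far as "
         "the KDC is concerned"),
    12: ("the KDC refused the request on policy grounds, not because the "
         "key was wrong; the KDC side (on AD, the domain controller's "
         "security log) records which policy"),
    18: "the account is disabled, locked out or otherwise revoked",
    23: "the account's password has expired and must be changed",
}

# One krb5_child line: "(timestamp) [[sssd[krb5_child[PID]]]] [func] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REALM_RE = re.compile(r"Attempting kinit for realm \[(?P<realm>[^\]]+)\]")
KRB_ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")


def krb5_to_protocol_code(libkrb5_code: int) -> int:
    """Recover the RFC 4120 error-code from a libkrb5 com_err value."""
    proto = libkrb5_code - KRB5_ERROR_TABLE_BASE
    # A com_err table holds at most 256 entries; anything else is not a krb5 code.
    if not 0 <= proto < 256:
        raise ValueError(f"{libkrb5_code} is not in the krb5 error table")
    return proto


def describe(libkrb5_code: int) -> dict:
    """Name and explain one libkrb5 error code."""
    proto = krb5_to_protocol_code(libkrb5_code)
    return {
        "libkrb5_code": libkrb5_code,
        "protocol_code": proto,
        "protocol_name": KDC_ERROR_NAMES.get(proto, f"UNKNOWN_{proto}"),
        "diagnosis": DIAGNOSIS.get(proto, "see RFC 4120 section 7.5.9"),
    }


def parse_krb5_child_log(text: str) -> list:
    """Group krb5_child lines by child PID and decode each attempt's failure."""
    attempts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a krb5_child line (other sssd processes share the file)
        rec = attempts.setdefault(
            m["pid"], {"pid": int(m["pid"]), "realm": None, "krb5_text": None}
        )
        if m["func"] != "get_and_save_tgt":
            continue  # the TGT request is where the KDC's answer is logged
        realm = REALM_RE.search(m["msg"])
        if realm:
            rec["realm"] = realm["realm"]
        err = KRB_ERR_RE.search(m["msg"])
        if err:
            rec["krb5_text"] = err["text"]
            rec.update(describe(int(err["code"])))
    return list(attempts.values())


# Log lines quoted from the two krb5_child excerpts in the message above.
SAMPLE_LOG = """
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
"""

if __name__ == "__main__":
    for rec in parse_krb5_child_log(SAMPLE_LOG):
        print(f"pid {rec['pid']} realm {rec['realm']}: {rec['krb5_text']} -> "
              f"{rec['protocol_name']} ({rec['protocol_code']}, hex "
              f"0x{rec['protocol_code']:x}): {rec['diagnosis']}")
```

Run it against a full sssd_<domain>.log (with debug_level high enough for krb5_child lines) and it separates the two outcomes the thread shows: code 24 (KDC_ERR_PREAUTH_FAILED) means the KDC checked the password-derived key and it was wrong, while code 12 (KDC_ERR_POLICY) means the KDC never accepted the request on policy grounds. The hex form of the protocol code is what a Windows domain controller records as the failure or result code in its Kerberos audit events (0x18 and 0xC here), which is the natural place to look next when comparing the working and non-working hosts.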
On 01/30/2017 06:14 PM, Gilbert, Sonia wrote:
It may be worth trying as it is a quick change, but as Jakub mentioned, the 'Preauthentication failed' error is usually due to a bad password.
If possible, I would suggest testing a direct login to the OS first, before testing with the application. Are you able to try removing the two-factor authentication from the equation and first making sure you can log in with your user with a password?
Sorry, I have not seen the error 'KDC policy rejects request' before.
Please also check /etc/krb5.conf matches between working and non-working systems.
Kind regards, Justin Stephenson
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org