February 2019 - FreeIPA-users - Fedora Mailing-Lists

by Harald Dunkel

Hi folks, maybe I missed something, but shouldn't admin have sufficient privileges to run # ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp # reboot : : # kinit admin # ipa-getkeytab -s ipa1.example.de -p HTTP/stretch1.vs.example.de -k /etc/apache2/apache2.keytab ? ipa-getkeytab failed with Failed to parse result: PrincipalName not found. I would have expected it to create the principal on the fly. "admin" was created at freeipa install time on the first server, AFAIR. It is member of the "admins" and "trust admins" groups. I am concerned that I corrupted something. Every helpful comment is highly appreciated. Harri

5 years

3
5
0 / 0

FreeIPA AD Trust with Samba4 ... is it possible?

by D Anderson

Hello all, I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS , as the Samba4 internal DNS server has several know limitations. https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Limitations| >The internal DNS does not support: >zone transfers https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_... >Conditional forwarders are not implemented yet I THINK I got DNS actually working , but had to use solution like here https://www.redhat.com/archives/freeipa-users/2012-October/msg00194.html Although Petr says to stay away from forwarders in IPA Is it better to attempt AD as subdomain of IPA (which I'm currently doing) , or IPA as subdomain of AD ? On both samba4 and freeipa machine I can currently dig SRV records for both domains , but when I attempt ipa add-trust, I see in httpd error logs >[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts >[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.') Which leads me to believe that no, DNS is not working correctly ( I have all firewall/iptables off and selinux off). I can give more concrete/examples , but before get lost in the weeds wanted to know on broad consensus is it even possible or known bad issues with Samba AD ? Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba , it says >In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build. Which I'm confused ... how to get I get AD trust, if I'm setting up samba without AD abilities?? Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA It recommends a. If you have an AD ( Microsoft ) , use it b. If you don't have a Microsoft AD , setup Samba4 >but it can be configured to trust FreeIPA Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc) Thanks

5 years

5
7
0 / 0

ipa-replica-manage --force replica.server fails

by Ralph Crongeyer

Hi List, I have a master server that had a replica installed. The replica has been uninstalled. When I try to run "ipa-replica-manage del --force replica.server" it fails with: invalid 'PKINIT enabled server': all masters must have IPA master role enabled How can I delete this replica? Thanks, Ralph

5 years, 1 month

7
22
0 / 0

Ad user password authentication doesn't work

by Patrick Irish

I've been fighting with this for 2 months. I've rebuilt both the ad and ip server twice. Currently ipa and ad only contain a single unique user. AD and ipa are on separate dns domains (ad.domain.com and int.domain.com respectively). AD domain has windows pc joined to it. IPA server has linux server joined to it. Any help is greatly appreciated. AD server Server: dc0.ad.domain.com Domain: ad.domain.com IP: 10.10.60.81 IPA server Server: identity.int.domain.com domain int.domain.com IP: 10.10.60.61 What works on ipa server: id aduser getent passwd aduser kinit aduser(a)ad.domain.com what doesn't work ssh 'aduse(a)ad.domain.com'@ipaserver Password: Password: Password: [localuser@ipaserver] su - aduser(a)ad.domain.com Password: su: Authentication failure logs: ldap_child.log (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [main] (0x0400): ldap_child started. (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [main] (0x2000): context initialized (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x1000): total buffer size: 70 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x1000): realm_str size: 16 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x1000): got realm_str: INT.DOMAIN.COM (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x1000): princ_str size: 30 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x1000): got princ_str: host/identity.int.domain.com (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x1000): keytab_name size: 0 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x1000): lifetime: 86400 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unpack_buffer] (0x0200): Will run as [0][0]. (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [main] (0x2000): Kerberos context initialized (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [become_user] (0x0200): Trying to become user [0][0]. (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [become_user] (0x0200): Already user [0]. (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [main] (0x2000): Running as [0][0]. (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [main] (0x2000): getting TGT sync (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [INT.DOMAIN.COM] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/identity.int.domain.com(a)INT.DOMAIN.COM] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14735: Getting initial credentials for host/identity.int.domain.com(a)INT.DOMAIN.COM (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14736: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14738: Sending unauthenticated request (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14739: Sending request (219 bytes) to INT.DOMAIN.COM (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14740: Initiating TCP connection to stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14741: ending TCP request to stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14742: Received answer (593 bytes) from stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14743: Terminating TCP connection to stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14744: Response was from master KDC (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14745: Received error from KDC: -1765328359/Additional pre-authentication required (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14748: Preauthenticating using KDC method data (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14749: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133) (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14750: Selected etype info: etype aes256-cts, salt "INT.DOMAIN.COMhostidentity.int.domain.com", params "" (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14751: Received cookie: MIT1\x00\x00\x00\x01\x86\x9a\x8e>yI7\xe0\x9a\xa5xym\xa2,F{`d\xe7 N \x12\xef\xf1\x09)\x09:y\xc7J\xc8\xcd0U\x01\xacs\xbc\x02\x9a\xae\xfc\xe0\xa6\x0c\xe0\x96\x04e\xde\xc5?\xa0:U\xb8\xcdm\xbe\x0e\xf5\x9eW`\xa1\xd0\xcd\xed\xcd\xd0\x1a\xbb\xcfz\xe3\x91T\x03\xba\x05J\x8cz\xe3\x90\xe6\x8f\xa1\xf23\xea\xf8\x97\x12\xb7}\x15.\xd06$\x1aZ\xe7\xd5\xfd\x09D\xb2n\xafV\xb3\xc9\xab\xf8\xe7\xd3h-\xac?\x87\x15>\xd3G (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14752: PKINIT client has no configured identity; giving up (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14753: Preauth module pkinit (147) (info) returned: 0/Success (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14754: PKINIT client received freshness token from KDC (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14755: Preauth module pkinit (150) (info) returned: 0/Success (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14756: PKINIT client has no configured identity; giving up (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14757: Preauth module pkinit (16) (real) returned: 22/Invalid argument (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14758: PKINIT client ignoring draft 9 offer from RFC 4556 KDC (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14759: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14760: PKINIT client ignoring draft 9 offer from RFC 4556 KDC (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14761: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14762: PAKE challenge received with group 1, pubkey 400BEA93DC1F29293028E9CBDAB7FE7649318A0DBF7AF492C319ADA76A4B59F4 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14763: Retrieving host/identity.int.domain.com(a)INT.DOMAIN.COM from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14764: SPAKE key generated with pubkey 9BE6AA79E0B53D1B97641EB9FA6A27D0EE7C0387B05032B85920E190546464A6 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14765: SPAKE algorithm result: A501375464DD840A9E83F2038D18FE4AE664D3E8676983319E38E4D443476779 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14766: SPAKE final transcript hash: 27EB757B9F468B2A657293FB37623F3E7D47179A7A11B85D898D95011449DA2C (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14767: Sending SPAKE response (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14768: Preauth module spake (151) (real) returned: 0/Success (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14770: Sending request (478 bytes) to INT.DOMAIN.COM (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14771: Initiating TCP connection to stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14772: Sending TCP request to stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14773: Received answer (1496 bytes) from stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14774: Terminating TCP connection to stream 10.10.60.61:88 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14775: Response was from master KDC (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14776: Processing preauth types: PA-ETYPE-INFO2 (19) (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14777: Selected etype info: etype aes256-cts, salt "INT.DOMAIN.COMhostidentity.int.domain.com", params "" (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14778: Produced preauth for next request: (empty) (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14779: AS key determined by preauth: aes256-cts/5039 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14780: Decrypted AS reply; session key is: aes256-cts/4179 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14781: FAST negotiation: available (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_INT.DOMAIN.COM_YzeV0z] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14782: Initializing FILE:/var/lib/sss/db/ccache_INT.DOMAIN.COM_YzeV0z with default princ host/identity.int.domain.com(a)INT.DOMAIN.COM (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [sss_child_krb5_trace_cb] (0x4000): [2798] 1550983820.14783: Storing host/identity.int.domain.com(a)INT.DOMAIN.COM -> krbtgt/INT.DOMAIN.COM(a)INT.DOMAIN.COM in FILE:/var/lib/sss/db/ccache_INT.DOMAIN.COM_YzeV0z (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_INT.DOMAIN.COM_YzeV0z] to [/var/lib/sss/db/ccache_INT.DOMAIN.COM] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_INT.DOMAIN.COM_YzeV0z] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_INT.DOMAIN.COM_YzeV0z] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [prepare_response] (0x0400): Building response for result [0] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [pack_buffer] (0x2000): response size: 64 (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [44] msg [FILE:/var/lib/sss/db/ccache_INT.DOMAIN.COM] (Sat Feb 23 23:50:20 2019) [[sssd[ldap_child[2798]]]] [main] (0x0400): ldap_child completed successfully (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [main] (0x0400): ldap_child started. (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [main] (0x2000): context initialized (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): total buffer size: 94 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): realm_str size: 15 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): got realm_str: AD.DOMAIN.COM (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): princ_str size: 12 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): got princ_str: INTDOMAIN$ (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): keytab_name size: 43 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): got keytab_name: /var/lib/sss/keytabs/ad.domain.com.keytab (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x1000): lifetime: 86400 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unpack_buffer] (0x0200): Will run as [0][0]. (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [main] (0x2000): Kerberos context initialized (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [become_user] (0x0200): Trying to become user [0][0]. (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [become_user] (0x0200): Already user [0]. (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [main] (0x2000): Running as [0][0]. (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [main] (0x2000): getting TGT sync (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [AD.DOMAIN.COM] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [INTDOMAIN$(a)AD.DOMAIN.COM] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/var/lib/sss/keytabs/ad.domain.com.keytab] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234657: Getting initial credentials for INTDOMAIN$(a)AD.DOMAIN.COM (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234658: Looked up etypes in keytab: aes256-cts, aes128-cts, rc4-hmac (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234660: Sending unauthenticated request (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234661: Sending request (198 bytes) to AD.DOMAIN.COM (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234662: Initiating TCP connection to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234663: Sending TCP request to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234664: Received answer (206 bytes) from stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234665: Terminating TCP connection to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234666: Response was from master KDC (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234667: Received error from KDC: -1765328359/Additional pre-authentication required (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234670: Preauthenticating using KDC method data (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234671: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2) (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234672: Selected etype info: etype aes256-cts, salt "AD.DOMAIN.COMkrbtgtINTDOMAIN", params "" (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234673: PKINIT client has no configured identity; giving up (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234674: PKINIT client has no configured identity; giving up (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234675: Preauth module pkinit (16) (real) returned: 22/Invalid argument (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234676: PKINIT client ignoring draft 9 offer from RFC 4556 KDC (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234677: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234678: Retrieving INTDOMAIN$(a)AD.DOMAIN.COM from MEMORY:/var/lib/sss/keytabs/ad.domain.com.keytab (vno 0, enctype aes256-cts) with result: 0/Success (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234679: AS key obtained for encrypted timestamp: aes256-cts/18D5 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234681: Encrypted timestamp (for 1550983885.896873): plain 301AA011180F32303139303232343034353132355AA10502030DAF69, encrypted F264C965CF31F9501C9942AFEBF282493E712F282BBB6B47C1F7417317F6334B814F2E7CAB6FE13117A3BC3B8F8E91F5D0576E7957684AB3 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234682: Preauth module encrypted_timestamp (2) (real) returned: 0/Success (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234683: Produced preauth for next request: PA-ENC-TIMESTAMP (2) (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234684: Sending request (278 bytes) to AD.DOMAIN.COM (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234685: Initiating TCP connection to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234686: Sending TCP request to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234685: Initiating TCP connection to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234686: Sending TCP request to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234687: Received answer (1585 bytes) from stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234688: Terminating TCP connection to stream 10.10.60.81:88 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234689: Response was from master KDC (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234690: Processing preauth types: PA-ETYPE-INFO2 (19) (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234691: Selected etype info: etype aes256-cts, salt "AD.DOMAIN.COMkrbtgtINTDOMAIN", params "" (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234692: Produced preauth for next request: (empty) (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234693: AS key determined by preauth: aes256-cts/18D5 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234694: Decrypted AS reply; session key is: aes256-cts/AE91 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234695: FAST negotiation: unavailable (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_AD.DOMAIN.COM_ZuI79F] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234696: Initializing FILE:/var/lib/sss/db/ccache_AD.DOMAIN.COM_ZuI79F with default princ INTDOMAIN$(a)AD.DOMAIN.COM (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [sss_child_krb5_trace_cb] (0x4000): [2802] 1550983884.234697: Storing INTDOMAIN$(a)AD.DOMAIN.COM -> krbtgt/AD.DOMAIN.COM(a)AD.DOMAIN.COM in FILE:/var/lib/sss/db/ccache_AD.DOMAIN.COM_ZuI79F (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_AD.DOMAIN.COM_ZuI79F] to [/var/lib/sss/db/ccache_AD.DOMAIN.COM] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_AD.DOMAIN.COM_ZuI79F] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_AD.DOMAIN.COM_ZuI79F] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [prepare_response] (0x0400): Building response for result [0] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [pack_buffer] (0x2000): response size: 63 (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [43] msg [FILE:/var/lib/sss/db/ccache_AD.DOMAIN.COM] (Sat Feb 23 23:51:24 2019) [[sssd[ldap_child[2802]]]] [main] (0x0400): ldap_child completed successfully krb5_child.log: empty during log in attempts sssd_int.domain.com.log (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_done] (0x0400): DP Request [Subdomains #15]: Request handler finished [0]: Success (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [_dp_req_recv] (0x0400): DP Request [Subdomains #15]: Receiving request data. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Subdomains #15]: Finished. Success. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_reply_std] (0x1000): DP Request [Subdomains #15]: Returning [Success]: 0,0,Success (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_table_value_destructor] (0x0400): Removing [8:8:0000:ad.domain.com'] from reply table (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_destructor] (0x0400): DP Request [Subdomains #15]: Request removed. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c16110], connected[1], ops[(nil)], ldap[0x561795c1df90] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x561795bad8d0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_dispatch] (0x4000): Dispatching. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name='aduser(a)ad.domain.com'] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_attach_req] (0x0400): DP Request [Account #16]: New request. Flags [0x0001]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain int.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain int.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=int,dc=domain,dc=com] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_print_server] (0x2000): Searching 10.10.60.61:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName='aduser(a)ad.domain.com')(mail='aduser(a)ad.domain.com')(krbPrincipalName='aduser\\(a)ad.domain.com'@INT.domain.COM))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=int,dc=domain,dc=com]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_add] (0x2000): New operation 14 timeout 6 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c16110], connected[1], ops[0x561795c0d3a0], ldap[0x561795c1df90] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_destructor] (0x2000): Operation 14 finished (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=trusts,dc=int,dc=domain,dc=com] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_print_server] (0x2000): Searching 10.10.60.61:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(|(krbPrincipalName='aduser(a)ad.domain.com')(mail='aduser(a)ad.domain.com')(krbPrincipalName='aduser\\(a)ad.domain.com'@INT.domain.COM))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))(objectClass=ipaIDObject))][cn=trusts,dc=int,dc=domain,dc=com]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_add] (0x2000): New operation 15 timeout 6 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c16110], connected[1], ops[0x561795c0d3a0], ldap[0x561795c1df90] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c16110], connected[1], ops[0x561795c0d3a0], ldap[0x561795c1df90] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_destructor] (0x2000): Operation 15 finished (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x561795c16e00 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x561795c16cf0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Running timer event 0x561795c16e00 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Destroying timer event 0x561795c16cf0 "ltdb_timeout" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Ending timer event 0x561795c16e00 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_search_by_name] (0x0400): No such entry (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost='aduser(a)ad.domain.com')) (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x561795c1c110 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x561795c16cf0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Running timer event 0x561795c1c110 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Destroying timer event 0x561795c16cf0 "ltdb_timeout" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Ending timer event 0x561795c1c110 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_cache_search_groups] (0x2000): No such entry (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x561795c16e00 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x561795c16cf0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Running timer event 0x561795c16e00 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Destroying timer event 0x561795c16cf0 "ltdb_timeout" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Ending timer event 0x561795c16e00 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn ['aduser(a)ad.domain.com'] found. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_done] (0x0400): DP Request [Account #16]: Request handler finished [0]: Success (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #16]: Receiving request data. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #16]: Finished. Success. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #16]: Returning [Success]: 0,0,Success (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:int.domain.com:name='aduser(a)ad.domain.com'] from reply table (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_destructor] (0x0400): DP Request [Account #16]: Request removed. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c16110], connected[1], ops[(nil)], ldap[0x561795c1df90] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x561795bad8d0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_dispatch] (0x4000): Dispatching. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name='aduser(a)ad.domain.com'] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_attach_req] (0x0400): DP Request [Account #17]: New request. Flags [0x0001]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain int.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain ad.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain int.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain ad.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid='aduser))]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_print_server] (0x2000): Searching 10.10.60.61:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid='aduser))][cn=Default Trust View,cn=views,cn=accounts,dc=int,dc=domain,dc=com]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_add] (0x2000): New operation 16 timeout 6 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c16110], connected[1], ops[0x561795c0b230], ldap[0x561795c1df90] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_destructor] (0x2000): Operation 16 finished (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid='aduser))]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain int.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain ad.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain int.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain ad.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sss_domain_get_state] (0x1000): Domain ad.domain.com is Active (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_connect_step] (0x4000): beginning to connect (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [get_server_status] (0x1000): Status of server 'dc0.ad.domain.com' is 'working' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'dc0.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [set_server_common_status] (0x0100): Marking server 'dc0.ad.domain.com' as 'name not resolved' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc0.ad.domain.com' is 'working' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is expired (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [collapse_srv_lookup] (0x0100): Need to refresh SRV lookup for domain ad.domain.com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_srv_plugin_send] (0x0400): About to find domain controllers (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain ad.domain.com and site Default-First-Site-Name (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Default-First-Site-Name._sites.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c16110], connected[1], ops[(nil)], ldap[0x561795c1df90] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name not found (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_getsrv_done] (0x1000): Using TTL [600] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_discover_srv_done] (0x0400): Got 1 servers (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_get_dc_servers_done] (0x0400): Found 1 domain controllers in domain ad.domain.com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_connect_host_send] (0x0400): Resolving host dc0.ad.domain.com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_is_address] (0x4000): [dc0.ad.domain.com] does not look like an IP address (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc0.ad.domain.com' in files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc0.ad.domain.com' in files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying DNS (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc0.ad.domain.com' in DNS (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc0.ad.domain.com:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sssd_async_socket_init_send] (0x4000): Using file descriptor [30] for the connection. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dc0.ad.domain.com:389/??base] with fd [30]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc0.ad.domain.com:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_print_server] (0x2000): Searching 10.10.60.81:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=ad.domain.com)(NtVer=\14\00\00\00))][]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_add] (0x2000): New operation 1 timeout 6 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795bb41c0], connected[1], ops[0x561795c1ad50], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: []. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [netlogon] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795bb41c0], connected[1], ops[0x561795c1ad50], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_destructor] (0x2000): Operation 1 finished (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x561795bb41c0], connected[1], ops[(nil)], ldap[0x561795bc93c0], destructor_lock[0], release_memory[0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_get_client_site_done] (0x0400): Found forest: ad.domain.com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_discover_servers_send] (0x0400): Looking up primary servers (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Default-First-Site-Name._sites.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name not found (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_getsrv_done] (0x1000): Using TTL [600] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_discover_srv_done] (0x0400): Got 1 servers (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_srv_plugin_servers_done] (0x0400): Got 1 primary and 0 backup servers (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dc0.ad.domain.com:389' to service 'sd_ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'sd_ad.domain.com' as 'resolved' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [get_server_status] (0x1000): Status of server 'dc0.ad.domain.com' is 'name not resolved' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_is_address] (0x4000): [dc0.ad.domain.com] does not look like an IP address (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc0.ad.domain.com' in files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [set_server_common_status] (0x0100): Marking server 'dc0.ad.domain.com' as 'resolving name' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc0.ad.domain.com' in files (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying DNS (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc0.ad.domain.com' in DNS (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [set_server_common_status] (0x0100): Marking server 'dc0.ad.domain.com' as 'name resolved' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dc0.ad.domain.com: [10.10.60.81] TTL 600 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc0.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc0.ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [sd_ad.domain.com]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_2flUNz] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_2flUNz] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sssd_async_socket_init_send] (0x4000): Using file descriptor [25] for the connection. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dc0.ad.domain.com:389/??base] with fd [25]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_print_server] (0x2000): Searching 10.10.60.81:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_add] (0x2000): New operation 1 timeout 6 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[0x561795c15290], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: []. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [currentTime] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [subschemaSubentry] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dsServiceName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultNamingContext] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [schemaNamingContext] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [configurationNamingContext] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [rootDomainNamingContext] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPPolicies] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [highestCommittedUSN] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dnsHostName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ldapServiceName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedCapabilities] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [isSynchronized] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [isGlobalCatalogReady] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainFunctionality] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [forestFunctionality] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainControllerFunctionality] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[0x561795c15290], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_destructor] (0x2000): Operation 1 finished (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_server_opts_from_rootdse] (0x4000): USN value: 49446 (int: 49446) (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [7] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=ad,DC=domain,DC=com] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (/var/lib/sss/keytabs/ad.domain.com.keytab, INTdomain$, AD.domain.COM, 86400) (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service sd_ad.domain.com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_ad.domain.com' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [get_server_status] (0x1000): Status of server 'dc0.ad.domain.com' is 'name resolved' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [get_server_status] (0x1000): Status of server 'dc0.ad.domain.com' is 'name resolved' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [be_resolve_server_process] (0x0200): Found address for server dc0.ad.domain.com: [10.10.60.81] TTL 600 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 94 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2802] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[(nil)], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_AD.domain.COM], expired on [1551019884] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1550984784 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: INTdomain$ (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [child_sig_handler] (0x1000): Waiting for child [2802]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [child_sig_handler] (0x0100): child [2802] finished successfully. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_cli_connect_recv] (0x0400): Connection established. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2086 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc0.ad.domain.com' as 'working' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [set_server_common_status] (0x0100): Marking server 'dc0.ad.domain.com' as 'working' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dc0.ad.domain.com' as 'working' (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_connect_done] (0x2000): Old USN: 49438, New USN: 49446 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=ad,dc=domain,dc=com] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_print_server] (0x2000): Searching 10.10.60.81:389 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName='aduser(a)ad.domain.com')(mail='aduser(a)ad.domain.com')(userPrincipalName='aduser\\(a)ad.domain.com'@AD.domain.COM))(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=ad,dc=domain,dc=com]. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_add] (0x2000): New operation 5 timeout 6 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [be_run_unconditional_online_cb] (0x4000): List of unconditional online callbacks is empty, nothing to do. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[0x561795c298a0], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.ad.domain.com/DC=ForestDnsZones,DC=ad,DC=domain,DC=com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[0x561795c298a0], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.ad.domain.com/DC=DomainDnsZones,DC=ad,DC=domain,DC=com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[0x561795c298a0], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ad.domain.com/CN=Configuration,DC=ad,DC=domain,DC=com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[0x561795c298a0], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_op_destructor] (0x2000): Operation 5 finished (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.ad.domain.com/DC=ForestDnsZones,DC=ad,DC=domain,DC=com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.ad.domain.com/DC=DomainDnsZones,DC=ad,DC=domain,DC=com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ad.domain.com/CN=Configuration,DC=ad,DC=domain,DC=com (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x561795c16cf0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x561795c2a8f0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Running timer event 0x561795c16cf0 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Destroying timer event 0x561795c2a8f0 "ltdb_timeout" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Ending timer event 0x561795c16cf0 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_search_by_name] (0x0400): No such entry (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost='aduser(a)ad.domain.com')) (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x561795c1c110 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x561795c2a8f0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Running timer event 0x561795c1c110 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Destroying timer event 0x561795c2a8f0 "ltdb_timeout" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Ending timer event 0x561795c1c110 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_cache_search_groups] (0x2000): No such entry (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x561795c16cf0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x561795c2a8f0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Running timer event 0x561795c16cf0 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Destroying timer event 0x561795c2a8f0 "ltdb_timeout" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ldb] (0x4000): Ending timer event 0x561795c16cf0 "ltdb_callback" (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn ['aduser(a)ad.domain.com'] found. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_done] (0x0400): DP Request [Account #17]: Request handler finished [0]: Success (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [_dp_req_recv] (0x0400): DP Request [Account #17]: Receiving request data. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #17]: Finished. Success. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #17]: Returning [Success]: 0,0,Success (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:ad.domain.com:name='aduser(a)ad.domain.com'] from reply table (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_destructor] (0x0400): DP Request [Account #17]: Request removed. (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561795c078f0], connected[1], ops[(nil)], ldap[0x561795bc93c0] (Sat Feb 23 23:51:24 2019) [sssd[be[int.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list

5 years, 1 month

4
15
0 / 0

nfsidmap/nss_getpwnam fails to resolve users with IPA/NFSv4+krb5

by Robert Sturrock

Hi All. We have IPA setup in an AD trust to support our Linux fleet. I’m running into a problem trying to get Ubuntu (16.04) clients to resolve names/ids on an NFS-mounted filesystem from an NFS server using NFSv4/krb5. Files and directories show up as ‘nobody’ or an incorrect numerical ID when listed with ‘ls’. RHEL7 clients seem to working fine with a very similar configuration (as far as I can tell). The particulars are: - AD forest has domains ‘localdomain’ and ‘student.localdomain’ (my user identity is ‘user@localdomain’) - IPA domain is ‘ipa.localdomain’ - The NFS server (RHEL7) and clients (Ubu16.04, RHEL7) are both enrolled to IPA (with 'Domain=ipa.localdomain’ in /etc/idmapd.conf). I have mounted the NFS volume on the clients with a simple: mount -t nfs4 nfs-server.ipa.localdomain:/export /mnt Listing my directory as myself (‘rns@localdomain’) on the Ubuntu client, I see: $ ls -ld rns drwx------ 18 nobody 4294967294 4096 Oct 25 15:18 rns .. with these corresponding nfsidmap messages: Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: key: 0x2c254c26 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600 Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: calling nsswitch->name_to_uid Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname '(null)' Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' does not map into domain 'ipa.localdomain' Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: nsswitch->name_to_uid returned -22 Oct 25 16:49:42 ubuntu-16.04-client.sub.localdomain nfsidmap[6163]: nfs4_name_to_uid: final return value is -22 .. whereas on the RHEL7 client, I see: $ ls -ld rns drwx------. 18 rns@localdomain rns@localdomain 4096 Oct 25 15:18 rns Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: key: 0xf113fd2 type: uid value: rns@localdomain(a)ipa.localdomain timeout 600 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: calling nsswitch->name_to_uid Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nss_getpwnam: name 'rns@localdomain(a)ipa.localdomain' domain 'ipa.localdomain': resulting localname 'rns@localdomain' Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30590]: nfs4_name_to_uid: final return value is 0 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: key: 0x2125a5d2 type: gid value: rns@localdomain(a)ipa.localdomain timeout 600 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: calling nsswitch->name_to_gid Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0 Oct 25 16:56:23 rhel-7-client.sub.localdomain nfsidmap[30592]: nfs4_name_to_gid: final return value is 0 Why does the Ubuntu client's nfsidmap think that my identity doesn’t map into ‘ipa.localdomain’ and therefore (presumably) returns the error code ‘-22’? (My identity resolves ok from the shell, using ‘id rns@localdomain’ and I can login and use local filesystems without issue). The idmapd.conf looks like this: [General] Verbosity = 4 Pipefs-Directory = /run/rpc_pipefs Domain = ipa.localdomain Local-Realms = LOCALDOMAIN, STUDENT.LOCALDOMAIN, IPA.LOCALDOMAIN [Mapping] Nobody-User = nobody Nobody-Group = nogroup [Translation] Method = nsswitch Any pointers appreciated! Regards, Robert.

5 years, 1 month

3
5
0 / 0

Unable to login via ssh with AD credentials after upgrade FreeIPA

by Morgan Marodin

Hi everybody. I have just upgraded my cluster from FreeIPA 4.4.0-14 to 4.6.4-10. All is good, logging via IPA credentials, HBAC and sudo rules are working. I have only a issue logging via SSH with AD credentials. Before the upgrade all was working well. I think that the trust is ok, because *kinit*, *ipa hbactest* and *ipa trustdomain-find* (on both ipa servers) are working well: *[root@mlv-ipasrv01 ~]# ipa trustdomain-find MYDOMAIN.COM <http://MYDOMAIN.COM> Domain name: mydomain.com <http://mydomain.com> Domain NetBIOS name: MYDOMAIN Domain Security Identifier: S-1-5-21-3367759252-2451474351-126822339 Domain enabled: True----------------------------Number of entries returned 1----------------------------[root@mlv-ipasrv01 ~]# ipa hbactest --user=morgan.marodin(a)mydomain.com <morgan.marodin(a)mydomain.com> --host=mlv-testipa01.ipa.mydomain.com <http://mlv-testipa01.ipa.mydomain.com>Service: sshd--------------------Access granted: True-------------------- Matched rules: allow_ad_ipa_admins Not matched rules: allow_ad_ipa_apps Not matched rules: allow_ipa_it_mysite[root@mlv-testipa01 ~]# kinit morgan.marodin(a)mydomain.com <morgan.marodin(a)mydomain.com>Password for morgan.marodin(a)mydomain.com <morgan.marodin(a)mydomain.com>:[root@mlv-testipa01 ~]# klistTicket cache: KEYRING:persistent:0:0Default principal: morgan.marodin(a)MYDOMAIN.COM <morgan.marodin(a)MYDOMAIN.COM>Valid starting Expires Service principal02/19/2019 17:55:23 02/20/2019 03:55:23 krbtgt/MYDOMAIN.COM(a)MYDOMAIN.COM <MYDOMAIN.COM(a)MYDOMAIN.COM> renew until 02/20/2019 17:55:18* This is the error log: *[root@mlv-testipa01 ~]# tail -f /var/log/secureFeb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.marodin(a)mydomain.com <morgan.marodin(a)mydomain.com>Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:account): Access denied for user morgan.marodin(a)mydomain.com <morgan.marodin(a)mydomain.com>: 6 (Permission denied)Feb 19 18:03:21 mlv-testipa01 sshd[378401]: error: PAM: User account has expired for morgan.marodin(a)mydomain.com <morgan.marodin(a)mydomain.com> from 192.168.100.252Feb 19 18:03:21 mlv-testipa01 sshd[378401]: fatal: monitor_read: unpermitted request 104* It seems a problem with pam and sssd. Do you have any suggestions? Thanks, bye. Morgan

5 years, 1 month

2
18
0 / 0

Web app integration

by Alex Corcoles

Hi, I've read: https://www.freeipa.org/page/Web_App_Authentication , but there is some stuff that is not clear to me. 1) SAML As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and Keycloak is the way to go, right? However, Keycloak setup is not trivial, correct? Running CentOS there is no straightforward way to install and integrate it with a FreeIPA domain, correct? 2) SSO What is the special sauce for users using a browser on an IPA-joined system to log in to apps without even seeing a login form? SPNEGO? I'm using mod_auth_gssapi for some apps, having httpd do the authentication and forward it through REMOTE_USER, but it doesn't do the magic. There are some hints on mod_auth_gssapi's docs, but nothing really clear. 3) How should you deliver apps? Suppose you are a web app developer and you want to deliver a web application which can easily integrate with FreeIPA. What's the most comfortable option you can give? (assuming, for instance, that you want the SSO magic sauce). Is there any difference between apps that will run on the FreeIPA's domain owner's systems or third party apps? Cheers, Álex -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/

5 years, 1 month

3
12
0 / 0

ipa service vault - cannot find

by Dmitry Perets

Hi, Sorry, I am probably missing something very basic in the way how the vault should work for services... So my task is simple: let's say I want to store a secret for a script. That is, the script must be able to retrieve it in an unattended way. The script is running on a Linux server server.mydomain.com, which is enrolled in FreeIPA domain. The script is running under user "svc-user" which I've created on the FreeIPA just for that (so, its principal is svc-user(a)MYDOMAIN.COM). Additionally, I've also created a service "MYSVC" on the FreeIPA (so I now also have the principal MYSVC\server.mydomain.com(a)MYDOMAIN.COM). Finally, I did not set any password for the user "svc-user" and I've configured its shell to be /sbin/nologin. Not sure if it will make any difference. And now, with all this ready, I am trying to store my secret as admin, so that my script can retrieve it. I create a vault (I tried also standard one, but here I am showing an example with asymmetrical one, because all examples I found use it): kinit admin <Entering password for admin> ipa vault-add svc-vault --service MYSVC\server.mydomain.com --type asymmetric --public-key-file svc.pub.pem ipa vault-archive svc-vault --service MYSVC\server.mydomain.com --data <secret_data_in_base64> OK, secret is stored. And here is my vault: # ipa vault-find --services --------------- 1 vault matched --------------- Vault name: svc-vault Type: asymmetric Vault service: MYSVC\server.mydomain.com(a)MYDOMAIN.COM ---------------------------- Number of entries returned 1 ---------------------------- Finally, I generate a keytab for my script: ipa-getkeytab -p MYSVC\server.mydomain.com -k /var/kerberos/krb5/user/856500016/client.keytab OK... now I clean up with "kdestroy" and try to run my script as a user "svc-user". And the script is trying to do this: kinit MYSVC\server.mydomain.com -k -t /var/kerberos/krb5/user/856500016/client.keytab klist ipa vault-find --services ... And the problem is that it simply doesn't find the svc-vault. It does seem like it manages to get the Kerberos ticket, this is the output from klist (inside the script): Default principal: MYSVC\server.mydomain.com(a)MYDOMAIN.COM Valid starting Expires Service principal 02/27/2019 17:04:58 02/28/2019 17:04:58 krbtgt/MYDOMAIN.COM(a)MYDOMAIN.COM Now... If I add the user "svc-user" as a member to my svc-vault, add the svc-user to the keytab and then use "kinit svc-user" in my script, then it seems to work. But I don't understand then the whole point of "service vault"... what's the purpose of the MYSVC/server.mydomain.com principle here actually...? And another question - can't exactly the same (with "svc-user" in keytab) work also for a standard vault, without keys...? Because it looks like it becomes exactly the same usecase as if I just interactively use the vault shared with svc-user... Thanks!

5 years, 1 month

1
2
0 / 0

Autofs maps for students directories divided by first letter of username

by Kristian Petersen

Is there a way to set up the maps to mount a users home directory if they are divided up under a directory that is the first letter of their username without mounting all such directories for every user? We have thousands of students needing home directories and so they have divided up this way. Example: /home/students/a/aardvark or /home/students/b/bugsbunny. The docs I have read on autofs maps haven't been very clear on how to define this kind of mapping, especially in FreeIPA. -- Kristian Petersen System Administrator BYU Dept. of Chemistry and Biochemistry

5 years, 1 month

4
4
0 / 0

Can not find slapi-plugin.h file in FreeIPA 4.6.4 install

by Elena Fedorov

Hello, It's puzzling but the file required to be included in any custom plugin, slapi-plugin.h, is nowhere to be found in the FreeIPA 4.6.4 install, API_VERSION: 2.229 The documentation refers to this file being either in: /usr/lib64/dirsrv/plugins/slapi-plugin.h. or in /usr/include/dirsrv/slapi-plugin.h. But it's not in either of this location. It's not at all on the box - I searched from the top. Please advise where I can find this header file? What package do I need to install on RedHat 7.6 to get this file? Thanks, Elena.

5 years, 1 month

2
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2019