We have an IPA-AD trust up and running. The IPA domain is
idm.fnr.gub.uy and the AD (Samba) domain is smb.fnr.gub.uy. Our users
belong to AD.
We have a couple of Ubuntu 22.04 IPA clients configured. In the first
one, all works like a charm, and AD users can log in without problems.
In the second one, AD users can log in sometimes, and sometimes not.
The log /var/log/sssd/krb5_child.log is completely empty in the first
case. In the second one, we have the following when a user cannot
log in:
(2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020):
[RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400):
[RID#19] krb5_child started.
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer]
(0x1000): [RID#19] total buffer size: [134]
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer]
(0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005]
validate [true] enterprise principal [false] offline [false] UPN
[mduffour(a)SMB.FNR.GUB.UY]
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer]
(0x2000): [RID#19] No old ccache
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer]
(0x0100): [RID#19] ccname: [KEYRING:persistent:700000003] old_ccname:
[not set] keytab: [/etc/krb5.keytab]
* (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_precreate_ccache]
(0x4000): [RID#19] Recreating ccache
* (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_setup_fast]
(0x0100): [RID#19] Fast principal is set to
[host/laptingw02.idm.fnr.gub.uy(a)IDM.FNR.GUB.UY]
* (2023-01-04 11:42:10): [krb5_child[4430]]
[find_principal_in_keytab] (0x4000): [RID#19] Trying to find principal
host/laptingw02.idm.fnr.gub.uy(a)IDM.FNR.GUB.UY in keytab.
* (2023-01-04 11:42:10): [krb5_child[4430]] [match_principal]
(0x1000): [RID#19] Principal matched to the sample
(host/laptingw02.idm.fnr.gub.uy(a)IDM.FNR.GUB.UY)
* (2023-01-04 11:42:10): [krb5_child[4430]] [check_fast_ccache]
(0x0200): [RID#19] FAST TGT is still valid.
* (2023-01-04 11:42:10): [krb5_child[4430]]
[privileged_krb5_setup] (0x0080): [RID#19] Cannot open the PAC
responder socket
* (2023-01-04 11:42:10): [krb5_child[4430]] [become_user]
(0x0200): [RID#19] Trying to become user [700000003][700000005].
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x2000):
[RID#19] Running as [700000003][700000005].
* (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options]
(0x0100): [RID#19] No specific renewable lifetime requested.
* (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options]
(0x0100): [RID#19] No specific lifetime requested.
* (2023-01-04 11:42:10): [krb5_child[4430]]
[set_canonicalize_option] (0x0100): [RID#19] Canonicalization is set
to [true]
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400):
[RID#19] Will perform auth
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400):
[RID#19] Will perform online auth
* (2023-01-04 11:42:10): [krb5_child[4430]] [tgt_req_child]
(0x1000): [RID#19] Attempting to get a TGT
* (2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt]
(0x0400): [RID#19] Attempting kinit for realm [SMB.FNR.GUB.UY]
* (2023-01-04 11:42:11): [krb5_child[4430]] [sss_krb5_responder]
(0x4000): [RID#19] Got question [password].
* (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt]
(0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2023-01-04 11:42:11): [krb5_child[4430]] [map_krb5_error] (0x0020):
[RID#19] 1854: [-1765328353][Decrypt integrity check failed]
And the following when the same user is able to log in:
(2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040):
[RID#21] sss_send_pac failed, group membership for user with principal
[mduffour(a)SMB.FNR.GUB.UY] might not be correct.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400):
[RID#21] krb5_child started.
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer]
(0x1000): [RID#21] total buffer size: [134]
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer]
(0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005]
validate [true] enterprise principal [false] offline [false] UPN
[mduffour(a)SMB.FNR.GUB.UY]
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer]
(0x2000): [RID#21] No old ccache
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer]
(0x0100): [RID#21] ccname: [KEYRING:persistent:700000003] old_ccname:
[not set] keytab: [/etc/krb5.keytab]
* (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_precreate_ccache]
(0x4000): [RID#21] Recreating ccache
* (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_setup_fast]
(0x0100): [RID#21] Fast principal is set to
[host/laptingw02.idm.fnr.gub.uy(a)IDM.FNR.GUB.UY]
* (2023-01-04 11:42:28): [krb5_child[4432]]
[find_principal_in_keytab] (0x4000): [RID#21] Trying to find principal
host/laptingw02.idm.fnr.gub.uy(a)IDM.FNR.GUB.UY in keytab.
* (2023-01-04 11:42:28): [krb5_child[4432]] [match_principal]
(0x1000): [RID#21] Principal matched to the sample
(host/laptingw02.idm.fnr.gub.uy(a)IDM.FNR.GUB.UY)
* (2023-01-04 11:42:28): [krb5_child[4432]] [check_fast_ccache]
(0x0200): [RID#21] FAST TGT is still valid.
* (2023-01-04 11:42:28): [krb5_child[4432]]
[privileged_krb5_setup] (0x0080): [RID#21] Cannot open the PAC
responder socket
* (2023-01-04 11:42:28): [krb5_child[4432]] [become_user]
(0x0200): [RID#21] Trying to become user [700000003][700000005].
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x2000):
[RID#21] Running as [700000003][700000005].
* (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options]
(0x0100): [RID#21] No specific renewable lifetime requested.
* (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options]
(0x0100): [RID#21] No specific lifetime requested.
* (2023-01-04 11:42:28): [krb5_child[4432]]
[set_canonicalize_option] (0x0100): [RID#21] Canonicalization is set
to [true]
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400):
[RID#21] Will perform auth
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400):
[RID#21] Will perform online auth
* (2023-01-04 11:42:28): [krb5_child[4432]] [tgt_req_child]
(0x1000): [RID#21] Attempting to get a TGT
* (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt]
(0x0400): [RID#21] Attempting kinit for realm [SMB.FNR.GUB.UY]
* (2023-01-04 11:42:28): [krb5_child[4432]] [sss_krb5_responder]
(0x4000): [RID#21] Got question [password].
* (2023-01-04 11:42:28): [krb5_child[4432]]
[sss_krb5_expire_callback_func] (0x2000): [RID#21] exp_time:
[10276087]
* (2023-01-04 11:42:28): [krb5_child[4432]] [validate_tgt]
(0x2000): [RID#21] Keytab entry with the realm of the credential not
found in keytab. Using the last entry.
* (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt]
(0x0400): [RID#21] TGT verified using key for
[host/laptingw02.idm.fnr.gub.uy(a)IDM.FNR.GUB.UY]
* (2023-01-04 11:42:29): [krb5_child[4432]] [sss_send_pac]
(0x0080): [RID#21] failed to contact PAC responder
* (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt]
(0x0040): [RID#21] sss_send_pac failed, group membership for user with
principal [mduffour(a)SMB.FNR.GUB.UY] might not be correct.
********************** BACKTRACE DUMP ENDS HERE
*********************************
I have tried clearing all sssd caches (even removing
/var/lib/sss/db/*), restarting all the servers, uninstalling ipa
client and configuring it again, etc. The behaviour is always the
same.
Any help is appreciated. Thanks very much,
tizo
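Added example (not part of the original post, and not SSSD's own code): a small Python triage script that parses krb5_child.log records like the ones above, groups them by SSSD request ID (RID), decodes the numeric libkrb5 code into its RFC 4120 name (-1765328353 is KRB5KDC base -1765328384 plus 31, i.e. KRB5KRB_AP_ERR_BAD_INTEGRITY, "Decrypt integrity check failed"), and flags the PAC-responder and keytab-realm warnings that appear even on the successful attempt. The embedded sample log is constructed from the lines above, with "@" restored where the list archive shows "(a)" and the mail wrapping undone; the table of decoded error names is an assumption limited to a handful of common codes.

```python
import re
from collections import OrderedDict

# Base of the MIT Kerberos protocol error table (KRB5KDC_ERR_NONE); a protocol
# error N is reported by libkrb5 as KRB5_ERROR_TABLE_BASE + N.
KRB5_ERROR_TABLE_BASE = -1765328384

# Assumption: only this subset of RFC 4120 codes is decoded; others print by number.
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP", 18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP", 24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED", 31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED", 37: "KRB5KRB_AP_ERR_SKEW",
    60: "KRB5KRB_ERR_GENERIC",
}

# One krb5_child.log record; backtrace entries have the same shape prefixed with "* ".
LINE_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\):\s*\[krb5_child\[(?P<pid>\d+)\]\]\s*"
    r"\[(?P<func>\w+)\]\s*\((?P<level>0x[0-9a-fA-F]+)\):\s*\[RID#(?P<rid>\d+)\]\s*(?P<msg>.*)$"
)
ERR_RE = re.compile(r"\[(?P<code>-\d+)\]\[(?P<text>[^\]]*)\]")      # [-1765328353][Decrypt ...]
UPN_RE = re.compile(r"UPN \[(?P<upn>[^\]]+)\]")
REALM_RE = re.compile(r"Attempting kinit for realm \[(?P<realm>[^\]]+)\]")

# Messages that do not fail the request but show the PAC/keytab path is degraded.
WARNING_MARKERS = (
    "Cannot open the PAC responder socket",
    "failed to contact PAC responder",
    "sss_send_pac failed",
    "Keytab entry with the realm of the credential not found in keytab",
)


def krb5_error_name(code):
    """Map a libkrb5 numeric error to its symbolic RFC 4120 name, or UNKNOWN(n)."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if 0 <= offset < 128 and offset in KRB5_ERROR_NAMES:
        return KRB5_ERROR_NAMES[offset]
    return "UNKNOWN(%d)" % code


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group records by RID and decide per request whether the TGT was obtained."""
    requests = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # backtrace banners and other non-record lines
        req = requests.setdefault(rec["rid"], {
            "pid": rec["pid"], "upn": None, "realm": None,
            "errors": [], "warnings": [], "outcome": "unknown"})
        msg = rec["msg"]
        um, rm, em = UPN_RE.search(msg), REALM_RE.search(msg), ERR_RE.search(msg)
        if um:
            req["upn"] = um.group("upn")
        if rm:
            req["realm"] = rm.group("realm")
        if em:
            code = int(em.group("code"))
            entry = {"func": rec["func"], "code": code,
                     "name": krb5_error_name(code), "text": em.group("text")}
            if entry not in req["errors"]:  # same error logged before and inside the backtrace
                req["errors"].append(entry)
            req["outcome"] = "failed"
        for marker in WARNING_MARKERS:
            if marker in msg and marker not in req["warnings"]:
                req["warnings"].append(marker)
        if "TGT verified using key for" in msg and req["outcome"] != "failed":
            req["outcome"] = "succeeded"
    return requests


def report(lines):
    """Human-readable per-request summary, one string per line."""
    out = []
    for rid, req in summarize(lines).items():
        out.append("RID#%s pid=%s upn=%s realm=%s -> %s" % (
            rid, req["pid"], req["upn"], req["realm"], req["outcome"]))
        for e in req["errors"]:
            out.append("  error in %s: %d = %s (%s)" % (e["func"], e["code"], e["name"], e["text"]))
        for w in req["warnings"]:
            out.append("  warning: " + w)
    return out


# Constructed sample: abridged from the post's two krb5_child runs, unwrapped, "@" restored.
SAMPLE_LOG = """\
(2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [mduffour@SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [privileged_krb5_setup] (0x0080): [RID#19] Cannot open the PAC responder socket
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt] (0x0400): [RID#19] Attempting kinit for realm [SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2023-01-04 11:42:11): [krb5_child[4430]] [map_krb5_error] (0x0020): [RID#19] 1854: [-1765328353][Decrypt integrity check failed]
(2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [mduffour@SMB.FNR.GUB.UY] might not be correct.
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [mduffour@SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [privileged_krb5_setup] (0x0080): [RID#21] Cannot open the PAC responder socket
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt] (0x0400): [RID#21] Attempting kinit for realm [SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [validate_tgt] (0x2000): [RID#21] Keytab entry with the realm of the credential not found in keytab. Using the last entry.
   *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0400): [RID#21] TGT verified using key for [host/laptingw02.idm.fnr.gub.uy@IDM.FNR.GUB.UY]
   *  (2023-01-04 11:42:29): [krb5_child[4432]] [sss_send_pac] (0x0080): [RID#21] failed to contact PAC responder
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Run it against a real log with `report(open("/var/log/sssd/krb5_child.log").read().splitlines())`; because every record carries its RID, the script keeps the failing and succeeding attempts apart even when several krb5_child processes interleave in one file. Note that RID#21 is reported as succeeded while still carrying four warnings, which is exactly the "sometimes works" pattern in the post.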