On 17.01.22 17:48, Rob Crittenden wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>> On 13.01.22 09:29, Ronald Wimmer via FreeIPA-users wrote:
>>> Today the problem reappeared. I cannot login with the admin user. The
>>> error message I get is "The password or username you entered is
>>> incorrect". kinit also does not work.
>>>
>>> It seems that the password has changed somehow without user interaction.
>>>
>>> How can we debug this?
>>>
>>> Cheers,
>>> Ronald
>>
>> We could verify that the user is neither locked nor disabled. The
>> password has not changed since we reset it. There is no obvious reason
>> why the password is not accepted anymore.
>>
>> What's strange is the fact that a particular IPA server says 'Failed
>> logins: 0' but shows a 'Last failed authentication' timestamp that is
>> later than the 'Last successful authentication' timestamp.
>
> I suppose what I would do, as DM, is to take a snapshot of one of the
> broken entries, because you want the userPassword, krbPrincipalKey, etc.
> Then reset the password. If it breaks again compare the stored and new
> entry to see what, if anything, is different.

We compared the user's LDAP attributes and not a single one changed. The
password hash stayed exactly what it was and the modification timestamps
did not alter.

Running kinit with KRB5_TRACE showed:

[3947831] 1643013400.799117: Response was from master KDC
[3947831] 1643013400.799118: Received error from KDC: -1765328360/Preauthentication failed
kinit: Password incorrect while getting initial credentials

In which SSSD section does it make sense to increase the debug_level?

Cheers,
Ronald
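
The snapshot comparison suggested in the thread, as an added example that is not part of the original messages or of FreeIPA itself: it diffs two LDIF dumps of the same user entry on the credential-related attributes and flags the "Failed logins: 0 but newer last-failed timestamp" state described above. The watched attribute list, the function names and the sample LDIF (including the dc=example,dc=test suffix and all values) are assumptions constructed for illustration.

```python
# Added example: compare two LDIF snapshots of one user entry (constructed data).
WATCHED = ("userPassword", "krbPrincipalKey", "krbLastPwdChange",
           "krbPasswordExpiration", "modifyTimestamp", "nsAccountLock")

def parse_ldif(text):
    """Parse a single-entry LDIF dump into {attr: sorted list of raw values}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        # "attr:: b64" keeps its leading ':' marker; only equality matters here
        entry.setdefault(attr, []).append(value.strip())
    return {a: sorted(v) for a, v in entry.items()}

def changed(before, after, attrs=WATCHED):
    """Return {attr: (old, new)} for watched attributes whose values differ."""
    return {a: (before.get(a), after.get(a))
            for a in attrs if before.get(a) != after.get(a)}

def counter_mismatch(entry):
    """True for the state reported in the thread: zero failed logins but a
    last-failed timestamp later than the last-successful one."""
    failed = int(entry.get("krbLoginFailedCount", ["0"])[0])
    last_fail = entry.get("krbLastFailedAuth", [""])[0]
    last_ok = entry.get("krbLastSuccessfulAuth", [""])[0]
    # GeneralizedTime (YYYYMMDDHHMMSSZ) orders correctly as a plain string
    return failed == 0 and last_fail > last_ok

# Constructed sample snapshots; none of these values come from the thread.
SNAP_WORKING = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
userPassword:: Q09OU1RSVUNURUQ=
krbPrincipalKey:: Q09OU1RSVUNURUQ=
krbLastPwdChange: 20220113093000Z
modifyTimestamp: 20220113093000Z
krbLoginFailedCount: 0
krbLastSuccessfulAuth: 20220117101500Z
"""
SNAP_BROKEN = SNAP_WORKING + "krbLastFailedAuth: 20220124083640Z\n"

if __name__ == "__main__":
    old, new = parse_ldif(SNAP_WORKING), parse_ldif(SNAP_BROKEN)
    print("changed credential attributes:", changed(old, new) or "none")
    print("counter/timestamp mismatch:", counter_mismatch(new))
```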