On 24.01.22 09:55, Alexander Bokovoy wrote:
> On ma, 24 tammi 2022, Ronald Wimmer wrote:
>> On 17.01.22 17:53, Alexander Bokovoy wrote:
>>> On ma, 17 tammi 2022, Rob Crittenden via FreeIPA-users wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 13.01.22 09:29, Ronald Wimmer via FreeIPA-users wrote:
>>>>>> Today the problem reappeared. I cannot log in with the admin user. The
>>>>>> error message I get is "The password or username you entered is
>>>>>> incorrect". kinit also does not work.
>>>>>>
>>>>>> It seems that the password has changed somehow without user
>>>>>> interaction.
>>>>>>
>>>>>> How can we debug this?
>>>>>>
>>>>>> Cheers,
>>>>>> Ronald
>>>>>
>>>>> We could verify that the user is neither locked nor disabled. The
>>>>> password has not changed since we reset it. There is no obvious reason
>>>>> why the password is not accepted anymore.
>>>>>
>>>>> What's strange is the fact that a particular IPA server says 'Failed
>>>>> logins: 0' but shows a 'Last failed authentication' timestamp that is
>>>>> later than the 'Last successful authentication' timestamp.
>>>>
>>>> I suppose what I would do, as DM, is to take a snapshot of one of the
>>>> broken entries, because you want the userPassword, krbPrincipalKey, etc.
>>>> Then reset the password. If it breaks again compare the stored and new
>>>> entry to see what, if anything, is different.
>>>>
>>>> Including things like logs for a failing kinit would be useful as well.
>>>>
>>>> For login failures, following the sssd troubleshooting guide to bump up
>>>> the debug level.
>>>
>>> I wonder if this is similar to
>>>
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>
>>> but can't confirm without krb5kdc logs.
>>
>> Which debug level should I set?
> There is no separate debug level. You either see an error message
> around SIDs being different or not.

That's what I see:
Jan 24 10:02:18 pipa08.linux.mydomain.at krb5kdc[4152](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.39.142: NEEDED_PREAUTH:
admin(a)LINUX.MYDOMAIN.AT for krbtgt/LINUX.MYDOMAIN.AT(a)LINUX.MYDOMAIN.AT,
Additional pre-authentication required
Jan 24 10:02:18 pipa08.linux.mydomain.at krb5kdc[4152](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.16.39: NEEDED_PREAUTH:
host/as40202.linux.mydomain.at(a)LINUX.MYDOMAIN.AT for
krbtgt/LINUX.MYDOMAIN.AT(a)LINUX.MYDOMAIN.AT, Additional
pre-authentication required
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.16.39: ISSUE: authtime 1643014943,
etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/as40202.linux.mydomain.at(a)LINUX.MYDOMAIN.AT for
krbtgt/LINUX.MYDOMAIN.AT(a)LINUX.MYDOMAIN.AT
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4152](info): TGS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.16.39: ISSUE: authtime 1643014943,
etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/as40202.linux.mydomain.at(a)LINUX.MYDOMAIN.AT for
ldap/pipa08.linux.mydomain.at(a)LINUX.MYDOMAIN.AT
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4152](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): preauth
(spake) verify failure: Preauthentication failed
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.39.142: PREAUTH_FAILED:
admin(a)LINUX.MYDOMAIN.AT for krbtgt/LINUX.MYDOMAIN.AT(a)LINUX.MYDOMAIN.AT,
Preauthentication failed
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): AS_REQ (8
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.66.43.162:
NEEDED_PREAUTH: host/as13399.org.mydomain.at(a)LINUX.MYDOMAIN.AT for
krbtgt/LINUX.MYDOMAIN.AT(a)LINUX.MYDOMAIN.AT, Additional
pre-authentication required
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4148](info): AS_REQ (8
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.66.43.162:
ISSUE: authtime 1643014943, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/as13399.org.mydomain.at(a)LINUX.MYDOMAIN.AT for
krbtgt/LINUX.MYDOMAIN.AT(a)LINUX.MYDOMAIN.AT
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4148](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): TGS_REQ (8
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.66.43.162:
ISSUE: authtime 1643014943, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/as13399.org.mydomain.at(a)LINUX.MYDOMAIN.AT for
ldap/pipa08.linux.mydomain.at(a)LINUX.MYDOMAIN.AT
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): closing
down fd 12
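A way to pull the same signal out of a krb5kdc log that the thread reads by eye, added here as an example and not code from the thread or from FreeIPA: it parses AS_REQ outcomes per principal, keeps the preauth mechanism named on the preceding "verify failure" line (matched by worker pid, since several krb5kdc processes interleave in the log above), and lists principals whose latest failure is not older than their latest success, the KDC-side counterpart of the "last failed after last successful" timestamps mentioned earlier. The sample lines are constructed in the format of the log above, with "@" written out where the archive shows "(a)".

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the format of the krb5kdc lines quoted in the thread
# (made-up values; '@' written out where the archive shows '(a)').
SAMPLE_LOG = """\
Jan 24 10:02:18 pipa08.linux.mydomain.at krb5kdc[4152](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.66.39.142: NEEDED_PREAUTH: admin@LINUX.MYDOMAIN.AT for krbtgt/LINUX.MYDOMAIN.AT@LINUX.MYDOMAIN.AT, Additional pre-authentication required
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): preauth (spake) verify failure: Preauthentication failed
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.66.39.142: PREAUTH_FAILED: admin@LINUX.MYDOMAIN.AT for krbtgt/LINUX.MYDOMAIN.AT@LINUX.MYDOMAIN.AT, Preauthentication failed
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.66.16.39: ISSUE: authtime 1643014943, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/as40202.linux.mydomain.at@LINUX.MYDOMAIN.AT for krbtgt/LINUX.MYDOMAIN.AT@LINUX.MYDOMAIN.AT
"""
HDR = r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
AS_REQ_RE = re.compile(HDR + r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<client>[\d.:a-fA-F]+): "
                       r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
                       r"(?P<principal>\S+) for (?P<service>[^,\s]+)")
PREAUTH_RE = re.compile(HDR + r"preauth \((?P<mech>\w+)\) verify failure")

def summarize(log_text):
    """Per requesting principal: AS_REQ outcomes, client IPs, failing preauth
    mechanism, and the time of the last ISSUE and the last failure."""
    stats = defaultdict(lambda: {"issued": 0, "failed": 0, "clients": set(),
                                 "mechs": set(), "last_success": None, "last_failure": None})
    pending = {}  # pid -> mechanism from the 'verify failure' line that precedes PREAUTH_FAILED
    for line in log_text.splitlines():
        if pm := PREAUTH_RE.match(line):
            pending[pm["pid"]] = pm["mech"]  # keyed by worker pid: several KDC processes interleave
            continue
        m = AS_REQ_RE.match(line)
        if not m or m["status"] == "NEEDED_PREAUTH":  # NEEDED_PREAUTH is the normal first leg, not a failure
            continue
        p = stats[m["principal"]]
        p["clients"].add(m["client"])
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
        if m["status"] == "ISSUE":
            p["issued"] += 1
            p["last_success"] = ts
        else:
            p["failed"] += 1
            p["last_failure"] = ts
            if mech := pending.pop(m["pid"], None):
                p["mechs"].add(mech)
    return dict(stats)

def failing_principals(stats):
    """Principals whose most recent AS failure is not older than their most recent success."""
    return sorted(name for name, p in stats.items()
                  if p["last_failure"] and (p["last_success"] is None or p["last_failure"] >= p["last_success"]))
```

Run against a real /var/log/krb5kdc.log the output narrows the investigation to the principals and client addresses actually failing preauth, which is what Rob's snapshot-and-compare step needs as input.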