On Mon, 24 Jan 2022, Ronald Wimmer wrote:
On 17.01.22 17:53, Alexander Bokovoy wrote:
>On Mon, 17 Jan 2022, Rob Crittenden via FreeIPA-users wrote:
>>Ronald Wimmer via FreeIPA-users wrote:
>>>On 13.01.22 09:29, Ronald Wimmer via FreeIPA-users wrote:
>>>>Today the problem reappeared. I cannot login with the admin user. The
>>>>error message I get is "The password or username you entered is
>>>>incorrect". kinit also does not work.
>>>>
>>>>It seems that the password has changed somehow without user
>>>>interaction.
>>>>
>>>>How can we debug this?
>>>>
>>>>Cheers,
>>>>Ronald
>>>
>>>We could verify that the user is neither locked nor disabled. The
>>>password has not changed since we reset it. There is no obvious reason
>>>why the password is not accepted anymore.
>>>
>>>What's strange is the fact that a particular IPA server says 'Failed
>>>logins: 0' but shows a 'Last failed authentication' timestamp that is
>>>later than the 'Last successful authentication' timestamp.
>>
>>I suppose what I would do, as DM, is to take a snapshot of one of the
>>broken entries, because you want the userPassword, krbPrincipalKey, etc.
>>Then reset the password. If it breaks again compare the stored and new
>>entry to see what, if anything, is different.
>>
>>Including things like logs for a failing kinit would be useful as well.
>>
>>For login failures, follow the sssd troubleshooting guide to bump up
>>the devel level.
>
>I wonder if this is similar to
>https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/
>
>
>but can't confirm without krb5kdc logs.
Which debug level should I set?

There is no separate debug level. You either see an error message
around SIDs being different or not.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
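
The snapshot-and-compare step suggested earlier in the thread can be scripted. The following is an added example, not code from the thread or from FreeIPA: it assumes two LDIF exports of the same entry and reports which attributes differ, showing only digests so that userPassword and krbPrincipalKey values never appear in the output. The sample entry and its values are constructed.

```python
import base64
import hashlib

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: set of raw byte values}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: continues the previous one
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64>" marks a binary value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        entry.setdefault(attr.lower(), set()).add(value)
    return entry

def fingerprint(values):
    """Short SHA-256 digests, so secrets are compared but never printed."""
    return sorted(hashlib.sha256(v).hexdigest()[:12] for v in values)

def diff_entries(before, after):
    """Return {attr: (digests_before, digests_after)} for attributes that differ."""
    changed = {}
    for attr in sorted(set(before) | set(after)):
        old, new = before.get(attr, set()), after.get(attr, set())
        if old != new:
            changed[attr] = (fingerprint(old), fingerprint(new))
    return changed

def sample_entry(key, extra=""):
    """Constructed snapshot of a hypothetical entry; values are not real key material."""
    b64 = lambda b: base64.b64encode(b).decode()
    return (f"dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test\n"
            f"userPassword:: {b64(b'constructed-hash')}\n"
            f"krbPrincipalKey:: {b64(key)}\n"
            f"krbLoginFailedCount: 0\n{extra}")

BEFORE = parse_ldif_entry(sample_entry(b"constructed-keyset-1"))
AFTER = parse_ldif_entry(
    sample_entry(b"constructed-keyset-2", "krbLastFailedAuth: 20220113082900Z\n"))

if __name__ == "__main__":
    for attr, (old, new) in diff_entries(BEFORE, AFTER).items():
        print(attr, old, "->", new)
```

An attribute with an empty "before" list was added between the snapshots; an empty "after" list means it was removed.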