Hi, Sumit.
Thanks for the reply. This morning, I found a support article behind the RHEL paywall that
closely resembles this error. One of the suggested workarounds was to delete
secrets.ldb:
# systemctl stop sssd
# systemctl stop sssd-kcm.service
# cp -av /var/lib/sss/secrets /var/lib/sss/secrets-backup
# rm /var/lib/sss/secrets/secrets.ldb /var/lib/sss/secrets/.secrets.mkey
# kinit "User principal" as a test.
# rm -fr /var/lib/sss/{mc,db}/* ; systemctl start sssd
That worked. Oddly, this problem was with a specific ipa account on this particular
machine. Other ipa accounts could log into this machine just fine. The same problem
account could log into other ipa machines just fine, so it was not a password problem.
After completing the steps above, the problem account could log into the machine.
-Scott
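The workaround above as a POSIX-sh script, added here as an example; it is not code from this thread or from SSSD/FreeIPA. It does the same four things (stop sssd and sssd-kcm, copy the secrets directory aside, remove secrets.ldb and .secrets.mkey, empty mc/ and db/, start sssd, then kinit) but keeps a timestamped backup, refuses to run when there is no secrets.ldb to reset, and restarts sssd if it bails out. The names SSS_ROOT, SSS_CTL and the sss_* functions are assumptions of this example, chosen so the file-handling part can be exercised on a scratch directory without touching a live host. Two caveats worth knowing before running it: /var/lib/sss/db is also where the cached credentials behind cache_credentials = True live, so after the wipe every user needs one online login before offline authentication works again; and the secrets database plus its master key is where sssd-kcm keeps stored credential caches, which is why the workaround stops sssd-kcm.service as well.

```shell
#!/bin/sh
# Added example, not part of the original thread: reset SSSD's secrets
# database and on-disk caches with a backup and a verification step.
#
# Assumptions (not in the original mail):
#   SSS_ROOT  base directory of the SSSD state, default /var/lib/sss
#   SSS_CTL   service-control command, default systemctl; set SSS_CTL=true
#             to exercise only the file handling on a scratch tree

SSS_ROOT="${SSS_ROOT:-/var/lib/sss}"
SSS_CTL="${SSS_CTL:-systemctl}"

# Copy <root>/secrets aside as <root>/secrets-backup-<stamp>, then remove the
# secrets database and its master key. Prints the backup path on success and
# returns 1 when there is no secrets.ldb to reset (so nothing is touched).
sss_reset_secrets() {
    root="$1"
    stamp="$2"
    secrets="$root/secrets"
    [ -f "$secrets/secrets.ldb" ] || return 1
    backup="$root/secrets-backup-$stamp"
    cp -a "$secrets" "$backup"          # -a keeps the hidden .secrets.mkey
    rm -f "$secrets/secrets.ldb" "$secrets/.secrets.mkey"
    printf '%s\n' "$backup"
}

# Empty the fast memory cache (mc/) and the on-disk cache (db/). The db/
# directory also holds cached credentials, so offline login is lost until
# each user has authenticated online once more.
sss_clear_caches() {
    root="$1"
    for d in "$root/mc" "$root/db"; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -delete
    done
}

# Number of entries left under a directory (used to confirm the wipe).
sss_count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# The whole procedure on a live host: stop, reset, clear, start, verify.
# The principal is the account that could not log in; kinit prompts for the
# password itself, so it never appears on the command line or in history.
sss_apply() {
    principal="$1"
    stamp="$(date +%Y%m%d-%H%M%S)"
    "$SSS_CTL" stop sssd
    "$SSS_CTL" stop sssd-kcm.service
    backup="$(sss_reset_secrets "$SSS_ROOT" "$stamp")" || {
        echo "no $SSS_ROOT/secrets/secrets.ldb to reset, leaving host as is" >&2
        "$SSS_CTL" start sssd
        return 1
    }
    echo "secrets backed up to $backup"
    sss_clear_caches "$SSS_ROOT"
    "$SSS_CTL" start sssd
    kinit "$principal"
}

# Only act on the live host when explicitly asked: ./reset-sss.sh --apply user1
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    sss_apply "$2"
fi
```

Run it as root with `--apply <principal>` on the affected client; if the kinit at the end succeeds, the per-host secrets database was the problem. Keep the secrets-backup-<stamp> directory until you are sure nothing else depended on the stored KCM caches.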
-----Original Message-----
From: Sumit Bose via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Tuesday, August 17, 2021 9:50 AM
To: freeipa-users(a)lists.fedorahosted.org
Cc: Sumit Bose <sbose(a)redhat.com>
Subject: [Freeipa-users] Re: krb5_child.log - Internal credentials cache error
On Mon, Aug 16, 2021 at 10:49:18PM +0000, Dungan, Scott A. via FreeIPA-users wrote:
Hello.
We have a client system (client1) that refuses login and throws an error in the
krb5_child.log only when a particular account tries to log in (user1). The same account
can log into other ipa domain client machines just fine. Other ipa accounts can log in to
this machine, just not the user1 account. In /var/log/secure we see:
Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=user1
Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): received for user user1: 4 (System error)
Aug 16 15:16:59 client1 sshd[13171]: error: PAM: Authentication failure for user1 from xxx.xxx.xxx.xxx
sssd_domain_withheld.log:
(2021-08-16 15:16:56): [be[]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
krb5_child.log:
(2021-08-16 15:16:56): [krb5_child[13176]] [create_ccache] (0x0020): 1039: [-1765328188][Internal credentials cache error]
(2021-08-16 15:16:56): [krb5_child[13176]] [map_krb5_error] (0x0020): 1849: [-1765328188][Internal credentials cache error]
Hi,
can you add 'debug_level = 9' to the [domain/...] section of sssd.conf, restart
SSSD and try again to get more debug information into the logs?
If possible please send the full log of the failed krb5_child run.
Sometimes we see this in krb5_child.log as well:
(2021-08-16 12:32:13): [krb5_child[6232]] [get_and_save_tgt] (0x0020): 1720: [-1765328360][Preauthentication failed]
(2021-08-16 12:32:13): [krb5_child[6232]] [map_krb5_error] (0x0020): 1849: [-1765328360][Preauthentication failed]
This typically indicates a wrong password.
bye,
Sumit
Steps taken to clear the issue with no results:
1. sss_cache -E
2. systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl start sssd
3. ipa-client-install --uninstall and then rejoin
Environment:
RHEL8.4 - 4.18.0-305.12.1.el8_4.x86_64
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64
Contents of /etc/krb5.conf:
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = DOMAIN.WITHHELD.LOCAL
dns_lookup_realm = true
rdns = false
dns_canonicalize_hostname = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.WITHHELD.LOCAL = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.domain.withheld.local = DOMAIN.WITHHELD.LOCAL
domain.withheld.local = DOMAIN.WITHHELD.LOCAL
client1.domain.withheld.local = DOMAIN.WITHHELD.LOCAL
.withheld.local = DOMAIN.WITHHELD.LOCAL
withheld.local = DOMAIN.WITHHELD.LOCAL
Contents of /etc/sssd/sssd.conf:
[domain/domain.withheld.local]
id_provider = ipa
dns_discovery_domain = domain.withheld.local
ipa_server = _srv_, idm2.domain.withheld.local
ipa_domain = domain.withheld.local
ipa_hostname = client1.domain.withheld.local
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = default

[sssd]
services = nss, pam, ssh, sudo, autofs
domains = domain.withheld.local
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
Any help would be appreciated.
-Scott
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure