Hi,
I'm trying to configure smartcard (pkinit) authentication against Active
Directory on latest CentOS without success.
AD authentication without smartcard works without problems and standalone
kinit with smartcard also works but I can't managed to login with smartcard
and sssd.
Is it supposed to work in current state? What problem does mentioned patch
addresses?
I included krb5.conf, sssd.conf and krb5_child.log. What I considered
strange is this part:
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags
[0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): Setting pkinit_prompting.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client
has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module
pkinit (16) (real) returned: -1765328360/Preauthentication failed
i.e. X509 identity is found but not used and prompt for PIN is ignored?
What can be wrong? Thanks.
krb5.conf:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
dns_canonicalize_hostname = false
rdns = false
default_realm = VALVERA.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
VALVERA.LOCAL = {
kdc = 172.30.30.30
admin_server = 172.30.30.30
pkinit_anchors = FILE:/etc/ca.crt
pkinit_eku_checking = kpServerAuth
pkinit_kdc_hostname = valvera.local
pkinit_identities = PKCS11:libcoolkeypk11.so
}
sssd.conf:
[sssd]
debug_level = 9
domains = valvera.local
config_file_version = 2
services = nss, pam
[pam]
pam_cert_auth = True
[domain/valvera.local]
debug_level = 9
ad_domain = valvera.local
krb5_realm = VALVERA.LOCAL
ldap_user_certificate = userCertificate;binary
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
krb5_child.log:
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400):
krb5_child started.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer]
(0x1000): total buffer size: [202]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer]
(0x0100): cmd [249] uid [650201177] gid [650200513] validate [true]
enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:650201177] old_ccname:
[KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [check_use_fast]
(0x0100): Not using FAST.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [k5c_setup] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): Will
perform pre-auth
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt]
(0x4000): Found Smartcard credentials, trying pkinit.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity]
(0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity]
(0x4000): Using pkinit identity
[PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [VALVERA.LOCAL]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480064: Getting
initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480066: Sending
request (209 bytes) to VALVERA.LOCAL
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480067: Initiating TCP
connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480068: Sending TCP
request to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480069: Received
answer (189 bytes) from stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480070: Terminating
TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480071: Response was
from master KDC
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480072: Received error
from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480075: Processing
preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480076: Selected etype
info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags
[0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit]
(0x4000): Setting pkinit_prompting.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client
has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module
pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87844: PKINIT client
has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87845: Preauth module
pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Password for arnost\@VALVERA.LOCAL@VALVERA.LOCAL].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module
encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt]
(0x0400): krb5_get_init_creds_password returned [-1765328174] during
pre-auth.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data]
(0x0200): Received error code 0
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [pack_response_packet]
(0x2000): response packet size: [12]
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data]
(0x4000): Response sent.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400):
krb5_child completed successfully
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400):
krb5_child started.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x1000): total buffer size: [208]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x0100): cmd [241] uid [650201177] gid [650200513] validate [true]
enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:650201177] old_ccname:
[KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [check_use_fast]
(0x0100): Not using FAST.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds]
(0x0200): Switch user to [650201177][650200513].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [KEYRING:persistent:650201177] and is not active
and TGT is valid.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_precreate_ccache]
(0x4000): Recreating ccache
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_setup] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): Will
perform online auth
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt]
(0x4000): Found Smartcard credentials, trying pkinit.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity]
(0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity]
(0x4000): Using pkinit identity
[PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364762: Getting
initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364764: Sending
request (209 bytes) to VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364765: Initiating TCP
connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364766: Sending TCP
request to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364767: Received
answer (189 bytes) from stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364768: Terminating
TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364769: Response was
from master KDC
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364770: Received error
from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364773: Processing
preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364774: Selected etype
info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags
[0].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]]
[sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module
encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt]
(0x0400): krb5_get_init_creds_password returned [-1765328174] during
pre-auth.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data]
(0x0200): Received error code 0
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [pack_response_packet]
(0x2000): response packet size: [12]
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data]
(0x4000): Response sent.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400):
krb5_child completed successfully
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400):
krb5_child started.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x1000): total buffer size: [208]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x0100): cmd [241] uid [650201177] gid [650200513] validate [true]
enterprise principal [true] offline [false] UPN [arnost(a)VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer]
(0x0100): ccname: [KEYRING:persistent:650201177] old_ccname:
[KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [check_use_fast]
(0x0100): Not using FAST.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds]
(0x0200): Switch user to [650201177][650200513].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [KEYRING:persistent:650201177] and is not active
and TGT is valid.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_precreate_ccache]
(0x4000): Recreating ccache
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_setup] (0x2000):
Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): Will
perform online auth
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt]
(0x4000): Found Smartcard credentials, trying pkinit.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity]
(0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity]
(0x4000): Using pkinit identity
[PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364762: Getting
initial credentials for arnost\@VALVERA.LOCAL@VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364764: Sending
request (209 bytes) to VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364765: Initiating TCP
connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364766: Sending TCP
request to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364767: Received
answer (189 bytes) from stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364768: Terminating
TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364769: Response was
from master KDC
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364770: Received error
from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364773: Processing
preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]]
[sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364774: Selected etype
info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags
[0].
Thanks,
Regards,
Pavel