On Fri, Sep 25, 2015 at 10:30:51AM +0000, Ondrej Valousek wrote:
Here is the krb5_child.log:
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917796: TGS request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917822: Received creds for desired service
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917850: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917878: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917924: Creating authenticator for
ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, seqnum 0, subkey (null),
session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918003: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918061: Decrypted AP-REQ with specified server principal
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM: rc4-hmac/0336
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918092: AP-REQ ticket: ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918267: Negotiated enctype based on authenticator: rc4-hmac
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918299: Initializing MEMORY:rd_req2 with default princ
ondrejv(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918330: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918357: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918390: Destroying ccache MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT
verified using key for [host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918470: Retrieving ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2 with result:
0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918565: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[ondrejv\@DUBLIN.AD.S3GROUP.COM(a)DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918705: Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to
become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:14019]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed:
[-1765328243][Can't find client principal ondrejv(a)DUBLIN.AD.S3GROUP.COM in cache
collection]
Not sure if it helps.
I'm sorry, but it does not help. Both messages about
'sss_pac_make_request failed' and 'Can't find client principal' will
not
cause the authentication to fail. So more log data is needed here. As
said, feel free to send the full logs to me directly.
bye,
Sumit