On 12/09/2013 12:25 PM, Dan Candea wrote:
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605000: Getting
initial credentials for testuser@2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605161: FAST
armor ccache: FILE:/var/lib/sss/db/fast_ccache_2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605262:
Retrieving ldapauth@2FA.TEST ->
krb5_ccache_conf_data/fast_avail/krbtgt\/2FA.TEST\@2FA.TEST@X-CACHECONF:
from FILE:/var/lib/sss/db/fast_ccache_2FA.TEST with result:
-1765328243/Matching credential not found
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605391: Sending
request (171 bytes) to 2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605496:
Resolving hostname 2fa-ad.2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605791: Sending
initial UDP request to dgram 10.52.13.190:88
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.607384: Received
answer from dgram 10.52.13.190:88
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.677781: Response
was not from master KDC
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.677933: Salt
derived from principal: 2FA.TESTtestuser
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.677953: Getting
AS key, salt "2FA.TESTtestuser", params ""
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678158: AS key
obtained from gak_fct: rc4-hmac/9C81
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678303:
*Retrying AS request with master KDC *
Why is sssd doing this retry?
Here is how kinit does it:
KRB5_TRACE=/dev/stderr kinit testuser
[5332] 1386592069.283264: Getting initial credentials for testuser@2FA.TEST
[5332] 1386592069.283720: Sending request (150 bytes) to 2FA.TEST
[5332] 1386592069.283838: Resolving hostname 2fa-ad.2FA.TEST
[5332] 1386592069.284143: Sending initial UDP request to dgram
10.52.13.190:88
[5332] 1386592069.289908: Received answer from dgram 10.52.13.190:88
[5332] 1386592069.335244: Response was not from master KDC
[5332] 1386592069.335375: Salt derived from principal: 2FA.TESTtestuser
[5332] 1386592069.335438: Getting AS key, salt "2FA.TESTtestuser", params
""
Password for testuser@2FA.TEST:
[5332] 1386592072.864966: AS key obtained from gak_fct: rc4-hmac/53BB
[5332] 1386592072.865226: Decrypted AS reply; session key is: rc4-hmac/8DBC
[5332] 1386592072.865349: FAST negotiation: unavailable
[5332] 1386592072.865491: Initializing FILE:/tmp/krb5cc_0 with default
princ testuser@2FA.TEST
[5332] 1386592072.866066: Removing testuser@2FA.TEST ->
krbtgt/2FA.TEST@2FA.TEST from FILE:/tmp/krb5cc_0
[5332] 1386592072.866184: Storing testuser@2FA.TEST ->
krbtgt/2FA.TEST@2FA.TEST in FILE:/tmp/krb5cc_0
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678379: Getting
initial credentials for testuser@2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678501: FAST
armor ccache: FILE:/var/lib/sssdb/fast_ccache_2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678737:
Retrieving ldapauth@2FA.TEST ->
krb5_ccache_conf_data/fast_avail/krbtgt\/2FA.TEST\@2FA.TEST@X-CACHECONF:
from FILE:/var/lib/sss/db/fast_ccache_2FA.TEST with result:
-1765328243/Matching credential not found
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678843: Sending
request (171 bytes) to 2FA.TEST (master)
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[get_and_save_tgt] (0x0020): 918: [-1765328353][Decrypt integrity
check failed]
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]] [map_krb5_error]
(0x0020): 979: [-1765328353][Decrypt integrity check failed]
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[pack_response_packet] (0x2000): response packet size: [4]
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]] [k5c_send_data]
(0x4000): Response sent.
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]] [main] (0x0400):
krb5_child completed successfully
--
Dan Cândea
Does God Play Dice?