On 12/09/2013 12:25 PM, Dan Candea
wrote:
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605000:
Getting initial credentials for testuser@2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605161: FAST
armor ccache: FILE:/var/lib/sss/db/fast_ccache_2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605262:
Retrieving ldapauth@2FA.TEST ->
krb5_ccache_conf_data/fast_avail/krbtgt\/2FA.TEST\@2FA.TEST@X-CACHECONF:
from FILE:/var/lib/sss/db/fast_ccache_2FA.TEST with result:
-1765328243/Matching credential not found
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605391:
Sending request (171 bytes) to 2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605496:
Resolving hostname 2fa-ad.2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.605791:
Sending initial UDP request to dgram 10.52.13.190:88
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.607384:
Received answer from dgram 10.52.13.190:88
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.677781:
Response was not from master KDC
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.677933: Salt
derived from principal: 2FA.TESTtestuser
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.677953:
Getting AS key, salt "2FA.TESTtestuser", params ""
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678158: AS
key obtained from gak_fct: rc4-hmac/9C81
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678303: Retrying
AS request with master KDC
Why sssd is doing this retry?
Here is how kinit is doing
KRB5_TRACE=/dev/stderr kinit testuser
[5332] 1386592069.283264: Getting initial credentials for
testuser@2FA.TEST
[5332] 1386592069.283720: Sending request (150 bytes) to 2FA.TEST
[5332] 1386592069.283838: Resolving hostname 2fa-ad.2FA.TEST
[5332] 1386592069.284143: Sending initial UDP request to dgram
10.52.13.190:88
[5332] 1386592069.289908: Received answer from dgram 10.52.13.190:88
[5332] 1386592069.335244: Response was not from master KDC
[5332] 1386592069.335375: Salt derived from principal:
2FA.TESTtestuser
[5332] 1386592069.335438: Getting AS key, salt "2FA.TESTtestuser",
params ""
Password for testuser@2FA.TEST:
[5332] 1386592072.864966: AS key obtained from gak_fct:
rc4-hmac/53BB
[5332] 1386592072.865226: Decrypted AS reply; session key is:
rc4-hmac/8DBC
[5332] 1386592072.865349: FAST negotiation: unavailable
[5332] 1386592072.865491: Initializing FILE:/tmp/krb5cc_0 with
default princ testuser@2FA.TEST
[5332] 1386592072.866066: Removing testuser@2FA.TEST ->
krbtgt/2FA.TEST@2FA.TEST from FILE:/tmp/krb5cc_0
[5332] 1386592072.866184: Storing testuser@2FA.TEST ->
krbtgt/2FA.TEST@2FA.TEST in FILE:/tmp/krb5cc_0
(Mon
Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678379:
Getting initial credentials for testuser@2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678501: FAST
armor ccache: FILE:/var/lib/sssdb/fast_ccache_2FA.TEST
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678737:
Retrieving ldapauth@2FA.TEST ->
krb5_ccache_conf_data/fast_avail/krbtgt\/2FA.TEST\@2FA.TEST@X-CACHECONF:
from FILE:/var/lib/sss/db/fast_ccache_2FA.TEST with result:
-1765328243/Matching credential not found
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[sss_child_krb5_trace_cb] (0x4000): [1335] 1386584323.678843:
Sending request (171 bytes) to 2FA.TEST (master)
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[get_and_save_tgt] (0x0020): 918: [-1765328353][Decrypt integrity
check failed]
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[map_krb5_error] (0x0020): 979: [-1765328353][Decrypt integrity
check failed]
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[pack_response_packet] (0x2000): response packet size: [4]
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]]
[k5c_send_data] (0x4000): Response sent.
(Mon Dec 9 10:18:43 2013) [[sssd[krb5_child[1335]]]] [main]
(0x0400): krb5_child completed successfully
--
Dan Cândea
Does God Play Dice?