On Mon, May 23, 2016 at 07:21:56AM -0000, jas.petermac(a)gmail.com wrote:
> Hi All,
> Last week I bound my computer to Active Directory and everything was working fine but as
> of today authentication has started to fail.
> SSSD log
> In the logs (debug = 7) I see:
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_resolve_server_process] (0x0200): Found address for server pmc-dc2.petermac.org.au: [172.23.8.18] TTL 3600
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://pmc-dc2.petermac.org.au'
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://pmc-dc2.petermac.org.au'
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child started.
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x1000): total buffer size: [136]
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): cmd [241] uid [1501] gid [1501] validate [true] enterprise principal [true] offline [false] UPN [Ellul Jason@PETERMAC.ORG.AU]
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1501] old_ccname: [not set] keytab: [/etc/krb5.keytab]
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [check_use_fast] (0x0100): Not using FAST.
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [become_user] (0x0200): Trying to become user [1501][1501].
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): Will perform online auth
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [PETERMAC.ORG.AU]
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [LA35185$@PETERMAC.ORG.AU].
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [map_krb5_error] (0x0020): 1301: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
It looks like the host password for your client was updated on the AD
server but the new password was not written to the local keytab.
Which version of SSSD are you using? Recent versions of SSSD can update
the password to meet an AD policy, but SSSD should take care that the new
password is written to /etc/krb5.conf as well?
Did you try to export the keytab for this host from AD manually?
Maybe the export utility was not able to export the current keys but
created a new password and exported the keys based on this new password?
The error happens during the ticket validation; as a workaround you can
disable it by setting 'krb5_validate = False' in the [domain/...]
section of sssd.conf. But I would not recommend it, because SSSD uses
the keytab to authenticate itself to AD for LDAP access as well. AD
will mostly allow the previous password to be used as well, but as soon
as the password is updated again the keys with key version number kvno=2
will not work anymore and SSSD will not be able to connect to AD
anymore. So you should try to find out why the host password was updated
on AD.
HTH
bye,
Sumit
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> (Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child completed successfully
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [check_wait_queue] (0x1000): Wait queue for user [Ellul Jason] is empty.
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x555f73e8b420] done.
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [4][petermac.org.au]
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [4][petermac.org.au]
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x1000): Waiting for child [6572].
> (Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x0100): child [6572] finished successfully.
> (Mon May 23 17:18:58 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][petermac.org.au]
> (Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
> (Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 32
> (Mon May 23 17:18:58 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
> (Mon May 23 17:18:59 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>
> [root@la35185 jellul]# klist -k -t /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
>    2 23/05/16 12:55:53 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
>    2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
>
> Many thanks
>
> Jason
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
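Added example, not part of the thread or of SSSD itself: a small Python check that pairs the krb5_child "Cannot find key for ... kvno N in keytab" error with the KVNOs actually present in klist -k -t output, so a stale host keytab like the one above is flagged without resorting to krb5_validate = False. The sample klist output and log lines are constructed in the thread's format (principal and realm from the post, timestamps made up); the two-token klist timestamp layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -t /etc/krb5.keytab` output (thread's principals, made-up times).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
"""

# Constructed krb5_child log lines in the format quoted in the thread.
KRB5_CHILD_LOG = """\
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [LA35185$@PETERMAC.ORG.AU].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
"""

# Keytab row: KVNO, a two-token timestamp (assumed layout), then the principal.
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")
MISSING_KEY = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")

def keytab_kvnos(klist_text):
    """Map each principal in klist -k -t output to the highest KVNO it has locally."""
    kvnos = defaultdict(int)
    for line in klist_text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            principal, kvno = m.group(2), int(m.group(1))
            kvnos[principal] = max(kvnos[principal], kvno)
    return dict(kvnos)

def missing_keys(log_text):
    """Map each principal in a 'Cannot find key' error to the KVNO the KDC encrypted with."""
    return {m.group(1): int(m.group(2)) for m in MISSING_KEY.finditer(log_text)}

def diagnose(klist_text, log_text):
    """Pair every missing-key error with what the local keytab actually holds."""
    have = keytab_kvnos(klist_text)
    report = []
    for principal, wanted in missing_keys(log_text).items():
        local = have.get(principal)
        if local is None:
            report.append((principal, wanted, local, "principal absent from keytab"))
        elif local < wanted:
            report.append((principal, wanted, local, "keytab stale: AD rotated the machine account password"))
        else:
            report.append((principal, wanted, local, "kvno present; mismatch lies elsewhere (enctype or spelling)"))
    return report
```

Run diagnose() over the real klist output and the krb5_child log; a "keytab stale" entry means the keytab must be re-exported or the machine account password reset, which is the fix the reply above points at.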