On Wed, Jun 28, 2017 at 11:09:38PM +0200, Lukas Slebodnik wrote:
On (28/06/17 16:51), Abhijit Tikekar wrote:
>Hi Jakub,
>
>Thanks for the response.
>
>After enabling ldap_use_tokengroups = true, "id" command is now able to
>retrieve all the group memberships for that user. But Authentication still
>doesn't work.
>
>Also tried setting ad_gpo_access_control = permissive / access_provider =
>permit but that didn't help.
>
>I am attaching both krb5_child.log and sssd_domain.log ( Both with Logon
>level 10) here. These were captures during the authentication attempt.
>
Logs are not from the same time. There is 8 minutes between authentication
attempt and krb5_child.log.
But I smell a crash in krb5_child.log
(Wed Jun 28 16:02:27 2017) [[sssd[krb5_child[23140]]]] [sss_child_krb5_trace_cb] (0x4000): [23140] 1498680147.720777: Requesting tickets for host/hostname.def.xyz.local@ABC.XYZ.LOCAL, referrals on
(Wed Jun 28 16:02:27 2017) [[sssd[krb5_child[23140]]]] [sss_child_krb5_trace_cb] (0x4000): [23140] 1498680147.720845: Generated subkey for TGS request: aes256-cts/D868
(Wed Jun 28 16:02:27 2017) [[sssd[krb5_child[23140]]]] [sss_child_krb5_trace_cb] (0x4000): [23140] 1498680147.720891: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Wed Jun 28 16:02:27 2017) [[sssd[krb5_child[23140]]]] [sss_child_krb5_trace_cb] (0x4000): [23140] 1498680147.721078: Sending request (1750 bytes) to ABC.XYZ.LOCAL
(Wed Jun 28 16:02:29 2017) [[sssd[krb5_child[23141]]]] [main] (0x0400): krb5_child started.
(Wed Jun 28 16:02:29 2017) [[sssd[krb5_child[23141]]]] [unpack_buffer] (0x1000): total buffer size: [181]
Because I would expect different messages at the end "16:02:27"
and we can see only that a new child started.

Yes, either a crash, or the back end killed the krb5_child because of a
timeout. This could be seen in the matching domain log -- either you
would see that the child was killed by signal 6 or 11 or similar
(=crash) or you would see that the child was killed by the back end due
to a timeout.
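
The check described in the thread, as an added example that is not part of the original mails and is not SSSD code: it groups krb5_child.log lines by child PID and reports any child whose last logged line is a libkrb5 trace of a request still in flight, with the delay until the next child started. The function names and the `IN_FLIGHT` heuristic are assumptions of this example; the sample lines are the ones quoted above with the wrapped lines rejoined.

```python
import re
from datetime import datetime

# SSSD debug line: (timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
# Assumption of this example: a child whose final line is one of these libkrb5
# trace messages stopped while a KDC exchange was still outstanding.
IN_FLIGHT = ("Sending request", "Requesting tickets")

def parse(lines):
    """Yield (datetime, pid, function, message) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, int(m["pid"]), m["func"], m["msg"]

def abrupt_children(lines):
    """Return [(pid, last_ts, last_msg, seconds_to_next_child_start)]."""
    last, starts = {}, []   # pid -> final line seen; (ts, pid) of child starts
    for ts, pid, func, msg in parse(lines):
        last[pid] = (ts, func, msg)
        if func == "main" and msg.startswith("krb5_child started"):
            starts.append((ts, pid))
    findings = []
    for pid, (ts, func, msg) in sorted(last.items()):
        # Drop the "[pid] epoch.usec: " prefix that libkrb5 tracing adds.
        text = re.sub(r"^\[\d+\] \d+\.\d+: ", "", msg)
        if func == "sss_child_krb5_trace_cb" and text.startswith(IN_FLIGHT):
            later = [s for s, p in starts if p != pid and s >= ts]
            gap = (min(later) - ts).total_seconds() if later else None
            findings.append((pid, ts, text, gap))
    return findings

# Lines quoted in the mail above, wrapped lines rejoined.
SAMPLE = """\
(Wed Jun 28 16:02:27 2017) [[sssd[krb5_child[23140]]]] [sss_child_krb5_trace_cb] (0x4000): [23140] 1498680147.720845: Generated subkey for TGS request: aes256-cts/D868
(Wed Jun 28 16:02:27 2017) [[sssd[krb5_child[23140]]]] [sss_child_krb5_trace_cb] (0x4000): [23140] 1498680147.721078: Sending request (1750 bytes) to ABC.XYZ.LOCAL
(Wed Jun 28 16:02:29 2017) [[sssd[krb5_child[23141]]]] [main] (0x0400): krb5_child started.
(Wed Jun 28 16:02:29 2017) [[sssd[krb5_child[23141]]]] [unpack_buffer] (0x1000): total buffer size: [181]
""".splitlines()

if __name__ == "__main__":
    for pid, ts, text, gap in abrupt_children(SAMPLE):
        print(f"krb5_child[{pid}] last seen {ts}: {text!r}; next child after {gap}s")
```

A hit only narrows down which child and timestamp to look for; the matching domain log still has to show whether that child died on a signal or was killed by the back end on a timeout.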