On Fri, Jul 15, 2016 at 01:04:17PM -0400, David Wilhelm wrote:
> The NAS is also running Arch, and is the MIT kerberos 1.13.1. The
> client is using 1.13.4 of the same package.
> On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose <sbose(a)redhat.com> wrote:
> > On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
> >> After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for
> >> kerberos-authenticated accounts. However, kinit still succeeds and "getent
> >> passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
> >> credential cache folder) restores normal operation.
Thanks, I was able to reproduce the issue. After discussing it with a
co-worker I opened
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454
because we think it is originally an issue in the responder interface of
MIT Kerberos. I would like to hear back from MIT before trying to fix
the SSSD side.
I'm pretty sure that authentication would work again if you enable
pre-authentication for the user principals on the KDC:
# kadmin.local
kadmin.local: modprinc +requires_preauth dave(a)LA-LA.LAN
Is there a reason why pre-authentication is disabled? If not, it is very,
very, very recommended to enable it (not only to make SSSD work), see
e.g.
http://superuser.com/questions/200010/how-does-kerberos-preauthentication...
for some explanations.
bye,
Sumit
> >>
> >> My setup:
> >> I'm running Arch linux, and have PAM set to use sssd. sssd in turn
> >> authenticates against a kerberos instance running on my NAS, and pulls user information
> >> from an openldap instance. PAM, kerberos, and openldap were configured by hand as a
> >> learning experience, and have been running for about a year. DNS and NTP are working,
> >> ldap is returning users, and kinit is succeeding on both my local machine and the server.
> >
> > I think I have an idea what is wrong. Can you tell me what kind of KDC
> > you are using on the NAS and which Kerberos library is used on the
> > client so that I can try to reproduce it locally?
> >
> > bye,
> > Sumit
> >
> >>
> >> This appears to be the relevant section of the logs, from krb5_child.log
> >> (with debug_level 10):
> >>
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child started.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total buffer size: [147]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [dave(a)LA-LA.LAN]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab: [/etc/krb5.keytab]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not using FAST.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [0][0].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already user [1042].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running as [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform online auth
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for dave(a)LA-LA.LAN].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received error code 1432158218
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet] (0x2000): response packet size: [4]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000): Response sent.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully
> >>
> >> Please let me know if any other logs or configurations are needed.
> >> _______________________________________________
> >> sssd-users mailing list
> >> sssd-users(a)lists.fedorahosted.org
> >> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
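To make the failure discussed in this thread easy to spot in a large krb5_child.log, here is an added example (my own code, not SSSD's or MIT Kerberos's) that parses the debug_level 10 line format David quoted and flags each krb5_child run in which the krb5 library fell back to SSSD's password prompter ("Cannot handle password prompts") and the TGT request then failed with "Cannot read password". That is the signature to look for before checking whether the affected principals have pre-authentication enabled. The sample log is constructed from the lines quoted above, with the archive's "(a)" restored to "@"; the class and function names are my own.

```python
"""Detect the krb5_child prompter-fallback failure in an SSSD krb5_child.log.

Added example, not SSSD project code. Parses the debug_level 10 line
format and reports, per krb5_child process, the case where the MIT krb5
library asked SSSD's prompter for a password (which krb5_child cannot
answer) and the TGT request then failed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# e.g. "(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child started."
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# krb5 error lines look like "1296: [-1765328254][Cannot read password]"
KRB5_ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
PROMPT_RE = re.compile(r"Prompt \[\d+\]\[Password for (?P<principal>[^\]]+)\]")
SSSD_ERR_RE = re.compile(r"Received error code (?P<code>\d+)")


@dataclass
class Entry:
    ts: str
    pid: int
    func: str
    level: int  # SSSD debug level bit, e.g. 0x0020 marks error messages
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one krb5_child.log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m["ts"], int(m["pid"]), m["func"], int(m["level"], 16), m["msg"])


@dataclass
class PrompterFailure:
    pid: int
    principal: Optional[str] = None
    krb5_code: Optional[int] = None
    krb5_text: Optional[str] = None
    sssd_code: Optional[int] = None


def find_prompter_failures(lines: Iterable[str]) -> List[PrompterFailure]:
    """Group entries by krb5_child pid and report each process in which the
    library fell back to the prompter and the TGT request then errored out."""
    by_pid: Dict[int, List[Entry]] = {}
    for line in lines:
        e = parse_line(line)
        if e is not None:
            by_pid.setdefault(e.pid, []).append(e)

    failures: List[PrompterFailure] = []
    for pid, entries in sorted(by_pid.items()):
        cannot_prompt = any(
            e.func == "sss_krb5_prompter" and "Cannot handle password prompts" in e.msg
            for e in entries
        )
        if not cannot_prompt:
            continue
        f = PrompterFailure(pid)
        for e in entries:
            if e.func == "sss_krb5_prompter" and (pm := PROMPT_RE.search(e.msg)):
                f.principal = pm["principal"]
            elif e.func == "get_and_save_tgt" and (km := KRB5_ERR_RE.search(e.msg)):
                f.krb5_code, f.krb5_text = int(km["code"]), km["text"]
            elif e.func == "k5c_send_data" and (sm := SSSD_ERR_RE.search(e.msg)):
                f.sssd_code = int(sm["code"])
        # A prompt that was never followed by an error is not a failed login.
        if f.krb5_code is not None:
            failures.append(f)
    return failures


def describe(f: PrompterFailure) -> str:
    who = f.principal or "<unknown principal>"
    return (f"krb5_child[{f.pid}]: library fell back to the password prompter for {who}; "
            f"TGT request failed with krb5 error {f.krb5_code} ({f.krb5_text}), "
            f"krb5_child returned {f.sssd_code} to the backend")


# Constructed sample: the lines quoted in the thread, joined and with "(a)" -> "@".
SAMPLE_LOG = """\
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child started.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [dave@LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for dave@LA-LA.LAN].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received error code 1432158218
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully
"""

# Constructed control run (hypothetical pid) with no prompter fallback at all.
HEALTHY_LOG = """\
(Thu Jul 14 16:50:01 2016) [[sssd[krb5_child[2470]]]] [main] (0x0400): krb5_child started.
(Thu Jul 14 16:50:01 2016) [[sssd[krb5_child[2470]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN]
(Thu Jul 14 16:50:01 2016) [[sssd[krb5_child[2470]]]] [main] (0x0400): krb5_child completed successfully
"""

if __name__ == "__main__":
    for failure in find_prompter_failures(SAMPLE_LOG.splitlines()):
        print(describe(failure))
```

Run it against a real krb5_child.log by feeding the file's lines to `find_prompter_failures`; the detector only reports a process when both the "Cannot handle password prompts" message and a subsequent error from `get_and_save_tgt` are present, so a prompt that was merely logged at trace level does not count as a failed login.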