[SSSD-users] Re: sssd authentication fails with "Cannot read password" after upgrading to 1.14

On Fri, Jul 15, 2016 at 01:04:17PM -0400, David Wilhelm wrote: Thanks I was able to reproduce the issue. After discussing it with a co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454 because we think it is originally an issue in the responder interface of MIT Kerberos. I would like to hear back from MIT before trying to fix the SSSD side. I'm pretty sure that authentication would work again if you enable pre-authentication for the user principals on the KDC # kadmin.local kadmin.local: modprinc +requires_preauth dave(a)LA-LA.LAN Is there a reason why pre-authentication is disabled? If not it is very, very, very recommended to enable it (not only to make SSSD work), see e.g. http://superuser.com/questions/200010/how-does-kerberos-preauthentication... for some explanations. bye, Sumit > >> > >> My setup: > >> I'm running Arch linux, and have PAM set to use sssd. sssd in turn authenticates against a kerberos instance running on my NAS, and pulls user information from an openldap instance. PAM, kerberos, and openldap were configured by hand as a learning experience, and have been running for about a year. DNS and NTP are working, ldap is returning users, and kinit is succeeding on both my local machine and the server. > > > > I think I have an idea what is wrong. Can you tell me what kind of KDC > > you are using on the NAS and which Kerberos library is used on the > > client so that I can try to reproduce it locally? > > > > bye, > > Sumit > > > >> > >> This appears to be the relevant section of the logs, from krb5_child.log (with debug_level 10): > >> > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child started. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total buffer size: [147] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN [dave(a)LA-LA.LAN] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab: [/etc/krb5.keytab] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not using FAST. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [1042][1001]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user to [0][0]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as [1042][1001]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to become user [1042][1001]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already user [1042]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running as [1042][1001]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform online auth > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000): Attempting to get a TGT > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [LA-LA.LAN] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for dave(a)LA-LA.LAN]. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received error code 1432158218 > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet] (0x2000): response packet size: [4] > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000): Response sent. > >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child completed successfully > >> > >> Please let me know if any other logs or configurations are needed. > >> _______________________________________________ > >> sssd-users mailing list > >> sssd-users(a)lists.fedorahosted.org > >> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org > > _______________________________________________ > > sssd-users mailing list > > sssd-users(a)lists.fedorahosted.org > > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org