This is a good question.

Is it wrong?

The computer should always have a valid TGT.

What happens if the computer's TGT expires – or rather, if it expires, does the user still have access to all services?

Do I need some tuning in the config to prevent that?

I caught in ldap_child.log the precise change from preauthentication success -> preauthentication failed:

 

ls -l /etc/krb5.keytab

-rw------- 1 root root 894 Nov 07:48 /etc/krb5.keytab

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x2000): getting TGT sync

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [prepare_response] (0x0400): Building response for result [0]

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x2000): response size: 60

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]

(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x0400): ldap_child completed successfully

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x0400): ldap_child started.

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): context initialized

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): total buffer size: 37

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): realm_str size: 12

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): princ_str size: 9

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got princ_str: VICTORIA$

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): keytab_name size: 0

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): lifetime: 86400

(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): getting TGT sync:

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): keytab_name size: 0

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): lifetime: 86400

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x2000): getting TGT sync

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [prepare_response] (0x0400): Building response for result [-1765328360]

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x2000): response size: 44

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0400): ldap_child completed successfully

(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8138]]]] [main] (0x0400): ldap_child started.

 

Longina

From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 29. november 2012 14:27
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] problems sssd-1.9.2

 

Why do you need a TGT generated from a machine account principal?
Use your own instead.

O.

On 11/29/2012 12:12 PM, Longina Przybyszewska wrote:

Can sssd do it for me ? Do I miss some options configured properly ?
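The triage Longina did by hand above (finding the point in ldap_child.log where the machine account's TGT acquisition flips from success to "Preauthentication failed") can be scripted. The following is an added example written for this page; it is not code from the thread or from the sssd project. It assumes the sssd 1.9 ldap_child.log line format shown above, decodes the signed krberr value using the MIT krb5 error table base (ERROR_TABLE_BASE_krb5 = -1765328384, so -1765328360 is KRB5KDC_ERR_PREAUTH_FAILED), and embeds a constructed sample log made of a handful of lines taken from the thread. The error-name table is a deliberately short subset.

```python
"""Triage of sssd ldap_child.log: when did the machine-account TGT stop working?

Added example, not sssd code. Groups the per-run debug lines that ldap_child
writes (sssd 1.9 format, as posted in the thread) by child PID, records the
principal, the requested TGT lifetime and the final result/krberr of each
run, and reports the last successful run before the first failing one, with
the krb5 error decoded.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[ldap_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PRINC_RE = re.compile(r"Principal name is: \[(?P<princ>[^\]]+)\]")
LIFETIME_RE = re.compile(r"lifetime: (?P<secs>\d+)")
RESULT_RE = re.compile(
    r"result \[(?P<res>-?\d+)\] krberr \[(?P<krb>-?\d+)\] msgsize \[\d+\] msg \[(?P<msg>.*)\]$"
)

# MIT krb5 com_err table: error value = ERROR_TABLE_BASE_krb5 + offset (subset only).
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # principal not known to the KDC
    24: "KRB5KDC_ERR_PREAUTH_FAILED",      # with a keytab: key/kvno no longer matches the KDC
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB5KRB_AP_ERR_SKEW",             # clock skew beyond the KDC's tolerance
}


def decode_krberr(code):
    """Map the signed krberr value from a pack_buffer line to its MIT krb5 name."""
    if code == 0:
        return "OK"
    name = KRB5_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE)
    return name or "unknown krb5 error %d" % code


def parse_runs(lines):
    """Return one dict per ldap_child PID, in order of first appearance."""
    runs = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or damaged line (e.g. missing leading parenthesis)
        pid, ts, msg = m.group("pid"), m.group("ts"), m.group("msg")
        run = runs.setdefault(pid, {
            "pid": pid, "start": ts, "end": None, "principal": None,
            "lifetime": None, "krberr": None, "msg": None,
        })
        pm = PRINC_RE.search(msg)
        if pm:
            run["principal"] = pm.group("princ")
        lm = LIFETIME_RE.search(msg)
        if lm:
            run["lifetime"] = int(lm.group("secs"))
        rm = RESULT_RE.search(msg)
        if rm:  # the final verdict of this run
            run["krberr"] = int(rm.group("krb"))
            run["msg"] = rm.group("msg")
            run["end"] = ts
    return list(runs.values())


def first_failure(runs):
    """Return (last successful run, first failing run). Runs with no result line are skipped."""
    last_ok = None
    for run in runs:
        if run["krberr"] is None:
            continue  # log cut off mid-run, as with PID 7867 in the thread
        if run["krberr"] == 0:
            last_ok = run
        else:
            return last_ok, run
    return last_ok, None


def report(lines):
    """One-line summary of the success -> failure transition, if there is one."""
    last_ok, fail = first_failure(parse_runs(lines))
    if fail is None:
        return "no failing TGT acquisition found"
    window = "%s -> %s" % (last_ok["end"], fail["end"]) if last_ok else "before %s" % fail["end"]
    return "%s: %s (%d) for %s; last success pid %s, window %s" % (
        fail["pid"], decode_krberr(fail["krberr"]), fail["krberr"],
        fail["principal"], last_ok["pid"] if last_ok else "none", window)


# Constructed sample: a condensed selection of the lines posted in the thread.
SAMPLE_LOG = """\
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x0400): ldap_child started.
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): getting TGT sync:
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

On a live host the same check can be made without sssd by reading the keytab and asking for a TGT directly: `klist -kte /etc/krb5.keytab` lists the principals, kvnos and enctypes held, and `kinit -kt /etc/krb5.keytab 'VICTORIA$@NAT.C.SDU.DK'` reproduces the ldap_child request; if kinit also reports "Preauthentication failed", the keytab and the KDC disagree on the machine account's key, and no sssd tuning will change that.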