This is a good question.
Is it wrong?
The computer should always have a valid TGT.
What happens if the computer's TGT expires, or rather, if it expires, does the user still have access to all services?
Do I need some tuning in config to prevent that?
I caught in ldap_child.log the precise change from preauthentication success -> preauthentication failed:
ls -l /etc/krb5.keytab
-rw------- 1 root root 894 Nov 07:48 /etc/krb5.keytab
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [prepare_response] (0x0400): Building response for result [0]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x2000): response size: 60
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x0400): ldap_child completed successfully
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x0400): ldap_child started.
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): context initialized
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): total buffer size: 37
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): princ_str size: 9
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got princ_str: VICTORIA$
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): getting TGT sync:
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x2000): getting TGT sync
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x2000): response size: 44
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0400): ldap_child completed successfully
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8138]]]] [main] (0x0400): ldap_child started.
Longina
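The success-to-failure flip in the ldap_child.log excerpt above is easy to miss by eye when the child is spawned every few minutes. The following parser (an added example for this thread, not part of the original post or of SSSD itself) groups ldap_child.log lines by child pid, records the principal and the Kerberos result of each run, and reports every principal whose TGT acquisition went from krberr 0 to a failure. The log format and the sample lines are taken from the excerpt in the post; the function names are my own.

```python
import re
from collections import OrderedDict

# One ldap_child.log line: "(ts) [[sssd[ldap_child[pid]]]] [func] (0xlevel): msg"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[ldap_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
PRINC_RE = re.compile(r"Principal name is: \[(?P<princ>[^\]]+)\]")
RESULT_RE = re.compile(r"result \[(?P<res>-?\d+)\] krberr \[(?P<krb>-?\d+)\]")
FAIL_RE = re.compile(r"Failed to init credentials: (?P<reason>.+)")

def summarize_ldap_child(lines):
    """Group log lines by child pid; record principal, krberr and failure reason."""
    runs = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a complete log line (e.g. a wrapped continuation)
        run = runs.setdefault(m["pid"], {"ts": m["ts"], "principal": None,
                                         "krberr": None, "reason": None})
        if p := PRINC_RE.search(m["msg"]):
            run["principal"] = p["princ"]
        if f := FAIL_RE.search(m["msg"]):
            run["reason"] = f["reason"]
        if r := RESULT_RE.search(m["msg"]):  # final pack_buffer result line
            run["krberr"] = int(r["krb"])
    return runs

def tgt_transitions(runs):
    """Return (principal, ok_pid, failed_pid, reason) for each success->failure flip."""
    last_ok, flips = {}, []
    for pid, run in runs.items():
        princ = run["principal"]
        if princ is None or run["krberr"] is None:
            continue  # incomplete run, nothing to compare
        if run["krberr"] == 0:
            last_ok[princ] = pid
        elif princ in last_ok:
            flips.append((princ, last_ok.pop(princ), pid, run["reason"]))
    return flips

# Sample lines taken from the ldap_child.log excerpt in the post above.
SAMPLE = """\
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
""".splitlines()

if __name__ == "__main__":
    for princ, ok, bad, why in tgt_transitions(summarize_ldap_child(SAMPLE)):
        print(f"{princ}: TGT ok in pid {ok}, failed in pid {bad}: {why}")
```

Feed it the whole ldap_child.log (for example `summarize_ldap_child(open(path))`) to see at which child run a machine principal first stopped getting its TGT.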
From: sssd-users-bounces@lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 29. november 2012 14:27
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] problems sssd-1.9.2
Why do you need a TGT generated from a machine account principal?
Use your own instead.
O.
On 11/29/2012 12:12 PM, Longina Przybyszewska wrote:
Can sssd do it for me? Do I miss some options configured properly?