Hi,

Can you help me with a problem I struggle quite a time, that appeared after upgrade to sssd-13.4 (Ubuntu Xenial):

User can not login;

Home directory (nfs) secured with Kerberos, is mounted, with proper idmapping, but user is refused to login to the desktop (lightdm).

Ssh login is possible, but permission denied to access the  home directory.

 

This is setup with:

..

id_provider=ad

use_fully_qualified_names = true

ldap_id_mapping = false

..

In the krb5_child.log I can see suspicious sequence about “krb5_cc_cache_match failed”;

 

Output from the log:

--

 

   Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.933479: Sending request (8186 bytes) to A

DM.C.DOMAIN (tcp only)

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.934588: Resolving hostname host0a.adm.

c.domain.

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.936998: Initiating TCP connection to stre

am 10.144.5.5:88

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.938147: Sending TCP request to stream 10.

144.5.5:88

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946674: Received answer (8380 bytes) from

stream 10.144.5.5:88

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946720: Terminating TCP connection to str

eam 10.144.5.5:88

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948199: Response was not from master KDC

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948264: Decoding FAST response

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948342: FAST reply key: rc4-hmac/12E4

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948366: TGS reply is for user@NAT.C.SD

U.DK -> host/lnx-adm557.a.c.domain@A.C.DOMAIN with session key aes256-cts/31E4

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948401: TGS request result: 0/Success

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948407: Received creds for desired servic

e host/lnx-adm557.a.c.domain@A.C.DOMAIN

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948416: Storing user@N.C.DOMAIN -> h

ost/lnx-adm557.a.c.domain@A.C.DOMAIN in MEMORY:gNruZJ9

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948440: Creating authenticator for user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN, seqnum 0, subkey (null), session key aes256-cts/31E4

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948500: Retrieving host/lnx-adm557.a.c.domain@A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948585: Decrypted AP-REQ with specified server principal host/lnx-adm557.a.c.domain@A.C.DOMAIN: aes256-cts/DDBF

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948594: AP-REQ ticket: user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN, session key aes256-cts/31E4

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948813: Negotiated enctype based on authenticator: aes256-cts

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948828: Initializing MEMORY:rd_req2 with default princ user@N.C.DOMAIN

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948837: Storing user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN in MEMORY:rd_req2

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948849: Destroying ccache MEMORY:gNruZJ9

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0400): TGT verified using key for [host/lnx-adm557.a.c.domain@A.C.DOMAIN].

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948876: Retrieving user@N.C.DOMAIN -> host/lnx-adm557.a.c.domain@A.C.DOMAIN from MEMORY:rd_req2 with result: 0/Success

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948967: Retrieving LNX-ADM557$@A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [user\@N.C.DOMAIN@A.C.DOMAIN] might not be correct.

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.949031: Destroying ccache MEMORY:rd_req2

 

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_10002_XXXXXX]

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal user@N.C.DOMAIN in cache collection]

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): returning: 0

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Switch user to [10002][30000000].

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Already user [10002].

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x0200): Received error code 0

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [pack_response_packet] (0x2000): response packet size: [138]

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x4000): Response sent.

(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [main] (0x0400): krb5_child completed successfully

 

 

--

ls -l /tmp/krb5cc_10002_gIeneD

-rw------- 1 user@n.c.domain lnx-primary@a.c.domain 16482 Oct 25 16:14 /tmp/krb5cc_10002_gIeneD

 

klist -c /tmp/krb5cc_10002_gIeneD

Ticket cache: FILE:/tmp/krb5cc_10002_gIeneD

Default principal: user@N.C.DOMAIN

 

Valid starting       Expires              Service principal

10/25/2016 16:14:35  10/26/2016 02:14:35  krbtgt/N.C.DOMAIN@N.C.DOMAIN

        renew until 10/26/2016 02:14:35

10/25/2016 16:14:36  10/26/2016 02:14:35  krbtgt/C.SDU.DK@N.C.DOMAIN

        renew until 10/26/2016 02:14:35

10/25/2016 16:14:36  10/26/2016 02:14:35  nfs/adm-lnx-nfs0a.a.c.domain@

        renew until 10/26/2016 02:14:35

10/25/2016 16:14:36  10/26/2016 02:14:35  nfs/adm-lnx-nfs0a.a.c.domain@A.C.DOMAIN

 

        renew until 10/26/2016 02:14:35

 

Best,

Longina