Thank you Justin.

CentOS 7, sssd 1.13

 

Authentication with the ConsoleWorks application uses a YubiKey via AuthLite, which basically makes it two-factor authentication. It appends a one-time password to the AD credential password.

I tried to log in with the YubiKey and without it, and I get two different errors.

 

With YubiKey (correct password):

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): Will perform online auth

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [tgt_req_child] (0x1000): Attempting to get a TGT

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [k5c_send_data] (0x0200): Received error code 1432158215

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [pack_response_packet] (0x2000): response packet size: [4]

(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): krb5_child completed successfully

 

Without YubiKey (wrong password):

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): Will perform online auth

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [tgt_req_child] (0x1000): Attempting to get a TGT

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [k5c_send_data] (0x0200): Received error code 1432158209

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [pack_response_packet] (0x2000): response packet size: [4]

(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): krb5_child completed successfully

 

Would it help to remove it from the realm and rejoin it to the realm? I have another server where the authentication to the parent domain is working, where this one is not. I have compared the configurations but can't find the difference.

 

Sonia Gilbert, -Engineer II, Information Protection & Compliance Team

3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503

Sonia.Gilbert@HawaiianAir.com
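
Added example, not part of the original message: a small parser that groups krb5_child log lines by child PID and converts the MIT krb5 library code into the RFC 4120 error number the KDC returned, so the two attempts above can be matched against KDC-side logs. The function name `summarize` and the output field names are illustrative; the sample lines are copied from the message.

```python
import re

# MIT krb5 com_err table base (KRB5KDC_ERR_NONE). Offsets 0-127 from this base
# are the RFC 4120 error numbers carried in the KDC's KRB-ERROR reply.
KRB5_ERROR_TABLE_BASE = -1765328384

# Constructed sample: krb5_child lines copied from the two attempts above.
SAMPLE_LOG = """\
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [k5c_send_data] (0x0200): Received error code 1432158209
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
KRB5_ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]$")
REALM_RE = re.compile(r"^Attempting kinit for realm \[(?P<realm>[^\]]+)\]$")
SSSD_ERR_RE = re.compile(r"^Received error code (?P<code>\d+)$")


def summarize(log_text):
    """Return one summary dict per krb5_child PID, in order of first appearance."""
    attempts = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank lines, wrapped lines, other SSSD components
        a = attempts.setdefault(line["pid"], {"pid": int(line["pid"]), "time": line["ts"]})
        msg = line["msg"].strip()
        if (m := REALM_RE.match(msg)):
            a["realm"] = m["realm"]
        elif (m := KRB5_ERR_RE.match(msg)) and "krb5_code" not in a:
            a["krb5_code"], a["krb5_text"] = int(m["code"]), m["text"]
            offset = a["krb5_code"] - KRB5_ERROR_TABLE_BASE
            # Only offsets 0-127 are protocol errors; others are library-side.
            a["kdc_error"] = offset if 0 <= offset < 128 else None
        elif (m := SSSD_ERR_RE.match(msg)):
            a["sssd_code"] = int(m["code"])  # internal SSSD code sent to the backend
    return list(attempts.values())


if __name__ == "__main__":
    for attempt in summarize(SAMPLE_LOG):
        print(attempt)
```
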

 
