Hi,
I'm trying to configure smartcard (pkinit) authentication against Active Directory on the latest CentOS without success.
AD authentication without a smartcard works without problems, and standalone kinit with a smartcard also works, but I can't manage to log in with a smartcard and sssd.
Is it supposed to work in its current state? What problem does the mentioned patch address?
I included krb5.conf, sssd.conf and krb5_child.log. What I considered strange is this part:
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
I.e. the X509 identity is found but not used, and the prompt for the PIN is ignored?
What can be wrong? Thanks.

krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    dns_canonicalize_hostname = false
    rdns = false
    default_realm = VALVERA.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    VALVERA.LOCAL = {
        kdc = 172.30.30.30
        admin_server = 172.30.30.30
        pkinit_anchors = FILE:/etc/ca.crt
        pkinit_eku_checking = kpServerAuth
        pkinit_kdc_hostname = valvera.local
        pkinit_identities = PKCS11:libcoolkeypk11.so
    }

sssd.conf:

[sssd]
debug_level = 9
domains = valvera.local
config_file_version = 2
services = nss, pam

[pam]
pam_cert_auth = True

[domain/valvera.local]
debug_level = 9
ad_domain = valvera.local
krb5_realm = VALVERA.LOCAL
ldap_user_certificate = userCertificate;binary
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

krb5_child.log:
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): krb5_child started.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x1000): total buffer size: [202]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x0100): cmd [249] uid [650201177] gid [650200513] validate [true] enterprise principal [true] offline [false] UPN [arnost@VALVERA.LOCAL]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:650201177] old_ccname: [KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x2000): Running as [0][0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [k5c_setup] (0x2000): Running as [0][0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): Will perform pre-auth
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [VALVERA.LOCAL]
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480064: Getting initial credentials for arnost@VALVERA.LOCAL@VALVERA.LOCAL
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480066: Sending request (209 bytes) to VALVERA.LOCAL
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480067: Initiating TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480068: Sending TCP request to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480069: Received answer (189 bytes) from stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480070: Terminating TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480071: Response was from master KDC
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480072: Received error from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480075: Processing preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589653.480076: Selected etype info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87844: PKINIT client has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87845: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for arnost@VALVERA.LOCAL@VALVERA.LOCAL].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x0200): Received error code 0
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [pack_response_packet] (0x2000): response packet size: [12]
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [k5c_send_data] (0x4000): Response sent.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [main] (0x0400): krb5_child completed successfully
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): krb5_child started.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x1000): total buffer size: [208]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): cmd [241] uid [650201177] gid [650200513] validate [true] enterprise principal [true] offline [false] UPN [arnost@VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:650201177] old_ccname: [KEYRING:persistent:650201177] keytab: [/etc/krb5.keytab]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [650201177][650200513].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:650201177] and is not active and TGT is valid.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x2000): Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [k5c_setup] (0x2000): Running as [0][0].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [main] (0x0400): Will perform online auth
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Got [Pavel Arnošt][libcoolkeypk11.so].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [VALVERA.LOCAL]
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364762: Getting initial credentials for arnost@VALVERA.LOCAL@VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364764: Sending request (209 bytes) to VALVERA.LOCAL
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364765: Initiating TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364766: Sending TCP request to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364767: Received answer (189 bytes) from stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364768: Terminating TCP connection to stream 172.30.30.30:88
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364769: Response was from master KDC
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364770: Received error from KDC: -1765328359/Additional pre-authentication required
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364773: Processing preauth types: 16, 15, 19, 2
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_child_krb5_trace_cb] (0x4000): [7779] 1539589656.364774: Selected etype info: etype aes256-cts, salt "VALVERA.LOCALarnost", params ""
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Mon Oct 15 09:47:36 2018) [[sssd[krb5_child[7779]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].
Thanks,
Regards,
Pavel
sssd-users@lists.fedorahosted.org
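
A triage helper for the krb5_child.log above, added here as an example and not part of the original post or of SSSD: it groups debug lines per krb5_child PID and reports the identity SSSD configured, the identity the pkinit responder offered, whether a PIN prompt was refused by the prompter, and each preauth module's return code. The function names are this example's own, the sample lines are copied from the post, and the line format is assumed to match that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: lines for PID 7776 copied from the krb5_child.log in the post.
SAMPLE_LOG = """\
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=libcoolkeypk11.so:token=Pavel Arnošt:certid=0001].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Mon Oct 15 09:47:33 2018) [[sssd[krb5_child[7776]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=libcoolkeypk11.so:slotid=1:token=Pavel Arnošt] flags [0].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Pavel Arnošt PIN].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87842: PKINIT client has no configured identity; giving up
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87843: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for arnost@VALVERA.LOCAL@VALVERA.LOCAL].
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Oct 15 09:47:34 2018) [[sssd[krb5_child[7776]]]] [sss_child_krb5_trace_cb] (0x4000): [7776] 1539589654.87846: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse(log_text):
    """Group (function, debug level, message) records by krb5_child PID, in order."""
    runs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            runs[m["pid"]].append((m["func"], int(m["level"], 16), m["msg"]))
    return runs

def pkcs11_attrs(identity):
    """Split 'PKCS11:k=v:k=v' into a dict so two identity strings can be compared."""
    return dict(p.split("=", 1) for p in identity.split(":")[1:] if "=" in p)

def triage(records):
    """Summarise the PKINIT-relevant events of one krb5_child run."""
    out = {"configured_identity": None, "offered_identity": None,
           "pin_prompt_refused": False, "pkinit_gave_up": False, "preauth_errors": []}
    last_prompt = ""
    for func, _level, msg in records:
        if func == "get_pkinit_identity" and msg.startswith("Using pkinit identity"):
            out["configured_identity"] = msg[msg.index("[") + 1:msg.rindex("]")]
        elif func == "answer_pkinit" and "Identity [" in msg:
            out["offered_identity"] = re.search(r"Identity \[(.*)\] flags", msg)[1]
        elif func == "sss_krb5_prompter" and msg.startswith("Prompt ["):
            last_prompt = msg  # remember which prompt the next refusal refers to
        elif func == "sss_krb5_prompter" and "Cannot handle password prompts" in msg:
            out["pin_prompt_refused"] |= last_prompt.rstrip(".").endswith("PIN]")
        elif "PKINIT client has no configured identity" in msg:
            out["pkinit_gave_up"] = True
        m = re.search(r"Preauth module (\w+) \((\d+)\) \(real\) returned: (-?\d+)/(.*)", msg)
        if m:
            out["preauth_errors"].append((m[1], int(m[2]), int(m[3]), m[4]))
    return out

if __name__ == "__main__":
    for pid, recs in parse(SAMPLE_LOG).items():
        print(pid, triage(recs))
```

Passing both identity strings through `pkcs11_attrs` shows which PKCS#11 attributes differ between what SSSD configured and what the responder was offered.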