Server is joined to abc.com and authentication is working to abc.com. A child domain, a.abc.com, was created, but authentication is not working to the child domain.
sssd.conf:

[root@server01 sssd]# more /etc/sssd/sssd.conf
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam

[domain/abc.com]
id_provider = ad
access_provider = simple
realmd_tags = manages-system joined-with-samba
ad_domain = abc.com
ad_server = dc01.abc.com,dc02.abc.com,_srv_
krb5_realm = ABC.COM
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
simple_allow_groups = TDI Remote Access Users@abc.com
debug_level = 0x07F0

[domain/a.abc.com]
ad_server = sdc01.a.abc.com,sdc02.a.abc.com,_srv_
From krb5 log:

(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.682973: Getting initial credentials for 017978@a.abc.com@abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683157: Sending request (217 bytes) to abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683431: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746482: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746600: Response was from master KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746660: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746708: Following referral to realm a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746788: Sending request (233 bytes) to a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.878092: Resolving hostname infsdcpci01.a.abc.com.
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.943098: Sending initial UDP request to dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.13629: Received answer (219 bytes) from dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.77982: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78076: Received error from KDC: -1765328359/Additional pre-authentication required
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78145: Processing preauth types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78192: Selected etype info: etype aes256-cts, salt "a.abc.com017978", params ""
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97413: AS key obtained for encrypted timestamp: aes256-cts/ED73
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97516: Encrypted timestamp (for 1485291543.976086): plain 301AA011180F32303137303132343230353930335AA10502030EE4D6, encrypted C7492B7309B4456330A7EE35DACBF67592D8573801102A3AB633823BE64F94EA7B1726E96F5EDAD9213AD0726D9CF89B214E96B1EB03B5AB
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97559: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97583: Produced preauth for next request: 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97621: Sending request (313 bytes) to a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.230488: Resolving hostname infsdcpci02.a.abc.com.
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.297013: Sending initial UDP request to dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.366557: Received answer (186 bytes) from dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428891: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428975: Received error from KDC: -1765328360/Preauthentication failed
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429029: Preauth tryagain input types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429068: Retrying AS request with master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429096: Getting initial credentials for 017978@a.abc.com@abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429189: Sending request (217 bytes) to abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429275: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494276: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494363: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494397: Following referral to realm a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494467: Sending request (233 bytes) to a.abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x4000): Response sent.
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [main] (0x0400): krb5_child completed successfully
From sssd domain log:

(Tue Jan 24 13:59:18 2017) [sssd[be[a.hawaiian.aero]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [a.abc.com]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): domain: a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): user: 017978@a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): service: conwrks
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): tty:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): ruser:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): rhost:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): cli_pid: 13206
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [017978@a.abc.com] is empty, running request [0x7f1aae523b70] immediately.
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_setup] (0x4000): No mapping for: 017978@a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f1aae525c60
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f1aae4e49f0
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Running timer event 0x7f1aae525c60 "ltdb_callback"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Destroying timer event 0x7f1aae4e49f0 "ltdb_timeout"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Ending timer event 0x7f1aae525c60 "ltdb_callback"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_auth_send] (0x0100): Home directory for user [017978@a.abc.com] not known.
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.abc.com: [x.x.161.251] TTL 3600
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [25955]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [25955]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x1000): Waiting for child [25955].
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x0100): child [25955] finished successfully.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [check_wait_queue] (0x1000): Wait queue for user [017978@a.abc.com] is empty.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f1aae523b70] done.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success (Failure setting user credentials)]
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][a.abc.com]
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][a.abc.com]
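Added example, not sssd's code and not from the poster: a small Python triage script that parses krb5_child trace lines in the format shown above and summarises the AS exchange (principal, realms tried, each KDC's error mapped to its libkrb5 name, realm referrals, the master-KDC retry, and the final get_and_save_tgt result). The sample trace embedded in it is constructed to mirror this post, with RFC 5737 placeholder addresses in place of the real KDCs.

```python
"""Summarise an sssd krb5_child trace (debug_level 0x4000) into the AS exchange it records.

Added example, not sssd's own code. SAMPLE_TRACE is constructed to mirror the post;
its KDC addresses are RFC 5737 placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional

# libkrb5 numeric codes are ERROR_TABLE_BASE_krb5 plus the RFC 4120 error number.
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", 18: "KRB5KDC_ERR_CLIENT_REVOKED",
    24: "KRB5KDC_ERR_PREAUTH_FAILED", 25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB5KRB_AP_ERR_SKEW", 68: "KRB5KDC_ERR_WRONG_REALM",
}

TRACE_RE = re.compile(r"\[sss_child_krb5_trace_cb\] \(0x4000\): \[\d+\] \d+\.\d+: (?P<msg>.*)$")
OUTCOME_RE = re.compile(r"\[get_and_save_tgt\] \(0x0020\): \d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
PRINCIPAL_RE = re.compile(r"^Getting initial credentials for (?P<princ>\S+)")
REQUEST_RE = re.compile(r"^Sending request \(\d+ bytes\) to (?P<realm>\S+)(?P<master> \(master\))?")
KDC_RE = re.compile(r"^Sending initial (?:UDP|TCP) request to (?:dgram|stream) (?P<addr>\S+)")
ERROR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)")
REFERRAL_RE = re.compile(r"^Following referral to realm (?P<realm>\S+)")
SALT_RE = re.compile(r'^Selected etype info: etype (?P<etype>\S+), salt "(?P<salt>[^"]*)"')


def krb5_error_name(code: int) -> str:
    """Map a numeric libkrb5 error code to its symbolic name (generic label if unknown)."""
    number = code - KRB5_ERROR_BASE
    return KRB5_ERROR_NAMES.get(number, f"KRB5_ERROR_{number}")


@dataclass
class Attempt:
    """One AS-REQ sent to a realm: which KDC answered and what it said."""
    realm: str
    master: bool
    kdc: Optional[str] = None
    error_code: Optional[int] = None
    error_text: Optional[str] = None


def parse_krb5_child_trace(lines) -> dict:
    """Walk the trace and return principal, realms tried, KDC errors, referrals and outcome."""
    attempts, referrals, current = [], [], None
    info = {"principal": None, "etype": None, "salt": None, "outcome": None}
    for line in lines:
        if m := OUTCOME_RE.search(line):
            info["outcome"] = (int(m.group("code")), m.group("text"))
            continue
        if not (m := TRACE_RE.search(line)):
            continue  # not a libkrb5 trace line
        msg = m.group("msg")
        if (p := PRINCIPAL_RE.match(msg)) and info["principal"] is None:
            info["principal"] = p.group("princ")
        elif r := REQUEST_RE.match(msg):
            current = Attempt(realm=r.group("realm"), master=bool(r.group("master")))
            attempts.append(current)
        elif (k := KDC_RE.match(msg)) and current:
            current.kdc = k.group("addr")
        elif (e := ERROR_RE.match(msg)) and current:
            current.error_code, current.error_text = int(e.group("code")), e.group("text")
        elif (f := REFERRAL_RE.match(msg)) and current:
            referrals.append((current.realm, f.group("realm")))
        elif s := SALT_RE.match(msg):
            info["etype"], info["salt"] = s.group("etype"), s.group("salt")
    info.update({
        "realms_tried": [a.realm for a in attempts],
        "referrals": referrals,
        "kdc_errors": [(a.realm, a.kdc, a.error_code, krb5_error_name(a.error_code))
                       for a in attempts if a.error_code is not None],
        "master_retry": any(a.master for a in attempts),
        "outcome_name": krb5_error_name(info["outcome"][0]) if info["outcome"] else None,
    })
    return info


# Constructed sample mirroring the post's flow (placeholder KDC addresses).
_H = "(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] "
SAMPLE_TRACE = [
    _H + "1485291558.682973: Getting initial credentials for 017978@a.abc.com@abc.com",
    _H + "1485291558.683157: Sending request (217 bytes) to abc.com",
    _H + "1485291558.683431: Sending initial UDP request to dgram 192.0.2.10:88",
    _H + "1485291558.746660: Received error from KDC: -1765328316/Realm not local to KDC",
    _H + "1485291558.746708: Following referral to realm a.abc.com",
    _H + "1485291558.746788: Sending request (233 bytes) to a.abc.com",
    _H + "1485291558.943098: Sending initial UDP request to dgram 192.0.2.20:88",
    _H + "1485291559.78076: Received error from KDC: -1765328359/Additional pre-authentication required",
    _H + '1485291559.78192: Selected etype info: etype aes256-cts, salt "a.abc.com017978", params ""',
    _H + "1485291559.97621: Sending request (313 bytes) to a.abc.com",
    _H + "1485291559.297013: Sending initial UDP request to dgram 192.0.2.21:88",
    _H + "1485291559.428975: Received error from KDC: -1765328360/Preauthentication failed",
    _H + "1485291559.429189: Sending request (217 bytes) to abc.com (master)",
    _H + "1485291559.494467: Sending request (233 bytes) to a.abc.com (master)",
    "(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [get_and_save_tgt] (0x0020): "
    "1234: [-1765328360][Preauthentication failed]",
]
```

Pointing it at the full trace in the post yields the same sequence: KRB5KDC_ERR_WRONG_REALM from the abc.com KDC with a referral to a.abc.com, then KRB5KDC_ERR_PREAUTH_FAILED from the a.abc.com KDC after the encrypted timestamp is sent.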
On 01/24/2017 05:06 PM, sonia.gilbert@hawaiianair.com wrote:
Server is joined to abc.com and authentication is working to abc.com. A child domain was created a.abc.com but authentication is not working to the child domain.
sssd.conf [root@server01 sssd]# more /etc/sssd/sssd.conf [sssd] domains = abc.com config_file_version = 2 services = nss, pam
[domain/abc.com] id_provider = ad access_provider = simple realmd_tags = manages-system joined-with-samba ad_domain = abc.com ad_server = dc01.abc.com,dc02.abc.com,_srv_ krb5_realm = ABC.COM default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /home/%u@%d simple_allow_groups = TDI Remote Access Users@abc.com debug_level = 0x07F0
[domain/a.abc.com] ad_server = sdc01.a.abc.com,sdc02.a.abc.com,_srv_
From krb5 log: (Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.682973: Getting initial credentials for 017978@a.abc.com@abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683157: Sending request (217 bytes) to abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683431: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746482: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746600: Response was from master KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746660: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746708: Following referral to realm a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746788: Sending request (233 bytes) to a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.878092: Resolving hostname infsdcpci01.a.abc.com.
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.943098: Sending initial UDP request to dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.13629: Received answer (219 bytes) from dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.77982: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78076: Received error from KDC: -1765328359/Additional pre-authentication required
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78145: Processing preauth types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78192: Selected etype info: etype aes256-cts, salt "a.abc.com017978", params ""
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97413: AS key obtained for encrypted timestamp: aes256-cts/ED73
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97516: Encrypted timestamp (for 1485291543.976086): plain 301AA011180F32303137303132343230353930335AA10502030EE4D6, encrypted C7492B7309B4456330A7EE35DACBF67592D8573801102A3AB633823BE64F94EA7B1726E96F5EDAD9213AD0726D9CF89B214E96B1EB03B5AB
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97559: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97583: Produced preauth for next request: 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97621: Sending request (313 bytes) to a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.230488: Resolving hostname infsdcpci02.a.abc.com.
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.297013: Sending initial UDP request to dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.366557: Received answer (186 bytes) from dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428891: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428975: Received error from KDC: -1765328360/Preauthentication failed
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429029: Preauth tryagain input types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429068: Retrying AS request with master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429096: Getting initial credentials for 017978@a.abc.com@abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429189: Sending request (217 bytes) to abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429275: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494276: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494363: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494397: Following referral to realm a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494467: Sending request (233 bytes) to a.abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed] (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed] (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x0200): Received error code 1432158215 (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [pack_response_packet] (0x2000): response packet size: [4] (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x4000): Response sent. (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [main] (0x0400): krb5_child completed successfully
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.682973: Getting initial credentials for 017978@a.abc.com@abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683157: Sending request (217 bytes) to abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683431: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746482: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746600: Response was from master KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746660: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746708: Following referral to realm a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746788: Sending request (233 bytes) to a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.878092: Resolving hostname infsdcpci01.a.abc.com.
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.943098: Sending initial UDP request to dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.13629: Received answer (219 bytes) from dgram x.x.166.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.77982: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78076: Received error from KDC: -1765328359/Additional pre-authentication required
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78145: Processing preauth types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.78192: Selected etype info: etype aes256-cts, salt "a.abc.com017978", params ""
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97413: AS key obtained for encrypted timestamp: aes256-cts/ED73
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97516: Encrypted timestamp (for 1485291543.976086): plain 301AA011180F32303137303132343230353930335AA10502030EE4D6, encrypted C7492B7309B4456330A7EE35DACBF67592D8573801102A3AB633823BE64F94EA7B1726E96F5EDAD9213AD0726D9CF89B214E96B1EB03B5AB
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97559: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97583: Produced preauth for next request: 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.97621: Sending request (313 bytes) to a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.230488: Resolving hostname infsdcpci02.a.abc.com.
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.297013: Sending initial UDP request to dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.366557: Received answer (186 bytes) from dgram x.x.166.252:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428891: Response was not from master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.428975: Received error from KDC: -1765328360/Preauthentication failed
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429029: Preauth tryagain input types: 16, 15, 19, 2
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429068: Retrying AS request with master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429096: Getting initial credentials for 017978@a.abc.com@abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429189: Sending request (217 bytes) to abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429275: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494276: Received answer (129 bytes) from dgram x.x.161.251:88
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494363: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494397: Following referral to realm a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494467: Sending request (233 bytes) to a.abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed] (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed] (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x0200): Received error code 1432158215 (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [pack_response_packet] (0x2000): response packet size: [4] (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [k5c_send_data] (0x4000): Response sent. (Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [main] (0x0400): krb5_child completed successfully
From sssd domain log:
(Tue Jan 24 13:59:18 2017) [sssd[be[a.hawaiian.aero]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [a.abc.com]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): domain: a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): user: 017978@a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): service: conwrks
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): tty:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): ruser:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): rhost:
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): cli_pid: 13206
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [017978@a.abc.com] is empty, running request [0x7f1aae523b70] immediately.
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_setup] (0x4000): No mapping for: 017978@a.abc.com
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f1aae525c60
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f1aae4e49f0
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Running timer event 0x7f1aae525c60 "ltdb_callback"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Destroying timer event 0x7f1aae4e49f0 "ltdb_timeout"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [ldb] (0x4000): Ending timer event 0x7f1aae525c60 "ltdb_callback"
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [krb5_auth_send] (0x0100): Home directory for user [017978@a.abc.com] not known.
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.abc.com: [x.x.161.251] TTL 3600
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [25955]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [25955]
(Tue Jan 24 13:59:18 2017) [sssd[be[abc.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x1000): Waiting for child [25955].
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x0100): child [25955] finished successfully.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [check_wait_queue] (0x1000): Wait queue for user [017978@a.abc.com] is empty.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f1aae523b70] done.
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success (Failure setting user credentials)]
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][a.abc.com]
(Tue Jan 24 13:59:19 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][a.abc.com]
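A small triage helper for krb5_child.log traces like the one above, added here as an example and not part of the original post or of SSSD itself. It walks the libkrb5 trace lines that krb5_child emits at debug level 0x4000, reconstructs which realms the AS request was sent to, which KDC errors came back for each, which referrals were followed, and what krb5_child finally reported. The log lines it runs on are a constructed sample modelled on the trace quoted above; the symbolic names are the MIT krb5 error-table values for the two error codes that appear in the log, and the function names are my own.

```python
import re

# MIT krb5 error-table names for the two KDC error codes seen in the quoted log
# (com_err base -1765328384 plus the Kerberos protocol error number).
KRB5_ERROR_NAMES = {
    -1765328316: "KRB5KDC_ERR_WRONG_REALM",      # "Realm not local to KDC"
    -1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",   # "Preauthentication failed"
}

# Constructed sample, modelled on the krb5_child.log trace quoted in the post.
SAMPLE_LOG = """\
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.682973: Getting initial credentials for 017978@a.abc.com@abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683157: Sending request (217 bytes) to abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.683431: Sending initial UDP request to dgram x.x.161.251:88
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746660: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746708: Following referral to realm a.abc.com
(Tue Jan 24 13:59:18 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291558.746788: Sending request (233 bytes) to a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429068: Retrying AS request with master KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.429189: Sending request (217 bytes) to abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494363: Received error from KDC: -1765328316/Realm not local to KDC
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494397: Following referral to realm a.abc.com
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [sss_child_krb5_trace_cb] (0x4000): [25955] 1485291559.494467: Sending request (233 bytes) to a.abc.com (master)
(Tue Jan 24 13:59:19 2017) [[sssd[krb5_child[25955]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
"""

# The libkrb5 trace callback prefixes every message with "[pid] seconds.micros: ".
TRACE_RE = re.compile(r"\[sss_child_krb5_trace_cb\] \(0x4000\): \[\d+\] [\d.]+: (?P<msg>.*)$")
INITIAL_RE = re.compile(r"^Getting initial credentials for (?P<principal>\S+)")
SEND_RE = re.compile(r"^Sending request \(\d+ bytes\) to (?P<realm>\S+)")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$")
REFERRAL_RE = re.compile(r"^Following referral to realm (?P<realm>\S+)")
# krb5_child's own summary of the failed kinit, outside the trace callback.
FINAL_RE = re.compile(r"\[get_and_save_tgt\] \(0x0020\): \d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")


def parse_krb5_child_trace(text):
    """Summarise the AS exchange recorded in a krb5_child.log excerpt."""
    summary = {"principal": None, "requests": [], "kdc_errors": [],
               "referrals": [], "final_error": None}
    for line in text.splitlines():
        final = FINAL_RE.search(line)
        if final:
            summary["final_error"] = (int(final.group("code")), final.group("text"))
            continue
        trace = TRACE_RE.search(line)
        if not trace:
            continue  # setup, pipe-handling or other non-trace lines
        msg = trace.group("msg")
        initial, sent = INITIAL_RE.match(msg), SEND_RE.match(msg)
        kdc_err, referral = KDC_ERR_RE.match(msg), REFERRAL_RE.match(msg)
        if initial and summary["principal"] is None:
            summary["principal"] = initial.group("principal")
        elif sent:
            summary["requests"].append(sent.group("realm"))
        elif kdc_err:
            # attribute the error to the realm the most recent request went to
            realm = summary["requests"][-1] if summary["requests"] else None
            summary["kdc_errors"].append((realm, int(kdc_err.group("code")), kdc_err.group("text")))
        elif referral:
            summary["referrals"].append(referral.group("realm"))
    return summary


def failure_summary(summary):
    """One line a responder can read: who, which realms, which errors, final result."""
    parts = ["principal " + str(summary["principal"]),
             "realms tried: " + " -> ".join(summary["requests"])]
    for realm, code, text in summary["kdc_errors"]:
        parts.append("KDC for %s: %s (%s)" % (realm, KRB5_ERROR_NAMES.get(code, code), text))
    if summary["final_error"]:
        code, text = summary["final_error"]
        parts.append("final: %s (%s)" % (KRB5_ERROR_NAMES.get(code, code), text))
    return "; ".join(parts)


if __name__ == "__main__":
    print(failure_summary(parse_krb5_child_trace(SAMPLE_LOG)))
```

Run against a real krb5_child.log the same way (read the file, pass its text in); the point of keeping the per-realm error list is that a "Realm not local to KDC" answered by the parent realm's KDC followed by a referral is normal cross-realm behaviour, so what matters for triage is the error that comes back after the referral, not the first one.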
The main error to focus on is the 'Realm not local to KDC' error in the krb5_child.log leading to failed authentication.
Can you check if you have 'dns_lookup_kdc = true' set in /etc/krb5.conf?
Also, SSSD will automatically discover trusted domains in the same forest, therefore you do not need another domain section in sssd.conf:
[domain/a.abc.com] ad_server = sdc01.a.abc.com,sdc02.a.abc.com,_srv_
These lines were likely ignored by SSSD because you only had specified the single domain for the 'domains' option:
domains = abc.com
Kind regards, Justin Stephenson
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
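The two things to check from the reply above, dns_lookup_kdc in /etc/krb5.conf and [domain/...] sections that are not listed in the domains option (and are therefore ignored), can be checked mechanically. The following is an added example, not part of the thread and not SSSD's or MIT krb5's own tooling. The sssd.conf and krb5.conf fragments are constructed samples modelled on the configuration quoted at the top of the thread, and the function names are my own; krb5.conf is not strict INI (its [realms] section nests braces), so it is read with a line scanner rather than configparser.

```python
import configparser

# Constructed sample, modelled on the sssd.conf quoted at the top of the thread:
# one active domain, plus a second [domain/...] section that is not in "domains".
SAMPLE_SSSD_CONF = """\
[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam

[domain/abc.com]
id_provider = ad
access_provider = simple
ad_domain = abc.com
ad_server = dc01.abc.com,dc02.abc.com,_srv_
krb5_realm = ABC.COM
fallback_homedir = /home/%u@%d

[domain/a.abc.com]
ad_server = sdc01.a.abc.com,sdc02.a.abc.com,_srv_
"""

# Constructed krb5.conf fragment with no dns_lookup_kdc setting at all.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = ABC.COM
 dns_lookup_realm = false
 ticket_lifetime = 24h

[realms]
 ABC.COM = {
  kdc = dc01.abc.com
 }
"""

# Spellings MIT krb5 treats as a true boolean in profile files.
KRB5_TRUE = ("y", "yes", "true", "t", "1", "on")


def load_sssd_conf(text):
    """sssd.conf is INI-style; disable interpolation so values like %u@%d survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def check_domain_sections(cp):
    """Compare [domain/...] sections against the [sssd] domains list."""
    active = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    defined = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    return {
        "active": active,
        "defined": defined,
        "ignored": [d for d in defined if d not in active],   # section present, never loaded
        "missing": [d for d in active if d not in defined],   # listed, but no section
    }


def libdefaults_value(krb5_text, key):
    """Return the value of `key` from [libdefaults], or None if it is not set."""
    in_section = False
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = (line == "[libdefaults]")
            continue
        if in_section and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == key:
                return v.strip()
    return None


def dns_lookup_kdc_enabled(krb5_text):
    value = libdefaults_value(krb5_text, "dns_lookup_kdc")
    return value is not None and value.lower() in KRB5_TRUE


def audit(sssd_text, krb5_text):
    """Return a list of human-readable findings; empty means both checks passed."""
    findings = []
    sections = check_domain_sections(load_sssd_conf(sssd_text))
    for d in sections["ignored"]:
        findings.append("[domain/%s] is defined but not listed in [sssd] domains; SSSD ignores it" % d)
    for d in sections["missing"]:
        findings.append("domains lists %s but there is no [domain/%s] section" % (d, d))
    if not dns_lookup_kdc_enabled(krb5_text):
        findings.append("krb5.conf [libdefaults] does not set dns_lookup_kdc = true")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSSD_CONF, SAMPLE_KRB5_CONF):
        print("-", finding)
```

On a real host, replace the two sample strings with the contents of /etc/sssd/sssd.conf and /etc/krb5.conf. The "ignored" finding is the one that matches this thread: a [domain/a.abc.com] section with "domains = abc.com" is silently never loaded.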
Thank you Justin for responding. I checked the krb5.conf and it was not configured for 'dns_lookup_kdc = true'. I added it in. I restarted sssd service but still no change. Also along the way during this troubleshooting I have now broken the authentication to the parent domain and am now getting the following error in the krb5_child.log.
Received error from KDC: -1765328360/Preauthentication failed
Could you provide updated sssd_<domain> and krb5_child logs from the reproduced login failure after making that change?
It would be great if you can remove any existing logs first.
Kind regards, Justin Stephenson
On 01/27/2017 03:30 PM, sonia.gilbert@hawaiianair.com wrote:
Thank you Justin for responding. I checked the krb5.conf and it was not configured for 'dns_lookup_kdc = true'. I added it in. I restarted sssd service but still no change. Also along the way during this troubleshooting I have now broken the authentication to the parent domain and am now getting the following error in the krb5_child.log.
Received error from KDC: -1765328360/Preauthentication failed
Okay, thank you for helping!
krb5_child.log
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x0400): krb5_child started.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [unpack_buffer] (0x1000): total buffer size: [225]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [unpack_buffer] (0x0100): cmd [241] uid [1213401232] gid [1213400513] validate [true] enterprise principal [true] offline [false] UPN [018843@ABC.COM]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1213401232] old_ccname: [KEYRING:persistent:1213401232] keytab: [/etc/krb5.keytab]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [switch_creds] (0x0200): Switch user to [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [become_user] (0x0200): Trying to become user [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x2000): Running as [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [k5c_setup] (0x2000): Running as [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x0400): Will perform online auth
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x0400): krb5_child completed successfully
sssd_abc.com.log
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee608340], connected[1], ops[0x7fa8ee60a960], ldap[0x7fa8ee60ae70]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://AuthLite.abc.com/DC=AuthLite,DC=abc,DC=com
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee608340], connected[1], ops[0x7fa8ee60a960], ldap[0x7fa8ee60ae70]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://a.abc.com/DC=a,DC=abc,DC=com
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee608340], connected[1], ops[0x7fa8ee60a960], ldap[0x7fa8ee60ae70]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.abc.com/DC=ForestDnsZones,DC=abc,DC=com
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee608340], connected[1], ops[0x7fa8ee60a960], ldap[0x7fa8ee60ae70]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.abc.com/DC=DomainDnsZones,DC=abc,DC=com
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee608340], connected[1], ops[0x7fa8ee60a960], ldap[0x7fa8ee60ae70]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://abc.com/CN=Configuration,DC=abc,DC=com
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee608340], connected[1], ops[0x7fa8ee60a960], ldap[0x7fa8ee60ae70]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Save user
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_primary_name] (0x0400): Processing object 018843
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Processing user 018843
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x1000): Mapping user [018843] objectSID [S-1-5-21-4282302023-42197789-350709537-1232] to unix ID
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x2000): Adding originalDN [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com] to attributes of [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20170119225413.0Z] to attributes of [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Adding user principal [018843@abc.com] to attributes of [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [018843].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_save_user] (0x0400): Storing info for user 018843
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [018843]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [homeDirectory] from [018843]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [018843]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee608340], connected[1], ops[(nil)], ldap[0x7fa8ee60ae70]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=018843]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [abc.com]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.abc.com: [x.x.161.251] TTL 3600
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc01.abc.com'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc01.abc.com:3268'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dc01.abc.com:3268/??base] with fd [24].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_print_server] (0x2000): Searching x.x.161.251
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_op_add] (0x2000): New operation 1 timeout 6
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60cc00], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [currentTime]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [subschemaSubentry]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dsServiceName]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultNamingContext]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [schemaNamingContext]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [configurationNamingContext]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [rootDomainNamingContext]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPPolicies]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [highestCommittedUSN]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dnsHostName]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ldapServiceName]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverName]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedCapabilities]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [isSynchronized]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [isGlobalCatalogReady]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainFunctionality]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [forestFunctionality]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainControllerFunctionality]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60cc00], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_op_destructor] (0x2000): Operation 1 finished
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, LOCALSERVER$, abc.com, 86400)
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service AD
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.abc.com: [x.x.161.251] TTL 3600
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc01.abc.com'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc01.abc.com'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 51
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5529]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Signal ha
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_op_destructor] (0x2000): Operation 1 finished
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, LOCALSERVER$, abc.com, 86400)
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service AD
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.abc.com: [x.x.161.251] TTL 3600
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc01.abc.com'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc01.abc.com'
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed.
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 51
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5529]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5529]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[(nil)], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x1000): Waiting for child [5529].
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x0100): child [5529] finished successfully.
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_abc.com], expired on [1485593615]
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1485558515
(Fri Jan 27 15:53:35 2017) [sssd[be[abc.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: LOCALSERVER$
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'dc01.abc.com' as 'working'
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [set_server_common_status] (0x0100): Marking server 'dc01.abc.com' as 'working'
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'dc01.abc.com' as 'working'
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [ad_user_data_cmp] (0x1000): Comparing GC with GC
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_id_op_connect_done] (0x2000): Old USN: 4718311, New USN: 4719151
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=abc,DC=com]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_print_server] (0x2000): Searching x.x.161.251
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=018843)(objectclass=user)(objectSID=*))][DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]]
[sdap_get_initgr_user] (0x0040): No matching DN found. (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_add_timeout] (0x2000): 0x7fa8ef626070 (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[(nil)], ldap[0x7fa8ee61a020] (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_remove_timeout] (0x2000): 0x7fa8ef626070 (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [be_req_set_domain] (0x0400): Changing request domain from [abc.com] to [abc.com] (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [be_pam_handler] (0x0100): Got request with the following data (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): domain: abc.com (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): user: 018843 (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): service: conwrks (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): tty: (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): ruser: (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): rhost: (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): authtok type: 1 (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Jan 27 15:53:36 2017) 
[sssd[be[abc.com]]] [pam_print_data] (0x0100): priv: 1 (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): cli_pid: 557 (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [pam_print_data] (0x0100): logon name: not set (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [018843] is empty, running request [0x7fa8ee60ffe0] immediately. (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [krb5_auth_send] (0x0100): Home directory for user [018843] not known. (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working' (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'dc01.abc.com' is 'working' (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [get_server_status] (0x1000): Status of server 'dc01.abc.com' is 'working' (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.abc.com: [x.x.161.251] TTL 3600 (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dc01.abc.com' (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dc01.abc.com' (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sss_krb5_realm_has_proxy] (0x0040): profile_get_values failed. 
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5530] (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5530] (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x1000): Waiting for child [5530]. (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [child_sig_handler] (0x0100): child [5530] finished successfully. (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [check_wait_queue] (0x1000): Wait queue for user [018843] is empty. (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7fa8ee60ffe0] done. (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>) [Success (Failure setting user credentials)] (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sending result [17][abc.com] (Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [be_pam_handler_callback] (0x0100): Sent result [17][abc.com] (Fri Jan 27 15:53:38 2017) [sssd[be[abc.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Fri Jan 27 15:53:38 2017) [sssd[be[abc.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
On Fri, Jan 27, 2017 at 11:28:30PM -0000, sonia.gilbert@hawaiianair.com wrote:
Okay, thank you for helping!
krb5_child.log
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x0400): krb5_child started.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [unpack_buffer] (0x1000): total buffer size: [225]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [unpack_buffer] (0x0100): cmd [241] uid [1213401232] gid [1213400513] validate [true] enterprise principal [true] offline [false] UPN [018843@ABC.COM]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1213401232] old_ccname: [KEYRING:persistent:1213401232] keytab: [/etc/krb5.keytab]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [switch_creds] (0x0200): Switch user to [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [become_user] (0x0200): Trying to become user [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x2000): Running as [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [k5c_setup] (0x2000): Running as [1213401232][1213400513].
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x0400): Will perform online auth
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
This really sounds like a wrong password was entered...
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Fri Jan 27 15:53:36 2017) [[sssd[krb5_child[5530]]]] [main] (0x0400): krb5_child completed successfully
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=abc,DC=com]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_print_server] (0x2000): Searching x.x.161.251
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=018843)(objectclass=user)(objectSID=*))][DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): No matching DN found.
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_add_timeout] (0x2000): 0x7fa8ef626070
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[(nil)], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_remove_timeout] (0x2000): 0x7fa8ef626070
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
This also looks like a problem: a search with sAMAccountName=018843 is returning two objects, but then matching to an expected base DN fails:
CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com
and
CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com
I see the following on my SSSD 1.13 system:
(Mon Jan 30 14:24:41 2017) [sssd[be[jstephen.local]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user
(Mon Jan 30 14:24:41 2017) [sssd[be[jstephen.local]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2
(Mon Jan 30 14:24:41 2017) [sssd[be[jstephen.local]]] [sdap_get_initgr_user] (0x4000): Expected BaseDN is [cn=users,dc=jstephen,dc=local].
(Mon Jan 30 14:24:41 2017) [sssd[be[jstephen.local]]] [sdap_get_initgr_user] (0x4000): Found matching dn [CN=sssduser,CN=Users,DC=jstephen,DC=local].
Kind regards, Justin Stephenson
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
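The two DNs Justin points at show why matching a search result against an expected base DN needs care in a multi-domain forest. The following is an added example (my own code, not SSSD's; SSSD's own logic is what the "Expected BaseDN ... Found matching dn" lines above come from). It takes the two DNs from this thread and shows that both plain string-suffix matching and a proper RDN-by-RDN subtree test accept the child-domain entry under DC=abc,DC=com, because the child's naming context DC=a,DC=abc,DC=com is itself subordinate to the parent's. Comparing the naming context (the trailing run of DC= components) for exact equality keeps only the abc.com object, and treats "two matches" as an error rather than picking one. All function names and the base DNs passed in are my assumptions.

```python
# Added example (not SSSD's own code): disambiguate two LDAP entries that share a
# sAMAccountName but belong to different domains of the same forest.
# PARENT_DN and CHILD_DN are the DNs quoted in the thread; the helper names and
# the base DNs used below are my assumptions.


def split_dn(dn):
    """Split a DN into normalised RDN strings, honouring backslash escapes
    (so an escaped comma inside a CN does not start a new component).
    Comparison is case-insensitive, as attribute types and AD values are."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts]


def dn_under_base(dn, base):
    """Subtree test: dn is base or lies below it, compared RDN by RDN.
    Pitfall shown by the thread: DC=a,DC=abc,DC=com lies below DC=abc,DC=com,
    so this accepts the child-domain entry as well as the parent one."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def naming_context(dn):
    """The trailing run of DC= components, i.e. the AD domain the object is in."""
    nc = []
    for rdn in reversed(split_dn(dn)):
        if not rdn.startswith("dc="):
            break
        nc.insert(0, rdn)
    return ",".join(nc)


def pick_domain_entry(dns, domain_base):
    """Return the single DN whose naming context equals domain_base exactly.
    Zero or several candidates return None: an ambiguous result must not be
    resolved by guessing, since the credential would go to that account."""
    want = naming_context(domain_base)
    matches = [dn for dn in dns if naming_context(dn) == want]
    return matches[0] if len(matches) == 1 else None


PARENT_DN = "CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com"
CHILD_DN = "CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com"
RESULTS = [PARENT_DN, CHILD_DN]   # what the sAMAccountName=018843 search returned

if __name__ == "__main__":
    print("subtree match accepts:",
          [dn for dn in RESULTS if dn_under_base(dn, "DC=abc,DC=com")])
    print("abc.com entry:  ", pick_domain_entry(RESULTS, "DC=abc,DC=com"))
    print("a.abc.com entry:", pick_domain_entry(RESULTS, "DC=a,DC=abc,DC=com"))
```

The point for an identity deployment is the last function's failure mode: when the parent-domain search base also covers child naming contexts (as it does against a GC), the lookup must resolve to exactly one account before any password is sent on its behalf.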
Thank you, Justin. CentOS 7, sssd 1.13
Authentication with the consoleworks application uses a yubikey via authlite, which basically makes it two-factor authentication. It appends the AD credential password with a one-time password. I tried to log in with yubikey and without and get two different errors.
With Yubikey (correct password):
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): krb5_child completed successfully
Without yubikey (wrong password):
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): krb5_child completed successfully
Would it help to remove it from realm and rejoin it to the realm? I have another server where the authentication to the parent domain is working where this one is not. I have compared the configurations but can’t find the difference.
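The two krb5_child runs above end in different numeric codes, -1765328360 and -1765328372. Those are MIT Kerberos com_err values: subtracting the krb5 error-table base (-1765328384, KRB5KDC_ERR_NONE) gives the KDC error code from RFC 4120, which is more reliable for triage than the English message text. The following is an added example (my own triage helper, not SSSD's or MIT krb5's code) that parses krb5_child log lines of the shape shown in this thread and decodes the codes; the sample lines are copied from the messages above, and the code table is a short excerpt of the RFC 4120 KDC error codes that I chose to include.

```python
# Added example (not SSSD's or MIT krb5's code): decode the negative com_err codes
# that krb5_child logs into RFC 4120 KDC error codes. The sample lines are copied
# from the thread; the regexes, table excerpt and function names are mine.
import re

KRB5_ERROR_TABLE_BASE = -1765328384      # MIT krb5 com_err base, KRB5KDC_ERR_NONE

# Excerpt of RFC 4120 section 7.5.9 KDC error codes; extend as needed.
KDC_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KDC_ERR_POLICY",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}

# "(ts) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Only negative codes are krb5 com_err values; "[uid][gid]" pairs are positive.
ERR_RE = re.compile(r"\[(-\d+)\]\[([^\]]*)\]")


def decode_krb5_code(code):
    """Map a com_err value such as -1765328360 to (protocol_code, name)."""
    proto = code - KRB5_ERROR_TABLE_BASE
    return proto, KDC_ERRORS.get(proto, "unknown")


def parse_krb5_child_failures(lines):
    """Return (pid, function, protocol_code, name, message) for every
    krb5_child line carrying a [code][message] pair; other lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = ERR_RE.search(m["msg"])
        if not e:
            continue
        proto, name = decode_krb5_code(int(e.group(1)))
        out.append((int(m["pid"]), m["func"], proto, name, e.group(2)))
    return out


def final_error_by_pid(lines):
    """Last decoded KDC error per krb5_child pid, e.g. {11869: 'KDC_ERR_PREAUTH_FAILED'}."""
    result = {}
    for pid, _func, _proto, name, _msg in parse_krb5_child_failures(lines):
        result[pid] = name
    return result


# Constructed sample: the relevant lines of the two runs quoted in the thread.
SAMPLE_LINES = [
    "(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]",
    "(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]",
    "(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [k5c_send_data] (0x0200): Received error code 1432158215",
    "(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]",
    "(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): krb5_child completed successfully",
]

if __name__ == "__main__":
    for row in parse_krb5_child_failures(SAMPLE_LINES):
        print(row)
    print(final_error_by_pid(SAMPLE_LINES))
```

Decoded this way, the run with the yubikey ends in KDC_ERR_PREAUTH_FAILED (24) and the run without it in KDC_ERR_POLICY (12); the codes, not the wording, are what to compare against the KDC-side logs when deciding whether the client key or a KDC policy decision is the cause.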
On Mon, Jan 30, 2017 at 02:39:04PM -0500, Justin Stephenson wrote:
This also looks like a problem: a search with sAMAccountName=018843 is returning two objects, but then matching to an expected base DN fails:
CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com
and
CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com
Ah, I think this is the root cause. And it might explain why we saw pre-authentication failed; perhaps the password was just sent to a wrong account.
What sssd version are you running? This bug sounds a bit like https://bugzilla.redhat.com/show_bug.cgi?id=1293168
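To make the ambiguity Justin describes visible at a glance, the following triage script (an added example, not code from the thread or from SSSD; the names `triage`, `naming_context` and `is_under` are its own) parses sdap_* debug lines like those quoted above and groups every OriginalDN returned for the sAMAccountName filter by the AD naming context it belongs to. The log excerpt embedded in it is a constructed condensation of the quoted lines.

```python
"""Triage SSSD backend debug output for an ambiguous user lookup.

Added example (not part of the thread or of SSSD): reads sdap_* debug
lines like the ones quoted above and reports which naming contexts the
entries for one sAMAccountName filter came from.  Two entries from two
naming contexts is exactly the "Expected one user entry and got 2" /
"No matching DN found" situation described in the thread.
"""
import re
from collections import defaultdict

# Constructed condensation of the quoted log: only the lines the triage needs.
SAMPLE_LOG = """\
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=abc,DC=com]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=018843)(objectclass=user)(objectSID=*))][DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): No matching DN found.
"""

BE_RE = re.compile(r"\[sssd\[be\[(?P<dom>[^\]]+)\]\]\]")
FILTER_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>\(.*\))\]\[(?P<base>[^\]]*)\]")
ACCOUNT_RE = re.compile(r"\(sAMAccountName=(?P<name>[^)]*)\)", re.IGNORECASE)
DN_RE = re.compile(r"OriginalDN: \[(?P<dn>[^\]]*)\]")
FAILURE_RE = re.compile(r"\(0x0040\): (?P<msg>.*)$")  # 0x0040 is SSSD's failure level


def rdns(dn):
    """Split a DN on unescaped commas into normalised (lower-case, stripped) RDNs."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def naming_context(dn):
    """DNS name of the AD domain that owns dn: its DC= components joined with dots."""
    return ".".join(r.split("=", 1)[1] for r in rdns(dn) if r.startswith("dc="))


def is_under(dn, base):
    """Component-wise subtree test, tolerant of case and whitespace differences."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def triage(log_text):
    """Summarise one lookup: filter, search base, every entry returned and the
    naming context each came from, plus SSSD's own failure messages."""
    report = {"be_domain": None, "filter": None, "base": None,
              "account": None, "entries": [], "errors": []}
    for line in log_text.splitlines():
        if (m := BE_RE.search(line)):
            report["be_domain"] = m.group("dom").lower()
        if (m := FILTER_RE.search(line)):
            report["filter"], report["base"] = m.group("filter"), m.group("base")
            a = ACCOUNT_RE.search(report["filter"])
            report["account"] = a.group("name") if a else None
        if (m := DN_RE.search(line)):
            report["entries"].append(m.group("dn"))
        if (m := FAILURE_RE.search(line)):
            report["errors"].append(m.group("msg").strip())

    by_nc = defaultdict(list)
    for dn in report["entries"]:
        by_nc[naming_context(dn)].append(dn)
    report["by_naming_context"] = dict(by_nc)
    # Every entry sits under the search base, so the base alone cannot pick a
    # winner; the naming context can, and only one of them is the backend's own.
    report["all_under_base"] = bool(report["base"]) and all(
        is_under(dn, report["base"]) for dn in report["entries"])
    report["own_domain_entries"] = by_nc.get(report["be_domain"], [])
    report["ambiguous"] = len(by_nc) > 1
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"backend domain : {r['be_domain']}")
    print(f"filter         : {r['filter']}  (base {r['base']})")
    for nc, dns in sorted(r["by_naming_context"].items()):
        tag = "own domain" if nc == r["be_domain"] else "other naming context"
        for dn in dns:
            print(f"  {nc:<12} {tag:<22} {dn}")
    if r["ambiguous"]:
        print(f"AMBIGUOUS: sAMAccountName={r['account']} exists in "
              f"{len(r['by_naming_context'])} naming contexts under {r['base']}")
    for e in r["errors"]:
        print(f"sssd failure   : {e}")
```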
Can't open the bug. I get the following error.
"You are not authorized to access bug #1293168.
Most likely the bug has been restricted for internal development processes and we cannot grant access.
If you are a Red Hat customer with an active subscription, please visit the Red Hat Customer Portal for assistance with your issue
If you are a Fedora Project user and require assistance, please consider using one of the mailing lists we host for the Fedora Project."
Update on current situation: Removed it from the realm but now it will not rejoin. Removed two-factor for the server in AD but it still will not accept the administrator's password. Suspect that some firewall rules were removed. Had the FW engineer check and he saw 389 blocked. Put in a request for ports TCP 53, 389, 3268 and UDP 389, 138, 123, 53, 88, and 137 from the CentOS server to the AD server. Waiting for him to implement the rules and will try again.
[root@PHXRASPCI01 ~]# realm join -v -U domainadmin@abc.com abc.com
 * Resolving: _ldap._tcp.abc.com
 * Performing LDAP DSE lookup on: x.x.161.252
 * Performing LDAP DSE lookup on: x.x.161.251
 * Successfully discovered: abc.com
Password for domainadmin@abc.com:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WENPUY -U domainadmin@abc.com ads join abc.com
Enter domainadmin@abc.com's password:
kerberos_kinit_password domainadmin@ABC.COM failed: KDC policy rejects request
Failed to join domain: failed to connect to AD: KDC policy rejects request
 ! Joining the domain abc.com failed
realm: Couldn't join realm: Joining the domain abc.com failed
Sonia
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Tuesday, January 31, 2017 10:12 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: account not authenticating in child domain
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Wed, Feb 01, 2017 at 08:06:53PM +0000, Gilbert, Sonia wrote:
Are you able to kinit as domainadmin@ABC.COM at all?
No. Also they said that they opened up the firewall for all the ports.
[root@server01 /]# kinit 018443@abc.com
Password for 018443@abc.com:
kinit: KDC policy rejects request while getting initial credentials
Could it be trying to use krb5.keytab? Is it unique to each instance? Since it was removed from the realm, will it need to have a new keytab generated? Is that a local verification, or do we also have to do something on the AD server?
Sonia Gilbert, Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert@HawaiianAir.com
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Wednesday, February 01, 2017 10:35 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: account not authenticating in child domain
On (02/02/17 19:55), Gilbert, Sonia wrote:
Use KRB5_TRACE for extra tracing information, e.g. KRB5_TRACE=/dev/stderr kinit 018443@abc.com
LS
Thanks for helping out Lukas.
Kinit resolves to dc02, then fails pre-authentication because it was not the master KDC; after providing the password, it resolves to dc01 and then gets the policy reject again. Tried a few times and it seems that it does not matter which server it resolves; I get the same messages about not being master and policy reject. I also tried to set "dns_lookup_kdc = false", but that just caused it not to find a server. In klist I only see the server object in the a.abc.com domain.
Below are the results of KRB5_TRACE=/dev/stderr kinit 018443@abc.com:
[root@server01 etc]# KRB5_TRACE=/dev/stderr kinit 018443@abc.com
[17578] 1486068170.688787: Getting initial credentials for 018443@abc.com
[17578] 1486068170.689166: Sending request (193 bytes) to abc.com
[17578] 1486068170.818519: Resolving hostname infdcpci02.abc.com.
[17578] 1486068170.883645: Sending initial UDP request to dgram x.x.161.252:88 (dc02)
[17578] 1486068170.946802: Received answer (195 bytes) from dgram x.x.161.252:88
[17578] 1486068171.9293: Response was not from master KDC
[17578] 1486068171.9356: Received error from KDC: -1765328359/Additional pre-authentication required
[17578] 1486068171.9425: Processing preauth types: 16, 15, 19, 2
[17578] 1486068171.9456: Selected etype info: etype aes256-cts, salt "abc.com018443", params ""
[17578] 1486068435.915755: AS key obtained for encrypted timestamp: aes256-cts/B3B5
[17578] 1486068435.915855: Encrypted timestamp (for 1486068405.778558): plain 301AA011180F32303137303230323230343634355AA10502030BE13E, encrypted B9066FF3F56DC8C931B4AA95937AE59185BCE87FDC1D2BF482A575B8166CEDA85E95D7EF5F36253F77D6674F208413BF079CEB6B45CBB101
[17578] 1486068435.915914: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[17578] 1486068435.915931: Produced preauth for next request: 2
[17578] 1486068435.915978: Sending request (273 bytes) to abc.com
[17578] 1486068436.45327: Resolving hostname infdcpci01.abc.com.
[17578] 1486068436.110256: Sending initial UDP request to dgram x.x.161.251:88 (different server dc01)
[17578] 1486068436.191100: Received answer (102 bytes) from dgram x.x.161.251:88
[17578] 1486068436.256271: Response was not from master KDC
[17578] 1486068436.256323: Received error from KDC: -1765328372/KDC policy rejects request
[17578] 1486068436.256366: Retrying AS request with master KDC
[17578] 1486068436.256381: Getting initial credentials for 018443@abc.com
[17578] 1486068436.256480: Sending request (193 bytes) to abc.com (master)
kinit: KDC policy rejects request while getting initial credentials
With krb5.conf: dns_lookup_kdc = false
[root@server01 etc]# KRB5_TRACE=/dev/stderr kinit 018443@abc.com
[17798] 1486068606.982122: Getting initial credentials for 018443@abc.com
[17798] 1486068606.982485: Sending request (193 bytes) to abc.com
[17798] 1486068606.982757: Retrying AS request with master KDC
[17798] 1486068606.982798: Getting initial credentials for 018443@abc.com
[17798] 1486068606.982864: Sending request (193 bytes) to abc.com (master)
kinit: Cannot find KDC for realm "abc.com" while getting initial credentials
[root@server01 etc]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn@redhat.com]
Sent: Thursday, February 02, 2017 10:41 AM
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Re: account not authenticating in child domain
On Thu, Feb 02, 2017 at 09:11:39PM +0000, Gilbert, Sonia wrote:
[root@server01 etc]# KRB5_TRACE=/dev/stderr kinit 018443@abc.com
In general, I think you should either use -E/-C or use upper-case realm.
[17578] 1486068436.45327: Resolving hostname infdcpci01.abc.com.
[17578] 1486068436.110256: Sending initial UDP request to dgram x.x.161.251:88 (different server dc01)
[17578] 1486068436.191100: Received answer (102 bytes) from dgram x.x.161.251:88
Is this a DC from the same realm?
With krb5.conf: dns_lookup_kdc = false
Does it work if you define a 'known good' DC in krb5.conf?
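Jakub's two suggestions above, upper-case realm names and a 'known good' DC pinned in krb5.conf so that dns_lookup_kdc = false no longer ends in "Cannot find KDC for realm", as an added configuration example that is not from the thread. The KDC hostnames are the ad_server entries from the sssd.conf quoted earlier in the thread (dc01/dc02.abc.com, sdc01/sdc02.a.abc.com); that they are reachable and healthy is an assumption to verify with KRB5_TRACE first, and default_realm follows krb5_realm = ABC.COM from that same sssd.conf.

```ini
# Added example krb5.conf fragment (not from the thread). Pinning KDCs in
# [realms] is what lets dns_lookup_kdc = false work: without an entry here
# libkrb5 has nowhere to look, which is the "Cannot find KDC" trace above.
[libdefaults]
    # Matches krb5_realm = ABC.COM in the quoted sssd.conf. Use A.ABC.COM
    # instead if the host belongs in the child domain, which is where every
    # principal in the quoted keytab lives.
    default_realm = ABC.COM
    dns_lookup_kdc = false

[realms]
    # Hostnames assumed from the quoted sssd.conf ad_server lists; confirm
    # each one answers on UDP/TCP 88 before relying on it.
    ABC.COM = {
        kdc = dc01.abc.com
        kdc = dc02.abc.com
        admin_server = dc01.abc.com
    }
    A.ABC.COM = {
        kdc = sdc01.a.abc.com
        kdc = sdc02.a.abc.com
        admin_server = sdc01.a.abc.com
    }

[domain_realm]
    # Map both DNS domains to their (upper-case) realms so a host in
    # a.abc.com still finds ABC.COM for the parent domain's services.
    .abc.com = ABC.COM
    abc.com = ABC.COM
    .a.abc.com = A.ABC.COM
    a.abc.com = A.ABC.COM
```

Re-run the trace as KRB5_TRACE=/dev/stderr kinit 018443@ABC.COM (upper-case realm, as suggested above); the "Sending initial UDP request" line should now name the pinned DC, which isolates whether the remaining "KDC policy rejects request" comes from that DC's account policy rather than from KDC discovery.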
Update:
Still getting an error when trying to join the realm. Not getting much support from the Active Directory folks either; suspected maybe a timing mismatch, so asked for the time and got the response that it was correct.... I don't want to give up here but am not sure what else to do ... Linux books ordered.
##############################
With no computer account object in Active Directory I get this error (the user is not a domain admin): KDC policy rejects request
[root@PHXRASPCI01 bin]# realm join -v --user=username@abc.com abc.com
 * Resolving: _ldap._tcp.abc.com
 * Performing LDAP DSE lookup on: x.x.166.251
 * Performing LDAP DSE lookup on: x.x.166.252
 * Successfully discovered: abc.com
Password for user@abc.com:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.I7G6UY -U username@abc.com ads join abc.com
Enter username@abc.com's password:
kerberos_kinit_password username@ABC.COM failed: KDC policy rejects request
Failed to join domain: failed to connect to AD: KDC policy rejects request
 ! Joining the domain abc.com failed
realm: Couldn't join realm: Joining the domain abc.com failed
######################################################
Asked a domain admin to create a computer account in AD and now get insufficient privileges......yay right??? No :(
[root@PHXRASPCI01 bin]# realm join -v --user=username@abc.com abc.com
 * Resolving: _ldap._tcp.abc.com
 * Performing LDAP DSE lookup on: x.x.161.252
 * Performing LDAP DSE lookup on: x.x.161.251
 * Successfully discovered: abc.com
Password for username@abc.com:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.Y8U2UY -U username@abc.com ads join abc.com
Enter username@abc.com's password:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)
 ! Insufficient permissions to join the domain abc.com
realm: Couldn't join realm: Insufficient permissions to join the domain abc.com
###########################################################################
Had a domain admin use his credentials and get a constraint violation error.
[root@PHXRASPCI01 log]# realm join -v --user=domainadmin@abc.com abc.com
 * Resolving: _ldap._tcp.abc.com
 * Performing LDAP DSE lookup on: x.x.161.251
 * Performing LDAP DSE lookup on: x.x.161.252
 * Successfully discovered: abc.com
Password for domainadmin@abc.com:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.R8T4UY -U domainadmin@abc.com ads join abc.com
Enter domainadmin@abc.com's password:
Failed to join domain: Failed to set machine spn: Constraint violation
Do you have sufficient permissions to create machine accounts?
 ! Joining the domain abc.com failed
realm: Couldn't join realm: Joining the domain abc.com failed
#####################################################
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Thursday, February 02, 2017 10:36 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: account not authenticating in child domain
On Thu, Feb 02, 2017 at 09:11:39PM +0000, Gilbert, Sonia wrote:
Thanks for helping out Lukas.
Kinit resolves to dc02 then fails pre-authentication because it was not the master KDC, after providing password, then resolves to dc01 and then gets the policy rejects again. Tried a few times and it seems that it does not matter which server it resolves, get the same messages about not being master and policy reject. I also tried to set the " dns_lookup_kdc = false" but just caused it not find a server. Klist, only see the server object in the a.abc.com domain.
Below are the results of KRB5_TRACE=/dev/stderr kinit 018443@abc.com:
[root@server01 etc]# KRB5_TRACE=/dev/stderr kinit 018443@abc.com
In general, I think you should either use -E/-C or use upper-case realm.
[17578] 1486068170.688787: Getting initial credentials for 018443@abc.com [17578] 1486068170.689166: Sending request (193 bytes) to abc.com [17578] 1486068170.818519: Resolving hostname infdcpci02.abc.com. [17578] 1486068170.883645: Sending initial UDP request to dgram x.x.161.252:88 (dc02) [17578] 1486068170.946802: Received answer (195 bytes) from dgram x.x.161.252:88 [17578] 1486068171.9293: Response was not from master KDC [17578] 1486068171.9356: Received error from KDC: -1765328359/Additional pre-authentication required [17578] 1486068171.9425: Processing preauth types: 16, 15, 19, 2 [17578] 1486068171.9456: Selected etype info: etype aes256-cts, salt "abc.com018443", params ""
[17578] 1486068435.915755: AS key obtained for encrypted timestamp: aes256-cts/B3B5 [17578] 1486068435.915855: Encrypted timestamp (for 1486068405.778558): plain 301AA011180F32303137303230323230343634355AA10502030BE13E, encrypted B9066FF3F56DC8C931B4AA95937AE59185BCE87FDC1D2BF482A575B8166CEDA85E95D7 EF5F36253F77D6674F208413BF079CEB6B45CBB101 [17578] 1486068435.915914: Preauth module encrypted_timestamp (2) (real) returned: 0/Success [17578] 1486068435.915931: Produced preauth for next request: 2 [17578] 1486068435.915978: Sending request (273 bytes) to abc.com [17578] 1486068436.45327: Resolving hostname infdcpci01.abc.com. [17578] 1486068436.110256: Sending initial UDP request to dgram x.x.161.251:88 (different server dc01) [17578] 1486068436.191100: Received answer (102 bytes) from dgram x.x.161.251:88
Is this a DC from the same realm?
[17578] 1486068436.256271: Response was not from master KDC [17578] 1486068436.256323: Received error from KDC: -1765328372/KDC policy rejects request [17578] 1486068436.256366: Retrying AS request with master KDC [17578] 1486068436.256381: Getting initial credentials for 018443@abc.com [17578] 1486068436.256480: Sending request (193 bytes) to abc.com (master) kinit: KDC policy rejects request while getting initial credentials
With krb5.conf: dns_lookup_kdc = false
[root@server01 etc]# KRB5_TRACE=/dev/stderr kinit 018443@abc.com
[17798] 1486068606.982122: Getting initial credentials for 018443@abc.com
[17798] 1486068606.982485: Sending request (193 bytes) to abc.com
[17798] 1486068606.982757: Retrying AS request with master KDC
[17798] 1486068606.982798: Getting initial credentials for 018443@abc.com
[17798] 1486068606.982864: Sending request (193 bytes) to abc.com (master)
kinit: Cannot find KDC for realm "abc.com" while getting initial credentials
Does it work if you define a 'known good' DC in krb5.conf ?
[root@server01 etc]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01.a.abc.com@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 host/server01@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
   2 server01$@a.abc.com
Sonia Gilbert, Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert@HawaiianAir.com

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn@redhat.com]
Sent: Thursday, February 02, 2017 10:41 AM
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: account not authenticating in child domain
On (02/02/17 19:55), Gilbert, Sonia wrote:
No. Also they said that they opened up the firewall for all the ports.
[root@server01 /]# kinit 018443@abc.com
Password for 018443@abc.com:
kinit: KDC policy rejects request while getting initial credentials
Could it be trying to use krb5.keytab? Is it unique to each instance? Since it was removed from the realm, will it need to have a new keytab generated? Is that a local verification, or do we also have to do something on the AD server?
Use KRB5_TRACE for extra tracing information, e.g.
KRB5_TRACE=/dev/stderr kinit 018443@abc.com
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
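The traces in this thread are easier to compare when the KDC endpoints and error codes are pulled out mechanically rather than read by eye. The parser below is an added example written for this thread, not code from MIT Kerberos or SSSD. It reads KRB5_TRACE output in the format shown above, records which KDC endpoint answered each error, treats the pre-authentication-required error as a normal step of the AS exchange, and flags the two things Lukas pointed at: a lower-case realm in the requested principal and a principal with more than one '@' (the form that appeared in the krb5_child log). The sample lines are constructed in the thread's format with 192.0.2.x placeholder addresses; they are not the poster's real controllers.

```python
"""Summarise a KRB5_TRACE log: which KDCs answered, which errors they
returned and whether the requested realm name looks suspicious.
Added example for this thread; not part of MIT Kerberos or SSSD."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One trace line: "[pid] seconds.micros: message"
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")
PRINCIPAL_RE = re.compile(r"Getting initial credentials for (?P<princ>\S+)")
# "Sending initial UDP request to dgram A:P" and
# "Received answer (N bytes) from dgram A:P" both name the KDC endpoint.
KDC_RE = re.compile(r"(?:request to|answer \(\d+ bytes\) from) (?:dgram|stream) (?P<addr>\S+)")
ERROR_RE = re.compile(r"Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)")
REFERRAL_RE = re.compile(r"Following referral to realm (?P<realm>\S+)")

# Error codes that belong to a normal AS exchange rather than a failure.
BENIGN_KDC_ERRORS = {-1765328359}  # KRB5KDC_ERR_PREAUTH_REQUIRED


@dataclass
class TraceSummary:
    principal: Optional[str] = None
    realm: Optional[str] = None
    kdcs: List[str] = field(default_factory=list)  # endpoints, in contact order
    # (kdc endpoint that answered, error code, error text)
    errors: List[Tuple[Optional[str], int, str]] = field(default_factory=list)
    referrals: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_krb5_trace(text: str) -> TraceSummary:
    s = TraceSummary()
    current_kdc: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        pm = PRINCIPAL_RE.search(msg)
        if pm and s.principal is None:  # retries repeat this line; keep the first
            s.principal = pm.group("princ")
            s.realm = s.principal.rsplit("@", 1)[1]
            if s.principal.count("@") > 1:
                s.warnings.append(
                    f"principal '{s.principal}' contains more than one '@'; "
                    "use an enterprise name (kinit -E) or a plain user@REALM")
            if s.realm != s.realm.upper():
                s.warnings.append(
                    f"realm '{s.realm}' is not upper-case; Kerberos realms are "
                    "case-sensitive, use kinit -C or the upper-case realm")
            continue
        km = KDC_RE.search(msg)
        if km:
            current_kdc = km.group("addr")
            if current_kdc not in s.kdcs:
                s.kdcs.append(current_kdc)
            continue
        em = ERROR_RE.search(msg)
        if em:
            code = int(em.group("code"))
            s.errors.append((current_kdc, code, em.group("text")))
            if code not in BENIGN_KDC_ERRORS:
                s.warnings.append(f"{current_kdc}: {code}/{em.group('text')}")
            continue
        rm = REFERRAL_RE.search(msg)
        if rm:
            s.referrals.append(rm.group("realm"))
    return s


# Constructed sample in the format of the thread's kinit trace; the
# addresses are TEST-NET placeholders, not real domain controllers.
SAMPLE_TRACE = """\
[17578] 1486068170.688787: Getting initial credentials for 018443@abc.com
[17578] 1486068170.689166: Sending request (193 bytes) to abc.com
[17578] 1486068170.883645: Sending initial UDP request to dgram 192.0.2.252:88
[17578] 1486068170.946802: Received answer (195 bytes) from dgram 192.0.2.252:88
[17578] 1486068171.9293: Response was not from master KDC
[17578] 1486068171.9356: Received error from KDC: -1765328359/Additional pre-authentication required
[17578] 1486068435.915978: Sending request (273 bytes) to abc.com
[17578] 1486068436.110256: Sending initial UDP request to dgram 192.0.2.251:88
[17578] 1486068436.191100: Received answer (102 bytes) from dgram 192.0.2.251:88
[17578] 1486068436.256323: Received error from KDC: -1765328372/KDC policy rejects request
[17578] 1486068436.256366: Retrying AS request with master KDC
[17578] 1486068436.256381: Getting initial credentials for 018443@abc.com
"""

if __name__ == "__main__":
    summary = parse_krb5_trace(SAMPLE_TRACE)
    print("principal:", summary.principal, "realm:", summary.realm)
    print("KDCs contacted:", summary.kdcs)
    for kdc, code, text in summary.errors:
        print(f"  {kdc}: {code}/{text}")
    for w in summary.warnings:
        print("WARNING:", w)
```

Run against a real capture, the per-KDC error list answers Lukas's question directly: in the sample, the first DC returns only the benign pre-auth error while the second DC is the one rejecting the request on policy, which is the pattern to look for when two controllers of the same realm behave differently.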
Update: Made some progress. I reinstalled all the sssd and realm packages, created a realmd.conf file and configured krb5.conf. It now creates the computer account but then can not set the password for the computer account. Error: Cannot contact any KDC for requested realm.
kinit domainadmin
[root@server01 etc]# realm join -v abc.com
 * Resolving: _ldap._tcp.abc.com
 * Performing LDAP DSE lookup on: x.x.161.252
 * Performing LDAP DSE lookup on: x.x.161.251
 * Successfully discovered: abc.com
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain abc.com --domain-realm abc.com --domain-controller x.x.161.252 --computer-ou OU=Linux Servers,OU=Servers,DC=abc,DC=com --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-1RWWUY
 * Using domain name: abc.com
 * Calculated computer account name from fqdn: server01
 * Using domain realm: abc.com
 * Sending netlogon pings to domain controller: cldap://x.x.161.252
 * Received NetLogon info from: dc02.abc.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-YXbCzH/krb5.d/adcli-krb5-conf-sHH9Wy
 * Looked up short domain name: abcAir
 * Using fully qualified name: server01
 * Using domain name: abc.com
 * Using computer account name: server01
 * Using domain realm: abc.com
 * Calculated computer account name from fqdn: server01
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: server01
 * Using domain name: abc.com
 * Using computer account name: server01
 * Using domain realm: abc.com
 * Looked up short domain name: Abc
 * Computer account for server01$ does not exist
 ! Couldn't find a computer container in the ou, creating computer account directly in: OU=Linux Servers,OU=Servers,DC=abc,DC=com
 * Calculated computer account: CN=server01,OU=Linux Servers,OU=Servers,DC=abc,DC=com
 * Created computer account: CN=server01,OU=Linux Servers,OU=Servers,DC=abc,DC=com
 ! Couldn't set password for computer account: server01$: Cannot contact any KDC for requested realm
adcli: joining domain abc.com failed: Couldn't set password for computer account: server01$: Cannot contact any KDC for requested realm
 ! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
realmd.conf
[root@server01 sssd]# more /etc/realmd.conf
[service]
automatic-install = no

[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[a.hawaiian.aero]
computer-ou = OU=Linux Servers,OU=Servers,DC=abc,DC=com
automatic-id-mapping = yes
fully-qualified-names = no
[root@PHXRASPCI01 log]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
# forwardable = true
 rdns = false
 default_realm = ABC.COM
# default_ccache_name = KEYRING:persistent:%{uid}
# kdc_timesync = 1

[realms]
 ABC.COM = {
  kdc = dc01.abc.com
  kdc = dc02.abc.com
  admin_server = dc01.abc.com
# default_domain = ABC.COM
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
On Wed, Feb 08, 2017 at 10:17:41PM -0000, sonia.gilbert@hawaiianair.com wrote:
Update: Made some progress. I reinstalled all the sssd and realm packages, created a realmd.conf file and configured krb5.conf. It now creates the computer account but then can not set the password for the computer account. Error: Cannot contact any KDC for requested realm.
kinit domainadmin
[root@server01 etc]# realm join -v abc.com
- Resolving: _ldap._tcp.abc.com
- Performing LDAP DSE lookup on: x.x.161.252
- Performing LDAP DSE lookup on: x.x.161.251
- Successfully discovered: abc.com
- Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
- LANG=C /usr/sbin/adcli join --verbose --domain abc.com --domain-realm abc.com --domain-controller x.x.161.252 --computer-ou OU=Linux Servers,OU=Servers,DC=abc,DC=com --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-1RWWUY
- Using domain name: abc.com
- Calculated computer account name from fqdn: server01
- Using domain realm: abc.com
- Sending netlogon pings to domain controller: cldap://x.x.161.252
- Received NetLogon info from: dc02.abc.com
- Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-YXbCzH/krb5.d/adcli-krb5-conf-sHH9Wy
- Looked up short domain name: abcAir
- Using fully qualified name: server01
- Using domain name: abc.com
- Using computer account name: server01
- Using domain realm: abc.com
- Calculated computer account name from fqdn: server01
- Generated 120 character computer password
- Using keytab: FILE:/etc/krb5.keytab
- Using fully qualified name: server01
- Using domain name: abc.com
- Using computer account name: server01
- Using domain realm: abc.com
- Looked up short domain name: Abc
- Computer account for server01$ does not exist
! Couldn't find a computer container in the ou, creating computer account directly in: OU=Linux Servers,OU=Servers,DC=abc,DC=com
- Calculated computer account: CN=server01,OU=Linux Servers,OU=Servers,DC=abc,DC=com
- Created computer account: CN=server01,OU=Linux Servers,OU=Servers,DC=abc,DC=com
! Couldn't set password for computer account: server01$: Cannot contact any KDC for requested realm
Is SSSD still running or are there still /var/lib/sss/pubconf/kdcinfo.* files? If yes, please stop SSSD and/or remove the /var/lib/sss/pubconf/kdcinfo.* files since they might contain old data which might confuse adcli.
If this does not help you might want to add a file like
/etc/systemd/system/realmd.service.d/krb5_trace.conf:

[Service]
Environment=KRB5_TRACE=/dev/stdout
which should add some extra libkrb5 debug output to the logs.
HTH
bye, Sumit
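Three points raised in this thread can be checked against the posted krb5.conf before the next realm join: Lukas asked whether an upper-case realm and a 'known good' DC pinned in krb5.conf help, the posted file has a [realms] stanza for ABC.COM only and nothing for the child realm, and Sumit asked whether stale /var/lib/sss/pubconf/kdcinfo.* files are still present. The script below is an added example written for this thread, not code from realmd, adcli, SSSD or MIT Kerberos. It parses the subset of krb5.conf syntax used in the posted file, reports those points for a list of expected realms, and lists kdcinfo.* files under a pubconf directory. The expected-realm list, the 'warn'/'info' levels and the sample config text (the posted file, re-typed) are my own assumptions for the demonstration.

```python
"""Pre-join sanity checks for the situation in this thread: a minimal
krb5.conf parser, realm-stanza checks, and a scan for stale SSSD kdcinfo
files. Added example; not code from SSSD, realmd, adcli or MIT Kerberos."""
import glob
import os
from typing import Dict, List, Tuple


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse [sections], 'key = value' (repeated keys collect into a list)
    and 'key = { ... }' subsections. '#' and ';' start comments."""
    sections: Dict[str, dict] = {}
    stack: List[dict] = []  # innermost dict being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if not stack or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def check_krb5_conf(conf: Dict[str, dict], expected_realms: List[str]) -> List[Tuple[str, str]]:
    """Return (level, message) findings. 'warn' items are the ones raised in
    the thread: lower-case realm names and realms with no pinned KDC.
    'info' items only note reliance on DNS-based realm mapping."""
    findings: List[Tuple[str, str]] = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})

    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append(("warn", "libdefaults: default_realm is not set"))
    elif default_realm != default_realm.upper():
        findings.append(("warn", f"libdefaults: default_realm '{default_realm}' should be upper-case"))

    for name in realms:
        if name != name.upper():
            findings.append(("warn", f"realms: stanza '{name}' should be upper-case"))

    for realm in expected_realms:
        stanza = realms.get(realm)
        if not isinstance(stanza, dict) or not stanza.get("kdc"):
            findings.append(("warn", f"realms: {realm} has no 'kdc =' entry; no known-good DC "
                                     "is pinned, KDC discovery relies on DNS SRV records only"))
        domain = realm.lower()
        if domain not in domain_realm and "." + domain not in domain_realm:
            findings.append(("info", f"domain_realm: no explicit mapping of {domain} to {realm}; "
                                     "libkrb5 falls back to DNS TXT lookup or the upper-cased domain"))
    return findings


def stale_kdcinfo_files(pubconf_dir: str = "/var/lib/sss/pubconf") -> List[str]:
    """SSSD writes kdcinfo.<realm> so libkrb5 uses the DC SSSD selected; after
    a leave/rejoin they can still name the old DC, which is why Sumit asked
    for them to be removed while SSSD is stopped."""
    return sorted(glob.glob(os.path.join(pubconf_dir, "kdcinfo.*")))


# Sample input: the relevant part of the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
# forwardable = true
 rdns = false
 default_realm = ABC.COM
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 ABC.COM = {
  kdc = dc01.abc.com
  kdc = dc02.abc.com
  admin_server = dc01.abc.com
# default_domain = ABC.COM
 }

[domain_realm]
# .example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    # Assumed: the parent realm and the child realm from the thread.
    for level, msg in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF), ["ABC.COM", "A.ABC.COM"]):
        print(f"[{level}] {msg}")
    for path in stale_kdcinfo_files():
        print(f"[warn] stale SSSD KDC hint present: {path}")
```

On the posted file this reports one warning, the missing stanza for A.ABC.COM, and two informational notes about domain_realm; a lower-case realm in either default_realm or a [realms] stanza is reported as a warning as well.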