On Mon, Apr 01, 2019 at 07:04:01AM -0000, Peter de Groot wrote:
> Thank you so much for the reply. Apologies, I have not found the option to email me
> replies ;-( so was lax in getting back to you.
> Some interesting stuff... The kinit -C -E gave me a password error, but the clean kinit
> did not.
> 2 loads of debug, and the /etc/krb5.conf.
> First for the account that is causing the problem, and for interest's sake, one that does
> not.
> Thought bubbles:
> e4182s01sv023 is an Ubuntu box on our network, but is certainly not an AD controller.
> It is a vanilla machine with a GUI running Docker for our Xibo server. Not sure what the
> config is.
> Our on-site domain controller is a RODC (read-only domain controller); it is
> e4182s01sv001 (10.251.17.2). The other addresses point "upstream" and are
> commented out...
> --------------------------- Not working account ------------------------
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit E2052982(a)ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101337.247277: Getting initial credentials for E2052982(a)ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101337.247279: Sending unauthenticated request
> [5186] 1554101337.247280: Sending request (198 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101337.247281: Sending initial UDP request to dgram 10.251.17.2:88
> [5186] 1554101337.247282: Received answer (227 bytes) from dgram 10.251.17.2:88
> [5186] 1554101337.247283: Response was from master KDC
> [5186] 1554101337.247284: Received error from KDC: -1765328359/Additional pre-authentication required
> [5186] 1554101337.247287: Preauthenticating using KDC method data
> [5186] 1554101337.247288: Processing preauth types: 16, 15, 19, 2
> [5186] 1554101337.247289: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
^^^
> Password for E2052982(a)ORANGE.SCHOOLS.INTERNAL:
> [5186] 1554101341.706478: AS key obtained for encrypted timestamp: aes256-cts/8217
> [5186] 1554101341.706480: Encrypted timestamp (for 1554101348.551637): plain 301AA011180F32303139303430313036343930385AA1050203086AD5, encrypted 37E0EBC0CA374D8B79089A73622CE2A033D1477A5898474FF1F510DB28BCF562382501BF7FC58FA96EB309288C0CCCC186FF225CC3A1C302
> [5186] 1554101341.706481: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5186] 1554101341.706482: Produced preauth for next request: 2
> [5186] 1554101341.706483: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101341.706484: Sending initial UDP request to dgram 10.251.17.2:88
> [5186] 1554101341.706485: Received answer (118 bytes) from dgram 10.251.17.2:88
> [5186] 1554101341.706486: Response was from master KDC
> [5186] 1554101341.706487: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [5186] 1554101341.706488: Request or response is too big for UDP; retrying with TCP
> [5186] 1554101341.706489: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
> [5186] 1554101341.706490: Initiating TCP connection to stream 10.251.17.2:88
> [5186] 1554101341.706491: Sending TCP request to stream 10.251.17.2:88
> [5186] 1554101341.706492: Received answer (2057 bytes) from stream 10.251.17.2:88
> [5186] 1554101341.706493: Terminating TCP connection to stream 10.251.17.2:88
> [5186] 1554101341.706494: Response was from master KDC
> [5186] 1554101341.706495: Processing preauth types: 19
> [5186] 1554101341.706496: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> [5186] 1554101341.706497: Produced preauth for next request: (empty)
> [5186] 1554101341.706498: AS key determined by preauth: aes256-cts/8217
> [5186] 1554101341.706499: Decrypted AS reply; session key is: aes256-cts/31CF
> [5186] 1554101341.706500: FAST negotiation: unavailable
> [5186] 1554101341.706501: Initializing FILE:/tmp/krb5cc_0 with default princ E2052982(a)ORANGE.SCHOOLS.INTERNAL
> [5186] 1554101341.706502: Storing E2052982(a)ORANGE.SCHOOLS.INTERNAL -> krbtgt/ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL in FILE:/tmp/krb5cc_0
> [5186] 1554101341.706503: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL: pa_type: 2
> [5186] 1554101341.706504: Storing E2052982(a)ORANGE.SCHOOLS.INTERNAL -> krb5_ccache_conf_data/pa_type/krbtgt\/ORANGE.SCHOOLS.INTERNAL\@ORANGE.SCHOOLS.INTERNAL(a)X-CACHECONF: in FILE:/tmp/krb5cc_0
> ----------------------------------------------------------------------------------------------------------------
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E E2052982(a)ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101419.357336: Getting initial credentials for E2052982\@ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101419.357338: Sending unauthenticated request
> [5188] 1554101419.357339: Sending request (222 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101419.357340: Sending initial UDP request to dgram 10.251.17.2:88
> [5188] 1554101419.357341: Received answer (257 bytes) from dgram 10.251.17.2:88
> [5188] 1554101419.357342: Response was from master KDC
> [5188] 1554101419.357343: Received error from KDC: -1765328359/Additional pre-authentication required
> [5188] 1554101419.357346: Preauthenticating using KDC method data
> [5188] 1554101419.357347: Processing preauth types: 16, 15, 19, 2
> [5188] 1554101419.357348: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
In theory the salt values here and above should be the same.
Can you send the complete LDAP object of your AD user and the one for
the host e4182s01sv023.orange.schools.internal if it exists?
bye,
Sumit
> Password for E2052982\@ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL:
> [5188] 1554101423.561284: AS key obtained for encrypted timestamp: aes256-cts/3D4E
> [5188] 1554101423.561286: Encrypted timestamp (for 1554101430.919162): plain 301AA011180F32303139303430313036353033305AA10502030E067A, encrypted D94687570DB208752390A6133A228CCA354D65B19CDE89148F73AA37699598B25D33F3D3C319DDDE77AFA0D889B903887A7963E9F90F48A7
> [5188] 1554101423.561287: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5188] 1554101423.561288: Produced preauth for next request: 2
> [5188] 1554101423.561289: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5188] 1554101423.561290: Sending initial UDP request to dgram 10.251.17.2:88
> [5188] 1554101423.561291: Received answer (221 bytes) from dgram 10.251.17.2:88
> [5188] 1554101423.561292: Response was from master KDC
> [5188] 1554101423.561293: Received error from KDC: -1765328360/Preauthentication failed
> [5188] 1554101423.561296: Preauthenticating using KDC method data
> [5188] 1554101423.561297: Processing preauth types: 19
> [5188] 1554101423.561298: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> kinit: Password incorrect while getting initial credential
>
> ----------------------------------------------------- Working account ---------------------------------------
>
>
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit Ev005629(a)ORANGE.SCHOOLS.INTERNAL
> [5189] 1554101493.100226: Getting initial credentials for Ev005629(a)ORANGE.SCHOOLS.INTERNAL
> [5189] 1554101493.100228: Sending unauthenticated request
> [5189] 1554101493.100229: Sending request (198 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5189] 1554101493.100230: Sending initial UDP request to dgram 10.251.17.2:88
> [5189] 1554101493.100231: Received answer (227 bytes) from dgram 10.251.17.2:88
> [5189] 1554101493.100232: Response was from master KDC
> [5189] 1554101493.100233: Received error from KDC: -1765328359/Additional pre-authentication required
> [5189] 1554101493.100236: Preauthenticating using KDC method data
> [5189] 1554101493.100237: Processing preauth types: 16, 15, 19, 2
> [5189] 1554101493.100238: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> Password for Ev005629(a)ORANGE.SCHOOLS.INTERNAL:
> [5189] 1554101496.919879: AS key obtained for encrypted timestamp: aes256-cts/D46A
> [5189] 1554101496.919881: Encrypted timestamp (for 1554101504.268445): plain 301AA011180F32303139303430313036353134345AA105020304189D, encrypted 26FF52413B27417C80958CA9278046140009E6D41B704107A83A6FC9D84B1C27DD39B99526D54DC3E9D8F4831231C352CB25272DC675CF4A
> [5189] 1554101496.919882: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5189] 1554101496.919883: Produced preauth for next request: 2
> [5189] 1554101496.919884: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5189] 1554101496.919885: Sending initial UDP request to dgram 10.251.17.2:88
> [5189] 1554101496.919886: Received answer (118 bytes) from dgram 10.251.17.2:88
> [5189] 1554101496.919887: Response was from master KDC
> [5189] 1554101496.919888: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [5189] 1554101496.919889: Request or response is too big for UDP; retrying with TCP
> [5189] 1554101496.919890: Sending request (278 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
> [5189] 1554101496.919891: Initiating TCP connection to stream 10.251.17.2:88
> [5189] 1554101496.919892: Sending TCP request to stream 10.251.17.2:88
> [5189] 1554101496.919893: Received answer (2033 bytes) from stream 10.251.17.2:88
> [5189] 1554101496.919894: Terminating TCP connection to stream 10.251.17.2:88
> [5189] 1554101496.919895: Response was from master KDC
> [5189] 1554101496.919896: Processing preauth types: 19
> [5189] 1554101496.919897: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> [5189] 1554101496.919898: Produced preauth for next request: (empty)
> [5189] 1554101496.919899: AS key determined by preauth: aes256-cts/D46A
> [5189] 1554101496.919900: Decrypted AS reply; session key is: aes256-cts/9927
> [5189] 1554101496.919901: FAST negotiation: unavailable
> [5189] 1554101496.919902: Initializing FILE:/tmp/krb5cc_0 with default princ Ev005629(a)ORANGE.SCHOOLS.INTERNAL
> [5189] 1554101496.919903: Storing Ev005629(a)ORANGE.SCHOOLS.INTERNAL -> krbtgt/ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL in FILE:/tmp/krb5cc_0
> [5189] 1554101496.919904: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL: pa_type: 2
> [5189] 1554101496.919905: Storing Ev005629(a)ORANGE.SCHOOLS.INTERNAL -> krb5_ccache_conf_data/pa_type/krbtgt\/ORANGE.SCHOOLS.INTERNAL\@ORANGE.SCHOOLS.INTERNAL(a)X-CACHECONF: in FILE:/tmp/krb5cc_0
>
>
> -----------------------------------------------------------------------------------------------------------
>
>
> root@e4182s01sv025:/home/schadm# env KRB5_TRACE=/dev/stdout kinit -C -E Ev005629(a)ORANGE.SCHOOLS.INTERNAL
> [5190] 1554101561.515120: Getting initial credentials for Ev005629\@ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL
> [5190] 1554101561.515122: Sending unauthenticated request
> [5190] 1554101561.515123: Sending request (222 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5190] 1554101561.515124: Sending initial UDP request to dgram 10.251.17.2:88
> [5190] 1554101561.515125: Received answer (227 bytes) from dgram 10.251.17.2:88
> [5190] 1554101561.515126: Response was from master KDC
> [5190] 1554101561.515127: Received error from KDC: -1765328359/Additional pre-authentication required
> [5190] 1554101561.515130: Preauthenticating using KDC method data
> [5190] 1554101561.515131: Processing preauth types: 16, 15, 19, 2
> [5190] 1554101561.515132: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> Password for Ev005629\@ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL:
> [5190] 1554101566.134163: AS key obtained for encrypted timestamp: aes256-cts/D46A
> [5190] 1554101566.134165: Encrypted timestamp (for 1554101573.492495): plain 301AA011180F32303139303430313036353235335AA10502030783CF, encrypted ED85BD609D059F6741BBBCD4505B8CEDAE8A3A0EF7A98987F82C3B93414A61072A11A482370A805BE1D3490EE9CA3E81DD7B10A36E1FAA6B
> [5190] 1554101566.134166: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [5190] 1554101566.134167: Produced preauth for next request: 2
> [5190] 1554101566.134168: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
> [5190] 1554101566.134169: Sending initial UDP request to dgram 10.251.17.2:88
> [5190] 1554101566.134170: Received answer (118 bytes) from dgram 10.251.17.2:88
> [5190] 1554101566.134171: Response was from master KDC
> [5190] 1554101566.134172: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [5190] 1554101566.134173: Request or response is too big for UDP; retrying with TCP
> [5190] 1554101566.134174: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL (tcp only)
> [5190] 1554101566.134175: Initiating TCP connection to stream 10.251.17.2:88
> [5190] 1554101566.134176: Sending TCP request to stream 10.251.17.2:88
> [5190] 1554101566.134177: Received answer (2049 bytes) from stream 10.251.17.2:88
> [5190] 1554101566.134178: Terminating TCP connection to stream 10.251.17.2:88
> [5190] 1554101566.134179: Response was from master KDC
> [5190] 1554101566.134180: Processing preauth types: 19
> [5190] 1554101566.134181: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALtfx.solutions2", params ""
> [5190] 1554101566.134182: Produced preauth for next request: (empty)
> [5190] 1554101566.134183: AS key determined by preauth: aes256-cts/D46A
> [5190] 1554101566.134184: Decrypted AS reply; session key is: aes256-cts/A383
> [5190] 1554101566.134185: FAST negotiation: unavailable
> [5190] 1554101566.134186: Initializing FILE:/tmp/krb5cc_0 with default princ EV005629(a)ORANGE.SCHOOLS.INTERNAL
> [5190] 1554101566.134187: Storing EV005629(a)ORANGE.SCHOOLS.INTERNAL -> krbtgt/ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL in FILE:/tmp/krb5cc_0
> [5190] 1554101566.134188: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/ORANGE.SCHOOLS.INTERNAL(a)ORANGE.SCHOOLS.INTERNAL: pa_type: 2
> [5190] 1554101566.134189: Storing EV005629(a)ORANGE.SCHOOLS.INTERNAL -> krb5_ccache_conf_data/pa_type/krbtgt\/ORANGE.SCHOOLS.INTERNAL\@ORANGE.SCHOOLS.INTERNAL(a)X-CACHECONF: in FILE:/tmp/krb5cc_0
>
> ------------------------------------ krb5.conf ---------------------------------
> cat /etc/krb5.conf
> [libdefaults]
> default_realm = ORANGE.SCHOOLS.INTERNAL
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
> # default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> # default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns=false
>
> [domain_realm]
> .orange.schools.internal = ORANGE.SCHOOLS.INTERNAL
> orange.schools.internal = ORANGE.SCHOOLS.INTERNAL
>
> #[realms]
> # SCHOOLS.INTERNAL = {
> # kdc = E7359SVINT730.schools.internal
> # kdc = E7359SVINT731.schools.internal
> # kdc = E7359SVINT732.schools.internal
> #}
>
>
> ORANGE.SCHOOLS.INTERNAL = {
> # kdc = E7359SVINT743.orange.schools.internal:88
> kdc = E4182s01sv001.orange.schools.internal:88
> admin_server = E4182s01sv001.orange.schools.internal
> default_domain = orange.schools.internal
> }
>
>
> [logging]
> kdc = FILE:/var/log/krb5kdc/kdc.log
> admin_server = FILE:/var/log/krb5kdc/kadmin.log
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
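The salt comparison Sumit points at above (the same account being offered two different salts by the KDC, the enterprise-principal run ending in "Preauthentication failed") can be pulled out of KRB5_TRACE output mechanically. The following is an added example, not code from this thread or from SSSD/MIT krb5; it runs over a constructed trace excerpt modelled on the traces above, with EXAMPLE.TEST and sv023 as placeholder realm and host names, and reports every principal whose runs were offered different salts together with each run's outcome.

```python
import re
from collections import defaultdict

# Constructed KRB5_TRACE excerpt modelled on the traces in this thread;
# realm, host and salt values are illustrative placeholders, not real data.
SAMPLE_TRACE = """\
[5186] 1554101337.247277: Getting initial credentials for E2052982@EXAMPLE.TEST
[5186] 1554101337.247289: Selected etype info: etype aes256-cts, salt "EXAMPLE.TESTpeter.de.groot", params ""
[5186] 1554101341.706499: Decrypted AS reply; session key is: aes256-cts/31CF
[5188] 1554101419.357336: Getting initial credentials for E2052982\\@EXAMPLE.TEST@EXAMPLE.TEST
[5188] 1554101419.357348: Selected etype info: etype aes256-cts, salt "EXAMPLE.TESThostsv023.example.test", params ""
[5188] 1554101423.561293: Received error from KDC: -1765328360/Preauthentication failed
"""

LINE_RE = re.compile(r"^\[(\d+)\] [\d.]+: (.*)$")
PRINC_RE = re.compile(r"^Getting initial credentials for (\S+)$")
SALT_RE = re.compile(r'salt "([^"]*)"')
ERR_RE = re.compile(r"^Received error from KDC: -?\d+/(.*)$")


def normalize_principal(princ):
    """kinit -E logs name\\@REALM@REALM; fold it back to name@REALM."""
    name = princ.rpartition("@")[0]
    return name.replace("\\@", "@") if "\\@" in name else princ


def parse_trace(text):
    """Group lines by kinit pid: principal, salts offered by the KDC, outcome."""
    runs = defaultdict(lambda: {"principal": None, "salts": [], "result": None})
    # Password prompts and wrapped continuation lines do not match and are skipped.
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        run, msg = runs[m.group(1)], m.group(2)
        if pm := PRINC_RE.match(msg):
            run["principal"] = normalize_principal(pm.group(1))
        elif sm := SALT_RE.search(msg):
            run["salts"].append(sm.group(1))
        elif em := ERR_RE.match(msg):
            run["result"] = em.group(1)  # overwritten if the AS reply later decrypts
        elif msg.startswith("Decrypted AS reply"):
            run["result"] = "ok"
    return dict(runs)


def salt_mismatches(runs):
    """{principal: {pid: (first salt, result)}} for accounts whose runs got
    different salts; a healthy account is offered the same salt every time."""
    by_princ = defaultdict(dict)
    for pid, run in runs.items():
        if run["principal"] and run["salts"]:
            by_princ[run["principal"]][pid] = (run["salts"][0], run["result"])
    return {p: r for p, r in by_princ.items() if len({s for s, _ in r.values()}) > 1}
```

Run it against a real trace by reading the file into `parse_trace` instead of `SAMPLE_TRACE`; a non-empty result from `salt_mismatches` is the LDAP-object question Sumit asks, already narrowed to the affected account.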