After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for
Kerberos-authenticated accounts. However, kinit still succeeds and "getent
passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
credential cache folder) restores normal operation.

My setup:
I'm running Arch Linux, and have PAM set to use sssd. sssd in turn authenticates
against a Kerberos instance running on my NAS, and pulls user information from an OpenLDAP
instance. PAM, Kerberos, and OpenLDAP were configured by hand as a learning experience,
and have been running for about a year. DNS and NTP are working, LDAP is returning users,
and kinit is succeeding on both my local machine and the server.

This appears to be the relevant section of the logs, from krb5_child.log (with debug_level
10):
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
started.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total
buffer size: [147]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241]
uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN
[dave(a)LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab:
[/etc/krb5.keytab]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not using
FAST.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user
to [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user
to [0][0].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache] (0x4000):
Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080):
Cannot open the PAC responder socket
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to
become user [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as
[1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to
become user [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already user
[1042].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running as
[1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing]
(0x0100): krb5 tracing is not available
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100):
Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100):
Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option] (0x0100):
SSSD_KRB5_CANONICALIZE is set to [false]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform online
auth
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000): Attempting
to get a TGT
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400):
Attempting kinit for realm [LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000):
sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot
handle password prompts.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt
[0][Password for dave(a)LA-LA.LAN].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296:
[-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365:
[-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received
error code 1432158218
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet] (0x2000):
response packet size: [4]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000): Response
sent.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
completed successfully
Please let me know if any other logs or configurations are needed.
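
Added example, not part of the original post: a small Python triage script that rejoins the mail-wrapped lines of a krb5_child.log like the one above and lists only the failure-level entries. The level names follow SSSD's debug-level bitmask; the names `join_wrapped` and `failures` are illustrative, and the sample is an excerpt of the log above.

```python
import re

# SSSD debug-level bits that mark failures (sssd.conf debug_level bitmask).
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical",
                  0x0040: "serious", 0x0080: "minor"}
# An entry starts "(timestamp) [[sssd[component[pid]]]]"; other lines are wraps.
HEADER = r"^\([^)]+\) \[\[sssd\[\w+\[\d+\]\]\]\]"
ENTRY = re.compile(HEADER + r" \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")

# Excerpt of the log quoted in the post, wrapped the way the mail wrapped it.
SAMPLE = """\
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080):
Cannot open the PAC responder socket
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing]
(0x0100): krb5 tracing is not available
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot
handle password prompts.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296:
[-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
completed successfully
"""

def join_wrapped(text):
    """Rejoin entries that were wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(HEADER, line) or not entries:
            entries.append(line)          # a new log entry begins here
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def failures(text):
    """Return (function, severity, message) for each failure-level entry."""
    found = []
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if m and int(m["level"], 16) in FAILURE_LEVELS:
            found.append((m["func"], FAILURE_LEVELS[int(m["level"], 16)], m["msg"]))
    return found

if __name__ == "__main__":
    for func, severity, msg in failures(SAMPLE):
        print(f"{severity:8} {func}: {msg}")
```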