11:24 a.m.
After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for
kerberos-authenticated accounts. However, kinit still succeeds and "getent
passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
credential cache folder) restores normal operation.
My setup:
I'm running Arch linux, and have PAM set to use sssd. sssd in turn authenticates
against a kerberos instance running on my NAS, and pulls user information from an openldap
instance. PAM, kerberos, and openldap were configured by hand as a learning experience,
and have been running for about a year. DNS and NTP are working, ldap is returning users,
and kinit is succeeding on both my local machine and the server.
This appears to be the relevant section of the logs, from krb5_child.log (with debug_level
10):
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
started.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total
buffer size: [147]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd [241]
uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false] UPN
[dave(a)LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): ccname:
[FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab:
[/etc/krb5.keytab]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not using
FAST.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user
to [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch user
to [0][0].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache] (0x4000):
Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup] (0x0080):
Cannot open the PAC responder socket
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to
become user [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as
[1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying to
become user [1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already user
[1042].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running as
[1042][1001].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing]
(0x0100): krb5 tracing is not available
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100):
Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options] (0x0100):
Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option] (0x0100):
SSSD_KRB5_CANONICALIZE is set to [false]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform online
auth
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000): Attempting
to get a TGT
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400):
Attempting kinit for realm [LA-LA.LAN]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000):
sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020): Cannot
handle password prompts.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000): Prompt
[0][Password for dave(a)LA-LA.LAN].
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020): 1296:
[-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020): 1365:
[-1765328254][Cannot read password]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200): Received
error code 1432158218
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet] (0x2000):
response packet size: [4]
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000): Response
sent.
(Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
completed successfully
Please let me know if any other logs or configurations are needed.
11:57 a.m.
New subject: sssd authentication fails with "Cannot read password" after upgrading to 1.14
On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use
sudo for kerberos-authenticated accounts. However, kinit still succeeds and "getent
passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
credential cache folder) restores normal operation.
My setup:
I'm running Arch linux, and have PAM set to use sssd. sssd in turn authenticates
against a kerberos instance running on my NAS, and pulls user information from an openldap
instance. PAM, kerberos, and openldap were configured by hand as a learning experience,
and have been running for about a year. DNS and NTP are working, ldap is returning users,
and kinit is succeeding on both my local machine and the server.
I think I have an idea what is wrong. Can you tell me what kind of KDC
you are using on the NAS and which Kerberos library is used on the
client so that I can try to reproduce it locally?
bye,
Sumit
>
> This appears to be the relevant section of the logs, from krb5_child.log (with
debug_level 10):
>
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
started.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000): total
buffer size: [147]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100): cmd
[241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline [false]
UPN [dave(a)LA-LA.LAN]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100):
ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab:
[/etc/krb5.keytab]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100): Not
using FAST.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch
user to [1042][1001].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200): Switch
user to [0][0].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup]
(0x0080): Cannot open the PAC responder socket
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying
to become user [1042][1001].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as
[1042][1001].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Trying
to become user [1042][1001].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200): Already
user [1042].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000): Running
as [1042][1001].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_child_set_krb5_tracing]
(0x0100): krb5 tracing is not available
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option]
(0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will perform
online auth
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000):
Attempting to get a TGT
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0400):
Attempting kinit for realm [LA-LA.LAN]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000):
sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x0020):
Cannot handle password prompts.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter] (0x4000):
Prompt [0][Password for dave(a)LA-LA.LAN].
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt] (0x0020):
1296: [-1765328254][Cannot read password]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020):
1365: [-1765328254][Cannot read password]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200):
Received error code 1432158218
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet]
(0x2000): response packet size: [4]
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000):
Response sent.
> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
completed successfully
>
> Please let me know if any other logs or configurations are needed.
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
12:04 p.m.
New subject: sssd authentication fails with "Cannot read password" after upgrading to 1.14
The NAS is also running Arch, and is the MIT kerberos 1.13.1. The
client is using 1.13.4 of the same package.
On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose <sbose(a)redhat.com> wrote:
> On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
>> After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for
kerberos-authenticated accounts. However, kinit still succeeds and "getent
passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
credential cache folder) restores normal operation.
>>
>> My setup:
>> I'm running Arch linux, and have PAM set to use sssd. sssd in turn
authenticates against a kerberos instance running on my NAS, and pulls user information
from an openldap instance. PAM, kerberos, and openldap were configured by hand as a
learning experience, and have been running for about a year. DNS and NTP are working,
ldap is returning users, and kinit is succeeding on both my local machine and the server.
>
> I think I have an idea what is wrong. Can you tell me what kind of KDC
> you are using on the NAS and which Kerberos library is used on the
> client so that I can try to reproduce it locally?
>
> bye,
> Sumit
>
>>
>> This appears to be the relevant section of the logs, from krb5_child.log (with
debug_level 10):
>>
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
started.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x1000):
total buffer size: [147]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100):
cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false] offline
[false] UPN [dave(a)LA-LA.LAN]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer] (0x0100):
ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1042_93EyUo] keytab:
[/etc/krb5.keytab]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast] (0x0100):
Not using FAST.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200):
Switch user to [1042][1001].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds] (0x0200):
Switch user to [0][0].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [privileged_krb5_setup]
(0x0080): Cannot open the PAC responder socket
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200):
Trying to become user [1042][1001].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000): Running as
[1042][1001].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200):
Trying to become user [1042][1001].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user] (0x0200):
Already user [1042].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000):
Running as [1042][1001].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_canonicalize_option]
(0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will
perform online auth
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child] (0x1000):
Attempting to get a TGT
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [LA-LA.LAN]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Password for dave(a)LA-LA.LAN].
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328254][Cannot read password]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error] (0x0020):
1365: [-1765328254][Cannot read password]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x0200):
Received error code 1432158218
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet]
(0x2000): response packet size: [4]
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data] (0x4000):
Response sent.
>> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): krb5_child
completed successfully
>>
>> Please let me know if any other logs or configurations are needed.
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users(a)lists.fedorahosted.org
>> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
2:21 p.m.
New subject: sssd authentication fails with "Cannot read password" after upgrading to 1.14
On Fri, Jul 15, 2016 at 01:04:17PM -0400, David Wilhelm wrote:
The NAS is also running Arch, and is the MIT kerberos 1.13.1. The
client is using 1.13.4 of the same package.
On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose <sbose(a)redhat.com> wrote:
> On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
>> After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use sudo for
kerberos-authenticated accounts. However, kinit still succeeds and "getent
passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
credential cache folder) restores normal operation.
Thanks I was able to reproduce the issue. After discussing it with a
co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454
because we think it is originally an issue in the responder interface of
MIT Kerberos. I would like to hear back from MIT before trying to fix
the SSSD side.
I'm pretty sure that authentication would work again if you enable
pre-authentication for the user principals on the KDC
# kadmin.local
kadmin.local: modprinc +requires_preauth dave(a)LA-LA.LAN
Is there a reason why pre-authentication is disabled? If not it is very,
very, very recommended to enable it (not only to make SSSD work), see
e.g.
http://superuser.com/questions/200010/how-does-kerberos-preauthentication...
for some explanations.
bye,
Sumit
> >>
> >> My setup:
> >> I'm running Arch linux, and have PAM set to use sssd. sssd in turn
authenticates against a kerberos instance running on my NAS, and pulls user information
from an openldap instance. PAM, kerberos, and openldap were configured by hand as a
learning experience, and have been running for about a year. DNS and NTP are working,
ldap is returning users, and kinit is succeeding on both my local machine and the server.
> >
> > I think I have an idea what is wrong. Can you tell me what kind of KDC
> > you are using on the NAS and which Kerberos library is used on the
> > client so that I can try to reproduce it locally?
> >
> > bye,
> > Sumit
> >
> >>
> >> This appears to be the relevant section of the logs, from krb5_child.log
(with debug_level 10):
> >>
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400):
krb5_child started.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer]
(0x1000): total buffer size: [147]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false]
offline [false] UPN [dave(a)LA-LA.LAN]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_1042_93EyUo] keytab: [/etc/krb5.keytab]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast]
(0x0100): Not using FAST.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds]
(0x0200): Switch user to [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds]
(0x0200): Switch user to [0][0].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is active and TGT is valid.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user]
(0x0200): Trying to become user [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000):
Running as [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user]
(0x0200): Trying to become user [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user]
(0x0200): Already user [1042].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup] (0x2000):
Running as [1042][1001].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [set_lifetime_options]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400): Will
perform online auth
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [LA-LA.LAN]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][Password for dave(a)LA-LA.LAN].
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328254][Cannot read password]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error]
(0x0020): 1365: [-1765328254][Cannot read password]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data]
(0x0200): Received error code 1432158218
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [pack_response_packet]
(0x2000): response packet size: [4]
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data]
(0x4000): Response sent.
> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400):
krb5_child completed successfully
> >>
> >> Please let me know if any other logs or configurations are needed.
> >> _______________________________________________
> >> sssd-users mailing list
> >> sssd-users(a)lists.fedorahosted.org
> >>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users(a)lists.fedorahosted.org
> > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
4:33 p.m.
New subject: sssd authentication fails with "Cannot read password" after upgrading to 1.14
Enabling the preauthentication flag for the principal does indeed get
authentication working again.
The only reason it wasn't enabled was the usual poor reason: it wasn't
the default.
Thank you for the help and the explanation!
~Dave
On Fri, Jul 15, 2016 at 3:21 PM, Sumit Bose <sbose(a)redhat.com> wrote:
> On Fri, Jul 15, 2016 at 01:04:17PM -0400, David Wilhelm wrote:
>> The NAS is also running Arch, and is the MIT kerberos 1.13.1. The
>> client is using 1.13.4 of the same package.
>>
>> On Fri, Jul 15, 2016 at 12:57 PM, Sumit Bose <sbose(a)redhat.com> wrote:
>> > On Fri, Jul 15, 2016 at 04:24:02PM -0000, David Wilhelm wrote:
>> >> After upgrading from 1.13.4 to 1.14.0, I am unable to sign in or use
sudo for kerberos-authenticated accounts. However, kinit still succeeds and "getent
passwd" still lists all network users. Downgrading to 1.13.4 (after clearing the
credential cache folder) restores normal operation.
>
> Thanks I was able to reproduce the issue. After discussing it with a
> co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454
> because we think it is originally an issue in the responder interface of
> MIT Kerberos. I would like to hear back from MIT before trying to fix
> the SSSD side.
>
> I'm pretty sure that authentication would work again if you enable
> pre-authentication for the user principals on the KDC
>
> # kadmin.local
> kadmin.local: modprinc +requires_preauth dave(a)LA-LA.LAN
>
> Is there a reason why pre-authentication is disabled? If not it is very,
> very, very recommended to enable it (not only to make SSSD work), see
> e.g.
>
http://superuser.com/questions/200010/how-does-kerberos-preauthentication...
> for some explanations.
>
> bye,
> Sumit
>
>
>> >>
>> >> My setup:
>> >> I'm running Arch linux, and have PAM set to use sssd. sssd in turn
authenticates against a kerberos instance running on my NAS, and pulls user information
from an openldap instance. PAM, kerberos, and openldap were configured by hand as a
learning experience, and have been running for about a year. DNS and NTP are working,
ldap is returning users, and kinit is succeeding on both my local machine and the server.
>> >
>> > I think I have an idea what is wrong. Can you tell me what kind of KDC
>> > you are using on the NAS and which Kerberos library is used on the
>> > client so that I can try to reproduce it locally?
>> >
>> > bye,
>> > Sumit
>> >
>> >>
>> >> This appears to be the relevant section of the logs, from krb5_child.log
(with debug_level 10):
>> >>
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400):
krb5_child started.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer]
(0x1000): total buffer size: [147]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1042] gid [1001] validate [false] enterprise principal [false]
offline [false] UPN [dave(a)LA-LA.LAN]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1042_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_1042_93EyUo] keytab: [/etc/krb5.keytab]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [check_use_fast]
(0x0100): Not using FAST.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds]
(0x0200): Switch user to [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [switch_creds]
(0x0200): Switch user to [0][0].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1042_93EyUo] and is
active and TGT is valid.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user]
(0x0200): Trying to become user [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x2000):
Running as [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user]
(0x0200): Trying to become user [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [become_user]
(0x0200): Already user [1042].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_setup]
(0x2000): Running as [1042][1001].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from
environment.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400):
Will perform online auth
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [LA-LA.LAN]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts
[1] EINVAL.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[sss_krb5_prompter] (0x0020): Cannot handle password prompts.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[sss_krb5_prompter] (0x4000): Prompt [0][Password for dave(a)LA-LA.LAN].
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328254][Cannot read password]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [map_krb5_error]
(0x0020): 1365: [-1765328254][Cannot read password]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data]
(0x0200): Received error code 1432158218
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]]
[pack_response_packet] (0x2000): response packet size: [4]
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [k5c_send_data]
(0x4000): Response sent.
>> >> (Thu Jul 14 16:47:32 2016) [[sssd[krb5_child[2461]]]] [main] (0x0400):
krb5_child completed successfully
>> >>
>> >> Please let me know if any other logs or configurations are needed.
>> >> _______________________________________________
>> >> sssd-users mailing list
>> >> sssd-users(a)lists.fedorahosted.org
>> >>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
>> > _______________________________________________
>> > sssd-users mailing list
>> > sssd-users(a)lists.fedorahosted.org
>> >
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users(a)lists.fedorahosted.org
>> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
2846
days inactive
2846
days old
sssd-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
David Wilhelm -
Sumit Bose