Here is the krb5_child.log:
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917796: TGS request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917822: Received creds for desired service
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917850: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917878: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917924: Creating authenticator for ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, seqnum 0, subkey (null),
session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918003: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918061: Decrypted AP-REQ with specified server principal
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM: rc4-hmac/0336
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918092: AP-REQ ticket: ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918267: Negotiated enctype based on authenticator: rc4-hmac
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918299: Initializing MEMORY:rd_req2 with default princ
ondrejv(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918330: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918357: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918390: Destroying ccache MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT
verified using key for [host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918470: Retrieving ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2 with result:
0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918565: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[ondrejv\@DUBLIN.AD.S3GROUP.COM(a)DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918705: Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to
become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal]
(0x4000): Location: [KEYRING:persistent:14019]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal]
(0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal
ondrejv(a)DUBLIN.AD.S3GROUP.COM in cache collection]
Not sure if it helps.
O.
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
Sent: Friday, September 25, 2015 9:14 AM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] Problem authenticating user
On (24/09/15 18:04), Sumit Bose wrote:
On Thu, Sep 24, 2015 at 01:58:34PM +0000, Ondrej Valousek wrote:
> Hi List,
>
> I am running into a problem with pam_sss. It is unable to authenticate a user against AD via Kerberos.
> Log files:
>
> Sssd_default.log
> (Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache file for user [ondrejv] found.
> (Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
Those messages are expected info messages, they do not indicate an
error. Do you have any content in the krb5_child.log ? Feel free to
forward the full logs to me directly.
bye,
Sumit
>
> Pam.log:
>
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ondrejv] added to PAM initgroup cache
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: default
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: login03
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 27660
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x22b2a10
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x417d60:3:ondrejv@default]
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x22b2a10
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x22b1f10
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][default]
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
^^
pam responder received
PAM_SYSTEM_ERR from default domain
The debug message is improved in newer sssd.
Which version of sssd do you use?
I agree with Sumit. We will need to see the krb5_child.log (log file from default domain
might be useful as well)
LS
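Added example, not part of the original thread and not SSSD code: a small triage script that rebuilds mail-wrapped SSSD debug entries like those above, keeps only the failure-level ones, and names the PAM result code. The sample text is constructed from the thread's log lines with placeholder principals; the function names are hypothetical.

```python
import re

# Failure bits of the sssd.conf(5) debug_level mask; higher bits are config/trace output.
FAILURE_BITS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}
# Linux-PAM return codes; 4 is the value named in the thread.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 7: "PAM_AUTH_ERR"}

HEADER = re.compile(
    r"\((\w{3} \w{3} \d{1,2} [\d:]{8} \d{4})\) (\S+) \[(\w+)\] \((0x[0-9a-fA-F]{4})\):")

# Constructed sample: wrapped and '>'-quoted the way a mail client leaves it.
SAMPLE = """\
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT
verified using key for [host/client.example.com@EXAMPLE.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal]
(0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal
user@EXAMPLE.COM in cache collection]
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][default] (Thu Sep
> 24 14:14:16 2015) [sssd[pam]]
> [pam_reply] (0x0200): pam_reply called with result [4].
"""

def parse(text):
    """Rebuild entries from wrapped, fused or '>'-quoted SSSD debug output."""
    flat = " ".join(re.sub(r"(?m)^>+ ?", "", text).split())
    hits = list(HEADER.finditer(flat))
    entries = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        entries.append({"time": m.group(1), "proc": m.group(2), "func": m.group(3),
                        "level": int(m.group(4), 16), "msg": flat[m.end():end].strip()})
    return entries

def failures(entries):
    """Entries logged at one of the four failure levels."""
    return [(FAILURE_BITS[e["level"]], e["func"], e["msg"])
            for e in entries if e["level"] in FAILURE_BITS]

def pam_results(entries):
    """Result codes reported by the PAM responder's pam_reply entries."""
    codes = [int(c) for e in entries if e["func"] == "pam_reply"
             for c in re.findall(r"result \[(\d+)\]", e["msg"])]
    return [(c, PAM_CODES.get(c, "unknown")) for c in codes]

if __name__ == "__main__":
    print(failures(parse(SAMPLE)))
    print(pam_results(parse(SAMPLE)))
```

Filtering on the level field rather than on the word "failed" reports the `sss_send_pac` entry (0x0040) but not the `krb5_cc_cache_match` entry, which is logged at trace level 0x2000.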