8:58 a.m.
Hi List,
I am running into problem with pam_sss. It is unable to authenticate user against AD via
Kerberos.
Log files:
Sssd_default.log
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache file
for user [ondrejv] found.
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file is
[not set] and is not active and TGT is not valid.
Pam.log:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ondrejv] added to
PAM initgroup cache
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with
the following data:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: login03
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 27660
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request:
[0x417d60:3:ondrejv@default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x22b1f10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[4][default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result
[4].
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 68
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x22bcec0][18]
(Thu Sep 24 14:14:21 2015) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [ondrejv]
removed from PAM initgroup cache
/var/log/authlog:
ep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=login03 user=ondrejv
Sep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): received for user ondrejv: 4
(System error)
I am bit lost here - neither friend Google helps. Does anyone know?
I can run 'kinit <username>' happily, so Kerberos library seems to be
configured fine. System is Ubuntu 14.04.
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
11:04 a.m.
On Thu, Sep 24, 2015 at 01:58:34PM +0000, Ondrej Valousek wrote:
Hi List,
I am running into problem with pam_sss. It is unable to authenticate user against AD via
Kerberos.
Log files:
Sssd_default.log
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache file
for user [ondrejv] found.
(Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file is
[not set] and is not active and TGT is not valid.
Those messages are expected info messages, they do not indicate an
error. Do you have any content in the krb5_child.log ? Feel free to
forward the full logs to me directly.
bye,
Sumit
Pam.log:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ondrejv] added
to PAM initgroup cache
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with
the following data:
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: default
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: login03
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 27660
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x417d60:3:ondrejv@default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x22b2a10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x22b1f10
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received:
[4][default]
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result
[4].
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 68
(Thu Sep 24 14:14:16 2015) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x22bcec0][18]
(Thu Sep 24 14:14:21 2015) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [ondrejv]
removed from PAM initgroup cache
/var/log/authlog:
ep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=login03 user=ondrejv
Sep 24 14:14:16 nitrogen sshd[27660]: pam_sss(sshd:auth): received for user ondrejv: 4
(System error)
I am bit lost here - neither friend Google helps. Does anyone know?
I can run 'kinit <username>' happily, so Kerberos library seems to be
configured fine. System is Ubuntu 14.04.
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
3:13 a.m.
On (24/09/15 18:04), Sumit Bose wrote:
On Thu, Sep 24, 2015 at 01:58:34PM +0000, Ondrej Valousek wrote:
> Hi List,
>
> I am running into problem with pam_sss. It is unable to authenticate user against AD
via Kerberos.
> Log files:
>
> Sssd_default.log
> (Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache
file for user [ondrejv] found.
> (Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file
is [not set] and is not active and TGT is not valid.
Those messages are expected info messages, they do not indicate an
error. Do you have any content in the krb5_child.log ? Feel free to
forward the full logs to me directly.
bye,
Sumit
>
> Pam.log:
>
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ondrejv]
added to PAM initgroup cache
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request
with the following data:
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: default
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: login03
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 27660
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x22b2a10
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting
request: [0x417d60:3:ondrejv@default]
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x22b2a10
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
0x22b1f10
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
> (Thu Sep 24 14:14:16 2015) [sssd[pam]]
> [pam_dp_process_reply] (0x0100): received: [4][default]
> (Thu Sep 24 14:14:16 2015) [sssd[pam]]
> [pam_reply] (0x0200): pam_reply called with result [4].
^^
pam responder received
PAM_SYSTEM_ERR from default domain
The debug mesasge is improved in newer sssd.
Which version of sssd do you use?
I agree with Sumit. We will need to see the krb5_child.log
(log file from default domain might be useful as well)
LS
5:30 a.m.
Here is the krb5_child.log:
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917796: TGS request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917822: Received creds for desired service
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917850: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917878: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.917924: Creating authenticator for ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, seqnum 0, subkey (null),
session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918003: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918061: Decrypted AP-REQ with specified server principal
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM: rc4-hmac/0336
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918092: AP-REQ ticket: ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918267: Negotiated enctype based on authenticator: rc4-hmac
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918299: Initializing MEMORY:rd_req2 with default princ
ondrejv(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918330: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918357: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918390: Destroying ccache MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT
verified using key for [host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918470: Retrieving ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2 with result:
0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918565: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[ondrejv\@DUBLIN.AD.S3GROUP.COM(a)DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb] (0x4000):
[27674] 1443100456.918705: Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to
become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal]
(0x4000): Location: [KEYRING:persistent:14019]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal]
(0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal
ondrejv(a)DUBLIN.AD.S3GROUP.COM in cache collection]
Not sure if it helps.
O.
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
Sent: Friday, September 25, 2015 9:14 AM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] Problem authenticating user
On (24/09/15 18:04), Sumit Bose wrote:
On Thu, Sep 24, 2015 at 01:58:34PM +0000, Ondrej Valousek wrote:
> Hi List,
>
> I am running into problem with pam_sss. It is unable to authenticate user against AD
via Kerberos.
> Log files:
>
> Sssd_default.log
> (Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache
file for user [ondrejv] found.
> (Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x4000): Ccache_file
is [not set] and is not active and TGT is not valid.
Those messages are expected info messages, they do not indicate an
error. Do you have any content in the krb5_child.log ? Feel free to
forward the full logs to me directly.
bye,
Sumit
>
> Pam.log:
>
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_initgr_cache_set]
> (0x2000): [ondrejv] added to PAM initgroup cache (Thu Sep 24 14:14:16 2015)
[sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100):
> command: PAM_AUTHENTICATE (Thu Sep 24 14:14:16 2015) [sssd[pam]]
> [pam_print_data] (0x0100): domain: default (Thu Sep 24 14:14:16 2015)
> [sssd[pam]] [pam_print_data] (0x0100): user: ondrejv (Thu Sep 24
> 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100):
> tty: ssh (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data]
> (0x0100): ruser: not set (Thu Sep 24 14:14:16 2015) [sssd[pam]]
> [pam_print_data] (0x0100): rhost: login03 (Thu Sep 24 14:14:16 2015)
> [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Thu Sep 24
> 14:14:16 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
> type: 0 (Thu Sep 24 14:14:16 2015) [sssd[pam]] [pam_print_data]
> (0x0100): priv: 1 (Thu Sep 24 14:14:16 2015) [sssd[pam]]
> [pam_print_data] (0x0100): cli_pid: 27660 (Thu Sep 24 14:14:16 2015)
> [sssd[pam]] [sbus_add_timeout] (0x2000): 0x22b2a10 (Thu Sep 24
> 14:14:16 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0 (Thu Sep 24 14:14:16 2015) [sssd[pam]]
[sss_dp_req_destructor] (0x0400): Deleting request: [0x417d60:3:ondrejv@default] (Thu Sep
24 14:14:16 2015) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x22b2a10 (Thu Sep 24
14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x22b1f10 (Thu Sep 24
14:14:16 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
> (Thu Sep 24 14:14:16 2015) [sssd[pam]]
> [pam_dp_process_reply] (0x0100): received: [4][default] (Thu Sep
> 24 14:14:16 2015) [sssd[pam]]
> [pam_reply] (0x0200): pam_reply called with result [4].
^^
pam responder received
PAM_SYSTEM_ERR from default domain
The debug mesasge is improved in newer sssd.
Which version of sssd do you use?
I agree with Sumit. We will need to see the krb5_child.log (log file from default domain
might be useful as well)
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
6:01 a.m.
On Fri, Sep 25, 2015 at 10:30:51AM +0000, Ondrej Valousek wrote:
Here is the krb5_child.log:
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917796: TGS request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917822: Received creds for desired service
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917850: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917878: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.917924: Creating authenticator for
ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, seqnum 0, subkey (null),
session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918003: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918061: Decrypted AP-REQ with specified server principal
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM: rc4-hmac/0336
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918092: AP-REQ ticket: ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918267: Negotiated enctype based on authenticator: rc4-hmac
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918299: Initializing MEMORY:rd_req2 with default princ
ondrejv(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918330: Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918357: Storing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918390: Destroying ccache MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT
verified using key for [host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918470: Retrieving ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from MEMORY:rd_req2 with result:
0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918565: Retrieving
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from FILE:/etc/krb5.keytab (vno
59, enctype rc4-hmac) with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[ondrejv\@DUBLIN.AD.S3GROUP.COM(a)DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_child_krb5_trace_cb]
(0x4000): [27674] 1443100456.918705: Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to
become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:14019]
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed:
[-1765328243][Can't find client principal ondrejv(a)DUBLIN.AD.S3GROUP.COM in cache
collection]
Not sure if it helps.
I'm sorry, but it does not help. Both messages about
'sss_pac_make_request failed' and 'Can't find client principal' will
not
cause the authentication to fail. So more log data is needed here. As
said, feel free to send the full logs to me directly.
bye,
Sumit
8:12 a.m.
Hi Sumit,
Ok please let me know which debug level I should be on and I will send you everything
privately.
Thanks for the effort.
Ondrej
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose
Sent: Friday, September 25, 2015 12:01 PM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] Problem authenticating user
On Fri, Sep 25, 2015 at 10:30:51AM +0000, Ondrej Valousek wrote:
Here is the krb5_child.log:
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917796: TGS
request result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917822:
Received creds for desired service
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917850:
Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from
MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917878: Storing
ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in
MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917924:
Creating authenticator for ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, seqnum 0,
subkey (null), session key rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918003:
Retrieving host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result:
0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918061:
Decrypted AP-REQ with specified server principal
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM:
rc4-hmac/0336
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918092: AP-REQ
ticket: ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, session key
rc4-hmac/E2F3
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918267:
Negotiated enctype based on authenticator: rc4-hmac
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918299:
Initializing MEMORY:rd_req2 with default princ
ondrejv(a)DUBLIN.AD.S3GROUP.COM
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918330:
Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from
MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918357: Storing
ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in
MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918390:
Destroying ccache MEMORY:rtAZ4cX
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT
verified using key for [host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918470:
Retrieving ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from
MEMORY:rd_req2 with result: 0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918565:
Retrieving host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result:
0/Success
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[ondrejv\@DUBLIN.AD.S3GROUP.COM(a)DUBLIN.AD.S3GROUP.COM] might not be correct.
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918705:
Destroying ccache MEMORY:rd_req2
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200): Trying to
become user [14019][10000].
(Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
[sss_get_ccache_name_for_principal] (0x4000): Location:
[KEYRING:persistent:14019] (Thu Sep 24 14:14:16 2015)
[[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal]
(0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client
principal ondrejv(a)DUBLIN.AD.S3GROUP.COM in cache collection]
Not sure if it helps.
I'm sorry, but it does not help. Both messages about 'sss_pac_make_request
failed' and 'Can't find client principal' will not cause the
authentication to fail. So more log data is needed here. As said, feel free to send the
full logs to me directly.
bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
8:22 a.m.
On Fri, Sep 25, 2015 at 01:12:45PM +0000, Ondrej Valousek wrote:
Hi Sumit,
Ok please let me know which debug level I should be on and I will send you everything
privately.
just use 10 to be on the safe side.
Thanks for the effort.
yw
bye,
Sumit
Ondrej
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose
Sent: Friday, September 25, 2015 12:01 PM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] Problem authenticating user
On Fri, Sep 25, 2015 at 10:30:51AM +0000, Ondrej Valousek wrote:
> Here is the krb5_child.log:
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917796: TGS
> request result: 0/Success
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917822:
> Received creds for desired service
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917850:
> Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from
> MEMORY:rtAZ4cX
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917878: Storing
> ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in
> MEMORY:rtAZ4cX
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.917924:
> Creating authenticator for ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, seqnum 0,
> subkey (null), session key rc4-hmac/E2F3
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918003:
> Retrieving host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
> from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result:
> 0/Success
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918061:
> Decrypted AP-REQ with specified server principal
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM:
> rc4-hmac/0336
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918092: AP-REQ
> ticket: ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM, session key
> rc4-hmac/E2F3
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918267:
> Negotiated enctype based on authenticator: rc4-hmac
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918299:
> Initializing MEMORY:rd_req2 with default princ
> ondrejv(a)DUBLIN.AD.S3GROUP.COM
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918330:
> Removing ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from
> MEMORY:rd_req2
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918357: Storing
> ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM in
> MEMORY:rd_req2
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918390:
> Destroying ccache MEMORY:rtAZ4cX
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0400): TGT
verified using key for [host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM].
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918470:
> Retrieving ondrejv(a)DUBLIN.AD.S3GROUP.COM ->
> host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM from
> MEMORY:rd_req2 with result: 0/Success
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918565:
> Retrieving host/nitrogen.dublin.ad.s3group.com(a)DUBLIN.AD.S3GROUP.COM
> from FILE:/etc/krb5.keytab (vno 59, enctype rc4-hmac) with result:
> 0/Success
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [sss_send_pac] (0x0040):
sss_pac_make_request failed [-1][2].
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [validate_tgt] (0x0040):
sss_send_pac failed, group membership for user with principal
[ondrejv\@DUBLIN.AD.S3GROUP.COM(a)DUBLIN.AD.S3GROUP.COM] might not be correct.
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_child_krb5_trace_cb] (0x4000): [27674] 1443100456.918705:
> Destroying ccache MEMORY:rd_req2
>
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]] [become_user] (0x0200):
Trying to become user [14019][10000].
> (Thu Sep 24 14:14:16 2015) [[sssd[krb5_child[27674]]]]
> [sss_get_ccache_name_for_principal] (0x4000): Location:
> [KEYRING:persistent:14019] (Thu Sep 24 14:14:16 2015)
> [[sssd[krb5_child[27674]]]] [sss_get_ccache_name_for_principal]
> (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client
> principal ondrejv(a)DUBLIN.AD.S3GROUP.COM in cache collection]
>
> Not sure if it helps.
I'm sorry, but it does not help. Both messages about 'sss_pac_make_request
failed' and 'Can't find client principal' will not cause the
authentication to fail. So more log data is needed here. As said, feel free to send the
full logs to me directly.
bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
11:16 a.m.
Ok found the problem.
I do not know why, but SSSD seems to be bit picky about /etc/krb5.conf:
Non working one:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = <MYREALM>
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
<MYREALM> = {
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
<myrealm> = <MYREALM>
.<myrealm> = <MYREALM>
Working one:
[libdefaults]
default_realm = <MYREALM>
# The following krb5.conf variables are only for MIT Kerberos.
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]
[domain_realm]
I guess it is picky about the default_ccache_name parameter as that is the only difference
I could see.
O.
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
3:13 a.m.
On Tue, Sep 29, 2015 at 04:16:37PM +0000, Ondrej Valousek wrote:
Ok found the problem.
I do not know why, but SSSD seems to be bit picky about /etc/krb5.conf:
Non working one:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = <MYREALM>
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
<MYREALM> = {
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
<myrealm> = <MYREALM>
.<myrealm> = <MYREALM>
Working one:
[libdefaults]
default_realm = <MYREALM>
# The following krb5.conf variables are only for MIT Kerberos.
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]
[domain_realm]
I guess it is picky about the default_ccache_name parameter as that is the only
difference I could see.
iirc you are using Ubuntu. I do not know if Ubuntu support KEYRING
credential caches which need support in the kernel or not. If not, then
the 'default_ccache_name = KEYRING:persistent:%{uid}' line might have
casued the issues.
bye,
Sumit
O.
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
3124
days inactive
3130
days old
sssd-users@lists.fedorahosted.org
8 comments
3 participants
participants (3)
-
Lukas Slebodnik -
Ondrej Valousek -
Sumit Bose