On one computer (Arch) I have misconfigured sssd, and when I try to use PAM, sssd tries to
get a ticket for username\@MYDOMAIN.COM\@MYDOMAIN.COM@MYDOMAIN.COM. On others (Gentoo) it
works fine.
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [MYHOSTNAME$@MYDOMAIN.COM]
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5845] finished successfully.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: MYHOSTNAME$
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'DC1.mydomain.com' as 'working'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'DC1.mydomain.com' as 'working'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=username@mydomain.com,cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=username@mydomain.com,cn=users,cn=mydomain.com,cn=sysdb] has set [ts_cache] attrs.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [username@mydomain.com]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): user: username@mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: <RHOST>
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5844
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: username@mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [dp_pam_handler] (0x0100): Got request with the following data
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): domain: mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): user: username@mydomain.com
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): service: sshd
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): ruser:
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): rhost: <RHOST>
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): priv: 1
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): cli_pid: 5844
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [pam_print_data] (0x0100): logon name: not set
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_send] (0x0100): Home directory for user [username@mydomain.com] not known.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server dc3.mydomain.com: [<DC3IP>] TTL 3600
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [username\@MYDOMAIN.COM@MYDOMAIN.COM]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1019289252_XXXXXX] old_ccname: [KEYRING:persistent:200389252] keytab: [/etc/krb5.keytab]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [check_use_fast] (0x0100): Not using FAST.
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [1019289252][400513].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [become_user] (0x0200): Trying to become user [1019289252][400513].
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_lifetime_options] (0x0100): Lifetime is set to [3d]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328378][Client 'username\@MYDOMAIN.COM\@MYDOMAIN.COM@MYDOMAIN.COM' not found in Kerberos database]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [map_krb5_error] (0x0020): 1371: [-1765328378][Client 'username\@MYDOMAIN.COM\@MYDOMAIN.COM@MYDOMAIN.COM' not found in Kerberos database]
(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0100): child [5846] finished successfully.
(Tue Mar 7 16:10:03 2017) [sssd[be[mydomain.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Mar 7 16:10:03 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 27
(Tue Mar 7 16:10:05 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Tue Mar 7 16:10:08 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
Logging in over ssh with GSSAPI works.
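Added example, not part of the original post and not sssd's own code: a small Python script that parses ldap_child / krb5_child debug lines like the ones above, splits each principal at its last unescaped '@' (a '\@' inside the name part is a literal '@', which is how krb5 prints an enterprise principal of the form user@UPN.SUFFIX@REALM), counts how often the realm is embedded in the name part, and decodes the negative krb5 error code the KDC returned. A normal enterprise principal carries the realm once in its name part; the client principal in the failing request above carries it twice, which is what the script flags. The three sample records are copied from the post with the mailing-list archive's '(a)' mangling of '@' left in place so the unmangling step is exercised; the regexes, function names and the short error-code table are my own assumptions and cover only the handful of KDC errors listed.

```python
import re

# MIT Kerberos error codes are com_err values: a table base plus the small
# RFC 4120 error number. -1765328384 is the krb5 table base, so the
# -1765328378 logged above is base + 6 = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5KDC_ERROR_NAMES = {            # assumption: only a few codes are listed here
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}


def krb5_error_name(code):
    """Map a negative krb5 error code, as krb5_child logs it, to its symbolic name."""
    return KRB5KDC_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE,
                                   "unknown krb5 error %d" % code)


def split_principal(principal):
    """Split 'name@REALM' at the last unescaped '@'.

    Inside the name part a literal '@' is written '\\@'; that is how an
    enterprise principal user\\@UPN.SUFFIX@REALM appears in krb5 logs.
    Returns (unescaped_name, realm); realm is '' if there is no unescaped '@'.
    """
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and not (i > 0 and principal[i - 1] == "\\"):
            return principal[:i].replace("\\@", "@"), principal[i + 1:]
    return principal.replace("\\@", "@"), ""


def realm_repeats(principal):
    """Count how many times '@REALM' is embedded in the name part.

    0  -> plain principal (host$@REALM, service/host@REALM, user@REALM)
    1  -> an ordinary enterprise principal, user\\@SUFFIX@REALM
    2+ -> the realm was appended more than once; no KDC will find this client
    """
    name, realm = split_principal(principal)
    if not realm:
        return 0
    return name.upper().count("@" + realm.upper())


# Hypothetical regexes matching the sssd debug lines quoted in the post.
PRINCIPAL_RE = re.compile(r"Principal name is: \[([^\]]+)\]")
UPN_RE = re.compile(r"UPN \[([^\]]+)\]")
CLIENT_RE = re.compile(r"\[(-?\d+)\]\[Client '([^']+)' not found in Kerberos database\]")


def unmangle(line):
    """Mailing-list archives rewrite '@' as '(a)'; undo that before parsing."""
    return line.replace("(a)", "@")


def analyze(lines):
    """Scan sssd debug lines; report every principal seen and any KDC error."""
    findings = []
    for raw in lines:
        line = unmangle(raw)
        for rx, kind in ((PRINCIPAL_RE, "keytab"), (UPN_RE, "upn")):
            m = rx.search(line)
            if m:
                findings.append({"kind": kind, "principal": m.group(1),
                                 "realm_repeats": realm_repeats(m.group(1)),
                                 "error": None})
        m = CLIENT_RE.search(line)
        if m:
            p = m.group(2)
            findings.append({"kind": "kdc_client", "principal": p,
                             "realm_repeats": realm_repeats(p),
                             "error": krb5_error_name(int(m.group(1)))})
    return findings


def doubled_principals(findings):
    """Principals whose name part embeds the realm two or more times."""
    return [f["principal"] for f in findings if f["realm_repeats"] >= 2]


# Constructed sample: three records copied from the post, one record per line,
# with the archive's '(a)' mangling kept so unmangle() is exercised.
SAMPLE_LOG = [
    r"(Tue Mar 7 16:10:03 2017) [[sssd[ldap_child[5845]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [MYHOSTNAME$(a)MYDOMAIN.COM]",
    r"(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [unpack_buffer] (0x0100): cmd [241] uid [1019289252] gid [400513] validate [true] enterprise principal [true] offline [false] UPN [username\@MYDOMAIN.COM(a)MYDOMAIN.COM]",
    r"(Tue Mar 7 16:10:03 2017) [[sssd[krb5_child[5846]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328378][Client 'username\@MYDOMAIN.COM\@MYDOMAIN.COM(a)MYDOMAIN.COM' not found in Kerberos database]",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print("%-10s realm_repeats=%d %s %s"
              % (f["kind"], f["realm_repeats"], f["principal"], f["error"] or ""))
    print("doubled:", doubled_principals(found))
```

Feed it the full krb5_child.log instead of SAMPLE_LOG and the only principal with realm_repeats of 2 is the one the KDC rejects; the keytab principal and the UPN handed to krb5_child both parse cleanly, so the extra realm is added between the UPN line and the AS-REQ, not in the LDAP bind or the keytab.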