On Mon, Dec 03, 2018 at 08:00:51AM -0000, Peter de Groot wrote:
> Please help.. desperate..
> Installed sssd (version 1.16.1) on Ubuntu authing against AD.
> Problem .. and this appears to be only one user..
> 1. Login with the user.. No trouble
> 2. log out and try to login again.
> 3. Before even asking for a password, it comes up with access denied.
> The only way I can fix this is to do a sssctl cache-remove. And then I can log in again.
> Rinse and repeat. It seems to be a dud entry in the cache ?
> After days of trawling the logs... the only thing that seems to leap out is this in the krb5 logs.
> That entry in the salt is e4182s01sv023. The machine is called e418201sv025
> ??? Where is it getting the 23 from ? We do have a host with that name on the network.. but not this one...
>
> (Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407460: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> (Mon Dec 3 15:29:29 2018) [[sssd[krb5_child[11596]]]] [sss_child_krb5_trace_cb] (0x4000): [11596] 1543822169.407479: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""
> (Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745198: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[11746]]]] [sss_child_krb5_trace_cb] (0x4000): [11746] 1543822213.745213: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""

Do you have entries for e4182s01sv023 in the keytab? You can check with
'klist -k'
HTH
bye,
Sumit
>
> The bottom of the log file
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851023: Received error from KDC: -1765328359/Additional pre-authentication required
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851026: Preauthenticating using KDC method data
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851027: Processing preauth types: 16, 15, 19, 2
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851028: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_krb5_responder] (0x4000): Got question [password].
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851029: AS key obtained for encrypted timestamp: aes256-cts/BBF9
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851031: Encrypted timestamp (for 1543822221.598566): plain 301AA011180F32303138313230333037333032315AA1050203092226, encrypted 89607EC763BD323A282F20C7ED58C75EA84F1638692A5CBCBF13BCF6F079891B1E2D140825C5E518334D7B138560D6E8ACA09F77315D131B
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851032: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851033: Produced preauth for next request: 2
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851034: Sending request (302 bytes) to ORANGE.SCHOOLS.INTERNAL
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851035: Sending initial UDP request to dgram 10.251.17.2:88
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851036: Received answer (221 bytes) from dgram 10.251.17.2:88
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851037: Response was from master KDC
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851038: Received error from KDC: -1765328360/Preauthentication failed
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851041: Preauthenticating using KDC method data
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851042: Processing preauth types: 19
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_child_krb5_trace_cb] (0x4000): [11747] 1543822219.851043: Selected etype info: etype aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""
>
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [sss_krb5_get_init_creds_password] (0x0020): 1618: [-1765328360][Preauthentication failed]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [k5c_send_data] (0x0200): Received error code 1432158221
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [k5c_send_data] (0x4000): Response sent.
> (Mon Dec 3 15:30:19 2018) [[sssd[krb5_child[11747]]]] [main] (0x0400): krb5_child completed successfully
>
> roo
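
An added example, not part of the original thread or of SSSD: it pulls the salt out of each "Selected etype info" trace line in krb5_child.log and reports which krb5_child processes were handed a salt naming a principal other than the expected user or this machine's host principal. The sample lines are constructed from the excerpt quoted above, the function names are hypothetical, and the host-salt layout (realm, then "host", then the name, then the lower-case realm) is inferred from those lines.

```python
import re

# Sample krb5_child.log entries, constructed from the excerpt quoted in the
# thread and unwrapped to one entry per line (date prefix simplified).
_P = ("(Mon Dec 3 15:30:13 2018) [[sssd[krb5_child[{pid}]]]] "
      "[sss_child_krb5_trace_cb] (0x4000): [{pid}] ")
SAMPLE_LOG = "\n".join([
    _P.format(pid=11596) + '1543822169.407460: Selected etype info: etype '
    'aes256-cts, salt "ORANGE.SCHOOLS.INTERNALpeter.de.groot", params ""',
    _P.format(pid=11746) + '1543822213.745198: Selected etype info: etype '
    'aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""',
    _P.format(pid=11747) + '1543822219.851037: Response was from master KDC',
    _P.format(pid=11747) + '1543822219.851043: Selected etype info: etype '
    'aes256-cts, salt "ORANGE.SCHOOLS.INTERNALhoste4182s01sv023.orange.schools.internal", params ""',
])

ENTRY = re.compile(r'krb5_child\[(?P<pid>\d+)\].*Selected etype info: '
                   r'etype (?P<etype>\S+), salt "(?P<salt>[^"]*)"')


def principal_from_salt(salt, realm):
    """Split a salt of the form seen in the log into (kind, name)."""
    if not salt.startswith(realm):
        return ("unknown", salt)
    rest = salt[len(realm):]
    suffix = "." + realm.lower()
    if rest.startswith("host") and rest.endswith(suffix):
        return ("host", rest[len("host"):-len(suffix)])
    return ("user", rest)


def unexpected_salts(log_text, realm, user, hostname):
    """Return sorted (pid, kind, name) for every salt that names neither the
    expected user nor this machine's own host principal."""
    findings = set()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a "Selected etype info" trace line
        kind, name = principal_from_salt(m["salt"], realm)
        expected = user if kind == "user" else hostname.lower()
        if kind == "unknown" or name != expected:
            findings.add((int(m["pid"]), kind, name))
    return sorted(findings)


if __name__ == "__main__":
    for pid, kind, name in unexpected_salts(
            SAMPLE_LOG, "ORANGE.SCHOOLS.INTERNAL", "peter.de.groot", "e418201sv025"):
        print(f"krb5_child[{pid}]: salt names {kind} principal {name!r}")
```

Any host name this reports is the one to look for in the `klist -k` output.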