Hi All,
Last week I bound my computer to Active Directory and everything was working fine but as of today authentication has started to fail.
SSSD log
In the logs (debug = 7) I see:
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_resolve_server_process] (0x0200): Found address for server pmc-dc2.petermac.org.au: [172.23.8.18] TTL 3600
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://pmc-dc2.petermac.org.au'
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://pmc-dc2.petermac.org.au'
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child started.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x1000): total buffer size: [136]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): cmd [241] uid [1501] gid [1501] validate [true] enterprise principal [true] offline [false] UPN [Ellul Jason@PETERMAC.ORG.AU]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1501] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [become_user] (0x0200): Trying to become user [1501][1501].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): Will perform online auth
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [PETERMAC.ORG.AU]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [LA35185$@PETERMAC.ORG.AU].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [map_krb5_error] (0x0020): 1301: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): krb5_child completed successfully
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [parse_krb5_child_response] (0x1000): child response [1432158209][6][8].
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [check_wait_queue] (0x1000): Wait queue for user [Ellul Jason] is empty.
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x555f73e8b420] done.
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [4][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [4][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x1000): Waiting for child [6572].
(Mon May 23 17:18:58 2016) [sssd[be[petermac.org.au]]] [child_sig_handler] (0x0100): child [6572] finished successfully.
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][petermac.org.au]
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Mon May 23 17:18:58 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 32
(Mon May 23 17:18:58 2016) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon May 23 17:18:59 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
[root@la35185 jellul]# klist -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:54 RestrictedKrbHost/la35185.petermac.org.au@PETERMAC.ORG.AU
Many thanks
Jason
Can you do "kinit -k LA35185$@PETERMAC.ORG.AU"
A good test if trust with AD works well - if not, sssd cannot do much about it...
O.
-----Original Message-----
From: jas.petermac@gmail.com [mailto:jas.petermac@gmail.com]
Sent: Monday, May 23, 2016 9:22 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] SSSD AD Login problems
On Mon, May 23, 2016 at 07:21:56AM -0000, jas.petermac@gmail.com wrote:
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [main] (0x0400): Will perform online auth
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [PETERMAC.ORG.AU]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [LA35185$@PETERMAC.ORG.AU].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [map_krb5_error] (0x0020): 1301: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
It looks like the host password for your client was updated on the AD server but the new password was not written to the local keytab.
Which version of SSSD are you using? Recent versions of SSSD can update the password to meet an AD policy, but SSSD should take care that the new password is written to /etc/krb5.conf as well?
Did you try to export the keytab for this host from AD manually? Maybe the export utility was not able to export the current keys but created a new password and exported the keys based on this new password?
The error happens during the ticket validation; as a workaround you can disable it by setting 'krb5_validate = False' in the [domain/...] section of sssd.conf. But I would not recommend it because SSSD uses the keytab to authenticate itself to AD for LDAP access as well. AD will mostly allow the previous password to be used as well but as soon as the password is updated again the keys with key version number kvno=2 will not work anymore and SSSD will not be able to connect to AD anymore. So you should try to find out why the host password was updated on AD.
HTH
bye, Sumit
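An added example (not code from the thread or from the SSSD project): a small Python check for the mismatch diagnosed in the reply above, comparing the key version number that krb5_child asks for with the versions present in `klist -k` output. The function names are hypothetical; the sample input is excerpted from the log and keytab listing posted in this thread.

```python
import re

# Message krb5_child logs when the KDC used a key version the keytab lacks.
MISSING_KEY = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")

# One row of `klist -k [-t] [-e]`: KVNO, optional date and time, principal,
# optional "(enctype)" suffix. Header and separator rows do not match.
KLIST_ROW = re.compile(
    r"^[ \t]*(\d+)[ \t]+(?:\S+[ \t]+\S+[ \t]+)?(\S+@\S+)[ \t]*(?:\(.*\))?[ \t]*$",
    re.MULTILINE,
)

# Excerpt from the SSSD log in this thread.
SAMPLE_LOG = r"""
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [validate_tgt] (0x0020): TGT failed verification using key for [LA35185$@PETERMAC.ORG.AU].
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
(Mon May 23 17:18:58 2016) [[sssd[krb5_child[6572]]]] [map_krb5_error] (0x0020): 1301: [-1765328340][Cannot find key for LA35185$@PETERMAC.ORG.AU kvno 3 in keytab]
"""

# Excerpt from the `klist -k -t /etc/krb5.keytab` output in this thread.
SAMPLE_KLIST = r"""Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 23/05/16 12:55:53 LA35185$@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/LA35185@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 HOST/la35185.petermac.org.au@PETERMAC.ORG.AU
   2 23/05/16 12:55:53 RestrictedKrbHost/LA35185@PETERMAC.ORG.AU
"""


def requested_keys(log_text):
    """Return unique (principal, kvno) pairs the log says were not found."""
    seen = []
    for principal, kvno in MISSING_KEY.findall(log_text):
        pair = (principal, int(kvno))
        if pair not in seen:  # the same error is logged by several functions
            seen.append(pair)
    return seen


def keytab_kvnos(klist_text):
    """Map each principal in `klist -k` output to the set of its kvnos."""
    table = {}
    for kvno, principal in KLIST_ROW.findall(klist_text):
        table.setdefault(principal, set()).add(int(kvno))
    return table


def find_stale_keys(log_text, klist_text):
    """List (principal, wanted_kvno, kvnos_in_keytab) for every mismatch."""
    have = keytab_kvnos(klist_text)
    return [
        (principal, wanted, sorted(have.get(principal, ())))
        for principal, wanted in requested_keys(log_text)
        if wanted not in have.get(principal, ())
    ]


if __name__ == "__main__":
    for principal, wanted, present in find_stale_keys(SAMPLE_LOG, SAMPLE_KLIST):
        print(f"{principal}: AD issued kvno {wanted}, keytab holds {present}")
```

A wanted kvno higher than anything in the keytab means the machine account password changed in AD without the keytab being refreshed; an empty list for the keytab side means the principal is missing altogether.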
Thanks so much for the help I think you may be correct.
The password may have been updated on AD when we generated a host certificate for our move to a new hospital. All computers will need to be joined to the domain and have certificates to access the main network.
Is there a way I can update my keytab file?
Thanks again,
Jason
On Tue, May 24, 2016 at 05:46:26AM -0000, jas.petermac@gmail.com wrote:
Thanks so much for the help I think you may be correct.
The password may have been updated on AD when we generated a host certificate for our move to a new hospital. All computers will need to be joined to the domain and have certificates to access the main network.
Is there a way I can update my keytab file?
You can just call 'adcli join ....' again, it will use the existing computer account in AD and just set a new password and put the related key in the keytab.
HTH
bye, Sumit
Thanks again
I will try that when I return to work on Monday.
Thanks for all the help
Jason