Thank you Justin.
CentOS 7, sssd 1.13
Authentication with the consoleworks application uses a yubikey via authlite, which
basically makes it two-factor authentication. It appends the AD credential password with
a one-time password.
I tried to log in with the yubikey and without, and got two different errors.
With Yubikey (correct password):
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [map_krb5_error] (0x0020): 1303: [-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [k5c_send_data] (0x0200): Received error code 1432158215
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [main] (0x0400): krb5_child completed successfully
Without yubikey (wrong password):
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): Will perform online auth
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ABC.COM]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [map_krb5_error] (0x0020): 1303: [-1765328372][KDC policy rejects request]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [main] (0x0400): krb5_child completed successfully
Would it help to remove it from the realm and rejoin it to the realm? I have another server
where the authentication to the parent domain is working where this one is not. I have
compared the configurations but can't find the difference.
Sonia Gilbert, -Engineer II, Information Protection & Compliance Team
3375 Koapaka Street, 3rd Floor, Honolulu, HI 96819 | P: 808.564.7503
Sonia.Gilbert@HawaiianAir.com
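Added example, not part of the original message and not sssd code: a Python triage helper that rejoins mail-wrapped krb5_child log lines and converts the MIT krb5 error codes shown above into RFC 4120 error numbers. The table base -1765328384, the RFC 4120 names and all function names are assumptions of this example; SAMPLE is constructed from the log lines in the message.

```python
import re

# MIT krb5 reports protocol error N as KRB5_BASE + N (com_err table base).
KRB5_BASE = -1765328384
# RFC 4120 names for the two errors in the message (partial table).
RFC4120 = {12: "KDC_ERR_POLICY", 24: "KDC_ERR_PREAUTH_FAILED"}

ENTRY = re.compile(r"^\([^)]+\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                   r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
KRB5_ERR = re.compile(r"\[(-\d+)\]\[([^\]]+)\]")
REALM = re.compile(r"kinit for realm \[([^\]]+)\]")

# Constructed sample: lines from the message, hard-wrapped as mail clients do.
SAMPLE = """\
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0400):
Attempting kinit for realm [
ABC.COM]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [get_and_save_tgt] (0x0020): 1234:
[-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:44 2017) [[sssd[krb5_child[11869]]]] [map_krb5_error] (0x0020): 1303:
[-1765328360][Preauthentication failed]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0400):
Attempting kinit for realm [
ABC.COM]
(Mon Jan 30 15:30:56 2017) [[sssd[krb5_child[11876]]]] [get_and_save_tgt] (0x0020): 1234:
[-1765328372][KDC policy rejects request]
""".splitlines()

def unwrap(lines):
    """Rejoin log entries whose tail was wrapped onto continuation lines."""
    out = []
    for line in (l.strip() for l in lines if l.strip()):
        if not out or (line.startswith("(") and "[[sssd[" in line):
            out.append(line)
        else:  # no space after an opening bracket, one space otherwise
            out[-1] += ("" if out[-1].endswith("[") else " ") + line
    return out

def kdc_failures(lines):
    """One (pid, realm, rfc4120_number, name, text) tuple per failed kinit."""
    realm, found = {}, []
    for m in filter(None, map(ENTRY.match, unwrap(lines))):
        pid, msg = m["pid"], m["msg"]
        if (r := REALM.search(msg)):
            realm[pid] = r.group(1)
        err = KRB5_ERR.search(msg)
        if err and m["func"] == "get_and_save_tgt":  # skip map_krb5_error repeat
            n = int(err.group(1)) - KRB5_BASE
            found.append((pid, realm.get(pid), n, RFC4120.get(n, "unknown"), err.group(2)))
    return found
```

Calling kdc_failures(SAMPLE) yields one row per krb5_child process, which makes it easy to see that the two login attempts were rejected by the KDC for different reasons.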