Hi, Sumit.

Thanks for the reply. This morning, I found a support article behind the RHEL 
paywall that closely resembles this error. One of the suggested workarounds was 
to delete secrets.ldb:

# systemctl stop sssd
# systemctl stop sssd-kcm.service
# cp -av /var/lib/sss/secrets /var/lib/sss/secrets-backup
# rm /var/lib/sss/secrets/secrets.ldb /var/lib/sss/secrets/.secrets.mkey
# kinit "User principal" as a test.
# rm -fr /var/lib/sss/{mc,db}/* ; systemctl start sssd

That worked. Oddly, this problem was with a specific ipa account on this 
particular machine. Other ipa accounts could log into this machine just fine. 
The same problem account could log into other ipa machines just fine, so it was 
not a password problem. After completing the steps above, the problem account 
could log into the machine. 

-Scott
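The workaround above, as an added example that is not part of the original message or of SSSD/FreeIPA: the same steps wrapped in a script that keeps a timestamped backup instead of a fixed `secrets-backup` name, runs the `kinit` check before the caches are cleared, and restores the backup if `kinit` fails (which points at the password or the KDC rather than the local secrets store). It assumes the RHEL 8 layout under `/var/lib/sss` and the `sssd` and `sssd-kcm` systemd units; `SSS_BASE`, `DRY_RUN` and the principal name are assumptions of this example so the file handling can be exercised against a scratch directory. One caveat worth knowing before running it: `sssd-kcm` keeps its credential caches in that same `secrets.ldb`, so deleting the database also drops every KCM ticket cache on the host, which is why the workaround stops `sssd-kcm` first.

```shell
#!/bin/sh
# Added example (not from the original message or from SSSD/FreeIPA): the
# secrets.ldb workaround with a backup, a kinit check and a rollback path.
# Assumes RHEL 8 paths (/var/lib/sss) and the sssd / sssd-kcm units.
# SSS_BASE and DRY_RUN are example-only knobs for testing on a scratch dir.
set -eu

SSS_BASE="${SSS_BASE:-/var/lib/sss}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print privileged commands instead of running them

# Run a privileged command (systemctl, kinit) unless DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Copy the whole secrets directory to a timestamped sibling and print its path,
# so a second run never overwrites the first backup.
backup_secrets() {
    stamp=$(date +%Y%m%dT%H%M%S)
    backup="${SSS_BASE}/secrets-backup-${stamp}"
    cp -a "${SSS_BASE}/secrets" "$backup"
    printf '%s\n' "$backup"
}

# Delete only the secrets database and its master key, exactly as the
# workaround does; SSSD recreates both when it starts again.
reset_secrets_db() {
    rm -f "${SSS_BASE}/secrets/secrets.ldb" "${SSS_BASE}/secrets/.secrets.mkey"
}

# Clear the memory-mapped (mc) and on-disk (db) caches. Doing this alone did
# not help in the thread, so it runs only after the secrets reset.
clear_caches() {
    rm -rf "${SSS_BASE}/mc"/* "${SSS_BASE}/db"/*
}

# Put the secrets directory back from a backup made by backup_secrets.
restore_secrets() {
    rm -rf "${SSS_BASE}/secrets"
    cp -a "$1" "${SSS_BASE}/secrets"
}

# Whole procedure for one affected principal, e.g. user1@DOMAIN.WITHHELD.LOCAL.
reset_sssd_secrets() {
    principal="$1"
    run systemctl stop sssd sssd-kcm.service
    backup=$(backup_secrets)
    reset_secrets_db
    # kinit talks to the KDC directly, bypassing SSSD. If it fails here the
    # fault is not the local secrets store (wrong password, KDC unreachable),
    # so put the old database back rather than leaving the host half reset.
    if ! run kinit "$principal"; then
        echo "kinit failed for $principal; restoring $backup" >&2
        restore_secrets "$backup"
        run systemctl start sssd
        return 1
    fi
    clear_caches
    run systemctl start sssd
    echo "secrets reset done; backup kept at $backup"
}

# Usage: DRY_RUN=1 sh reset-sssd-secrets.sh user1@DOMAIN.WITHHELD.LOCAL
if [ $# -gt 0 ]; then
    reset_sssd_secrets "$1"
fi
```

Run it once with `DRY_RUN=1` to see which privileged commands it would issue; the file operations under `SSS_BASE` are real in both modes, so point `SSS_BASE` at a copy if you only want to rehearse.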

-----Original Message-----
From: Sumit Bose via FreeIPA-users <[email protected]> 
Sent: Tuesday, August 17, 2021 9:50 AM
To: [email protected]
Cc: Sumit Bose <[email protected]>
Subject: [Freeipa-users] Re: krb5_child.log - Internal credentials cache error

On Mon, Aug 16, 2021 at 10:49:18PM +0000, Dungan, Scott A. via 
FreeIPA-users wrote:
> Hello.
> 
> We have a client system (client1) that refuses login and throws an error in 
> the krb5_child.log only when a particular account tries to log in (user1). 
> The same account can log into other ipa domain client machines just fine. 
> Other ipa accounts can log in to this machine, just not the user1 account. In 
> /var/log/secure we see:
> 
> Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=user1
> Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): received for user user1: 4 (System error)
> Aug 16 15:16:59 client1 sshd[13171]: error: PAM: Authentication failure for user1 from xxx.xxx.xxx.xxx
> 
> sssd_domain_withheld.log:
> 
> (2021-08-16 15:16:56): [be[]] [krb5_auth_done] 
> (0x0040): The krb5_child process returned an error. Please inspect the 
> krb5_child.log file or the journal for more information
> 
> krb5_child.log:
> 
> (2021-08-16 15:16:56): [krb5_child[13176]] [create_ccache] (0x0020): 1039: [-1765328188][Internal credentials cache error]
> (2021-08-16 15:16:56): [krb5_child[13176]] [map_krb5_error] (0x0020): 1849: [-1765328188][Internal credentials cache error]

Hi,

can you add 'debug_level = 9' to the [domain/...] section of sssd.conf, restart 
SSSD and try again to get more debug information into the logs?
If possible please send the full log of the failed krb5_child run.

> 
> Sometimes we see this in krb5_child.log as well:
> 
> (2021-08-16 12:32:13): [krb5_child[6232]] [get_and_save_tgt] (0x0020): 1720: [-1765328360][Preauthentication failed]
> (2021-08-16 12:32:13): [krb5_child[6232]] [map_krb5_error] (0x0020): 1849: [-1765328360][Preauthentication failed]

This typically indicates a wrong password.

bye,
Sumit

> 
> Steps taken to clear the issue with no results:
> 
> 1. sss_cache -E
> 
> 2. systemctl stop sssd
>     rm -rf /var/lib/sss/db/*
>     systemctl start sssd
> 
> 3. ipa-client-install --uninstall and then rejoin
> 
> Environment:
> 
> RHEL8.4 - 4.18.0-305.12.1.el8_4.x86_64
> ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64
> 
> Contents of /etc/krb5.conf:
> 
> #File modified by ipa-client-install
> 
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = DOMAIN.WITHHELD.LOCAL
>   dns_lookup_realm = true
>   rdns = false
>   dns_canonicalize_hostname = false
>   dns_lookup_kdc = true
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>   DOMAIN.WITHHELD.LOCAL = {
>     pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> 
>   }
> 
> [domain_realm]
>   .domain.withheld.local = DOMAIN.WITHHELD.LOCAL
>   domain.withheld.local = DOMAIN.WITHHELD.LOCAL
>   client1.domain.withheld.local = DOMAIN.WITHHELD.LOCAL
>   .withheld.local = DOMAIN.WITHHELD.LOCAL
>   withheld.local = DOMAIN.WITHHELD.LOCAL
> 
> 
> Contents of /etc/sssd/sssd.conf:
> 
> [domain/domain.withheld.local]
> 
> id_provider = ipa
> dns_discovery_domain = domain.withheld.local
> ipa_server = _srv_, idm2.domain.withheld.local
> ipa_domain = domain.withheld.local
> ipa_hostname = client1.domain.withheld.local
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> sudo_provider = ipa
> autofs_provider = ipa
> subdomains_provider = ipa
> session_provider = ipa
> hostid_provider = ipa
> ipa_automount_location = default
> 
> [sssd]
> services = nss, pam, ssh, sudo, autofs
> domains = domain.withheld.local
> 
> [nss]
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [secrets]
> 
> [session_recording]
> 
> Any help would be appreciated.
> 
> -Scott

> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to 
> [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: 
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure