On 24.01.22 09:55, Alexander Bokovoy wrote:
On ma, 24 tammi 2022, Ronald Wimmer wrote:
On 17.01.22 17:53, Alexander Bokovoy wrote:
On ma, 17 tammi 2022, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 13.01.22 09:29, Ronald Wimmer via FreeIPA-users wrote:
Today the problem reappeared. I cannot log in with the admin user. The
error message I get is "The password or username you entered is
incorrect". kinit also does not work.
It seems that the password has changed somehow without user
interaction.
How can we debug this?
Cheers,
Ronald
We could verify that the user is neither locked nor disabled. The
password has not changed since we reset it. There is no obvious reason
why the password is not accepted anymore.
What's strange is the fact that a particular IPA server says 'Failed
logins: 0' but shows a 'Last failed authentication' timestamp that is
later than the 'Last successful authentication' timestamp.
I suppose what I would do, as DM, is to take a snapshot of one of the
broken entries, because you want the userPassword, krbPrincipalKey,
etc.
Then reset the password. If it breaks again compare the stored and new
entry to see what, if anything, is different.
Including things like logs for a failing kinit would be useful as well.
For login failures, following the sssd troubleshooting guide to bump up
the devel level.
I wonder if this is similar to
https://lists.fedorahosted.org/archives/list/[email protected]/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/
but can't confirm without krb5kdc logs.
Which debug level should I set?
There is no separate debug level. You either see an error message
around SIDs being different or not.
That's what I see:
Jan 24 10:02:18 pipa08.linux.mydomain.at krb5kdc[4152](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.39.142: NEEDED_PREAUTH:
[email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jan 24 10:02:18 pipa08.linux.mydomain.at krb5kdc[4152](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.16.39: NEEDED_PREAUTH:
host/[email protected] for
krbtgt/[email protected], Additional
pre-authentication required
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.16.39: ISSUE: authtime 1643014943,
etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/[email protected] for
krbtgt/[email protected]
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4152](info): TGS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.16.39: ISSUE: authtime 1643014943,
etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/[email protected] for
ldap/[email protected]
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4152](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): preauth
(spake) verify failure: Preauthentication failed
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): AS_REQ (7
etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25),
DEPRECATED:arcfour-hmac(23)}) 10.66.39.142: PREAUTH_FAILED:
[email protected] for krbtgt/[email protected],
Preauthentication failed
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): AS_REQ (8
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.66.43.162:
NEEDED_PREAUTH: host/[email protected] for
krbtgt/[email protected], Additional
pre-authentication required
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4151](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4148](info): AS_REQ (8
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.66.43.162:
ISSUE: authtime 1643014943, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/[email protected] for
krbtgt/[email protected]
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4148](info): closing
down fd 12
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): TGS_REQ (8
etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.66.43.162:
ISSUE: authtime 1643014943, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
host/[email protected] for
ldap/[email protected]
Jan 24 10:02:23 pipa08.linux.mydomain.at krb5kdc[4150](info): closing
down fd 12
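One way to triage a krb5kdc excerpt like the one above, added here as an example and not part of the original thread: it rejoins mail-wrapped log records and lists the clients whose AS_REQ ended in PREAUTH_FAILED with no ISSUE. The sample log, host names, principals and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in the mail-wrapped shape shown above; host names,
# principals and addresses are placeholders, not values from the thread.
SAMPLE = """\
Jan 24 10:02:18 kdc1.example.test krb5kdc[4152](info): AS_REQ (1
etypes {aes256-cts-hmac-sha1-96(18)}) 192.0.2.10: NEEDED_PREAUTH:
admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 24 10:02:23 kdc1.example.test krb5kdc[4150](info): AS_REQ (1
etypes {aes256-cts-hmac-sha1-96(18)}) 192.0.2.20: ISSUE: authtime 1643014943,
etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, host/web1.example.test@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jan 24 10:02:23 kdc1.example.test krb5kdc[4151](info): preauth (spake) verify failure: Preauthentication failed
Jan 24 10:02:23 kdc1.example.test krb5kdc[4151](info): AS_REQ (1
etypes {aes256-cts-hmac-sha1-96(18)}) 192.0.2.10: PREAUTH_FAILED:
admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(.*?\}\) "
    r"(?P<ip>[0-9A-Fa-f.:]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{.*?\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)")

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def failed_without_issue(text):
    """Return (client, ip) pairs with PREAUTH_FAILED and no issued TGT."""
    seen = {}
    for record in unwrap(text):
        m = REQ.search(record)
        if m and m["req"] == "AS_REQ":
            seen.setdefault((m["client"], m["ip"]), set()).add(m["status"])
    return sorted(k for k, s in seen.items()
                  if "PREAUTH_FAILED" in s and "ISSUE" not in s)

if __name__ == "__main__":
    for client, ip in failed_without_issue(SAMPLE):
        print(f"{client} from {ip}: pre-authentication failed, no TGT issued")
```

Principals that appear in the result reached the KDC and were rejected at pre-authentication, which separates a key or password mismatch from a client that never contacted this server.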