On Thu, Mar 10, 2022 at 01:34:27PM -0300, Mateo Duffour wrote:
> Hi Sumit,
>
> I have attached all the files you requested; this test was done with user
> usu5, whose password has expired.
Hi,
thanks for the new logs. Can you check if adding
krb5_use_enterprise_principal = True
to the [domain/...] section of sssd.conf makes it any better? If this
still does not help it would be good if you can record a network trace
covering the authentication attempt.
bye,
Sumit
>
>
> Regards,
>
> Lic. Mateo Duffour
> IT Unit
> 2901.40.91
>
> [
> http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay
> | 18 de julio 985 - Piso 3, Montevideo, Uruguay ]
> [ http://www.fnr.gub.uy/ | ]
>
>
>
> Don't print me unless necessary. Let's protect the environment. This message
> and the information attached to it are addressed exclusively to the
> recipient. It may contain confidential, privileged or restricted-use
> information protected by law. If you received this e-mail by mistake,
> please notify the sender and delete the original. Any other use of this
> e-mail by you is prohibited.
>
>
> From: "Sumit Bose" <[email protected]>
> To: "Mateo Duffour" <[email protected]>
> Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
> <[email protected]>, "Alexander Bokovoy"
> <[email protected]>
> Sent: Thursday, 10 March, 2022 07:23:11
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Tue, Mar 08, 2022 at 01:42:53PM -0300, Mateo Duffour wrote:
>
>
> Hi, thanks again for the quick reply.
> Sorry I did not have the time to test it again until now; I tried your
> recommendations.
>
> It's still behaving the same way as before, so I attached the sssd_pam.log
> you requested with the debug level set to 9 in the [pam] section of sssd.conf.
> The log attached is from our Ubuntu 20.04 client.
>
>
>
> Hi,
>
> please send the related SSSD backend logs and krb5_child.log as well.
>
> bye,
> Sumit
>
>
>
> We also tested it on our IdM server on Rocky Linux, getting the same
> behaviour.
>
>
> Best regards.
>
>
>
> From: "Sumit Bose" <[email protected]>
> To: "Mateo Duffour" <[email protected]>
> Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
> <[email protected]>, "Alexander Bokovoy"
> <[email protected]>
> Sent: Monday, 28 February, 2022 06:23:51
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
>
>
> Hi,
>
> I send you attached the files needed, let me know if you need something else.
>
>
>
> Hi,
>
> thanks for the files, they look ok. After looking again at what you sent
> I came across
>
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did
> not match expectations
>
> which typically indicates a canonicalization of the principal by the
> server side which was not expected by the client.
>
> Which version of SSSD are you using on the Ubuntu client? Recent versions
> of SSSD already set 'krb5_canonicalize = true' by default for
> 'id_provider = ipa'. Maybe your version is a bit older? Please try if it
> works better if you explicitly set
>
> krb5_canonicalize = true
>
> in the [domain/...] section of sssd.conf and restart SSSD. At least the
> 'KDC reply did not match expectations' should be gone now. If the
> password change still fails, please set 'debug_level = 9' in the [pam]
> and [domain/...] section of sssd.conf, restart SSSD, run the test again
> and send the logs from /var/log/sssd.
>
> bye,
> Sumit
>
>
>
>
> Thanks again, regards.
>
>
>
> From: "Sumit Bose" <[email protected]>
> To: "freeipa-users" <[email protected]>
> Cc: "Alexander Bokovoy" <[email protected]>, "Mateo Duffour"
> <[email protected]>
> Sent: Friday, 25 February, 2022 03:46:43
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via
> FreeIPA-users wrote:
>
>
> Which /etc/pam.d/ config file do you need?
>
>
>
> Hi,
>
> from the logs below it looks like you are using ssh to log in, so it
> would be /etc/pam.d/sshd and all the files which might be referenced in
> that file.
>
> bye,
> Sumit
>
>
>
>
>
> From: "Mateo Duffour" <[email protected]>
> To: "Alexander Bokovoy" <[email protected]>
> Cc: "freeipa-users" <[email protected]>
> Sent: Wednesday, 23 February, 2022 17:26:49
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
> User accounts with passwords expired
>
> Hi, thank you for the quick reply.
>
> We were further investigating the issue.
>
> We were testing with user "usu5", whose password has expired. The log of the
> IdM server below shows that Samba AD DC is sending "Password has expired" for
> user "usu5", that's OK.
> So we can suspect that IdM is not behaving as expected, it should prompt a
> password expiry to the user and let the user change it, but something is
> wrong with our config or scenario because that does not happen.
>
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has
> expired
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did
> not match expectations
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8
> [email protected]
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth):
> received for user [email protected]: 4 (System error)
> Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM:
> Authentication failure for [email protected] from 10.9.9.8
>
> Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that
> shows a login attempt with user "usu6", that is on the same situation as
> "usu5".
>
> ############
>
> We have done other tests as well; in this case we are logged in on the IdM
> server as user "usu1", whose password is not expired and works properly. But
> when we try to change it with "passwd" it also fails.
>
> [[email protected]@idmsrvpru /]$ passwd
> Changing password for user [email protected].
> Current Password:
> Password change failed. Server message: Old password not accepted.
> passwd: Authentication token manipulation error
>
> Log of this test on IdM server:
>
> Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
> pam_unix(passwd:chauthtok): user "[email protected]" does not exist in
> /etc/passwd
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
> pam_sss(passwd:chauthtok): User info message: Password change failed. Server
> message: Old password not accepted.
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
> pam_sss(passwd:chauthtok): Authentication failed for user
> [email protected]: 4 (System error)
>
> Which PAM logs do you need? We have several files apparently.
>
>
> Thank you guys again and best regards.
>
>
>
> From: "Alexander Bokovoy" <[email protected]>
> To: "freeipa-users" <[email protected]>
> Cc: "Mateo Duffour" <[email protected]>
> Sent: Wednesday, 23 February, 2022 05:14:42
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
> User accounts with passwords expired
>
> Hello,
>
> On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
>
>
> Hi,
>
> We currently have an IdM installation with a trust relationship with a
> Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user
> accounts on IdM. We are having a problem with Samba user accounts whose
> passwords have expired.
>
> When we try to login with an ubuntu IdM client with one of those
> accounts, it fails and asks again for password. The behaviour we are
> expecting is that Ubuntu should ask for a password change.
>
>
>
> I think you need to look at SSSD troubleshooting guide and investigate a
> bit yourself. Without logs it is impossible to tell what's wrong.
>
> Please see https://sssd.io/troubleshooting/basics.html and
> https://sssd.io/troubleshooting/ipa_provider.html for two parts that
> would be relevant here.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
>
>
>
>
>
>
> (Tue Mar 8 13:23:57 2022) [pam] [cache_req_search_done] (0x0400): CR #1:
> Returning updated object [[email protected]]
> (Tue Mar 8 13:23:57 2022) [pam] [cache_req_create_and_add_result] (0x0400):
> CR #1: Found 3 entries in domain adtest.xxx
> (Tue Mar 8 13:23:57 2022) [pam] [cache_req_done] (0x0400): CR #1: Finished:
> Success
> (Tue Mar 8 13:23:57 2022) [pam] [pd_set_primary_name] (0x0400): User's
> primary name is [email protected]
> (Tue Mar 8 13:23:57 2022) [pam] [pam_initgr_cache_set] (0x2000): [usu5] added
> to PAM initgroup cache
> (Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req] (0x0100): Sending request
> with the following data:
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): command:
> SSS_PAM_AUTHENTICATE
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): domain: adtest.xxx
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): user:
> [email protected]
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): service:
> gdm-password
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): tty: /dev/tty1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): ruser: not set
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): rhost: not set
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): priv: 1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): cli_pid: 1201
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): logon name: usu5
> (Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): flags: 1
> (Tue Mar 8 13:23:57 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req
> returned 0
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received
> D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of
> owner :1.8 has changed from [] to [:1.8]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing
> identity of sender [:1.8]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400):
> org.freedesktop.DBus.NameOwnerChanged: Success
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received
> D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of
> owner :1.9 has changed from [] to [:1.9]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing
> identity of sender [:1.9]
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400):
> org.freedesktop.DBus.NameOwnerChanged: Success
> (Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
> (Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req_done] (0x0200): received: [4
> (System error)][adtest.xxx]
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
> "ldb_kv_callback": 0x559ac166d7a0
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
> "ldb_kv_timeout": 0x559ac166e450
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event
> 0x559ac166d7a0 "ldb_kv_callback"
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
> 0x559ac166e450 "ldb_kv_timeout"
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
> 0x559ac166d7a0 "ldb_kv_callback"
>
> (Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x4000): pam_reply initially
> called with result [4]: System error. this result might be changed during
> processing
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
> "ldb_kv_callback": 0x559ac1668fa0
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
> "ldb_kv_timeout": 0x559ac166d7a0
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event
> 0x559ac1668fa0 "ldb_kv_callback"
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
> 0x559ac166d7a0 "ldb_kv_timeout"
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
> 0x559ac1668fa0 "ldb_kv_callback"
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
> "ldb_kv_callback": 0x559ac166e260
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
> "ldb_kv_timeout": 0x559ac1668fa0
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event
> 0x559ac166e260 "ldb_kv_callback"
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
> 0x559ac1668fa0 "ldb_kv_timeout"
>
> (Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
> 0x559ac166e260 "ldb_kv_callback"
>
> (Tue Mar 8 13:23:57 2022) [pam] [filter_responses] (0x0100):
> [pam_response_filter] not available, not fatal.
> (Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): blen: 34
> (Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): Returning [4]: System
> error to the client
> (Tue Mar 8 13:23:59 2022) [pam] [client_recv] (0x0200): Client disconnected!
> (Tue Mar 8 13:23:59 2022) [pam] [client_close_fn] (0x2000): Terminated client
> [0x559ac1666fa0][19]
> (Tue Mar 8 13:24:02 2022) [pam] [pam_initgr_cache_remove] (0x2000): [usu5]
> removed from PAM initgroup cache
>
>
>
>
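The thread above boils down to two recurring actions: checking that the [domain/...] section of sssd.conf carries the Kerberos options Sumit asked for (krb5_canonicalize, krb5_use_enterprise_principal, plus debug_level = 9 while collecting logs), and reading the krb5_child messages in the journal to tell an expired password that was reported cleanly apart from the "KDC reply did not match expectations" case. The script below is an added example written for this page, not code from the thread or from the SSSD project. It assumes a hypothetical client configured for the domain ipa.example.test, and the sssd.conf text and journal lines it works on are constructed inline (modelled on the format quoted in the thread; hostname, PIDs and domain name are made up).

```python
import configparser
import io
import re
from collections import defaultdict

# Options Sumit Bose asked for in the [domain/...] section of sssd.conf.
RECOMMENDED_DOMAIN_SETTINGS = {
    "krb5_canonicalize": "true",
    "krb5_use_enterprise_principal": "true",
}

# Constructed sssd.conf for a hypothetical IPA client (domain is an assumption).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa

[pam]
"""

# Constructed journal lines modelled on the thread's format; PIDs are made up.
SAMPLE_JOURNAL = """\
Feb 23 08:14:35 idmclient krb5_child[4283]: Password has expired
Feb 23 08:14:35 idmclient krb5_child[4283]: KDC reply did not match expectations
Feb 23 08:14:35 idmclient sshd[4281]: pam_sss(sshd:auth): received for user usu5@adtest.xxx: 4 (System error)
Feb 23 08:20:01 idmclient krb5_child[4400]: Password has expired
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def load_conf(text):
    """Parse sssd.conf text, keeping option names case-sensitive like SSSD."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_domains(conf_text):
    """Return {section: [problem, ...]} for every [domain/...] section."""
    findings = {}
    cp = load_conf(conf_text)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        problems = []
        for opt, want in RECOMMENDED_DOMAIN_SETTINGS.items():
            have = cp.get(section, opt, fallback=None)
            if have is None:
                problems.append(f"{opt} not set (expected {want})")
            elif have.strip().lower() != want:
                problems.append(f"{opt} = {have} (expected {want})")
        findings[section] = problems
    return findings


def patched_conf(conf_text, debug=True):
    """Apply the recommended options; debug=True also sets debug_level = 9
    in [pam] and every [domain/...] section, for log collection only."""
    cp = load_conf(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            for opt, want in RECOMMENDED_DOMAIN_SETTINGS.items():
                cp.set(section, opt, want)
            if debug:
                cp.set(section, "debug_level", "9")
    if debug:
        if not cp.has_section("pam"):
            cp.add_section("pam")
        cp.set("pam", "debug_level", "9")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def triage_auth_log(lines):
    """Group krb5_child messages by PID and name the failure pattern seen."""
    by_pid = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("proc") == "krb5_child":
            by_pid[m.group("pid")].append(m.group("msg"))
    verdicts = {}
    for pid, msgs in by_pid.items():
        if any("KDC reply did not match expectations" in m for m in msgs):
            verdicts[pid] = "KDC canonicalized the principal unexpectedly; set krb5_canonicalize = true"
        elif any("Password has expired" in m for m in msgs):
            verdicts[pid] = "expired password reported cleanly; PAM should prompt for a new password"
        else:
            verdicts[pid] = "no known failure pattern"
    return verdicts


if __name__ == "__main__":
    print(audit_domains(SAMPLE_SSSD_CONF))
    print(patched_conf(SAMPLE_SSSD_CONF))
    print(triage_auth_log(SAMPLE_JOURNAL))
```

Run it against a real client by replacing the constructed text with the contents of /etc/sssd/sssd.conf and the output of journalctl; the triage only keys on the two krb5_child messages quoted in the thread, so any other krb5_child error still needs the backend and krb5_child.log files Sumit asked for. Remember to drop debug_level = 9 again once the logs have been collected, since level 9 writes a lot of detail to /var/log/sssd.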