I made a mistake and copied another log; the log of the test mentioned is:
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: Password has
expired
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45687]: KDC reply did
not match expectations
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4
[email protected]
Mar 10 18:08:08 idmsrvpru.idmpru.xxx.xxx.xx sshd[45685]: pam_sss(sshd:auth):
received for user [email protected]: 4 (System error)
Mar 10 18:08:10 idmsrvpru.idmpru.xxx.xxx.xx sshd[45683]: error: PAM:
Authentication failure for [email protected] from 10.9.9.4
Lic. Mateo Duffour
Unidad Informática
2901.40.91
18 de julio 985 - Piso 3, Montevideo, Uruguay
http://www.fnr.gub.uy/
Don't print me unless necessary. Let's protect the environment. This message and
the information attached to it are addressed exclusively to the recipient. They
may contain confidential, privileged or restricted-use information protected by
law. If you received this e-mail in error, please notify the sender and delete
the original. Any other use of this e-mail by you is prohibited.
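The syslog lines quoted in this thread follow one pattern: krb5_child reports "Password has expired" (and "KDC reply did not match expectations"), and the pam_sss line that follows reports result 4 (System error) rather than driving a password change. The following Python script is an added example, not code from this thread or from SSSD/FreeIPA; the log lines it embeds are constructed to match the posted format, with hostnames, realm and addresses replaced by placeholders. It correlates krb5_child messages with the pam_sss result that follows them (by time, since krb5_child is a separate helper process with its own PID) and flags that case, noting the "KDC reply did not match expectations" message as the canonicalization hint raised later in the thread. It also works for non-sshd PAM services such as gdm-password, because it keys on the pam_sss result line rather than the process name.

```python
"""Triage sshd / pam_sss / krb5_child syslog lines for the expired-password case.

Added example for this thread, not code from SSSD or FreeIPA. The sample log
is constructed to match the format posted; host, realm and addresses are
placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one expired-password login that ends in PAM result 4,
# followed by an ordinary wrong-password failure (PAM result 7) for comparison.
SAMPLE_LOG = """\
Mar 10 18:08:08 idm.example.test krb5_child[45687]: Password has expired
Mar 10 18:08:08 idm.example.test krb5_child[45687]: KDC reply did not match expectations
Mar 10 18:08:08 idm.example.test sshd[45685]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=usu5@adtest.test
Mar 10 18:08:08 idm.example.test sshd[45685]: pam_sss(sshd:auth): received for user usu5@adtest.test: 4 (System error)
Mar 10 18:08:10 idm.example.test sshd[45683]: error: PAM: Authentication failure for usu5@adtest.test from 10.9.9.4
Mar 10 18:09:01 idm.example.test sshd[45700]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4 user=usu1@adtest.test
Mar 10 18:09:01 idm.example.test sshd[45700]: pam_sss(sshd:auth): received for user usu1@adtest.test: 7 (Authentication failure)
"""

# "Mon DD HH:MM:SS host process[pid]: message" (classic syslog / journalctl -o short)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_sss logs the final PAM result of an auth request in this form, for any
# PAM service (sshd, gdm-password, ...).
RESULT_RE = re.compile(
    r"pam_sss\([^)]*:auth\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)"
)


@dataclass
class Event:
    ts: datetime
    proc: str
    pid: int
    msg: str


@dataclass
class Finding:
    user: str
    pam_result: int
    kind: str
    kdc_messages: list[str]
    canonicalization_hint: bool  # True when "KDC reply did not match expectations" was seen


def parse(log: str) -> list[Event]:
    """Parse syslog-shaped lines; anything else (e.g. mail-wrapped continuation text) is skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, fine for deltas.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append(Event(ts, m["proc"], int(m["pid"]), m["msg"]))
    return events


def triage(log: str, window: timedelta = timedelta(seconds=2)) -> list[Finding]:
    """One Finding per pam_sss result line, classified using nearby krb5_child output."""
    events = parse(log)
    findings = []
    for ev in events:
        r = RESULT_RE.search(ev.msg)
        if not r:
            continue
        code = int(r["code"])
        # krb5_child is a separate helper process, so its PID never matches the
        # PAM client's; correlate on time proximity (messages shortly before the result).
        kdc = [
            e.msg
            for e in events
            if e.proc == "krb5_child" and timedelta(0) <= ev.ts - e.ts <= window
        ]
        expired = any("Password has expired" in m for m in kdc)
        mismatch = any("KDC reply did not match expectations" in m for m in kdc)
        if expired and code == 4:
            # The case in this thread: an expired password should end in a
            # password-change prompt (PAM_NEW_AUTHTOK_REQD), not PAM_SYSTEM_ERR (4).
            kind = "expired_password_system_error"
        elif code == 4:
            kind = "system_error"
        else:
            kind = "auth_failure"
        findings.append(Finding(r["user"], code, kind, kdc, mismatch))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        hint = " (check krb5_canonicalize)" if f.canonicalization_hint else ""
        print(f"{f.user}: PAM {f.pam_result} -> {f.kind}{hint}")
```

Feed it the output of `journalctl -o short -u sshd -t krb5_child` (or the relevant /var/log/secure or auth.log) after unwrapping any lines a mail client folded; the 2-second window is an assumption that suits a single host, and should be widened if the krb5_child and PAM lines come from different log sources with clock skew.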
From: "Mateo Duffour" <[email protected]>
To: "Sumit Bose" <[email protected]>
Cc: "freeipa-users" <[email protected]>, "Alexander Bokovoy"
<[email protected]>
Sent: Thursday, 10 March, 2022 17:48:17
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
Hi,
We also tried with krb5_use_enterprise_principal with no success.
With the intention of simplifying our scenario we are now testing (with the
same configurations that you suggested) an ssh login of the user to the IdM server.
On our IdM server we are getting the same error:
ssh [email protected]@idmsrvpru.idmpru.xxx.xx.xx
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: Password has
expired
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[45298]: KDC reply did
not match expectations
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4
user=usu5
Mar 10 16:50:12 idmsrvpru.idmpru.xxx.xxx.xx sshd[45296]: pam_sss(sshd:auth):
received for user usu5: 4 (System error)
Mar 10 16:50:14 idmsrvpru.idmpru.xxx.xxx.xx sshd[45293]: error: PAM:
Authentication failure for usu5 from 10.9.9.4
From: "Sumit Bose" <[email protected]>
To: "Mateo Duffour" <[email protected]>
Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
<[email protected]>, "Alexander Bokovoy"
<[email protected]>
Sent: Thursday, 10 March, 2022 14:01:29
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
On Thu, Mar 10, 2022 at 01:34:27PM -0300, Mateo Duffour wrote:
Hi Sumit,
I have attached all the files you requested, this test was done with user usu5
which has its password expired.
Hi,
thanks for the new logs. Can you check if adding
krb5_use_enterprise_principal = True
to the [domain/...] section of sssd.conf make it any better? If this
still does not help it would be good if you can record a network trace
covering the authentication attempt.
bye,
Sumit
Regards,
From: "Sumit Bose" <[email protected]>
To: "Mateo Duffour" <[email protected]>
Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
<[email protected]>, "Alexander Bokovoy"
<[email protected]>
Sent: Thursday, 10 March, 2022 07:23:11
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
On Tue, Mar 08, 2022 at 01:42:53PM -0300, Mateo Duffour wrote:
Hi, thanks again for the quick reply.
Sorry I did not have the time to test it again until now; I tried your
recommendations.
It's still behaving the same way as before, so I attached the sssd_pam.log you
requested with the debug set to level 9 in the [pam] section (sssd.conf).
The log attached is from our Ubuntu 20.04 client.
Hi,
please send the related SSSD backend logs and krb5_child.log as well.
bye,
Sumit
We also tested it on our IdM server on Rocky Linux, getting the same
behaviour.
Best regards.
From: "Sumit Bose" <[email protected]>
To: "Mateo Duffour" <[email protected]>
Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
<[email protected]>, "Alexander Bokovoy"
<[email protected]>
Sent: Monday, 28 February, 2022 06:23:51
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
Hi,
I send you attached the files needed, let me know if you need something else.
Hi,
thanks for the files, they look ok. After looking again at what you sent
I came across
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not
match expectations
which typically indicates a canonicalization of the principal by the
server side which was not expected by the client.
Which version of SSSD are you using on the Ubuntu client? Recent versions
of SSSD already set 'krb5_canonicalize = true' by default for
'id_provider = ipa'. Maybe your version is a bit older? Please try if it
works better if you explicitly set
krb5_canonicalize = true
in the [domain/...] section of sssd.conf and restart SSSD. At least the
'KDC reply did not match expectations' should be gone now. If the
password change still fails, please set 'debug_level = 9' in the [pam]
and [domain/...] section of sssd.conf, restart SSSD, run the test again
and send the logs from /var/log/sssd.
bye,
Sumit
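The two changes suggested in this message (krb5_canonicalize = true in the [domain/...] section, and debug_level = 9 in [pam] and [domain/...] while collecting logs) can be checked and applied mechanically. The following Python script is an added example, not SSSD or FreeIPA code; the sssd.conf it embeds is constructed, with placeholder domain and server names. It reports which of those settings are missing or weak in a given sssd.conf and produces a corrected copy. The default of krb5_canonicalize for id_provider = ipa is taken from this message, not verified against a particular SSSD version, which is why the checker asks for the explicit setting either way.

```python
"""Check an sssd.conf for the settings recommended in this thread.

Added example, not SSSD project code. SAMPLE_CONF is constructed; the domain
and server names are placeholders. Settings checked: krb5_canonicalize = true
in every [domain/...] section, debug_level = 9 in [pam] and [domain/...]
(the troubleshooting level asked for in the thread, not a permanent setting).
"""
from __future__ import annotations

import configparser
import io

# Constructed sssd.conf of an IPA client with none of the recommended settings.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.test

[pam]

[domain/ipa.example.test]
id_provider = ipa
ipa_server = idm.example.test
ipa_domain = ipa.example.test
"""

TRUE_VALUES = {"true", "yes", "1"}


def load(conf_text: str) -> configparser.ConfigParser:
    # SSSD values may contain '%' (e.g. in name templates); disable interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def check(conf_text: str) -> list[tuple[str, str, str]]:
    """Return (section, option, problem) tuples; an empty list means nothing to change."""
    cp = load(conf_text)
    findings = []
    if not cp.has_section("pam") or cp.get("pam", "debug_level", fallback="") != "9":
        findings.append(("pam", "debug_level", "not 9; set it while collecting sssd_pam.log"))
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        canon = cp.get(sec, "krb5_canonicalize", fallback=None)
        if canon is None:
            provider = cp.get(sec, "id_provider", fallback="?")
            findings.append((sec, "krb5_canonicalize",
                             f"not set; relying on the default for id_provider = {provider}, "
                             "set it to true explicitly"))
        elif canon.strip().lower() not in TRUE_VALUES:
            findings.append((sec, "krb5_canonicalize", f"is {canon!r}; should be true"))
        if cp.get(sec, "debug_level", fallback="") != "9":
            findings.append((sec, "debug_level", "not 9; set it while collecting backend logs"))
    return findings


def apply_recommendations(conf_text: str) -> str:
    """Return conf_text with the thread's settings applied; other options are kept."""
    cp = load(conf_text)
    if not cp.has_section("pam"):
        cp.add_section("pam")
    cp.set("pam", "debug_level", "9")
    for sec in cp.sections():
        if sec.startswith("domain/"):
            cp.set(sec, "krb5_canonicalize", "true")
            cp.set(sec, "debug_level", "9")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, option, problem in check(SAMPLE_CONF):
        print(f"[{section}] {option}: {problem}")
    print("--- corrected ---")
    print(apply_recommendations(SAMPLE_CONF))
```

Two caveats when using this on a real /etc/sssd/sssd.conf: configparser drops comments on write, so review the output as a diff rather than overwriting the file blindly, and keep the file's mode at 0600, which SSSD enforces. debug_level = 9 makes the logs in /var/log/sssd verbose and they will contain user names and host details, so lower it again once the logs have been collected and shared.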
Thanks again, regards.
From: "Sumit Bose" <[email protected]>
To: "freeipa-users" <[email protected]>
Cc: "Alexander Bokovoy" <[email protected]>, "Mateo Duffour"
<[email protected]>
Sent: Friday, 25 February, 2022 03:46:43
Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via
FreeIPA-users wrote:
Which /etc/pam.d/ config file do you need?
Hi,
from the logs below it looks like you are using ssh to log in, so it
would be /etc/pam.d/sshd and all the files which might be referenced in
that file.
bye,
Sumit
From: "Mateo Duffour" <[email protected]>
To: "Alexander Bokovoy" <[email protected]>
Cc: "freeipa-users" <[email protected]>
Sent: Wednesday, 23 February, 2022 17:26:49
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
Hi, thank you for the quick reply.
We were further investigating the issue.
We were testing with user "usu5" that has its password expired. The log of the IdM
server below shows that Samba AD DC is sending "Password has expired" for user
"usu5", that's OK.
So we suspect that IdM is not behaving as expected: it should prompt a
password expiry to the user and let the user change it, but something is wrong
with our config or scenario because that does not happen.
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has
expired
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not
match expectations
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8
[email protected]
Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth):
received for user [email protected]: 4 (System error)
Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM:
Authentication failure for [email protected] from 10.9.9.8
Also in the attached file there is the log of sssd_idmpru.fnr.gub.uy.log that
shows a login attempt with user "usu6", that is on the same situation as
"usu5".
############
We have done other tests as well; in this case we are logged on the IdM server as
user "usu1", whose password is not expired and works properly. But when we
try to change it with "passwd" it also fails.
[[email protected]@idmsrvpru /]$ passwd
Changing password for user [email protected].
Current Password:
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
Log of this test on IdM server:
Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
pam_unix(passwd:chauthtok): user "[email protected]" does not exist in
/etc/passwd
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
pam_sss(passwd:chauthtok): User info message: Password change failed. Server
message: Old password not accepted.
Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]:
pam_sss(passwd:chauthtok): Authentication failed for user
[email protected]: 4 (System error)
Which PAM logs do you need? We have several files apparently.
Thank you guys again and best regards.
From: "Alexander Bokovoy" <[email protected]>
To: "freeipa-users" <[email protected]>
Cc: "Mateo Duffour" <[email protected]>
Sent: Wednesday, 23 February, 2022 05:14:42
Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC -
User accounts with passwords expired
Hello,
On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote:
Hi,
We currently have an IdM installation with a trust relationship with a
Samba AD DC. Our user accounts reside on Samba AD DC, we don't have user
accounts on IdM. We are having a problem with Samba user accounts that
have their passwords expired.
When we try to login with an ubuntu IdM client with one of those
accounts, it fails and asks again for password. The behaviour we are
expecting is that Ubuntu should ask for a password change.
I think you need to look at SSSD troubleshooting guide and investigate a
bit yourself. Without logs it is impossible to tell what's wrong.
Please see https://sssd.io/troubleshooting/basics.html and
https://sssd.io/troubleshooting/ipa_provider.html for two parts that
would be relevant here.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
(Tue Mar 8 13:23:57 2022) [pam] [cache_req_search_done] (0x0400): CR #1:
Returning updated object [[email protected]]
(Tue Mar 8 13:23:57 2022) [pam] [cache_req_create_and_add_result] (0x0400): CR
#1: Found 3 entries in domain adtest.xxx
(Tue Mar 8 13:23:57 2022) [pam] [cache_req_done] (0x0400): CR #1: Finished:
Success
(Tue Mar 8 13:23:57 2022) [pam] [pd_set_primary_name] (0x0400): User's primary
name is [email protected]
(Tue Mar 8 13:23:57 2022) [pam] [pam_initgr_cache_set] (0x2000): [usu5] added
to PAM initgroup cache
(Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req] (0x0100): Sending request
with the following data:
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): domain: adtest.xxx
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): user:
[email protected]
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): service:
gdm-password
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): tty: /dev/tty1
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): ruser: not set
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): rhost: not set
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): authtok type: 1
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): priv: 1
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): cli_pid: 1201
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): logon name: usu5
(Tue Mar 8 13:23:57 2022) [pam] [pam_print_data] (0x0100): flags: 1
(Tue Mar 8 13:23:57 2022) [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
(Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received D-Bus
signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
(Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of
owner :1.8 has changed from [] to [:1.8]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing
identity of sender [:1.8]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400):
org.freedesktop.DBus.NameOwnerChanged: Success
(Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Tue Mar 8 13:23:57 2022) [pam] [sbus_signal_handler] (0x2000): Received D-Bus
signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
(Tue Mar 8 13:23:57 2022) [pam] [sbus_name_owner_changed] (0x4000): Name of
owner :1.9 has changed from [] to [:1.9]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_senders_delete] (0x2000): Removing
identity of sender [:1.9]
(Tue Mar 8 13:23:57 2022) [pam] [sbus_issue_request_done] (0x0400):
org.freedesktop.DBus.NameOwnerChanged: Success
(Tue Mar 8 13:23:57 2022) [pam] [sbus_dispatch] (0x4000): Dispatching.
(Tue Mar 8 13:23:57 2022) [pam] [pam_dp_send_req_done] (0x0200): received: [4
(System error)][adtest.xxx]
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
"ldb_kv_callback": 0x559ac166d7a0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
"ldb_kv_timeout": 0x559ac166e450
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event
0x559ac166d7a0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
0x559ac166e450 "ldb_kv_timeout"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
0x559ac166d7a0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x4000): pam_reply initially
called with result [4]: System error. this result might be changed during
processing
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
"ldb_kv_callback": 0x559ac1668fa0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
"ldb_kv_timeout": 0x559ac166d7a0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event
0x559ac1668fa0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
0x559ac166d7a0 "ldb_kv_timeout"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
0x559ac1668fa0 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
"ldb_kv_callback": 0x559ac166e260
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Added timed event
"ldb_kv_timeout": 0x559ac1668fa0
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Running timer event
0x559ac166e260 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
0x559ac1668fa0 "ldb_kv_timeout"
(Tue Mar 8 13:23:57 2022) [pam] [ldb] (0x4000): Destroying timer event
0x559ac166e260 "ldb_kv_callback"
(Tue Mar 8 13:23:57 2022) [pam] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): blen: 34
(Tue Mar 8 13:23:57 2022) [pam] [pam_reply] (0x0200): Returning [4]: System
error to the client
(Tue Mar 8 13:23:59 2022) [pam] [client_recv] (0x0200): Client disconnected!
(Tue Mar 8 13:23:59 2022) [pam] [client_close_fn] (0x2000): Terminated client
[0x559ac1666fa0][19]
(Tue Mar 8 13:24:02 2022) [pam] [pam_initgr_cache_remove] (0x2000): [usu5]
removed from PAM initgroup cache