On Thu, Apr 07, 2022 at 05:07:00PM -0300, Mateo Duffour wrote:
> Hi,
>
> The last answer that we received on bugzilla and on samba lists says "Your
> kpasswd is expecting FAST support which has been added in samba 4.16. So you
> either have to disable FAST or upgrade first."
>
> We've upgraded our Samba server version to 4.16.0 and we're getting this
> error now (when trying to login with any user from our IdM server):
>
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error
> constructing AP-REQ armor: Server krbtgt/[email protected]
> not found in Kerberos database
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx krb5_child[4846]: Error
> constructing AP-REQ armor: Server krbtgt/[email protected]
> not found in Kerberos database
Hi,
Looks like there are issues requesting the cross-realm TGT. It would be
good to see the full krb5_child.log file with 'debug_level = 9' in the
[domain/...] section of sssd.conf to maybe better understand why this fails.
I would expect that the cross-realm TGT is requested during the
validation of the Kerberos ticket. You can disable the validation as a
workaround by adding
krb5_validate = false
in the [domain/...] section of sssd.conf, see man sssd-krb5 for details.
bye,
Sumit
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.4
> [email protected]
> Apr 07 11:50:46 idmsrvpru.idmpru.xxx.xxx.xx sshd[4842]: pam_sss(sshd:auth):
> received for user [email protected] : 4 (System error)
> Apr 07 11:50:48 idmsrvpru.idmpru.xxx.xxx.xx sshd[4840]: error: PAM:
> Authentication failure for [email protected] from 10.9.9.4
>
> Any help is appreciated, regards.
>
> Lic. Mateo Duffour
> Unidad Informática
> 2901.40.91
>
> 18 de julio 985 - Piso 3, Montevideo, Uruguay
> http://www.fnr.gub.uy/
>
> Don't print me unless it is necessary. Let's protect the environment. This
> message and the information attached to it are addressed exclusively to the
> recipient. They may contain confidential, privileged or restricted-use
> information protected by law. If you received this e-mail in error, please
> notify the sender and delete the original. Any other use of this e-mail by
> you is prohibited.
>
>
> From: "Mateo Duffour" <[email protected]>
> To: "Alexander Bokovoy" <[email protected]>
> Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
> <[email protected]>, "tizo" <[email protected]>
> Sent: Friday, 11 March, 2022 15:49:31
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> Hi,
>
> We are experiencing the same behavior on Samba AD DC 4.15.5; we are going to
> report a bug on bugzilla.samba.org as you suggested.
>
>
> Thanks again.
>
> From: "Alexander Bokovoy" <[email protected]>
> To: "Mateo Duffour" <[email protected]>
> Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
> <[email protected]>, "tizo" <[email protected]>
> Sent: Friday, 11 March, 2022 15:03:58
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Fri, 11 Mar 2022, Mateo Duffour wrote:
>
>
> Hi,
>
> We installed Samba AD DC from this repo:
> https://samba.tranquil.it/redhat8/samba-4.14.10/
> It's running on Rocky Linux and it's in a trust relationship with IdM.
>
>
>
> Thanks. So this is a build with an embedded Heimdal Kerberos version, and a
> relatively old one.
>
> This sounds like a bug worth opening with Samba upstream. There is nothing
> specific to FreeIPA in this communication, though. What happens is that
> a Kerberos client (in this case kpasswd) attempts to change a password
> and fails when expecting a response on the Kerberos level from Samba AD DC.
>
> It may be a mix of expectations between kpasswd from MIT Kerberos (on
> Rocky) and Heimdal (embedded in Samba AD DC), but to fix it you'd need
> to talk to Samba AD developers.
>
> Please open a bug at bugzilla.samba.org, attach this capture and the
> kpasswd trace logs. Also please provide details of which Samba build
> this is in the bug report.
>
> Prior to doing that, maybe try an upgrade to Samba 4.15.5, which is
> available in the same repositories from Tranquil IT
> (https://samba.tranquil.it/redhat8/).
>
> Regards,
>
> Lic. Mateo Duffour
>
> From: "Alexander Bokovoy" <[email protected]>
> To: "Mateo Duffour" <[email protected]>
> Cc: "Sumit Bose" <[email protected]>, "freeipa-users"
> <[email protected]>, "tizo" <[email protected]>
> Sent: Friday, 11 March, 2022 14:07:58
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> On Fri, 11 Mar 2022, Mateo Duffour wrote:
>
>
> Hi,
>
> I've sent the network capture attached; it was made with tcpdump on the
> IdM server towards the Samba AD DC server, while trying to log in with ssh
> with user5.
>
>
>
> Hi,
>
> can you give more details about this Samba AD DC installation? What
> Samba version is that? How was it built?
>
> Regards,
>
> Lic. Mateo Duffour
>
> From: "tizo" <[email protected]>
> To: "freeipa-users" <[email protected]>
> Cc: "Mateo Duffour" <[email protected]>, "Alexander Bokovoy"
> <[email protected]>, "Sumit Bose" <[email protected]>
> Sent: Friday, 11 March, 2022 11:38:50
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC
> - User accounts with passwords expired
>
> Hi,
>
> this is still the same pattern. Would it be possible to get a network
> trace to better understand what the KDC reply looks like and what might
> not be as expected by libkrb5?
>
> Additionally, can you try to set the password for the user with the
> expired password with
>
> KRB5_TRACE=/dev/stdout kpasswd usu5@ADTEST.....
>
> and send the output?
>
> bye,
> Sumit
>
> Hi there. I work with Mateo. We are sending the network capture in some
> minutes, but to get ahead I am sending the other test:
>
> # KRB5_TRACE=/dev/stdout kpasswd [email protected]
> [47521] 1647008539.753136: Getting initial credentials for
> [email protected]
> [47521] 1647008539.753137: FAST armor ccache: KCM:0:84390
> [47521] 1647008539.753138: Retrieving
> host/[email protected] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
> from KCM:0:84390 with result: -1765328243/Matching credential not found
> [47521] 1647008539.753139: Setting initial creds service to kadmin/changepw
> [47521] 1647008539.753140: FAST armor ccache: KCM:0:84390
> [47521] 1647008539.753141: Retrieving
> host/[email protected] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/ADTEST.XXX.XXX.XX\@ADTEST.XXX.XXX.XX@X-CACHECONF:
> from KCM:0:84390 with result: -1765328243/Matching credential not found
> [47521] 1647008539.753143: Sending unauthenticated request
> [47521] 1647008539.753144: Sending request (179 bytes) to ADTEST.XXX.XXX.XX
> [47521] 1647008539.753145: Initiating TCP connection to stream 10.2.100.4:88
> [47521] 1647008540.776855: Initiating TCP connection to stream 10.2.100.3:88
> [47521] 1647008540.776856: Sending TCP request to stream 10.2.100.3:88
> [47521] 1647008540.776857: Received answer (278 bytes) from stream 10.2.100.3:88
> [47521] 1647008540.776858: Terminating TCP connection to stream 10.2.100.4:88
> [47521] 1647008540.776859: Terminating TCP connection to stream 10.2.100.3:88
> [47521] 1647008540.776860: Response was from master KDC
> [47521] 1647008540.776861: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [47521] 1647008540.776864: Preauthenticating using KDC method data
> [47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16),
> PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
> [47521] 1647008540.776866: Selected etype info: etype aes256-cts, salt
> "ADTEST.XXX.XXX.XXusu5", params "\x00\x00\x10\x00"
> [47521] 1647008540.776867: PKINIT client has no configured identity; giving
> up
> [47521] 1647008540.776868: PKINIT client has no configured identity; giving
> up
> [47521] 1647008540.776869: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> Password for [email protected]:
> [47521] 1647008555.456745: AS key obtained for encrypted timestamp:
> aes256-cts/0DAE
> [47521] 1647008555.456747: Encrypted timestamp (for 1647008555.462202): plain
> 301AA011180F32303232303331313134323233355AA1050203070D7A, encrypted
> 588F164716268F95639456AEE7589886245643006D4F7B630289E1E745736D8B9037356B398C63F122292C02AAB12E25883A00C2E266E84C
>
> [47521] 1647008555.456748: Preauth module encrypted_timestamp (2) (real)
> returned: 0/Success
> [47521] 1647008555.456749: Produced preauth for next request:
> PA-ENC-TIMESTAMP (2)
> [47521] 1647008555.456750: Sending request (257 bytes) to ADTEST.XXX.XXX.XX
> [47521] 1647008555.456751: Initiating TCP connection to stream 10.2.100.4:88
> [47521] 1647008556.458248: Initiating TCP connection to stream 10.2.100.3:88
> [47521] 1647008556.458249: Sending TCP request to stream 10.2.100.3:88
> [47521] 1647008556.458250: Received answer (1438 bytes) from stream 10.2.100.3:88
> [47521] 1647008556.458251: Terminating TCP connection to stream 10.2.100.4:88
> [47521] 1647008556.458252: Terminating TCP connection to stream 10.2.100.3:88
> [47521] 1647008556.458253: Response was from master KDC
> [47521] 1647008556.458254: Processing preauth types: PA-PW-SALT (3)
> [47521] 1647008556.458255: Received salt "ADTEST.XXX.XXX.XXusu5" via padata
> type PA-PW-SALT (3)
> [47521] 1647008556.458256: Produced preauth for next request: (empty)
> [47521] 1647008556.458257: AS key determined by preauth: aes256-cts/0DAE
> [47521] 1647008556.458258: Decrypted AS reply; session key is:
> aes256-cts/35D9
> [47521] 1647008556.458259: FAST negotiation: unavailable
> kpasswd: KDC reply did not match expectations getting initial ticket
>
> FYI, I have tried the same test with a user WITHOUT an expired password, and it
> does not work either, and the log is exactly the same. Indeed, when I log in
> with ssh with this user, I cannot change the password either:
>
> $ passwd
> Changing password for user [email protected].
> Current Password:
> Password change failed. Server message: Old password not accepted.
> passwd: Authentication token manipulation error
>
> Thanks very much.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
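As an added triage helper (not part of the thread, nor SSSD or MIT Kerberos code), the following Python script scans krb5_child.log or KRB5_TRACE output for the three failure signatures that appear in this thread and maps each one to the diagnosis and next step given above. The embedded log lines are constructed from the quoted output, and the realm names IDMPRU.EXAMPLE and ADTEST.EXAMPLE are placeholders, not the poster's real realms.

```python
import re

# Constructed sample lines modelled on the output quoted in the thread; the realm
# names IDMPRU.EXAMPLE / ADTEST.EXAMPLE are placeholders, not the poster's real realms.
SAMPLE_LOG = """\
[47521] 1647008540.776861: Received error from KDC: -1765328359/Additional pre-authentication required
[47521] 1647008540.776865: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[47521] 1647008556.458259: FAST negotiation: unavailable
kpasswd: KDC reply did not match expectations getting initial ticket
Apr 07 11:50:46 idmsrvpru krb5_child[4846]: Error constructing AP-REQ armor: Server krbtgt/IDMPRU.EXAMPLE@ADTEST.EXAMPLE not found in Kerberos database
"""

# (pattern, finding, action) triples taken from the diagnoses given in this thread
SIGNATURES = [
    (re.compile(r"FAST negotiation: unavailable"),
     "KDC did not negotiate FAST",
     "Samba AD DC before 4.16 has no FAST support: upgrade it, or disable FAST on the client"),
    (re.compile(r"KDC reply did not match expectations"),
     "kpasswd rejected the AS reply",
     "usually follows the FAST failure; collect KRB5_TRACE output and a network trace for the bug report"),
    (re.compile(r"Error constructing AP-REQ armor: Server (krbtgt/\S+) not found"),
     "cross-realm TGT {0} could not be obtained while building FAST armor",
     "ticket validation needs the cross-realm TGT; get krb5_child.log with debug_level = 9, "
     "workaround: krb5_validate = false in the [domain/...] section of sssd.conf"),
]


def triage(log_text):
    """Return (finding, action) pairs for every known signature found in the log."""
    findings = []
    for line in log_text.splitlines():
        for pattern, finding, action in SIGNATURES:
            match = pattern.search(line)
            if match:
                findings.append((finding.format(*match.groups()), action))
    return findings


def preauth_types(log_text):
    """Map the pre-authentication mechanisms the KDC offered to their padata numbers."""
    offered = {}
    for line in log_text.splitlines():
        if "Processing preauth types:" in line:
            rest = line.split("Processing preauth types:", 1)[1]
            for name, num in re.findall(r"([A-Z0-9_-]+) \((\d+)\)", rest):
                offered[name] = int(num)
    return offered
```

The "Additional pre-authentication required" line deliberately matches nothing: it is the KDC's normal first answer and not a fault by itself.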
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure