We have an IPA-AD trust up and running. The IPA domain is idm.fnr.gub.uy and the AD (Samba) domain is smb.fnr.gub.uy. Our users belong to AD.
We have a couple of Ubuntu 22.04 IPA clients configured. In the first one, all works like a charm, and AD users can log in without problems. In the second one, AD users can log in sometimes, and sometimes not. The log /var/log/sssd/krb5_child.log is completely empty in the first case. In the second one, we have the following when a user cannot log in:

(2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] krb5_child started.
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x1000): [RID#19] total buffer size: [134]
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x2000): [RID#19] No old ccache
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] ccname: [KEYRING:persistent:700000003] old_ccname: [not set] keytab: [/etc/krb5.keytab]
* (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_precreate_ccache] (0x4000): [RID#19] Recreating ccache
* (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_setup_fast] (0x0100): [RID#19] Fast principal is set to [host/[email protected]]
* (2023-01-04 11:42:10): [krb5_child[4430]] [find_principal_in_keytab] (0x4000): [RID#19] Trying to find principal host/[email protected] in keytab.
* (2023-01-04 11:42:10): [krb5_child[4430]] [match_principal] (0x1000): [RID#19] Principal matched to the sample (host/[email protected]).
* (2023-01-04 11:42:10): [krb5_child[4430]] [check_fast_ccache] (0x0200): [RID#19] FAST TGT is still valid.
* (2023-01-04 11:42:10): [krb5_child[4430]] [privileged_krb5_setup] (0x0080): [RID#19] Cannot open the PAC responder socket
* (2023-01-04 11:42:10): [krb5_child[4430]] [become_user] (0x0200): [RID#19] Trying to become user [700000003][700000005].
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x2000): [RID#19] Running as [700000003][700000005].
* (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options] (0x0100): [RID#19] No specific renewable lifetime requested.
* (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options] (0x0100): [RID#19] No specific lifetime requested.
* (2023-01-04 11:42:10): [krb5_child[4430]] [set_canonicalize_option] (0x0100): [RID#19] Canonicalization is set to [true]
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] Will perform auth
* (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] Will perform online auth
* (2023-01-04 11:42:10): [krb5_child[4430]] [tgt_req_child] (0x1000): [RID#19] Attempting to get a TGT
* (2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt] (0x0400): [RID#19] Attempting kinit for realm [SMB.FNR.GUB.UY]
* (2023-01-04 11:42:11): [krb5_child[4430]] [sss_krb5_responder] (0x4000): [RID#19] Got question [password].
* (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2023-01-04 11:42:11): [krb5_child[4430]] [map_krb5_error] (0x0020): [RID#19] 1854: [-1765328353][Decrypt integrity check failed]

And the following when the same user is able to log in:

(2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [[email protected]] might not be correct.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] krb5_child started.
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x1000): [RID#21] total buffer size: [134]
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x2000): [RID#21] No old ccache
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] ccname: [KEYRING:persistent:700000003] old_ccname: [not set] keytab: [/etc/krb5.keytab]
* (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_precreate_ccache] (0x4000): [RID#21] Recreating ccache
* (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_setup_fast] (0x0100): [RID#21] Fast principal is set to [host/[email protected]]
* (2023-01-04 11:42:28): [krb5_child[4432]] [find_principal_in_keytab] (0x4000): [RID#21] Trying to find principal host/[email protected] in keytab.
* (2023-01-04 11:42:28): [krb5_child[4432]] [match_principal] (0x1000): [RID#21] Principal matched to the sample (host/[email protected]).
* (2023-01-04 11:42:28): [krb5_child[4432]] [check_fast_ccache] (0x0200): [RID#21] FAST TGT is still valid.
* (2023-01-04 11:42:28): [krb5_child[4432]] [privileged_krb5_setup] (0x0080): [RID#21] Cannot open the PAC responder socket
* (2023-01-04 11:42:28): [krb5_child[4432]] [become_user] (0x0200): [RID#21] Trying to become user [700000003][700000005].
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x2000): [RID#21] Running as [700000003][700000005].
* (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options] (0x0100): [RID#21] No specific renewable lifetime requested.
* (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options] (0x0100): [RID#21] No specific lifetime requested.
* (2023-01-04 11:42:28): [krb5_child[4432]] [set_canonicalize_option] (0x0100): [RID#21] Canonicalization is set to [true]
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] Will perform auth
* (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] Will perform online auth
* (2023-01-04 11:42:28): [krb5_child[4432]] [tgt_req_child] (0x1000): [RID#21] Attempting to get a TGT
* (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt] (0x0400): [RID#21] Attempting kinit for realm [SMB.FNR.GUB.UY]
* (2023-01-04 11:42:28): [krb5_child[4432]] [sss_krb5_responder] (0x4000): [RID#21] Got question [password].
* (2023-01-04 11:42:28): [krb5_child[4432]] [sss_krb5_expire_callback_func] (0x2000): [RID#21] exp_time: [10276087]
* (2023-01-04 11:42:28): [krb5_child[4432]] [validate_tgt] (0x2000): [RID#21] Keytab entry with the realm of the credential not found in keytab. Using the last entry.
* (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0400): [RID#21] TGT verified using key for [host/[email protected]].
* (2023-01-04 11:42:29): [krb5_child[4432]] [sss_send_pac] (0x0080): [RID#21] failed to contact PAC responder
* (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [[email protected]] might not be correct.
********************** BACKTRACE DUMP ENDS HERE *********************************

I have tried clearing all sssd caches (even removing /var/lib/sss/db/*), restarting all the servers, uninstalling the ipa client and configuring it again, etc. The behaviour is always the same. Any help is appreciated.
Thanks very much,
tizo
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
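An added triage helper, not part of the original post or of SSSD: it parses krb5_child.log records in the format shown above, groups them by request id (RID), and reports for each login attempt whether the TGT was verified or which Kerberos error ended it, plus the failure-class messages (PAC responder, sss_send_pac) seen along the way, so an intermittent problem like this one can be tallied over many attempts. The sample lines are constructed from the post, with the redacted principals replaced by the placeholders USER@SMB.FNR.GUB.UY and host/CLIENT@IDM.FNR.GUB.UY.

```python
import re

# One krb5_child.log record (backtrace lines carry a leading "* "), e.g.
#   (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
LINE_RE = re.compile(r"^\*?\s*\((?P<ts>[\d: -]+)\): \[krb5_child\[\d+\]\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
KRB5_ERR_RE = re.compile(r"\d+: \[(?P<code>-\d+)\]\[(?P<text>[^\]]*)\]")  # "<src line>: [<krb5 code>][<text>]"
UPN_RE = re.compile(r"UPN \[([^\]]+)\]")
REALM_RE = re.compile(r"kinit for realm \[([^\]]+)\]")
WARN_MAX_LEVEL = 0x0080  # SSSD levels 0x0010..0x0080 are fatal/critical/serious/minor failures

def summarize(lines):
    """Group records by request id (RID) and report each login attempt's outcome."""
    attempts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rid, func, msg, level = m["rid"], m["func"], m["msg"], int(m["level"], 16)
        a = attempts.setdefault(rid, {"upn": None, "realm": None, "result": "unknown",
                                      "krb5_error": None, "warnings": []})
        if (u := UPN_RE.search(msg)):
            a["upn"] = u.group(1)
        if (r := REALM_RE.search(msg)):
            a["realm"] = r.group(1)
        if func == "validate_tgt" and "TGT verified" in msg:
            a["result"] = "ok"
        err = KRB5_ERR_RE.search(msg)
        if err:
            a["result"], a["krb5_error"] = "failed", (int(err["code"]), err["text"])
        elif level <= WARN_MAX_LEVEL and msg not in a["warnings"]:
            a["warnings"].append(msg)  # a message is logged once before the backtrace and once inside it
    return attempts

# Constructed sample modelled on the post's failing (RID#19) and succeeding (RID#21) attempts.
SAMPLE = """\
(2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
* (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [USER@SMB.FNR.GUB.UY]
* (2023-01-04 11:42:10): [krb5_child[4430]] [privileged_krb5_setup] (0x0080): [RID#19] Cannot open the PAC responder socket
* (2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt] (0x0400): [RID#19] Attempting kinit for realm [SMB.FNR.GUB.UY]
* (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
(2023-01-04 11:42:11): [krb5_child[4430]] [map_krb5_error] (0x0020): [RID#19] 1854: [-1765328353][Decrypt integrity check failed]
* (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [USER@SMB.FNR.GUB.UY]
* (2023-01-04 11:42:28): [krb5_child[4432]] [privileged_krb5_setup] (0x0080): [RID#21] Cannot open the PAC responder socket
* (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt] (0x0400): [RID#21] Attempting kinit for realm [SMB.FNR.GUB.UY]
* (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0400): [RID#21] TGT verified using key for [host/CLIENT@IDM.FNR.GUB.UY].
* (2023-01-04 11:42:29): [krb5_child[4432]] [sss_send_pac] (0x0080): [RID#21] failed to contact PAC responder
* (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [USER@SMB.FNR.GUB.UY] might not be correct.
"""

if __name__ == "__main__":
    for rid, a in summarize(SAMPLE.splitlines()).items():
        print(rid, a["upn"], a["realm"], a["result"], a["krb5_error"], a["warnings"])
```

Run it against the real file with `summarize(open("/var/log/sssd/krb5_child.log"))` to see how often each RID ends in -1765328353 versus a verified TGT, and whether the PAC responder messages appear in both cases.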
