We have an IPA-AD trust up and running. The IPA domain is
idm.fnr.gub.uy and the AD (Samba) domain is smb.fnr.gub.uy. Our users
belong to AD.

We have a couple of Ubuntu 22.04 IPA clients configured. On the first
one, all works like a charm, and AD users can log in without problems.
On the second one, AD users can log in sometimes, and sometimes not.
The log /var/log/sssd/krb5_child.log is completely empty in the first
case. In the second one, we have the following when a user cannot
log in:

(2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] krb5_child started.
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x1000): [RID#19] total buffer size: [134]
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x2000): [RID#19] No old ccache
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] ccname: [KEYRING:persistent:700000003] old_ccname: [not set] keytab: [/etc/krb5.keytab]
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_precreate_ccache] (0x4000): [RID#19] Recreating ccache
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_setup_fast] (0x0100): [RID#19] Fast principal is set to [host/[email protected]]
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [find_principal_in_keytab] (0x4000): [RID#19] Trying to find principal host/[email protected] in keytab.
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [match_principal] (0x1000): [RID#19] Principal matched to the sample (host/[email protected]).
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [check_fast_ccache] (0x0200): [RID#19] FAST TGT is still valid.
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [privileged_krb5_setup] (0x0080): [RID#19] Cannot open the PAC responder socket
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [become_user] (0x0200): [RID#19] Trying to become user [700000003][700000005].
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x2000): [RID#19] Running as [700000003][700000005].
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options] (0x0100): [RID#19] No specific renewable lifetime requested.
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options] (0x0100): [RID#19] No specific lifetime requested.
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [set_canonicalize_option] (0x0100): [RID#19] Canonicalization is set to [true]
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] Will perform auth
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] Will perform online auth
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [tgt_req_child] (0x1000): [RID#19] Attempting to get a TGT
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt] (0x0400): [RID#19] Attempting kinit for realm [SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:11): [krb5_child[4430]] [sss_krb5_responder] (0x4000): [RID#19] Got question [password].
   *  (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** BACKTRACE DUMP ENDS HERE *********************************

(2023-01-04 11:42:11): [krb5_child[4430]] [map_krb5_error] (0x0020): [RID#19] 1854: [-1765328353][Decrypt integrity check failed]

And the following when the same user is able to log in:

(2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [[email protected]] might not be correct.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] krb5_child started.
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x1000): [RID#21] total buffer size: [134]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x2000): [RID#21] No old ccache
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] ccname: [KEYRING:persistent:700000003] old_ccname: [not set] keytab: [/etc/krb5.keytab]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_precreate_ccache] (0x4000): [RID#21] Recreating ccache
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_setup_fast] (0x0100): [RID#21] Fast principal is set to [host/[email protected]]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [find_principal_in_keytab] (0x4000): [RID#21] Trying to find principal host/[email protected] in keytab.
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [match_principal] (0x1000): [RID#21] Principal matched to the sample (host/[email protected]).
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [check_fast_ccache] (0x0200): [RID#21] FAST TGT is still valid.
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [privileged_krb5_setup] (0x0080): [RID#21] Cannot open the PAC responder socket
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [become_user] (0x0200): [RID#21] Trying to become user [700000003][700000005].
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x2000): [RID#21] Running as [700000003][700000005].
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options] (0x0100): [RID#21] No specific renewable lifetime requested.
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options] (0x0100): [RID#21] No specific lifetime requested.
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [set_canonicalize_option] (0x0100): [RID#21] Canonicalization is set to [true]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] Will perform auth
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] Will perform online auth
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [tgt_req_child] (0x1000): [RID#21] Attempting to get a TGT
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt] (0x0400): [RID#21] Attempting kinit for realm [SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [sss_krb5_responder] (0x4000): [RID#21] Got question [password].
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [sss_krb5_expire_callback_func] (0x2000): [RID#21] exp_time: [10276087]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [validate_tgt] (0x2000): [RID#21] Keytab entry with the realm of the credential not found in keytab. Using the last entry.
   *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0400): [RID#21] TGT verified using key for [host/[email protected]].
   *  (2023-01-04 11:42:29): [krb5_child[4432]] [sss_send_pac] (0x0080): [RID#21] failed to contact PAC responder
   *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [[email protected]] might not be correct.
********************** BACKTRACE DUMP ENDS HERE *********************************

I have tried clearing all sssd caches (even removing
/var/lib/sss/db/*), restarting all the servers, uninstalling the IPA
client and configuring it again, etc. The behaviour is always the
same.

Any help is appreciated. Thanks very much,

tizo
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
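Added example, not from the original post and not SSSD code: a small Python triage script for krb5_child.log dumps like the two above. It re-joins entries that the mail client wrapped across lines, groups them by RID and records, per attempt, the UPN, the realm kinit was attempted against, the FAST armor principal, whether the PAC responder socket could be opened and the final krb5 result, so a failing and a succeeding attempt for the same user can be put side by side. The numeric code in the dump, -1765328353, is KRB5KRB_AP_ERR_BAD_INTEGRITY in the MIT krb5 error table; "Decrypt integrity check failed" is that code's message text. The embedded sample log is constructed in the post's wrapped format; the UPN jdoe@SMB.FNR.GUB.UY and the host principal host/ipaclient2.idm.fnr.gub.uy are made up, since the post redacts them.

```python
import re
from collections import defaultdict

# com_err "krb5" table: KRB5KDC_ERR_NONE is the base, each code is base + offset.
KRB5_ERR_BASE = -1765328384
KRB5_ERRORS = {
    KRB5_ERR_BASE + 24: "KRB5KDC_ERR_PREAUTH_FAILED",    # what a wrong password normally gives
    KRB5_ERR_BASE + 31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",  # "Decrypt integrity check failed"
    KRB5_ERR_BASE + 37: "KRB5KRB_AP_ERR_SKEW",
}

START_RE = re.compile(r"^(?:\*\s+)?\(\d{4}-\d{2}-\d{2} ")  # first line of a log entry
SKIP_RE = re.compile(r"^(?:\*{5,}|BACKTRACE:)")            # backtrace banner lines
ENTRY_RE = re.compile(
    r"^(?:\*\s+)?\((?P<ts>[^)]+)\):\s+\[krb5_child\[(?P<pid>\d+)\]\]\s+\[(?P<func>\w+)\]"
    r"\s+\((?P<lvl>0x[0-9a-fA-F]+)\):\s+\[RID#(?P<rid>\d+)\]\s+(?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"\[(-?\d+)\]\[([^\]]*)\]")        # krb5_child's "[code][text]" on failure


def krb5_error_name(code):
    return KRB5_ERRORS.get(code, "unknown krb5 error %d" % code)


def unwrap(text):
    """Re-join entries that a mail client wrapped across several lines."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SKIP_RE.match(line):
            continue
        if START_RE.match(line):
            joined.append(line)
        elif joined:                       # continuation of the previous entry
            joined[-1] += " " + line
    return joined


def summarize_requests(text):
    """One record per RID with the facts worth comparing across attempts."""
    reqs = {}
    for line in unwrap(text):
        e = ENTRY_RE.match(line)
        if not e:
            continue
        r = reqs.setdefault(e["rid"], {"upn": None, "realm": None, "fast_principal": None,
                                       "pac_responder": None, "outcome": "unknown", "error": None})
        func, msg = e["func"], e["msg"]
        if func == "unpack_buffer" and (m := re.search(r"UPN \[([^\]]+)\]", msg)):
            r["upn"] = m.group(1)
        elif func == "k5c_setup_fast" and (m := re.search(r"set to \[([^\]]+)\]", msg)):
            r["fast_principal"] = m.group(1)
        elif func == "privileged_krb5_setup" and "Cannot open the PAC responder socket" in msg:
            r["pac_responder"] = "unreachable"
        elif func == "get_and_save_tgt":
            if m := re.search(r"kinit for realm \[([^\]]+)\]", msg):
                r["realm"] = m.group(1)
            if m := ERRCODE_RE.search(msg):
                r["outcome"], r["error"] = "failed", krb5_error_name(int(m.group(1)))
        elif func == "validate_tgt" and "TGT verified using key for" in msg:
            r["outcome"] = "succeeded"
    return reqs


def intermittent_users(reqs):
    """UPNs that both failed and succeeded in the same log: a wrong password or an
    unknown user fails every time, so alternating results point at per-attempt differences."""
    seen = defaultdict(set)
    for r in reqs.values():
        if r["upn"]:
            seen[r["upn"]].add(r["outcome"])
    return sorted(u for u, o in seen.items() if {"failed", "succeeded"} <= o)


# Constructed sample in the wrapped form seen in the post; UPN and host principal are made up.
SAMPLE_LOG = """\
(2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020):
[RID#19] 1725: [-1765328353][Decrypt integrity check failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer]
(0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005]
validate [true] enterprise principal [false] offline [false] UPN
[jdoe@SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_setup_fast]
(0x0100): [RID#19] Fast principal is set to
[host/ipaclient2.idm.fnr.gub.uy@IDM.FNR.GUB.UY]
   *  (2023-01-04 11:42:10): [krb5_child[4430]]
[privileged_krb5_setup] (0x0080): [RID#19] Cannot open the PAC
responder socket
   *  (2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt]
(0x0400): [RID#19] Attempting kinit for realm [SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer]
(0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005]
validate [true] enterprise principal [false] offline [false] UPN
[jdoe@SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt]
(0x0400): [RID#21] Attempting kinit for realm [SMB.FNR.GUB.UY]
   *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt]
(0x0400): [RID#21] TGT verified using key for
[host/ipaclient2.idm.fnr.gub.uy@IDM.FNR.GUB.UY].
"""

if __name__ == "__main__":
    reqs = summarize_requests(SAMPLE_LOG)
    for rid, r in reqs.items():
        print("RID#%s %-9s upn=%s realm=%s fast=%s pac=%s err=%s" % (rid, r["outcome"],
              r["upn"], r["realm"], r["fast_principal"], r["pac_responder"], r["error"]))
    print("intermittent:", intermittent_users(reqs))
```

To run it against the real file, read /var/log/sssd/krb5_child.log into a string and pass that to summarize_requests instead of SAMPLE_LOG. What the per-RID records cannot tell you is which KDC answered each attempt, because krb5_child.log does not record it; running kinit by hand for the AD user with KRB5_TRACE=/dev/stderr set shows the KDC address each request went to, which is the next thing to compare between a failing and a succeeding attempt.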
