On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: >> Hi there, >> >> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup >> (described here: >> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able >> to autenticate AIX 7.1 clients against an AD domain using LDAP. After the >> trust was created all seems to work well on the freeIPA server. I can also >> do a lookup of AD users and groups on an AIX test server. >> >> But as soon as I want to log in on the AIX system I get an SSSD error on the >> freeIPA server in krb5_child.log (debug_level = 10): >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590260: AS key >> obtained for encrypted timestamp: aes256-cts/2F5D >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590326: Encrypted >> timestamp (for 1426778442.525165): plain >> 301AA011180F32303135303331393135323034325AA105020308036D, encrypted >> 9B3299264F09E50D63D84B385A09A4C64D44116A02B58FFF12830B39F88722CD9B792F5ABA0653578DE9138B91D29C17C197453D8B8A5E7A >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590349: Preauth >> module encrypted_timestamp (2) (flags=1) returned: 0/Success >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590360: Produced >> preauth for next request: 2 >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590384: Sending >> request (238 bytes) to EXAMPLE.CORP >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.591325: Resolving >> hostname dct020.example.corp. >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.591889: Sending >> initial UDP request to dgram 192.168.143.1:88 >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636127: Received >> answer from dgram 192.168.143.1:88 >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636626: Response was >> not from master KDC >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636667: Received >> error from KDC: -1765328360/Preauthentication failed >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636698: Preauth >> tryagain input types: 16, 14, 19, 2 >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636728: Retrying AS >> request with master KDC >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636741: Getting >> initial credentials for [email protected] >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] >> [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636787: Sending >> request (160 bytes) to EXAMPLE.CORP (master) >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [get_and_save_tgt] >> (0x0020): 979: [-1765328360][Preauthentication failed] >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [map_krb5_error] >> (0x0020): 1040: [-1765328360][Preauthentication failed] >> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [k5c_send_data] >> (0x0200): Received error code 1432158214 >> >> If I do the same with 'KRB5_TRACE=/dev/stderr kinit [email protected]': > >Can you test if kinit -C -E makes any difference?
KRB5_TRACE=/dev/stderr kinit -C -E [email protected] output: [12994] 1426781014.22372: Resolving unique ccache of type KEYRING [12994] 1426781014.22420: Getting initial credentials for BPrins\@[email protected] [12994] 1426781014.24809: Sending request (182 bytes) to UNIX.EXAMPLE.CORP [12994] 1426781014.25036: Sending initial UDP request to dgram 192.168.140.133:88 [12994] 1426781014.26345: Received answer from dgram 192.168.140.133:88 [12994] 1426781014.26381: Response was from master KDC [12994] 1426781014.26402: Received error from KDC: -1765328378/Client not found in Kerberos database kinit: Client 'BPrins\@[email protected]' not found in Kerberos database while getting initial credentials > >> [12299] 1426773524.361785: AS key obtained for encrypted timestamp: >> aes256-cts/B997 >> [12299] 1426773524.361850: Encrypted timestamp (for 1426773524.277583): >> plain 301AA011180F32303135303331393133353834345AA1050203043C4F, encrypted >> ED9CF995617740C4B14DB9CC84187E3505B664FE5C0AD16D19477E912F5400FB2C4665A090E3A37CD749535B3C80595809E14D15CB3527C0 >> [12299] 1426773524.361876: Preauth module encrypted_timestamp (2) (flags=1) >> returned: 0/Success >> [12299] 1426773524.361880: Produced preauth for next request: 2 >> [12299] 1426773524.361901: Sending request (238 bytes) to EXAMPLE.CORP >> [12299] 1426773524.363002: Resolving hostname dct020.EXAMPLE.corp. >> [12299] 1426773524.363841: Sending initial UDP request to dgram >> 192.168.141.1:88 >> [12299] 1426773524.368089: Received answer from dgram 192.168.141.1:88 >> [12299] 1426773524.368482: Response was not from master KDC >> [12299] 1426773524.368500: Received error from KDC: -1765328332/Response too >> big for UDP, retry with TCP >> [12299] 1426773524.368506: Request or response is too big for UDP; retrying >> with TCP >> [12299] 1426773524.368511: Sending request (238 bytes) to EXAMPLE.CORP (tcp >> only) >> [12299] 1426773524.368953: Resolving hostname dct030.EXAMPLE.corp. >> [12299] 1426773524.370056: Initiating TCP connection to stream >> 192.168.143.5:88 >> [12299] 1426773524.375140: Sending TCP request to stream 192.168.143.5:88 >> [12299] 1426773524.383801: Received answer from stream 192.168.143.5:88 > >I see the KDCs were different, can you also test against the KDC that >SSSD autodiscovered? Just tried it a couple of times again and against the same KDC kinit works, SSSD not. > >> [12299] 1426773524.384237: Response was not from master KDC >> [12299] 1426773524.384263: Processing preauth types: 19 >> [12299] 1426773524.384271: Selected etype info: etype aes256-cts, salt >> "EXAMPLE.CORPBPrins", params "" >> [12299] 1426773524.384275: Produced preauth for next request: (empty) >> [12299] 1426773524.384282: AS key determined by preauth: aes256-cts/B997 >> [12299] 1426773524.384329: Decrypted AS reply; session key is: rc4-hmac/39AB >> [12299] 1426773524.384333: FAST negotiation: unavailable >> [12299] 1426773524.384357: Initializing >> KEYRING:persistent:0:krb_ccache_rhX3V4v with default princ >> [email protected] >> [12299] 1426773524.384400: Removing [email protected] -> >> krbtgt/[email protected] from KEYRING:persistent:0:krb_ccache_rhX3V4v >> [12299] 1426773524.384407: Storing [email protected] -> >> krbtgt/[email protected] in KEYRING:persistent:0:krb_ccache_rhX3V4v >> [12299] 1426773524.384469: Storing config in >> KEYRING:persistent:0:krb_ccache_rhX3V4v for >> krbtgt/[email protected]: pa_type: 2 >> [12299] 1426773524.384484: Removing [email protected] -> >> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.CORP\@EXAMPLE.CORP@X-CACHECONF: >> from KEYRING:persistent:0:krb_ccache_rhX3V4v >> [12299] 1426773524.384492: Storing [email protected] -> >> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.CORP\@EXAMPLE.CORP@X-CACHECONF: >> in KEYRING:persistent:0:krb_ccache_rhX3V4v >> >> Any ideas? >> >> Thanks, >> >> Bobby >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
