New IPA install of Fedora 23 with FreeIPA 4.2.3. Client is Ubuntu Desktop 15.10 (nuc) with IPA client 4.1.4.
ipa-client-install was successful. Host object created, DNS updated, etc. I am not able to log into the Ubuntu client with any user aside from Admin. I get inconsistent password prompting behavior. It doesn't always prompt. Most of the time, it just gives the client not found message. kinit works with all users on the IPA server directly.

root@nuc0:/var/lib/sss# kinit admin
Password for [email protected]:
root@nuc0:/var/lib/sss# kinit jon
kinit: Client '[email protected]' not found in Kerberos database while getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
Password for [email protected]:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password change failed while getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
kinit: Client '[email protected]' not found in Kerberos database while getting initial credentials
root@nuc0:/var/lib/sss#

I am able to do GSSAPI auth from the client.

/usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b "dc=mrjester,dc=net" cn

Some various messages I see that stand out as possibly related.

SSSD debug level 8

[parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Decrypt integrity check failed], expired on [0]
[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=*]
[sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing request domain from [mrjester.net] to [mrjester.net]
[sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
[sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=mrjester,dc=net]
[sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mrjester,dc=net].
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace: sh[0x1b6d100], connected[1], ops[0x1b6e810], ldap[0x1b7a970]
[sssd[be[mrjester.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
[sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
[sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=\2a))
[sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): No such entry
[sssd[be[mrjester.net]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
[sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
[sssd[be[mrjester.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
[sssd[be[mrjester.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace: sh[0x1b6d100], connected[1], ops[(nil)], ldap[0x1b7a970]
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

What additional information can I provide or things I can try?

Thanks
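
Added example, not part of the original post: a small triage script for SSSD backend debug output like the log above, which splits run-together records and pulls out the failure-level and TGT-related entries. The level names follow the debug_level bitmask in sssd.conf(5); the helper names are hypothetical and SAMPLE is an excerpt of lines from this post.

```python
import re

# SSSD debug_level bitmask values (sssd.conf(5)); lower value = more severe.
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious failure",
          0x0080: "minor failure", 0x0100: "config", 0x0200: "function data",
          0x0400: "trace (operation functions)",
          0x1000: "trace (internal control)", 0x2000: "internal variables"}

# One record: [sssd[be[DOMAIN]]] [FUNCTION] (0xLEVEL): MESSAGE
# The message runs until the next record prefix, so bracketed text such as
# "[Decrypt integrity check failed]" stays inside it.
RECORD = re.compile(
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+\[(?P<func>\w+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]{4})\):\s*(?P<msg>.*?)(?=\s*\[sssd\[|\Z)",
    re.S)

def parse(text):
    """Split a log (one record per line, or run together) into dicts."""
    return [{"domain": m["domain"], "func": m["func"],
             "level": int(m["level"], 16), "msg": m["msg"].strip()}
            for m in RECORD.finditer(text)]

def failures(records, threshold=0x0080):
    """Records logged at 'minor failure' severity or worse."""
    return [r for r in records if r["level"] <= threshold]

def kerberos_errors(records):
    """Messages from the TGT acquisition functions seen in the post."""
    return [r["msg"] for r in records
            if "kinit" in r["func"] or "tgt" in r["func"]]

# Excerpt of the log lines in this post, run together as in the archive.
SAMPLE = (
    "[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 "
    "[Decrypt integrity check failed], expired on [0] "
    "[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address] "
    "[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: "
    "ret [1432158219](Authentication Failed) "
    "[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port 389 of "
    "server 'dir0.mrjester.net' as 'not working' "
    "[sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results. "
    "[sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to retrieve users "
    "[sssd[be[mrjester.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request")

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for r in failures(recs):
        print(f"{LEVELS[r['level']]:>16}  {r['func']}: {r['msg']}")
    for msg in kerberos_errors(recs):
        print("TGT path:", msg)
```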
