On Tue, Feb 23, 2016 at 01:32:11PM -0500, Jester wrote:
> New IPA install of Fedora 23 with FreeIPA 4.2.3. Client is Ubuntu
> Desktop 15.10 (nuc) with IPA client 4.1.4.
>
> ipa-client-install was successful. Host object created, DNS updated, etc.
>
> I am not able to log into the Ubuntu client with any user aside from
> Admin. I get inconsistent password prompting behavior. It doesn't
> always prompt. Most of the time, it just gives the client not found
> message. kinit works with all users on the IPA server directly.
>
> root@nuc0:/var/lib/sss# kinit admin
> Password for [email protected]:
> root@nuc0:/var/lib/sss# kinit jon
> kinit: Client '[email protected]' not found in Kerberos database while
> getting initial credentials
> root@nuc0:/var/lib/sss# kinit jon-test
> Password for [email protected]:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password change failed while getting initial credentials
> root@nuc0:/var/lib/sss# kinit jon-test
> kinit: Client '[email protected]' not found in Kerberos database
> while getting initial credentials
> root@nuc0:/var/lib/sss#
>
> I am able to do GSSAPI auth from the client.
>
> /usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b
> "dc=mrjester,dc=net" cn
>
> Some various messages I see that stand out as possibly related. SSSD
> debug level 8
>
> [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
>
>
> [sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child
> responded: 14 [Decrypt integrity check failed], expired on [0]
Please look into ldap_child with high debug level; it looks like sssd has some issues authenticating to the directory.

> [sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
> TGT: 14 [Bad address]
> [sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a
> TGT: ret [1432158219](Authentication Failed)
> [sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port
> 389 of server 'dir0.mrjester.net' as 'not working'
> [sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port
> 389 of duplicate server 'dir0.mrjester.net' as 'not working'
>
>
> [sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a
> sysbus message, quit
> [sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request
> for [0x1001][1][name=*]
> [sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing
> request domain from [mrjester.net] to [mrjester.net]
> [sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
> (0x0080): Could not parse domain SID from [(null)]
> [sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400):
> Searching for users with base [cn=accounts,dc=mrjester,dc=net]
> [sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling
> ldap_search_ext with
> [(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mrjester,dc=net].

Do you use enumerate=true?
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [objectClass]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [uid]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [userPassword]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [uidNumber]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [gidNumber]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [gecos]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [homeDirectory]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginShell]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [krbPrincipalName]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [cn]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [memberOf]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaUniqueID]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaNTSecurityIdentifier]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [modifyTimestamp]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [entryUSN]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowLastChange]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowMin]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowMax]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowWarning]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowInactive]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowExpire]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowFlag]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [krbLastPwdChange]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [krbPasswordExpiration]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [pwdAttribute]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [authorizedService]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [accountExpires]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [userAccountControl]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [nsAccountLock]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [host]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginDisabled]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginExpirationTime]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginAllowedTimeMap]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaSshPubKey]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaUserAuthType]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x2000):
> ldap_search_ext called, msgid = 12
> [sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
> sh[0x1b6d100], connected[1], ops[0x1b6e810], ldap[0x1b7a970]
> [sssd[be[mrjester.net]]] [sdap_get_generic_op_finished] (0x0400):
> Search result: Success(0), no errmsg set
> [sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search
> for users, returned 0 results.
> [sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to
> retrieve users
> [sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
> [sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): Search groups
> with filter: (&(objectclass=group)(ghost=\2a))
> [sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): No such entry
> [sssd[be[mrjester.net]]] [sysdb_delete_user] (0x0400): Error: 2 (No
> such file or directory)
> [sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
> [sssd[be[mrjester.net]]] [ipa_id_get_account_info_orig_done] (0x0080):
> Object not found, ending request
> [sssd[be[mrjester.net]]] [acctinfo_callback] (0x0100): Request
> processed. Returned 3,0,Account info lookup failed
> [sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
> sh[0x1b6d100], connected[1], ops[(nil)], ldap[0x1b7a970]
> [sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
> ldap_result found nothing!
>
>
>
> What additional information can I provide or things I can try?
>
> Thanks
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
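The reply points at two things in the quoted debug output: the ldap_child TGT failure that precedes port 389 being marked 'not working', and the name=* request whose search filter ends up as (uid=\2a). As an added example that is not part of the thread and not SSSD's own code, here is a small Python triage script that parses lines in SSSD's "[sssd[be[domain]]] [function] (0xLEVEL): message" format, flags those signatures, and explains the filter: RFC 4515 escapes a literal asterisk as \2a, so (uid=\2a) can only match an entry whose uid is the one-character string "*", whereas a bare (uid=*) is a presence test. The sample input is a constructed copy of the lines quoted above, unwrapped onto one line each; the signature labels, the Finding type and the verdict wording are this example's own.

```python
"""Triage SSSD backend (be) debug lines for the TGT / failover / search chain
seen in the thread above.  Added example, not SSSD code."""
import re
from dataclasses import dataclass

# Constructed sample: the debug_level=8 lines quoted in the thread, unwrapped
# onto one line each (the mailing list wrapped them).  Not a fresh capture.
SAMPLE_LOG = r"""
[parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Decrypt integrity check failed], expired on [0]
[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=*]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mrjester,dc=net].
[sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
"""

# One SSSD debug line: optional "[sssd[be[domain]]] " prefix, the logging
# function in brackets, the debug-level bitmask, then the message.
LINE_RE = re.compile(
    r"^(?:\[sssd\[(?P<proc>.+?)\]\] )?\[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Signature labels are this example's own, not SSSD terminology.
SIGNATURES = [
    ("tgt_decrypt_failed", re.compile(r"Child responded: \d+ \[Decrypt integrity check failed\]")),
    ("tgt_failed", re.compile(r"(?:Could not|Cannot) get (?:a )?TGT")),
    ("server_marked_down", re.compile(
        r"Marking port (?P<port>\d+) of (?:duplicate )?server '(?P<host>[^']+)' as 'not working'")),
    ("wildcard_name_request", re.compile(r"Got request for \[0x[0-9a-fA-F]+\]\[\d+\]\[name=\*\]")),
    ("ldap_search", re.compile(r"calling ldap_search_ext with \[(?P<filter>.+)\]\[(?P<base>[^\]]+)\]\.?$")),
    ("empty_search", re.compile(r"returned 0 results")),
]

# "(attr=\2a)" asserts the attribute equals the one-character string "*":
# RFC 4515 escapes a literal asterisk as \2a; a bare "*" would be a wildcard.
LITERAL_STAR_RE = re.compile(r"\((?P<attr>[\w.;-]+)=\\(?P<hex>2[aA])\)")


@dataclass
class Finding:
    func: str    # SSSD function that logged the line
    kind: str    # signature label
    detail: str  # matched text (the LDAP filter for ldap_search)


def parse_line(line):
    """Return (proc, func, level, msg), or None if this is not an SSSD debug line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["proc"], m["func"], int(m["level"], 16), m["msg"]


def triage(log_text):
    parsed, findings, servers_down, literal_star = 0, [], set(), []
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields is None:
            continue
        parsed += 1
        _proc, func, _level, msg = fields
        for kind, sig in SIGNATURES:
            s = sig.search(msg)
            if s is None:
                continue
            detail = s.group(0)
            if kind == "server_marked_down":
                servers_down.add((s["host"], int(s["port"])))
            elif kind == "ldap_search":
                detail = s["filter"]
                for lit in LITERAL_STAR_RE.finditer(detail):
                    literal_star.append((lit["attr"], chr(int(lit["hex"], 16))))
            findings.append(Finding(func, kind, detail))
    kinds = [f.kind for f in findings]
    verdict = []
    if "tgt_decrypt_failed" in kinds:
        verdict.append("ldap_child could not get a TGT: the KDC reply failed its integrity "
                       "check, which for a keytab-based AS-REQ usually means the host keytab "
                       "and the KDC disagree on the key; see /var/log/sssd/ldap_child.log")
    if servers_down:
        verdict.append("LDAP server(s) marked 'not working' after the failed bind: "
                       + ", ".join(f"{h}:{p}" for h, p in sorted(servers_down)))
    for attr, value in literal_star:
        verdict.append(f"filter asserts {attr} equal to the literal {value!r} (escaped as "
                       f"\\2a), which no real account matches; its 0 results say nothing "
                       "about real users")
    return {"parsed": parsed, "kinds": kinds, "servers_down": sorted(servers_down),
            "literal_star_assertions": literal_star, "verdict": verdict}


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["verdict"]:
        print("-", line)
```

Feed it the backend log (the domain's sssd_<domain>.log) after raising debug_level in the [domain/...] section of sssd.conf, which also raises the level for the ldap_child and krb5_child helpers it spawns; the ldap_child side the reply asks about lands in /var/log/sssd/ldap_child.log.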
