On Wed, Nov 16, 2016 at 03:06:34PM +0100, rajat gupta wrote:
> Hi sumit,
>
> you mean to say these?
>
> ]# grep pam_winbind /etc/pam.d/password-auth
> auth sufficient pam_winbind.so use_first_pass
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> password sufficient pam_winbind.so use_authtok
> session optional pam_winbind.so

yes, in general pam_winbind is not needed on IPA clients, is there a
reason why you added it?

Btw, please try to reply to the thread, otherwise it is hard to find
your replies.

bye,
Sumit

>
>
> On Wed, Nov 16, 2016 at 2:32 PM, <[email protected]> wrote:
>
> > Send Freeipa-users mailing list submissions to
> > [email protected]
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > or, via email, send a message with subject or body 'help' to
> > [email protected]
> >
> > You can reach the person managing the list at
> > [email protected]
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Freeipa-users digest..."
> >
> >
> > Today's Topics:
> >
> >    1. minimise impact compromised host (Stijn De Weirdt)
> >    2. Re: pam_winbind(sshd:auth): pam_get_item returned a password
> >       (Sumit Bose)
> >    3. Re: Freeipa-users Digest, Vol 100, Issue 48 (rajat gupta)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Wed, 16 Nov 2016 14:01:09 +0100
> > From: Stijn De Weirdt <[email protected]>
> > To: [email protected]
> > Subject: [Freeipa-users] minimise impact compromised host
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset=utf-8
> >
> > hi all,
> >
> > we are looking how to configure whatever relevant policy to minimise the
> > impact of compromised IPA hosts (ie servers with a valid host keytab).
> >
> > in particular, it looks like it is possible to retrieve any user token once
> > you have access to a valid host keytab.
> >
> > we're aware that the default IPA policies are wide open, but we are
> > looking how to limit this. for us, there's no need that a hostkeytab can
> > retrieve tokens for anything except the services on that host.
> >
> >
> > stijn
> >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Wed, 16 Nov 2016 14:25:00 +0100
> > From: Sumit Bose <[email protected]>
> > To: [email protected]
> > Subject: Re: [Freeipa-users] pam_winbind(sshd:auth): pam_get_item
> >         returned a password
> > Message-ID:
> >         <[email protected]_W_724V_Typ_A_05011603_00_009>
> > Content-Type: text/plain; charset=us-ascii
> >
> > On Wed, Nov 16, 2016 at 01:01:59PM +0100, Sumit Bose wrote:
> > > On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote:
> > > > I am using FreeIPA version 4.4.0 Active Directory trust setup. And on
> > > > Active Directory side I am using UPN suffix.
> > > > Following are my domain setup.
> > > >
> > > > AD DOMAIN :- corp.addomain.com
> > > > UPN suffix :- [email protected]
> > > > IPA DOMAIN :- ipa.ipadomain.local
> > > > IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local
> > >
> > > When you call 'ipa trust-find' on the IPA server do you see the
> > > mydomain.com UPN suffix listed, like e.g.:
> > >
> > > # ipa trust-find
> > > ---------------
> > > 1 trust matched
> > > ---------------
> > >   Realm-Name: ad.devel
> > >   Domain NetBIOS name: AD
> > >   Domain Security Identifier: S-1-5-21-3692237560-1981608775-3610128199
> > >   Trust type: Active Directory domain
> > >   UPN suffixes: alt.alt, alt.upn.suffix
> > >
> > > SSSD 1.14 and above on the IPA client should enable enterprise principal
> > > support automatically if UPN suffixes are found on the server but
> > > according to
> > >
> > > (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
> > >
> > > it is not. If the UPN suffixes are not known on the server, calling 'ipa
> > > trust-fetch-domains' might help to get them.
> > > If there are still no UPN suffixes available on the server you can
> > > switch on enterprise principal on the client manually by adding
> > > 'krb5_use_enterprise_principal = True' in the [domain/...] section of
> > > sssd.conf. You have to set it manually as well if you are using
> > > older versions of SSSD.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > >
> > > > I am able to login with AD user on IPA server. But on IPA client i am not
> > > > able to login i am getting the login message "Access denied". I have
> > > > enabled the debug_level on sssd.conf on ipa client.
> > > >
> > > > below are some logs..
> > > > ================
> > > > /var/log/secure
> > > >
> > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989
> > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for user e600336: 6 (Permission denied)
> > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting password (0x00000010)
> >
> > By the way, why do you have pam_winbind in the PAM configuration?
> >
> > bye,
> > Sumit
> >
> > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): pam_get_item returned a password
> > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
> > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for e600336 from x.x.x.x. port 48842 ssh2
> > > > ================
> > > >
> > > > ================
> > > > krb5_child.log
> > > >
> > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data] (0x4000): Response sent.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child completed successfully
> > > >
> > > > =======================
> > > > Can you please help me to fix this,
> > > >
> > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Wed, 16 Nov 2016 14:31:52 +0100
> > From: rajat gupta <[email protected]>
> > To: [email protected]
> > Subject: Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48
> > Message-ID:
> >         <CAA=996GRhtGZnX1Oapgtt1kz_WiNjQNwW0kk0kvMvz_j4OJ1vg@mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Thanks, It is working for a few users but not for everyone. I have cleared
> > the sssd cache as well.
> > =====================
> > /var/log/secure
> >
> > Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.213.0.134 user=kb1980
> > Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_sss(sshd:auth): received for user kb1980: 6 (Permission denied)
> > Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_winbind(sshd:auth): getting password (0x00000010)
> > Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_winbind(sshd:auth): pam_get_item returned a password
> > Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'kb1980')
> > Nov 16 14:06:39 ipa-clinet1 sshd[6852]: Failed password for kb1980 from 146.213.0.134 port 51114 ssh2
> > Nov 16 14:06:48 ipa-clinet1 sshd[6852]: Connection closed by 146.213.0.134 [preauth]
> > Nov 16 14:07:07 ipa-clinet1 sshd[3677]: pam_unix(sshd:session): session closed for user kb1980
> >
> > ========================
> > krb5_child.log
> >
> > (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [main] (0x0400): krb5_child started.
> > (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [unpack_buffer] (0x1000): total buffer size: [54]
> > (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [unpack_buffer] (0x0100): cmd [249] uid [1007628631] gid [1007628631] validate [true] enterprise principal [false] offline [true] UPN [karan.b@MYDOMAIN COM]
> > (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [become_user] (0x0200): Trying to become user [1007628631][1007628631].
> > (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [main] (0x2000): Running as [1007628631][1007628631].
> > (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [become_user] (0x0200): Trying to become user [1007628631][1007628631].
> > (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [become_user] (0x0200): Already user [1007628631].
> > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [main] (0x2000): > > Running as [1007628631][1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [become_user] > > (0x0200): Trying to become user [1007628631][1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [become_user] > > (0x0200): Already user [1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [k5c_setup] (0x2000): > > Running as [1007628631][1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] > > from environment. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > > environment. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [main] (0x0400): Will > > perform pre-auth > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [tgt_req_child] > > (0x1000): Attempting to get a TGT > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [get_and_save_tgt] > > (0x0400): Attempting kinit for realm [MYDOMAIN COM] > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [sss_child_krb5_trace_cb] (0x4000): [6881] 1479301599.494908: Getting > > initial credentials for karan.b@MYDOMAIN COM > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [sss_child_krb5_trace_cb] (0x4000): [6881] 1479301599.496903: Sending > > request (167 bytes) to MYDOMAIN COM > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [sss_child_krb5_trace_cb] (0x4000): [6881] 1479301599.497962: Retrying AS > > request with master KDC > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [sss_child_krb5_trace_cb] (0x4000): [6881] 1479301599.497985: Getting > > initial credentials for karan.b@MYDOMAIN COM > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [sss_child_krb5_trace_cb] (0x4000): [6881] 1479301599.498026: Sending > > request (167 bytes) to 
MYDOMAIN COM (master) > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [get_and_save_tgt] > > (0x0400): krb5_get_init_creds_password returned [-1765328230} during > > pre-auth. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [k5c_send_data] > > (0x0200): Received error code 0 > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] > > [pack_response_packet] (0x2000): response packet size: [4] > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [k5c_send_data] > > (0x4000): Response sent. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [main] (0x0400): > > krb5_child completed successfully > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [main] (0x0400): > > krb5_child started. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [unpack_buffer] > > (0x1000): total buffer size: [159] > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [unpack_buffer] > > (0x0100): cmd [241] uid [1007628631] gid [1007628631] validate [true] > > enterprise principal [false] offline [true] UPN [karan.b@MYDOMAIN COM] > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [unpack_buffer] > > (0x0100): ccname: [KEYRING:persistent:1007628631] old_ccname: > > [KEYRING:persistent:1007628631] keytab: [/etc/krb5.keytab] > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [switch_creds] > > (0x0200): Switch user to [1007628631][1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] > > [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [switch_creds] > > (0x0200): Switch user to [0][0]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] > > [k5c_check_old_ccache] (0x4000): Ccache_file is > > [KEYRING:persistent:1007628631] and is not active and TGT is valid. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [become_user] > > (0x0200): Trying to become user [1007628631][1007628631]. 
> > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [main] (0x2000): > > Running as [1007628631][1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [become_user] > > (0x0200): Trying to become user [1007628631][1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [become_user] > > (0x0200): Already user [1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [k5c_setup] (0x2000): > > Running as [1007628631][1007628631]. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] > > from environment. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > > environment. > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [main] (0x0400): Will > > perform offline auth > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [create_empty_ccache] > > (0x1000): Existing ccache still valid, reusing > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [k5c_send_data] > > (0x0200): Received error code 0 > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] > > [pack_response_packet] (0x2000): response packet size: [53] > > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [k5c_send_data] > > (0x4000): Response sent. 
> > (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [main] (0x0400):
> > krb5_child completed successfully
> >
> > On Wed, Nov 16, 2016 at 1:02 PM, <[email protected]> wrote:
> >
> > > Today's Topics:
> > >
> > > 1. Client x.x.xx - RFC 1918 response from Internet in
> > > /var/log/messages (Bjarne Blichfeldt)
> > > 2. Re: pam_winbind(sshd:auth): pam_get_item returned a password
> > > (Sumit Bose)
> > >
> > > ----------------------------------------------------------------------
> > >
> > > Message: 1
> > > Date: Wed, 16 Nov 2016 11:56:05 +0000
> > > From: Bjarne Blichfeldt <[email protected]>
> > > To: "[email protected]" <[email protected]>
> > > Subject: [Freeipa-users] Client x.x.xx - RFC 1918 response from
> > > Internet in /var/log/messages
> > > Message-ID:
> > > <[email protected].
> > > corp.jndata.net>
> > >
> > > Content-Type: text/plain; charset="us-ascii"
> > >
> > > Just updated a couple of free-ipa servers to:
> > > ipa-server-dns-4.4.0-12.el7.noarch
> > > redhat-release-server-7.3-7.el7.x86_64
> > >
> > > Before the update, I resolved the issue with RFC messages by:
> > > /etc/named.conf:
> > > options {
> > > disable-empty-zone "10.in-addr.arpa.";
> > > :
> > >
> > > Now after the update the RFC messages have returned. I read in the
> > > changelog for 4.4 that this issue was resolved.
> > > What did I miss?
> > >
> > > Kind regards
> > >
> > > Bjarne Blichfeldt
> > > Infrastructure Services
> > >
> > > Direct +4563636119
> > > Mobile +4521593270
> > > [email protected]
> > >
> > > JN Data A/S * Havsteensvej 4 * 4000 Roskilde
> > > Phone 63 63 63 63/ Fax 63 63 63 64
> > > www.jndata.dk
> > >
> > > ------------------------------
> > >
> > > Message: 2
> > > Date: Wed, 16 Nov 2016 13:01:59 +0100
> > > From: Sumit Bose <[email protected]>
> > > To: [email protected]
> > > Subject: Re: [Freeipa-users] pam_winbind(sshd:auth): pam_get_item
> > > returned a password
> > > Message-ID:
> > > <[email protected]_W_724V_Typ_A_
> > 05011603_00_009>
> > > Content-Type: text/plain; charset=us-ascii
> > >
> > > On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote:
> > > > I am using FreeIPA version 4.4.0 Active Directory trust setup. And on
> > > > Active Directory side I am using UPN suffix.
> > > > Following are my domain setup.
> > > >
> > > > AD DOMAIN :- corp.addomain.com
> > > > UPN suffix :- [email protected]
> > > > IPA DOMAIN :- ipa.ipadomain.local
> > > > IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local
> > >
> > > When you call 'ipa trust-find' on the IPA server do you see the
> > > mydomain.com UPN suffix listed, like e.g.:
> > >
> > > # ipa trust-find
> > > ---------------
> > > 1 trust matched
> > > ---------------
> > > Realm-Name: ad.devel
> > > Domain NetBIOS name: AD
> > > Domain Security Identifier: S-1-5-21-3692237560-1981608775-3610128199
> > > Trust type: Active Directory domain
> > > UPN suffixes: alt.alt, alt.upn.suffix
> > >
> > > SSSD 1.14 and above on the IPA client should enable enterprise principal
> > > support automatically if UPN suffixes are found on the server but
> > > according to
> > >
> > > (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
> > > enterprise principal [false] offline [false] UPN [[email protected]]
> > >
> > > it is not. If the UPN suffixes are not known on the server, calling 'ipa
> > > trust-fetch-domains' might help to get them. If there are still no UPN
> > > suffixes available on the server you can switch on enterprise principal
> > > on the client manually by adding 'krb5_use_enterprise_principal = True'
> > > in the [domain/...] section of sssd.conf. You have to set it manually as
> > > well if you are using older versions of SSSD.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > > I am able to login with AD user on IPA server. But on IPA client I am not
> > > > able to login, I am getting the login message "Access denied". I have
> > > > enabled the debug_level on sssd.conf on IPA client.
> > > >
> > > > below are some logs..
> > > > ================ > > > > /var/log/secure > > > > > > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): > > > authentication > > > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989 > > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received > > for > > > > user e600336: 6 (Permission denied) > > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting > > > > password (0x00000010) > > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): > > > > pam_get_item returned a password > > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): > > internal > > > > module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989') > > > > Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for e600336 > > from > > > > x.x.x.x. port 48842 ssh2 > > > > ================ > > > > > > > > ================ > > > > krb5_child.log > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data] > > > > (0x4000): Response sent. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400): > > > > krb5_child completed successfully > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): > > > > krb5_child started. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] > > > > (0x1000): total buffer size: [159] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] > > > > (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] > > > > enterprise principal [false] offline [false] UPN [ > > > [email protected]] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] > > > > (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: > > > > [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] > > > > (0x0200): Switch user to [1007656917][1007656917]. 
> > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] > > > > (0x0200): Switch user to [0][0]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [k5c_check_old_ccache] (0x4000): Ccache_file is > > > > [KEYRING:persistent:1007656917] and is not active and TGT is valid. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [k5c_precreate_ccache] (0x4000): Recreating ccache > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast] > > > > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to > > > > [host/[email protected]] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [find_principal_in_keytab] (0x4000): Trying to find principal > > > > host/[email protected] in keytab. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal] > > > > (0x1000): Principal matched to the sample > > > > (host/[email protected]). > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > [check_fast_ccache] > > > > (0x0200): FAST TGT is still valid. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user] > > > > (0x0200): Trying to become user [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000): > > > > Running as [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup] > > > (0x2000): > > > > Running as [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [set_lifetime_options] (0x0100): Cannot read > > > [SSSD_KRB5_RENEWABLE_LIFETIME] > > > > from environment. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > > > > environment. 
> > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to > > > [true] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): > > > Will > > > > perform online auth > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [tgt_req_child] > > > > (0x1000): Attempting to get a TGT > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > [get_and_save_tgt] > > > > (0x0400): Attempting kinit for realm [MYDOMAIN.COM] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting > > > > initial credentials for [email protected] > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST > > armor > > > > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418698: > > Retrieving > > > > host/[email protected] -> > > > > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > > > > \@MYDOMAIN.COM@X-CACHECONF: from > > > > MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > > > > -1765328243/Matching credential not found > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418756: Sending > > > > request (164 bytes) to MYDOMAIN.COM > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419718: Retrying > > AS > > > > request with master KDC > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419752: Getting > > > > initial credentials for [email protected] > > > > > > > > (Wed Nov 16 09:09:24 2016) 
[[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419778: FAST > > armor > > > > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419821: > > Retrieving > > > > host/[email protected] -> > > > > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > > > > \@MYDOMAIN.COM@X-CACHECONF: from > > > > MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > > > > -1765328243/Matching credential not found > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419859: Sending > > > > request (164 bytes) to MYDOMAIN.COM (master) > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > [get_and_save_tgt] > > > > (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > > "] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [map_krb5_error] > > > > (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > > "] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] > > > > (0x0200): Received error code 1432158228 > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] > > > > [pack_response_packet] (0x2000): response packet size: [4] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] > > > > (0x4000): Response sent. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): > > > > krb5_child completed successfully > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): > > > > krb5_child started. 
> > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] > > > > (0x1000): total buffer size: [159] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] > > > > (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] > > > > enterprise principal [false] offline [false] UPN [ > > > [email protected]] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] > > > > (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: > > > > [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] > > > > (0x0200): Switch user to [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] > > > > (0x0200): Switch user to [0][0]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [k5c_check_old_ccache] (0x4000): Ccache_file is > > > > [KEYRING:persistent:1007656917] and is not active and TGT is valid. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [k5c_precreate_ccache] (0x4000): Recreating ccache > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup_fast] > > > > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to > > > > [host/[email protected]] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [find_principal_in_keytab] (0x4000): Trying to find principal > > > > host/[email protected] in keytab. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [match_principal] > > > > (0x1000): Principal matched to the sample > > > > (host/[email protected]). > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > [check_fast_ccache] > > > > (0x0200): FAST TGT is still valid. 
> > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [become_user] > > > > (0x0200): Trying to become user [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x2000): > > > > Running as [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup] > > > (0x2000): > > > > Running as [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [set_lifetime_options] (0x0100): Cannot read > > > [SSSD_KRB5_RENEWABLE_LIFETIME] > > > > from environment. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > > > > environment. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to > > > [true] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): > > > Will > > > > perform online auth > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [tgt_req_child] > > > > (0x1000): Attempting to get a TGT > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > [get_and_save_tgt] > > > > (0x0400): Attempting kinit for realm [MYDOMAIN.COM] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.426870: Getting > > > > initial credentials for [email protected] > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428706: FAST > > armor > > > > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428762: > > Retrieving > > > > host/[email protected] -> > > > > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > > > > \@MYDOMAIN.COM@X-CACHECONF: from > > > > 
MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > > > > -1765328243/Matching credential not found > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428825: Sending > > > > request (164 bytes) to MYDOMAIN.COM > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429706: Retrying > > AS > > > > request with master KDC > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429740: Getting > > > > initial credentials for [email protected] > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429767: FAST > > armor > > > > ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429812: > > Retrieving > > > > host/[email protected] -> > > > > krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM > > > > \@MYDOMAIN.COM@X-CACHECONF: from > > > > MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: > > > > -1765328243/Matching credential not found > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429854: Sending > > > > request (164 bytes) to MYDOMAIN.COM (master) > > > > > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > [get_and_save_tgt] > > > > (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > > "] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [map_krb5_error] > > > > (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM > > "] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] > > > > (0x0200): Received error code 
1432158228 > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] > > > > [pack_response_packet] (0x2000): response packet size: [4] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] > > > > (0x4000): Response sent. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): > > > > krb5_child completed successfully > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): > > > > krb5_child started. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] > > > > (0x1000): total buffer size: [159] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] > > > > (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] > > > > enterprise principal [false] offline [true] UPN [ > > > [email protected]] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] > > > > (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: > > > > [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] > > > > (0x0200): Switch user to [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] > > > > [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] > > > > (0x0200): Switch user to [0][0]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] > > > > [k5c_check_old_ccache] (0x4000): Ccache_file is > > > > [KEYRING:persistent:1007656917] and is not active and TGT is valid. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] > > > > (0x0200): Trying to become user [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x2000): > > > > Running as [1007656917][1007656917]. 
> > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] > > > > (0x0200): Trying to become user [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] > > > > (0x0200): Already user [1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_setup] > > > (0x2000): > > > > Running as [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] > > > > [set_lifetime_options] (0x0100): Cannot read > > > [SSSD_KRB5_RENEWABLE_LIFETIME] > > > > from environment. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] > > > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > > > > environment. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): > > > Will > > > > perform offline auth > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] > > > [create_empty_ccache] > > > > (0x1000): Existing ccache still valid, reusing > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] > > > > (0x0200): Received error code 0 > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] > > > > [pack_response_packet] (0x2000): response packet size: [53] > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] > > > > (0x4000): Response sent. > > > > (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): > > > > krb5_child completed successfully > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): > > > > krb5_child started. 
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] > > > > (0x1000): total buffer size: [52] > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] > > > > (0x0100): cmd [249] uid [1007656917] gid [1007656917] validate [true] > > > > enterprise principal [false] offline [true] UPN [ > > > [email protected]] > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] > > > > (0x0200): Trying to become user [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x2000): > > > > Running as [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] > > > > (0x0200): Trying to become user [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] > > > > (0x0200): Already user [1007656917]. > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_setup] > > > (0x2000): > > > > Running as [1007656917][1007656917]. > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] > > > > [set_lifetime_options] (0x0100): Cannot read > > > [SSSD_KRB5_RENEWABLE_LIFETIME] > > > > from environment. > > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] > > > > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > > > > environment. 
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): Will perform pre-auth
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MYDOMAIN.COM]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.766694: Getting initial credentials for [email protected]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.769074: Sending request (164 bytes) to MYDOMAIN.COM
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770020: Retrying AS request with master KDC
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770051: Getting initial credentials for [email protected]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770091: Sending request (164 bytes) to MYDOMAIN.COM (master)
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328230} during pre-auth.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x0200): Received error code 0
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [pack_response_packet] (0x2000): response packet size: [4]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x4000): Response sent.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): krb5_child completed successfully
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child started.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x1000): total buffer size: [160]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [[email protected]]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917].
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [0][0].
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x2000): Running as [1007656917][1007656917].
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917].
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Already user [1007656917].
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917].
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): Will perform offline auth
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x0200): Received error code 0
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [pack_response_packet] (0x2000): response packet size: [53]
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x4000): Response sent.
> > > > (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child completed successfully
> > > >
> > > > =======================
> > > > Can you please help me to fix this,
> > > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project
> > >
> > > ------------------------------
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > [email protected]
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > >
> > > End of Freeipa-users Digest, Vol 100, Issue 48
> > > **********************************************
> >
> > --
> >
> > *Rajat Gupta *
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
