On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
> Hi,
>
> when I try to login to an IPA client with my AD user it works perfectly when
> I already have a kerberos ticket for my user. When I do not and I try a
> password-based login it fails:

Please send the sssd_domain.log and krb5_child.log from the same time as well.

bye,
Sumit

>
> Password-based:
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
> Returning info for user [[email protected]@xyz.mydomain.at]
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pd_set_primary_name] (0x0400):
> User's primary name is [email protected]
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> request with the following data:
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
> SSS_PAM_PREAUTH
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): domain:
> XYZ
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
> [email protected]
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): service:
> sshd
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not
> set
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> chupacabra.ipa.mydomain.at
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
> type: 0
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> 31816
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: myuser
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [sbus_add_timeout] (0x2000):
> 0x7f4c122ed450
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000):
> 0x7f4c122ed450
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
> 0x7f4c122e59c0
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> received: [4 (System error)][XYZ]
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [4]: System error.
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
> (Thu Apr 6 10:39:12 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0x7f4c122f4640][21]
>
> When I have a Kerberos ticket:
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
> Returning info for user [[email protected]@xyz.mydomain.at]
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pd_set_primary_name] (0x0400):
> User's primary name is [email protected]
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> request with the following data:
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
> SSS_PAM_OPEN_SESSION
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): domain:
> XYZ
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
> [email protected]
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): service:
> sshd
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not
> set
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> chupacabra.ipa.mydomain.at
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
> type: 0
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> 31841
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: myuser
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [sbus_add_timeout] (0x2000):
> 0x7f4c122ec4a0
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000):
> 0x7f4c122ec4a0
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
> 0x7f4c122e59c0
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> received: [0 (Success)][XYZ]
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0]: Success.
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
> (Thu Apr 6 10:41:00 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0x7f4c122f4640][21]
>
> My question is why?
>
> Regards,
> Ronald
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
