[Freeipa-users] Possible trust issues

Dmitri Pal dpal at redhat.com
Tue Nov 11 00:05:55 UTC 2014


On 11/10/2014 07:01 PM, William Muriithi wrote:
> Evening,
>
> Also, this show up on /var/log/krb5kdc.log on ipa server
>
> Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: NEEDED_PREAUTH: host/sogo-eval.example.loc@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC, Additional pre-authentication required
> Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5468](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: ISSUE: authtime 1415663002, etypes {rep=18 tkt=18 ses=18}, host/sogo-eval.example.loc@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC
>
> What does pre-authentication required mean?

It is normal.
http://superuser.com/questions/200010/how-does-kerberos-preauthentication-increase-security

>
> William
>
>
>
> I am certain the problem has something to do with trust, as I have created a local account on FreeIPA (wmuriithi_user) and it works as expected. However, Active Directory users in the same POSIX group fail, and I have not been able to nail down where my mistake is. How would one go about debugging this issue? I have looked at logs and they look as below.
>
> cat /var/log/secure
>
> Nov 10 12:12:05 datagroup-dev sshd[30150]: Invalid user wmuriithi@example.local from 10.10.10.15
> Nov 10 12:12:05 datagroup-dev sshd[30151]: input_userauth_request: invalid user wmuriithi@example.local
> Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): check pass; user unknown
> Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.15
> Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_succeed_if(sshd:auth): error retrieving information about user wmuriithi@example.local
> Nov 10 12:12:11 datagroup-dev sshd[30150]: Failed password for invalid user wmuriithi@example.local from 10.10.10.15 port 52792 ssh2
> Nov 10 12:12:17 datagroup-dev sshd[30151]: Connection closed by 10.10.10.15
>
> cat /var/log/sssd/sssd_ssh.log
>
>
> (Mon Nov 10 12:34:01 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', user is wmuriithi
> (Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed
> (Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0040): No attributes for user [wmuriithi] found.
> (Mon Nov 10 12:34:01 2014) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
> (Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
> (Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
> (Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', user is wmuriithi
> (Mon Nov 10 15:16:44 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed
>
>
> less /var/log/sssd/sssd_example.loc.log
>
> (Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa3-yyz-int.example.loc' as 'working'
> (Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [set_server_common_status] (0x0100): Marking server 'ipa3-yyz-int.example.loc' as 'working'
> (Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
> (Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
> (Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>
> Does this mean I have to recreate the trust relationship? I didn't get any error when I set up the trust last week and am uncertain whether recreating the trust would help. Would highly appreciate any pointers on what would be the best way forward.
>
> William
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
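The NEEDED_PREAUTH / ISSUE pair in the krb5kdc.log excerpt above is the normal shape of a pre-authenticated AS exchange: the first AS_REQ carries no pre-auth data, the KDC answers NEEDED_PREAUTH, and the client re-sends with an encrypted timestamp and gets ISSUE. What a practitioner actually wants from these lines is the opposite pattern: a principal that keeps being challenged and never reaches ISSUE, or that hits PREAUTH_FAILED. The following Python is an added example, not code from the thread or from FreeIPA; it parses constructed log lines written in the same krb5kdc.log format (with "@" restored where the list archive printed " at "), pairs the outcomes per client principal and source IP, and also records any legacy encryption types (DES, DES3, RC4) the client offered. The hostnames, IPs and the alice/bob principals are placeholders.

```python
"""Pair krb5kdc.log AS_REQ lines so routine NEEDED_PREAUTH noise can be told
apart from real pre-authentication failures.  Added example; the log lines are
constructed in the format quoted in the thread, not taken from a live KDC."""
import re
from collections import defaultdict

# Constructed sample: a normal host login (NEEDED_PREAUTH then ISSUE), a user
# that fails pre-auth, a client that never answers the challenge, and one
# TGS_REQ line to show that non-AS_REQ lines are ignored.  Principals, hosts
# and addresses are placeholders.
SAMPLE_LOG = """\
Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: NEEDED_PREAUTH: host/sogo-eval.example.loc@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC, Additional pre-authentication required
Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5468](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: ISSUE: authtime 1415663002, etypes {rep=18 tkt=18 ses=18}, host/sogo-eval.example.loc@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC
Nov 10 18:43:23 ipa3-yyz-int.example.loc krb5kdc[5469](info): TGS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: ISSUE: authtime 1415663002, etypes {rep=18 tkt=18 ses=18}, host/sogo-eval.example.loc@EXAMPLE.LOC for ldap/ipa3-yyz-int.example.loc@EXAMPLE.LOC
Nov 10 18:44:01 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.77: NEEDED_PREAUTH: alice@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC, Additional pre-authentication required
Nov 10 18:44:03 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.77: NEEDED_PREAUTH: alice@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC, Additional pre-authentication required
Nov 10 18:44:05 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.77: PREAUTH_FAILED: alice@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC, Decrypt integrity check failed
Nov 10 18:45:10 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (2 etypes {18 17}) 10.10.10.80: NEEDED_PREAUTH: bob@EXAMPLE.LOC for krbtgt/EXAMPLE.LOC@EXAMPLE.LOC, Additional pre-authentication required
"""

# Only AS_REQ lines match; the lazy ".*?" skips the "authtime ..., etypes {...}, "
# detail that ISSUE lines carry before the client principal.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<msg>.*))?$"
)

# Legacy Kerberos etype numbers: 1 des-cbc-crc, 3 des-cbc-md5, 16 des3-cbc-sha1, 23 rc4-hmac.
WEAK_ETYPES = {1, 3, 16, 23}


def parse_kdc_log(text):
    """Return one dict per AS_REQ line; anything else in the log is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["etypes"] = {int(e) for e in ev["etypes"].split()}
            events.append(ev)
    return events


def verdict(entry):
    """Classify one (client, ip) pair from its AS_REQ outcome counts."""
    if entry["preauth_failed"]:
        return "preauth-failed"   # wrong key/password, or someone guessing
    if entry["issued"]:
        return "normal"           # the NEEDED_PREAUTH -> ISSUE pair seen in the thread
    if entry["needed_preauth"]:
        return "incomplete"       # challenged, never returned a valid AS_REQ
    return "other"


def summarize_as_req(events):
    """Group AS_REQ outcomes per (client principal, source IP) and attach a verdict."""
    summary = defaultdict(lambda: {"needed_preauth": 0, "issued": 0, "preauth_failed": 0,
                                   "other": [], "weak_etypes_offered": set()})
    for ev in events:
        entry = summary[(ev["client"], ev["ip"])]
        status = ev["status"]
        if status == "NEEDED_PREAUTH":
            entry["needed_preauth"] += 1
        elif status == "ISSUE":
            entry["issued"] += 1
        elif status == "PREAUTH_FAILED":
            entry["preauth_failed"] += 1
        else:
            entry["other"].append(status)
        entry["weak_etypes_offered"] |= ev["etypes"] & WEAK_ETYPES
    for entry in summary.values():
        entry["verdict"] = verdict(entry)
    return dict(summary)


def sample_report():
    """Run the parser and summary over the constructed sample log."""
    return summarize_as_req(parse_kdc_log(SAMPLE_LOG))


if __name__ == "__main__":
    for (client, ip), entry in sample_report().items():
        print(f"{client:42} {ip:13} {entry['verdict']:15} "
              f"preauth={entry['needed_preauth']} issued={entry['issued']} "
              f"failed={entry['preauth_failed']} "
              f"weak_etypes={sorted(entry['weak_etypes_offered'])}")
```

The etype fields are the other thing worth reading off these lines: the host in the thread offered {18 17 16 23}, but the KDC issued AES256 throughout (rep=18 tkt=18 ses=18), so the legacy types were merely offered, not used. A ticket or session key at etype 23 would mean that principal's keys are still RC4.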