[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Sumit Bose sbose at redhat.com
Thu Mar 19 17:11:19 UTC 2015 

On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
> Hi there,
> 
> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup (described here: http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able to autenticate AIX 7.1 clients against an AD domain using LDAP. After the trust was created all seems to work well on the freeIPA server. I can also do a lookup of AD users and groups on an AIX test server.
> 
> But as soon as I want to log in on the AIX system I get an SSSD error on the freeIPA server in krb5_child.log (debug_level = 10):
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590260: AS key obtained for encrypted timestamp: aes256-cts/2F5D
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590326: Encrypted timestamp (for 1426778442.525165): plain 301AA011180F32303135303331393135323034325AA105020308036D, encrypted 9B3299264F09E50D63D84B385A09A4C64D44116A02B58FFF12830B39F88722CD9B792F5ABA0653578DE9138B91D29C17C197453D8B8A5E7A
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590349: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590360: Produced preauth for next request: 2
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.590384: Sending request (238 bytes) to EXAMPLE.CORP
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.591325: Resolving hostname dct020.example.corp.
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.591889: Sending initial UDP request to dgram 192.168.143.1:88
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636127: Received answer from dgram 192.168.143.1:88
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636626: Response was not from master KDC
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636667: Received error from KDC: -1765328360/Preauthentication failed
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636698: Preauth tryagain input types: 16, 14, 19, 2
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636728: Retrying AS request with master KDC
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636741: Getting initial credentials for BPrins at EXAMPLE.CORP
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [sss_child_krb5_trace_cb] (0x4000): [12775] 1426778442.636787: Sending request (160 bytes) to EXAMPLE.CORP (master)
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [get_and_save_tgt] (0x0020): 979: [-1765328360][Preauthentication failed]
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [map_krb5_error] (0x0020): 1040: [-1765328360][Preauthentication failed]
> (Thu Mar 19 16:20:42 2015) [[sssd[krb5_child[12775]]]] [k5c_send_data] (0x0200): Received error code 1432158214
> 
> If I do the same with 'KRB5_TRACE=/dev/stderr kinit BPrins at EXAMPLE.CORP':
> [12299] 1426773524.361785: AS key obtained for encrypted timestamp: aes256-cts/B997
> [12299] 1426773524.361850: Encrypted timestamp (for 1426773524.277583): plain 301AA011180F32303135303331393133353834345AA1050203043C4F, encrypted ED9CF995617740C4B14DB9CC84187E3505B664FE5C0AD16D19477E912F5400FB2C4665A090E3A37CD749535B3C80595809E14D15CB3527C0
> [12299] 1426773524.361876: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
> [12299] 1426773524.361880: Produced preauth for next request: 2
> [12299] 1426773524.361901: Sending request (238 bytes) to EXAMPLE.CORP
> [12299] 1426773524.363002: Resolving hostname dct020.EXAMPLE.corp.
> [12299] 1426773524.363841: Sending initial UDP request to dgram 192.168.141.1:88
> [12299] 1426773524.368089: Received answer from dgram 192.168.141.1:88
> [12299] 1426773524.368482: Response was not from master KDC
> [12299] 1426773524.368500: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> [12299] 1426773524.368506: Request or response is too big for UDP; retrying with TCP
> [12299] 1426773524.368511: Sending request (238 bytes) to EXAMPLE.CORP (tcp only)
> [12299] 1426773524.368953: Resolving hostname dct030.EXAMPLE.corp.
> [12299] 1426773524.370056: Initiating TCP connection to stream 192.168.143.5:88
> [12299] 1426773524.375140: Sending TCP request to stream 192.168.143.5:88
> [12299] 1426773524.383801: Received answer from stream 192.168.143.5:88
> [12299] 1426773524.384237: Response was not from master KDC
> [12299] 1426773524.384263: Processing preauth types: 19
> [12299] 1426773524.384271: Selected etype info: etype aes256-cts, salt "EXAMPLE.CORPBPrins", params ""
> [12299] 1426773524.384275: Produced preauth for next request: (empty)
> [12299] 1426773524.384282: AS key determined by preauth: aes256-cts/B997
> [12299] 1426773524.384329: Decrypted AS reply; session key is: rc4-hmac/39AB
> [12299] 1426773524.384333: FAST negotiation: unavailable
> [12299] 1426773524.384357: Initializing KEYRING:persistent:0:krb_ccache_rhX3V4v with default princ BPrins at EXAMPLE.CORP
> [12299] 1426773524.384400: Removing BPrins at EXAMPLE.CORP -> krbtgt/EXAMPLE.CORP at EXAMPLE.CORP from KEYRING:persistent:0:krb_ccache_rhX3V4v
> [12299] 1426773524.384407: Storing BPrins at EXAMPLE.CORP -> krbtgt/EXAMPLE.CORP at EXAMPLE.CORP in KEYRING:persistent:0:krb_ccache_rhX3V4v
> [12299] 1426773524.384469: Storing config in KEYRING:persistent:0:krb_ccache_rhX3V4v for krbtgt/EXAMPLE.CORP at EXAMPLE.CORP: pa_type: 2
> [12299] 1426773524.384484: Removing BPrins at EXAMPLE.CORP -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.CORP\@EXAMPLE.CORP at X-CACHECONF: from KEYRING:persistent:0:krb_ccache_rhX3V4v
> [12299] 1426773524.384492: Storing BPrins at EXAMPLE.CORP -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.CORP\@EXAMPLE.CORP at X-CACHECONF: in KEYRING:persistent:0:krb_ccache_rhX3V4v
> 
> Any ideas?

Can you log in to the IPA server as this user? If yes I would assume
that the password gets garbled somewhere on the way from AIX through the
IPA machinery to SSSD. Does the password contain some special characters
which some LDAP processing calls might want the escape?

bye,
Sumit

> 
> Thanks,
> 
> Bobby
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list