[Freeipa-users] ipa-client password authentication failed

Rakesh Rajasekharan rakesh.rajasekharan at gmail.com
Fri Apr 22 14:59:06 UTC 2016


Hi There,

I have successfully set up freeipa and have it running in my environment.

I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47

This setup works fine for the majority of servers. But on just one host I am
unable to authenticate the users.

It gives me password denied.

Below is the error from /var/log/secure

Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13
user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213
user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for
user q-testuser: 4 (System error)


And in my krb5_child.log, I see the below lines:
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
krb5_child started.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
(0x1000): total buffer size: [171]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
(0x0100): cmd [241] uid [1142000001] gid [1142000001] validate [true]
enterprise principal [false] offline [false] UPN [q-testuser at XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_1142000001_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_1142000001_RjJBN2] keytab: [/etc/krb5.keytab]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
(0x0200): Switch user to [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
(0x0200): Switch user to [0][0].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[k5c_check_old_ccache] (0x4000): Ccache_file is
[FILE:/tmp/krb5cc_1142000001_RjJBN2] and is not active and TGT is  valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast]
(0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2.15 at XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[find_principal_in_keytab] (0x4000): Trying to find principal host/
10.2.2.15 at XYZ.COM in keytab.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal]
(0x1000): Principal matched to the sample (host/10.2.2.15 at XYZ.COM).
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user]
(0x0200): Trying to become user [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000):
Running as [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup]
(0x2000): Running as [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
Will perform online auth
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting
initial credentials for q-testuser at XYZ.COM

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor
ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving
host/10.2.2.15 at XYZ.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM
\@XYZ.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with
result: -1765328243/Matching credential not found

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending
request (185 bytes) to XYZ.COM

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating
TCP connection to stream 10.0.4.175:88

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
[sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP
request to stream 10.
krb5_child.log (END)


Can someone please advise what seems to go wrong here?


Thanks,
Rakesh