[Freeipa-users] ipa-client password authentication failed

Jakub Hrozek jhrozek at redhat.com
Fri Apr 22 15:16:51 UTC 2016


On Fri, Apr 22, 2016 at 08:29:06PM +0530, Rakesh Rajasekharan wrote:
> Hi There,
> 
> I have successfully set up freeipa and have it running in my environment.
> 
> I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47
> 
> This setup works fine for the majority of servers. But just on one host I am
> unable to authenticate the users.
> 
> It gives me password denied.
> 
> Below is the error from /var/log/secure
> 
> Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13
> user=q-testuser
> Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213
> user=q-testuser
> Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for
> user q-testuser: 4 (System error)
> 
> 
> And in my krb5_child.log, I see the below lines:
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
> krb5_child started.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
> (0x1000): total buffer size: [171]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1142000001] gid [1142000001] validate [true]
> enterprise principal [false] offline [false] UPN [q-testuser at XYZ.COM]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_1142000001_XXXXXX] old_ccname:
> [FILE:/tmp/krb5cc_1142000001_RjJBN2] keytab: [/etc/krb5.keytab]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
> (0x0200): Switch user to [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [k5c_check_old_ccache] (0x4000): Ccache_file is
> [FILE:/tmp/krb5cc_1142000001_RjJBN2] and is not active and TGT is  valid.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2.15 at XYZ.COM]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal host/
> 10.2.2.15 at XYZ.COM in keytab.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/10.2.2.15 at XYZ.COM).
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user]
> (0x0200): Trying to become user [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000):
> Running as [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup]
> (0x2000): Running as [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400):
> Will perform online auth
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [XYZ.COM]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting
> initial credentials for q-testuser at XYZ.COM
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving
> host/10.2.2.15 at XYZ.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM
> \@XYZ.COM at X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with
> result: -1765328243/Matching credential not found
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending
> request (185 bytes) to XYZ.COM
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating
> TCP connection to stream 10.0.4.175:88
> 
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]]
> [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP
> request to stream 10.
> krb5_child.log (END)
> 
> 
> Can someone please advise what seems to go wrong here?

Is there really nothing else in the child log?

What about the domain log from about the same time? (The system error
was received at 14:25:27..)
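
The time comparison behind the reply above, as an added example that is not part of the original thread or of SSSD: it pulls the `pam_sss` error reply out of `/var/log/secure` and checks whether the pasted `krb5_child.log` lines fall near it. The function names, the 60-second window and passing the year in (syslog lines carry none) are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the post above, with the mail wrapping undone.
SECURE = [
    "Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213 user=q-testuser",
    "Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for "
    "user q-testuser: 4 (System error)",
]
CHILD = [
    "(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): "
    "krb5_child started.",
    "(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt] "
    "(0x0400): Attempting kinit for realm [XYZ.COM]",
]

PAM_REPLY = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"pam_sss\(sshd:auth\): received for user (\S+): (\d+) \(")
SSSD_TS = re.compile(r"^\((\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\) ")

def pam_sss_errors(lines, year):
    """(time, user, PAM code) per pam_sss error reply; syslog omits the year."""
    found = []
    for line in lines:
        m = PAM_REPLY.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            found.append((when, m.group(2), int(m.group(3))))
    return found

def sssd_times(lines):
    """Timestamps of SSSD debug lines; untimestamped continuation lines are skipped."""
    return [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            for m in map(SSSD_TS.match, lines) if m]

def covers(lines, when, window=60):
    """True if any SSSD line falls within `window` seconds of `when`."""
    return any(abs(t - when) <= timedelta(seconds=window) for t in sssd_times(lines))

def nearest_gap(lines, when):
    """Seconds from `when` to the closest SSSD line, or None if there are none."""
    gaps = [abs((t - when).total_seconds()) for t in sssd_times(lines)]
    return min(gaps) if gaps else None

if __name__ == "__main__":
    for when, user, code in pam_sss_errors(SECURE, 2016):
        print(when, user, code, covers(CHILD, when), nearest_gap(CHILD, when))
```

On the lines from the post, the closest child-log entry is 217 seconds after the PAM error, so the excerpt does not cover the failed login that `/var/log/secure` recorded.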



