[Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

Troels Hansen th at casalogic.dk
Tue Aug 9 13:13:25 UTC 2016


At least for some users....

One user failing:

(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [unpack_buffer] (0x0100): cmd [249] uid [1349930179] gid [1349930179] validate [true] enterprise principal [false] offline [true] UPN [hlau at NET.DR.DK]
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [become_user] (0x0200): Trying to become user [1349930179][1349930179].
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [become_user] (0x0200): Trying to become user [1349930179][1349930179].
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [become_user] (0x0200): Already user [1349930179].
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Tue Aug  9 14:41:37 2016) [[sssd[krb5_child[1360]]]] [k5c_send_data] (0x0200): Received error code 0


Me logging in works....
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [unpack_buffer] (0x0100): cmd [241] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [DREXTRHA at NET.DR.DK]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1349938498] old_ccname: [KEYRING:persistent:1349938498] keytab: [/etc/krb5.keytab]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [switch_creds] (0x0200): Switch user to [1349938498][1349938498].
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/rhel02udv.linux.dr.dk at LINUX.DR.DK]
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [become_user] (0x0200): Trying to become user [1349938498][1349938498].
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Tue Aug  9 14:58:21 2016) [[sssd[krb5_child[1497]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]


What does "Cannot handle password prompts" mean? The only thing I can find is some sssd krb5 commits that look to be related to password change?

----- On Aug 9, 2016, at 2:29 PM, Troels Hansen th at casalogic.dk wrote:

> ----- On Aug 9, 2016, at 2:09 PM, Jakub Hrozek jhrozek at redhat.com wrote:
> 
> 
>>> 
>>> So, it currently works in the current RedHat (sssd-ipa-1.13.0-40.el7_2.12) but
>>> only on the server, but not on a pure IPA client, but will work in 1.14.0?
>> 
>> I would not recommend this setting on the server, even with 1.14,
>> because some components of the stack rely on the name of trusted users
>> being qualified, namely the compat plugin IIRC parses the names.
>> 
>> But on clients, this should work.
>> 
>>> 
>>> I guess this will be included in RedHat 7.3?
>> 
>> Yes.
> 
> I guess I have hit some sort of configuration parameter combination that made it
> not work......  I have removed the full_name_format on the server, but kept
> "ldap_user_principal = nosuchattr" and
> "subdomain_inherit = ldap_user_principal" on both server until 7.3 arrives.
> 
> This seems to work.
> 
> 

-- 
Kind regards

Troels Hansen

Systems consultant

Casalogic A/S

T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
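
A small triage helper for comparing krb5_child debug logs like the two in the message above, added here as an example and not part of the original message or of SSSD: it rejoins hard-wrapped records, groups them by child PID, and lists the steps one request logged that another did not. The sample log lines, UIDs and principals are constructed, and the function names are hypothetical.

```python
import re

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
FIELD_RE = re.compile(r"([A-Za-z_][A-Za-z_ ]*?):? \[([^\]]*)\]")

def unwrap(text):
    """Rejoin hard-wrapped records: a line not starting with '(' continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("(") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def summarize(text):
    """Group krb5_child records by PID: request fields, steps reached, failures."""
    out = {}
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        req = out.setdefault(int(m["pid"]), {"fields": {}, "steps": [], "failures": []})
        if m["func"] not in req["steps"]:
            req["steps"].append(m["func"])
        if m["func"] == "unpack_buffer":
            req["fields"].update(FIELD_RE.findall(m["msg"]))
        # SSSD debug levels 0x0010/0x0020/0x0040 are fatal/critical/serious failures.
        if int(m["level"], 16) <= 0x0040:
            req["failures"].append((m["func"], m["msg"]))
    return out

def steps_missing(summary, pid, ref_pid):
    """Steps the reference request logged that the request under test did not."""
    return [s for s in summary[ref_pid]["steps"] if s not in summary[pid]["steps"]]

# Constructed sample in the krb5_child log format, including two wrapped records.
SAMPLE = """\
(Mon Jan  1 10:00:00 2024) [[sssd[krb5_child[100]]]] [unpack_buffer] (0x0100): cmd [249] uid [1000] gid
 [1000] validate [true] enterprise principal [false] offline [true] UPN [alice@EXAMPLE.TEST]
(Mon Jan  1 10:00:00 2024) [[sssd[krb5_child[100]]]] [sss_krb5_prompter] (0x0020): Cannot handle password pro
mpts.
(Mon Jan  1 10:05:00 2024) [[sssd[krb5_child[200]]]] [unpack_buffer] (0x0100): cmd [241] uid [2000] gid [2000] validate [true] enterprise principal [false] offline [false] UPN [bob@EXAMPLE.TEST]
(Mon Jan  1 10:05:00 2024) [[sssd[krb5_child[200]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/client.example.test@EXAMPLE.TEST]
(Mon Jan  1 10:05:00 2024) [[sssd[krb5_child[200]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
"""

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for pid, req in s.items():
        print(pid, req["fields"].get("UPN"), "offline=" + req["fields"].get("offline", "?"), req["failures"])
    print("steps only in 200:", steps_missing(s, 100, 200))
```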



