[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts
List dedicated to discussions about use, configuration and deployment of the IPA server.
freeipa-users at redhat.com
Tue Dec 6 18:02:11 UTC 2016
On Tue, Dec 06, 2016 at 12:45:18PM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote:
> ####
> This is a new thread related to one I started today about upgrading FreeIPA
> software before continuing troubleshooting work ...
>
> New post here so I don't pollute the other thread.
> ####
>
>
> Looking for additional eyeballs or tips on this ongoing problem. The short
> summary is we can't check passwords for AD users.
>
> SSSD is running in debug-10 mode and we have tons of logs
>
> I've got 2 interesting things to trace down, would be interested in feedback
> on which may be best to concentrate on ...
>
>
> 1. In the SAMBA logs there are very clear and interesting "message=Cannot
> contact any KDC for realm 'COMPANY-IDM.ORG'"
> which seems very straightforward and interesting
You can ignore those, samba is not involved in the authentication.
>
> 2. However the SSSD logs contain more worrisome messages about TGT ticket
> errors
>
>
> Should I concentrate on the samba logs that talk about being unable to find
> the KDC? That seems more straightforward at the moment.
>
>
> Thanks!
>
> -Chris
>
>
>
>
>
...
> (Tue Dec 6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [main] (0x0400):
> krb5_child started.
> (Tue Dec 6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer]
> (0x1000): total buffer size: [158]
> (Tue Dec 6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1843770609] gid [1843770609] validate [false]
> enterprise principal [false] offline [true] UPN [user at COMPANY.ORG]
^^^^^^^^^^^^^^^
The backend switched to offline mode, please send the SSSD domain logs
around this time as well. If possible please start about 5 minutes
earlier.
bye,
Sumit
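
One way to cut the requested window out of the logs, as an added example that is not part of the original message or of SSSD: it finds krb5_child requests unpacked with `offline [true]` and returns the domain-log lines from 5 minutes before each one. The function names, the 1-minute trailing margin and the domain-log sample lines are assumptions constructed for illustration; the krb5_child lines are the ones quoted above, unwrapped.

```python
import re
from datetime import datetime, timedelta

# SSSD debug lines start with a timestamp such as "(Tue Dec  6 15:36:48 2016)".
TS_RE = re.compile(r"^\((\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\)")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_ts(line):
    """Return the line's timestamp, or None for a continuation line."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), TS_FMT) if m else None

def offline_times(krb5_child_lines):
    """Timestamps of krb5_child requests that were unpacked with offline [true]."""
    return [ts for line in krb5_child_lines
            if (ts := parse_ts(line)) is not None
            and "[unpack_buffer]" in line and "offline [true]" in line]

def domain_window(domain_lines, event,
                  before=timedelta(minutes=5), after=timedelta(minutes=1)):
    """Domain-log lines between event-before and event+after (after is an assumption).
    Lines without a timestamp follow the decision made for the preceding line."""
    out, keep = [], False
    for line in domain_lines:
        ts = parse_ts(line)
        if ts is not None:
            keep = event - before <= ts <= event + after
        if keep:
            out.append(line)
    return out

# krb5_child lines from the post, unwrapped onto single lines.
KRB5_CHILD_SAMPLE = [
    "(Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [main] (0x0400): krb5_child started.",
    "(Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer] (0x0100): "
    "cmd [241] uid [1843770609] gid [1843770609] validate [false] "
    "enterprise principal [false] offline [true] UPN [user at COMPANY.ORG]",
]
# Constructed domain-log lines (not real SSSD output), only to exercise the window.
DOMAIN_SAMPLE = [
    "(Tue Dec  6 15:29:00 2016) [sssd[be[example]]] [constructed] (0x0400): before window",
    "(Tue Dec  6 15:32:10 2016) [sssd[be[example]]] [constructed] (0x0400): inside window",
    "    continuation of the previous entry",
    "(Tue Dec  6 15:36:50 2016) [sssd[be[example]]] [constructed] (0x0400): just after event",
    "(Tue Dec  6 15:40:00 2016) [sssd[be[example]]] [constructed] (0x0400): after window",
]

if __name__ == "__main__":
    for event in offline_times(KRB5_CHILD_SAMPLE):
        print("\n".join(domain_window(DOMAIN_SAMPLE, event)))
```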