[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

List dedicated to discussions about use, configuration and deployment of the IPA server. freeipa-users at redhat.com
Tue Dec 6 18:02:11 UTC 2016


On Tue, Dec 06, 2016 at 12:45:18PM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote:
> ####
> This is a new thread related to one I started today about upgrading FreeIPA
> software before continuing troubleshooting work ...
> 
> New post here so I don't pollute the other thread.
> ####
> 
> 
> Looking for additional eyeballs or tips on this ongoing problem. The short
> summary
> is we can't check passwords for AD users.
> 
> SSSD is running in debug-10 mode and we have tons of logs
> 
> I've got 2 interesting things to trace down, would be interested in feedback
> on
> which may be best to concentrate on ...
> 
> 
> 1. In the SAMBA logs there are very clear and interesting "message=Cannot
> contact any KDC for realm 'COMPANY-IDM.ORG'"
> which seems very straightforward and interesting

You can ignore those; Samba is not involved in the authentication.

> 
> 2. However, the SSSD logs contain more worrisome messages about TGT ticket
> errors
> 
> 
> Should I concentrate on the samba logs that talk about being unable to find
> the KDC?
> That seems more straightforward at the moment.
> 
> 
> Thanks!
> 
> -Chris
> 
> 
> 
> 
> 
...
> (Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [main] (0x0400):
> krb5_child started.
> (Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer]
> (0x1000): total buffer size: [158]
> (Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1843770609] gid [1843770609] validate [false]
> enterprise principal [false] offline [true] UPN [user at COMPANY.ORG]

                              ^^^^^^^^^^^^^^^

The backend switched to offline mode; please send the SSSD domain logs
around this time as well. If possible, please start about 5 minutes
earlier.

bye,
Sumit
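The diagnostic step above (spot `offline [true]` in the krb5_child output, then pull the SSSD domain log for the five minutes leading up to it) can be automated. The following is an added example, not code from the thread or from SSSD itself: it parses the SSSD debug-log line format quoted in the thread, reports every krb5_child authentication request that was handed off while the backend was offline, and computes the time window whose domain-log lines you should collect. The sample log text is constructed for the example (each record is on one line, and the UPN uses a real `@` rather than the list archive's "at" substitution).

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the krb5_child lines quoted in the thread.
# The second request (pid 4010) is a made-up contrast case with offline [false].
SAMPLE_LOG = """\
(Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [main] (0x0400): krb5_child started.
(Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer] (0x1000): total buffer size: [158]
(Tue Dec  6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer] (0x0100): cmd [241] uid [1843770609] gid [1843770609] validate [false] enterprise principal [false] offline [true] UPN [user@COMPANY.ORG]
(Tue Dec  6 15:40:02 2016) [[sssd[krb5_child[4010]]]] [main] (0x0400): krb5_child started.
(Tue Dec  6 15:40:02 2016) [[sssd[krb5_child[4010]]]] [unpack_buffer] (0x0100): cmd [241] uid [1843770610] gid [1843770610] validate [false] enterprise principal [false] offline [false] UPN [other@COMPANY.ORG]
"""

# (timestamp) [[sssd[process[pid]]]] [function] (debuglevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "
    r"\[\[sssd\[(?P<proc>[^\[\]]+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Split one SSSD debug-log line into its fields; None if it is not a log record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # SSSD pads single-digit days with a space ("Dec  6"); collapse runs of
    # whitespace before handing the timestamp to strptime.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    rec["pid"] = int(rec["pid"])
    return rec


def find_offline_auths(log_text):
    """Return krb5_child requests whose unpack_buffer line carries offline [true]."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] != "krb5_child" or rec["func"] != "unpack_buffer":
            continue
        offline = re.search(r"offline \[(true|false)\]", rec["msg"])
        if not offline or offline.group(1) != "true":
            continue
        upn = re.search(r"UPN \[([^\]]+)\]", rec["msg"])
        events.append({
            "ts": rec["ts"],
            "pid": rec["pid"],
            "upn": upn.group(1) if upn else None,
        })
    return events


def domain_log_window(event, lead=timedelta(minutes=5)):
    """Time range to extract from the SSSD domain log: `lead` before the event up to the event."""
    return event["ts"] - lead, event["ts"]


def lines_in_window(log_text, start, end):
    """Keep only the log records whose timestamp falls inside [start, end]."""
    kept = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and start <= rec["ts"] <= end:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for ev in find_offline_auths(SAMPLE_LOG):
        start, end = domain_log_window(ev)
        print(f"krb5_child pid {ev['pid']} handled {ev['upn']} while OFFLINE at {ev['ts']}")
        print(f"  -> collect sssd_<domain>.log lines from {start} to {end}")
        for line in lines_in_window(SAMPLE_LOG, start, end):
            print("     " + line)
```

In practice you would feed `find_offline_auths` the krb5_child log and `lines_in_window` the domain log (for example `/var/log/sssd/sssd_<domain>.log`); the window is what a responder would attach to a report like the one requested above, since the reason for the offline transition is logged there, not in the krb5_child output.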



