[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts
Chris Dagdigian
dag at sonsorol.org
Thu Dec 8 14:29:34 UTC 2016
Sumit Bose wrote:
>> > Am I being stupid (again?) Obviously the krb5_validate=false setting needs
>> > to be fixed. Just not sure if I should work on a fix within 4.2 or move to
>> > 4.4 and see if it gets resolved as part of other changes.
>
> The validation issue might have different reasons. One might be
> https://fedorahosted.org/sssd/ticket/3103 where SSSD creates a wrong
> Kerberos configuration snippet. Fixes are available for sssd-1.13 and
> later. But there might be other reasons as well.
>
> If you don't mind please send the krb5_child.log with debug_level=10
> covering an authentication attempt with 'krb5_validate = true' and the
> content of /var/lib/sss/pubconf/krb5.include.d/domain_realm_your_domain.
Thanks Sumit,

Info you requested is attached. These logs are from a client machine. I
confirmed that I could not authenticate with krb5_validate = True and
that I could authenticate when I switched krb5_validate=false. I set
the value to "True", turned up debug logging to 10 and then stopped the SSSD
service after my 3 login tries to try to constrain the log volume.
Still ended up with 1200+ lines in krb5_child.log though.

Here is the info you requested (sanitized):

URL to krb5_child.log since it is pretty lengthy:
-------------------------------------------------------------
http://chrisdag.me/krb5_child.log.txt
And we actually had 2 domain_realm* files, which I think is due to our
difference in DNS for client hostnames vs DNS for the IPA server.
Our CAPATH info does look like that SSSD issue you mentioned (ticket
3103) ...
This is domain_realm_companyaws_org:
------------------------------------------------------
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
.APAC.COMPANY.ORG = APAC.COMPANY.ORG
APAC.COMPANY.ORG = APAC.COMPANY.ORG
.LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
.NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
[capaths]
COMPANY.ORG = {
COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
EAME.COMPANY.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
APAC.COMPANY.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
LATAM.COMPANY.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
NAFTA.COMPANY.ORG = COMPANY.ORG
}
And this is domain_realm_companyidm_org:
------------------------------------------------------------
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
.APAC.COMPANY.ORG = APAC.COMPANY.ORG
APAC.COMPANY.ORG = APAC.COMPANY.ORG
.LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
.NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
[capaths]
COMPANYAWS.ORG = {
COMPANYIDM.ORG = COMPANYAWS.ORG
}
COMPANYIDM.ORG = {
COMPANYAWS.ORG = COMPANYAWS.ORG
}
COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
EAME.COMPANY.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
APAC.COMPANY.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
LATAM.COMPANY.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
NAFTA.COMPANY.ORG = COMPANY.ORG
}
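As an added diagnostic helper (not part of this thread, and not SSSD or FreeIPA code), the script below reads a krb5.conf-style snippet such as the domain_realm files above and summarises its [capaths] section: every client->server->intermediate path in file order, every realm that is opened as a `REALM = {` stanza more than once, and every declaration that has no counterpart in the opposite direction. It uses its own small parser rather than the MIT krb5 profile library, so it reports what is literally written in the file, not how libkrb5 would resolve it. The embedded sample is a constructed excerpt modelled on the domain_realm_companyaws_org snippet, trimmed to the forest root and one child realm; the realm names are the already-sanitized ones from the thread.

```python
"""Summarise the [capaths] section of a krb5.conf-style snippet.

Added diagnostic helper, not from the mailing-list thread and not SSSD/FreeIPA
code. Hand-written parser: it shows what is literally in the file and does
not emulate the MIT krb5 profile library's merging rules.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(\S+)\]$")          # [capaths]
SUBSECTION_RE = re.compile(r"^(\S+)\s*=\s*\{$")  # CLIENT.REALM = {
RELATION_RE = re.compile(r"^(\S+)\s*=\s*(\S+)$")  # SERVER.REALM = INTERMEDIATE

# Constructed sample, modelled on the domain_realm_companyaws_org snippet
# from the thread (forest root plus one child realm only).
SAMPLE_SNIPPET = """\
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
[capaths]
COMPANY.ORG = {
COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
EAME.COMPANY.ORG = COMPANY.ORG
}
"""


def parse_capaths(text):
    """Return (paths, stanza_counts).

    paths: list of (client_realm, server_realm, intermediate) in file order.
    stanza_counts: client_realm -> how many times 'REALM = {' was opened
                   inside [capaths]; a count above 1 means the realm's
                   paths are split across several stanzas.
    """
    paths = []
    stanza_counts = defaultdict(int)
    section = None   # name of the [section] currently being read
    client = None    # client realm of the open { ... } stanza, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            client = None
            continue
        if section != "capaths":
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            client = m.group(1)
            stanza_counts[client] += 1
            continue
        if line == "}":
            client = None
            continue
        m = RELATION_RE.match(line)
        if m and client is not None:
            paths.append((client, m.group(1), m.group(2)))
    return paths, dict(stanza_counts)


def paths_from(paths, client_realm):
    """server_realm -> list of intermediates declared for one client realm."""
    out = defaultdict(list)
    for client, server, via in paths:
        if client == client_realm:
            out[server].append(via)
    return dict(out)


def find_issues(paths, stanza_counts):
    """Realms opened more than once, and client->server pairs with no reverse."""
    duplicated = sorted(r for r, n in stanza_counts.items() if n > 1)
    declared = {(c, s) for c, s, _ in paths}
    one_way = sorted((c, s) for c, s in declared if (s, c) not in declared)
    return {"duplicated_stanzas": duplicated, "one_way": one_way}


if __name__ == "__main__":
    found, counts = parse_capaths(SAMPLE_SNIPPET)
    for client, server, via in found:
        print(f"{client} -> {server} via {via}")
    print("issues:", find_issues(found, counts))
```

Run it against a real snippet with `parse_capaths(open(path).read())`; for the thread's first file the `duplicated_stanzas` list would name COMPANYAWS.ORG, which is opened once per Active Directory realm.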