[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

Chris Dagdigian dag at sonsorol.org
Thu Dec 8 14:29:34 UTC 2016


Sumit Bose wrote:
>> >  Am I being stupid (again?)  Obviously the krb5_validate=false setting needs
>> >  to be fixed. Just not sure if I should work on a fix within 4.2 or move to
>> >  4.4 and see if it gets resolved as part of other changes.
>
> The validation issue might have different reasons. One might be
> https://fedorahosted.org/sssd/ticket/3103  where SSSD creates a wrong
> Kerberos configuration snippet. Fixes are available for sssd-1.13 and
> later. But there might be other reasons as well.
>
> If you don't mind please send the krb5_child.log with debug_level=10
> covering an authentication attempt with 'krb5_validate = true' and the
> content of /var/lib/sss/pubconf/krb5.include.d/domain_realm_your_domain.

Thanks Sumit,

Info you requested is attached. These logs are from a client machine. I 
confirmed that I could not authenticate with krb5_validate = True and 
that I could authenticate when I switched krb5_validate=false.  I set 
the value to "True", turned up debug logging to 10 and then stopped the SSSD 
service after my 3 login tries to try to constrain the log volume.

Still ended up with 1200+ lines in krb5_child.log though

Here is the info you requested (sanitized)

URL to krb5_child.log since it is pretty lengthy:
-------------------------------------------------------------
http://chrisdag.me/krb5_child.log.txt


And we actually had 2 domain_realm* files, which I think is due to our 
difference in DNS for client hostnames vs DNS for the IPA server. Our 
CAPATH info does look like that SSSD issue you mentioned (ticket 
3103) ...


This is domain_realm_companyaws_org:
------------------------------------------------------
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
.APAC.COMPANY.ORG = APAC.COMPANY.ORG
APAC.COMPANY.ORG = APAC.COMPANY.ORG
.LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
.NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
[capaths]
COMPANY.ORG = {
   COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
   COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
   COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
   EAME.COMPANY.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
   COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
   APAC.COMPANY.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
   COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
   LATAM.COMPANY.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
   COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
   NAFTA.COMPANY.ORG = COMPANY.ORG
}




And this is domain_realm_companyidm_org:
------------------------------------------------------------
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
.APAC.COMPANY.ORG = APAC.COMPANY.ORG
APAC.COMPANY.ORG = APAC.COMPANY.ORG
.LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
.NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
[capaths]
COMPANYAWS.ORG = {
   COMPANYIDM.ORG = COMPANYAWS.ORG
}
COMPANYIDM.ORG = {
   COMPANYAWS.ORG = COMPANYAWS.ORG
}
COMPANY.ORG = {
   COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
   COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
   COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
   EAME.COMPANY.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
   COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
   APAC.COMPANY.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
   COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
   LATAM.COMPANY.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
   COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
   NAFTA.COMPANY.ORG = COMPANY.ORG
}
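The two snippets above each open a block for the same client realm (COMPANYAWS.ORG in the first file, COMPANYIDM.ORG in the second) several times inside [capaths], once per trusted subdomain, instead of listing all server realms under one block. The following script is an added example, not SSSD or MIT krb5 code and not part of the original post: it parses a krb5.conf-style [capaths] fragment, counts how many times each client realm opens a block, and prints the folded single-block form so it can be compared with what a fixed SSSD writes. SNIPPET is an excerpt of the domain_realm_companyaws_org file posted above (sanitized realm names as in the post); parse_capaths, merge_blocks and render_capaths are names chosen here. The script makes no claim about how libkrb5 itself resolves repeated blocks; it only makes the repetition visible.

```python
"""Flag repeated client-realm blocks in a krb5 [capaths] fragment.

Added example for this thread; not SSSD or MIT krb5 code. The parser
handles the one level of nesting that [capaths] uses (realm = { ... }).
"""
import re
from collections import Counter, defaultdict

# Excerpt of the domain_realm_companyaws_org file quoted in the post.
SNIPPET = """\
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
[capaths]
COMPANY.ORG = {
   COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
   COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
   COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
   EAME.COMPANY.ORG = COMPANY.ORG
}
"""

_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")          # CLIENT.REALM = {
_RELATION = re.compile(r"^(\S+)\s*=\s*(\S+)$")    # SERVER.REALM = INTERMEDIATE


def parse_capaths(text):
    """Return (blocks, duplicates) for the [capaths] section of text.

    blocks: list of (client_realm, {server_realm: [intermediate, ...]}) in
            file order, one entry per '{ ... }' block, so repeats survive.
    duplicates: dict of client realms that open more than one block -> count.
    """
    blocks = []
    current = None          # (client_realm, servers) while inside a block
    in_capaths = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):                  # section header
            in_capaths = line == "[capaths]"
            continue
        if not in_capaths:
            continue
        m = _OPEN.match(line)
        if m:
            current = (m.group(1), defaultdict(list))
            continue
        if line == "}":
            if current is not None:
                blocks.append((current[0], dict(current[1])))
            current = None
            continue
        m = _RELATION.match(line)
        if m and current is not None:
            current[1][m.group(1)].append(m.group(2))
    counts = Counter(client for client, _ in blocks)
    duplicates = {c: n for c, n in counts.items() if n > 1}
    return blocks, duplicates


def merge_blocks(blocks):
    """Fold repeated blocks for one client realm into a single mapping."""
    merged = defaultdict(dict)
    for client, servers in blocks:
        for server, hops in servers.items():
            merged[client].setdefault(server, []).extend(hops)
    return dict(merged)


def render_capaths(merged):
    """Emit one [capaths] block per client realm in krb5.conf syntax."""
    out = ["[capaths]"]
    for client in sorted(merged):
        out.append(f"{client} = {{")
        for server in sorted(merged[client]):
            for hop in merged[client][server]:
                out.append(f"   {server} = {hop}")
        out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    blocks, dups = parse_capaths(SNIPPET)
    for client, n in dups.items():
        print(f"{client} opens {n} separate [capaths] blocks")
    print(render_capaths(merge_blocks(blocks)))
```

Point the script at /var/lib/sss/pubconf/krb5.include.d/domain_realm_* (read the file into `text` instead of using SNIPPET) to check what the running SSSD generated; an empty `duplicates` dict means every client realm is listed once.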







