[Freeipa-users] Client Auth Failing - Ubuntu 15.10

Jester jester2.0 at gmail.com
Tue Feb 23 18:32:11 UTC 2016


New IPA install of Fedora 23 with FreeIPA 4.2.3.  Client is Ubuntu
Desktop 15.10 (nuc) with IPA client 4.1.4.

ipa-client-install was successful.  Host object created, DNS updated, etc.

I am not able to log into the Ubuntu client with any user aside from
Admin.  I get inconsistent password prompting behavior.  It doesn't
always prompt.  Most of the time, it just gives the "client not found"
message.  kinit works with all users on the IPA server directly.

root@nuc0:/var/lib/sss# kinit admin
Password for admin@MRJESTER.NET:
root@nuc0:/var/lib/sss# kinit jon
kinit: Client 'jon@MRJESTER.NET' not found in Kerberos database while getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
Password for jon-test@MRJESTER.NET:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password change failed while getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
kinit: Client 'jon-test@MRJESTER.NET' not found in Kerberos database while getting initial credentials
root@nuc0:/var/lib/sss#

I am able to do GSSAPI auth from the client.

/usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b
"dc=mrjester,dc=net" cn

Various messages I see that stand out as possibly related (SSSD
debug level 8):

[parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!


[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child
responded: 14 [Decrypt integrity check failed], expired on [0]


[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a
TGT: ret [1432158219](Authentication Failed)
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port
389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port
389 of duplicate server 'dir0.mrjester.net' as 'not working'


[sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a
sysbus message, quit
[sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request
for [0x1001][1][name=*]
[sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing
request domain from [mrjester.net] to [mrjester.net]
[sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
(0x0080): Could not parse domain SID from [(null)]
[sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400):
Searching for users with base [cn=accounts,dc=mrjester,dc=net]
[sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mrjester,dc=net].
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [objectClass]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uid]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [userPassword]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gecos]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [homeDirectory]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginShell]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbPrincipalName]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [cn]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [memberOf]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaUniqueID]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaNTSecurityIdentifier]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [modifyTimestamp]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [entryUSN]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowLastChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowMin]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowMax]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowWarning]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowInactive]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowExpire]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowFlag]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbLastPwdChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbPasswordExpiration]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [pwdAttribute]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [authorizedService]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [accountExpires]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [userAccountControl]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [nsAccountLock]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [host]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginDisabled]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginExpirationTime]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginAllowedTimeMap]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaSshPubKey]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaUserAuthType]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x2000):
ldap_search_ext called, msgid = 12
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
sh[0x1b6d100], connected[1], ops[0x1b6e810], ldap[0x1b7a970]
[sssd[be[mrjester.net]]] [sdap_get_generic_op_finished] (0x0400):
Search result: Success(0), no errmsg set
[sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search
for users, returned 0 results.
[sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to
retrieve users
[sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
[sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): Search groups
with filter: (&(objectclass=group)(ghost=\2a))
[sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): No such entry
[sssd[be[mrjester.net]]] [sysdb_delete_user] (0x0400): Error: 2 (No
such file or directory)
[sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
[sssd[be[mrjester.net]]] [ipa_id_get_account_info_orig_done] (0x0080):
Object not found, ending request
[sssd[be[mrjester.net]]] [acctinfo_callback] (0x0100): Request
processed. Returned 3,0,Account info lookup failed
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
sh[0x1b6d100], connected[1], ops[(nil)], ldap[0x1b7a970]
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
ldap_result found nothing!



What additional information can I provide, or what can I try?

Thanks
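
An added example, not part of the original post: one way to triage an SSSD debug log like the one quoted above, by rejoining the records the mail client wrapped and keeping only those at or below a chosen bitmask level. The function names, the default threshold and the sample (a few lines copied from the post, wrapping included) are assumptions made for illustration.

```python
import re

# Constructed sample: records copied from the post, still wrapped as in the e-mail.
SAMPLE = """\
[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
(0x0080): Could not parse domain SID from [(null)]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uid]
[sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to
retrieve users
[sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
ldap_result found nothing!
"""

# A record starts with the "[sssd[...]]" process tag or directly with "[function] (0x".
START = re.compile(r"^\[sssd\[|^\[\w+\] \(0x")
RECORD = re.compile(r"^(?:\[sssd\S*\] )?\[(?P<func>\w+)\] "
                    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")


def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records


def failures(text, max_level=0x0100):
    """Return (level, function, message) for records at or below max_level.

    SSSD levels are a bitmask where lower values are more severe
    (0x0010 fatal ... 0x0080 minor failure, 0x1000 and up are tracing).
    The default includes 0x0100 because the TGT failure in this log is
    reported at that level, not at a failure level.
    """
    hits = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m and int(m.group("level"), 16) <= max_level:
            hits.append((int(m.group("level"), 16), m.group("func"), m.group("msg")))
    return hits


if __name__ == "__main__":
    for level, func, msg in failures(SAMPLE):
        print(f"{level:#06x} {func}: {msg}")
```

Lowering `max_level` to 0x0080 drops the `sdap_kinit_done` record, so a filter limited to the failure levels would hide the TGT error in this log.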



