[Freeipa-users] Client Auth Failing - Ubuntu 15.10

Jakub Hrozek jhrozek at redhat.com
Tue Feb 23 19:54:53 UTC 2016


On Tue, Feb 23, 2016 at 01:32:11PM -0500, Jester wrote:
> New IPA install of Fedora 23 with FreeIPA 4.2.3.  Client is Ubuntu
> Desktop 15.10 (nuc) with IPA client 4.1.4.
> 
> ipa-client-install was successful.  Host object created, DNS updated, etc.
> 
> I am not able to log into the Ubuntu client with any user aside from
> Admin.  I get inconsistent password prompting behavior.  It doesn't
> always prompt.  Most of the time, it just gives the client not found
> message.   kinit works with all users on the IPA server directly.
> 
> root at nuc0:/var/lib/sss# kinit admin
> Password for admin at MRJESTER.NET:
> root at nuc0:/var/lib/sss# kinit jon
> kinit: Client 'jon at MRJESTER.NET' not found in Kerberos database while
> getting initial credentials
> root at nuc0:/var/lib/sss# kinit jon-test
> Password for jon-test at MRJESTER.NET:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password change failed while getting initial credentials
> root at nuc0:/var/lib/sss# kinit jon-test
> kinit: Client 'jon-test at MRJESTER.NET' not found in Kerberos database
> while getting initial credentials
> root at nuc0:/var/lib/sss#
> 
> I am able to do GSSAPI auth from the client.
> 
> /usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b
> "dc=mrjester,dc=net" cn
> 
> Some various messages I see that stand out as possibly related. SSSD
> debug level 8
> 
> [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
> 
> 
> [sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child
> responded: 14 [Decrypt integrity check failed], expired on [0]

Please look into ldap_child with high debug level, it looks like sssd
has some issues authenticating to the directory.

> 
> 
> [sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
> TGT: 14 [Bad address]
> [sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a
> TGT: ret [1432158219](Authentication Failed)
> [sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port
> 389 of server 'dir0.mrjester.net' as 'not working'
> [sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port
> 389 of duplicate server 'dir0.mrjester.net' as 'not working'
> 
> 
> [sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a
> sysbus message, quit
> [sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request
> for [0x1001][1][name=*]
> [sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing
> request domain from [mrjester.net] to [mrjester.net]
> [sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
> (0x0080): Could not parse domain SID from [(null)]
> [sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400):
> Searching for users with base [cn=accounts,dc=mrjester,dc=net]
> [sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling
> ldap_search_ext with
> [(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=mrjester,dc=net].

Do you use enumerate=true?

> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [objectClass]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [uid]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [userPassword]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [uidNumber]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [gidNumber]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [gecos]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [homeDirectory]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginShell]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [krbPrincipalName]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [cn]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [memberOf]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaUniqueID]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaNTSecurityIdentifier]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [modifyTimestamp]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [entryUSN]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowLastChange]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowMin]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowMax]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowWarning]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowInactive]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowExpire]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowFlag]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [krbLastPwdChange]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [krbPasswordExpiration]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [pwdAttribute]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [authorizedService]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [accountExpires]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [userAccountControl]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [nsAccountLock]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [host]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginDisabled]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginExpirationTime]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginAllowedTimeMap]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaSshPubKey]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaUserAuthType]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x2000):
> ldap_search_ext called, msgid = 12
> [sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
> sh[0x1b6d100], connected[1], ops[0x1b6e810], ldap[0x1b7a970]
> [sssd[be[mrjester.net]]] [sdap_get_generic_op_finished] (0x0400):
> Search result: Success(0), no errmsg set
> [sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search
> for users, returned 0 results.
> [sssd[be[mrjester.net]]] [sdap_get_users_done] (0x0040): Failed to
> retrieve users
> [sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
> [sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): Search groups
> with filter: (&(objectclass=group)(ghost=\2a))
> [sssd[be[mrjester.net]]] [sysdb_search_groups] (0x2000): No such entry
> [sssd[be[mrjester.net]]] [sysdb_delete_user] (0x0400): Error: 2 (No
> such file or directory)
> [sssd[be[mrjester.net]]] [sysdb_search_by_name] (0x0400): No such entry
> [sssd[be[mrjester.net]]] [ipa_id_get_account_info_orig_done] (0x0080):
> Object not found, ending request
> [sssd[be[mrjester.net]]] [acctinfo_callback] (0x0100): Request
> processed. Returned 3,0,Account info lookup failed
> [sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
> sh[0x1b6d100], connected[1], ops[(nil)], ldap[0x1b7a970]
> [sssd[be[mrjester.net]]] [sdap_process_result] (0x2000): Trace:
> ldap_result found nothing!
> 
> 
> 
> What additional information can I provide or things I can try?
> 
> Thanks
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
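As an added example (not code from the thread or from SSSD itself), a small Python triage helper that parses backend debug lines of the shape quoted above, pulls out the krb5 error reported by ldap_child, the TGT failures and the servers marked 'not working', and checks a domain section of sssd.conf for the enumerate setting Jakub asks about. The sample log and config fragment are constructed from the values in the thread.

```python
"""Triage SSSD backend debug logs and sssd.conf (added example, not code from the thread)."""
import re
from configparser import ConfigParser
# Constructed from the log lines quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Decrypt integrity check failed], expired on [0]
[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
"""
# Constructed sssd.conf fragment; domain and server name mirror the thread.
SAMPLE_CONF = "[domain/mrjester.net]\nid_provider = ipa\nipa_server = dir0.mrjester.net\nenumerate = True\n"
# One backend line looks like: [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
PORT_RE = re.compile(r"Marking port (\d+) of (?:duplicate )?server '([^']+)' as 'not working'")
CHILD_RE = re.compile(r"Child responded: (\d+) \[([^\]]+)\]")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)  # debug-level bitmask as an integer
    return rec

def triage_log(text):
    """Count the ldap_child krb5 errors, TGT failures, servers marked down and empty user searches."""
    report = {"child_errors": [], "tgt_failures": 0, "servers_down": set(), "empty_searches": 0}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a backend log line
        msg = rec["msg"]
        if (m := CHILD_RE.search(msg)) and m.group(1) != "0":  # krb5 error from ldap_child
            report["child_errors"].append((int(m.group(1)), m.group(2)))
        if "TGT" in msg and ("Could not" in msg or "Cannot" in msg):
            report["tgt_failures"] += 1
        if m := PORT_RE.search(msg):
            report["servers_down"].add((m.group(2), int(m.group(1))))
        if "returned 0 results" in msg:
            report["empty_searches"] += 1
    return report

def enumerate_enabled(conf_text, domain):
    """Answer 'Do you use enumerate=true?' for one domain section of sssd.conf."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean(f"domain/{domain}", "enumerate", fallback=False)
```

A non-zero code in `child_errors` alongside a server marked 'not working' is the pattern to look for in the ldap_child log Jakub asks for.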