[Freeipa-users] pam_winbind(sshd:auth): pam_get_item returned a password

Sumit Bose sbose at redhat.com
Wed Nov 16 12:01:59 UTC 2016


On Wed, Nov 16, 2016 at 12:49:59PM +0100, rajat gupta wrote:
> I am using FreeIPA  version 4.4.0 Active Directory trust setup. And on
> Active Directory side I am using UPN suffix.
> Following are my domain setup.
> 
> AD DOMAIN :- corp.addomain.com
> UPN suffix :- username at mydomain.com
> IPA DOMAIN :- ipa.ipadomain.local
> IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local

When you call 'ipa trust-find' on the IPA server do you see the
mydomain.com UPN suffix listed, like e.g.:

# ipa trust-find
---------------
1 trust matched
---------------
  Realm-Name: ad.devel
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3692237560-1981608775-3610128199
  Trust type: Active Directory domain
  UPN suffixes: alt.alt, alt.upn.suffix

SSSD 1.14 and above on the IPA client should enable enterprise principal
support automatically if UPN suffixes are found on the server but according to 

(0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [Rajat.Gupta at MYDOMAIN.COM]

it is not. If the UPN suffixes are not known on the server, calling 'ipa
trust-fetch-domains' might help to get them. If there are still no UPN suffixes
available on the server you can switch on enterprise principal on the client
manually by adding 'krb5_use_enterprise_principal = True' in the [domain/...]
section of sssd.conf. You have to set it manually as well if you are using
older versions of SSSD.

HTH

bye,
Sumit

> 
> 
> I am able to login with AD user on IPA server. But on IPA client I am not
> able to login, I am getting the login message "Access denied". I have
> enabled the debug_level on sssd.conf on ipa client.
> 
> below are some logs..
> ================
> /var/log/secure
> 
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for
> user e600336: 6 (Permission denied)
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting
> password (0x00000010)
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal
> module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989')
> Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for e600336 from
> x.x.x.x. port 48842 ssh2
> ================
> 
> ================
> krb5_child.log
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400):
> krb5_child completed successfully
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer]
> (0x1000): total buffer size: [159]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
> enterprise principal [false] offline [false] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer]
> (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
> [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds]
> (0x0200): Switch user to [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [k5c_check_old_ccache] (0x4000): Ccache_file is
> [KEYRING:persistent:1007656917] and is not active and TGT is  valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal
> host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL in keytab.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal]
> (0x1000): Principal matched to the sample
> (host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL).
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): Will
> perform online auth
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [MYDOMAIN.COM]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting
> initial credentials for Rajat.Gupta at MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418698: Retrieving
> host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
> \@MYDOMAIN.COM at X-CACHECONF: from
> MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
> -1765328243/Matching credential not found
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418756: Sending
> request (164 bytes) to MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419718: Retrying AS
> request with master KDC
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419752: Getting
> initial credentials for Rajat.Gupta at MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419778: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419821: Retrieving
> host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
> \@MYDOMAIN.COM at X-CACHECONF: from
> MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
> -1765328243/Matching credential not found
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419859: Sending
> request (164 bytes) to MYDOMAIN.COM (master)
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt]
> (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [map_krb5_error]
> (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data]
> (0x0200): Received error code 1432158228
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]]
> [pack_response_packet] (0x2000): response packet size: [4]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400):
> krb5_child completed successfully
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer]
> (0x1000): total buffer size: [159]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
> enterprise principal [false] offline [false] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer]
> (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
> [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds]
> (0x0200): Switch user to [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [k5c_check_old_ccache] (0x4000): Ccache_file is
> [KEYRING:persistent:1007656917] and is not active and TGT is  valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal
> host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL in keytab.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [match_principal]
> (0x1000): Principal matched to the sample
> (host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL).
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): Will
> perform online auth
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [MYDOMAIN.COM]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.426870: Getting
> initial credentials for Rajat.Gupta at MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428706: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428762: Retrieving
> host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
> \@MYDOMAIN.COM at X-CACHECONF: from
> MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
> -1765328243/Matching credential not found
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428825: Sending
> request (164 bytes) to MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429706: Retrying AS
> request with master KDC
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429740: Getting
> initial credentials for Rajat.Gupta at MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429767: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429812: Retrieving
> host/ipa-clinet1.ipa.ipadomain.local at IPA.IPADOMAIN.LOCAL ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MYDOMAIN.COM
> \@MYDOMAIN.COM at X-CACHECONF: from
> MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result:
> -1765328243/Matching credential not found
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429854: Sending
> request (164 bytes) to MYDOMAIN.COM (master)
> 
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt]
> (0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [map_krb5_error]
> (0x0020): 1365: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data]
> (0x0200): Received error code 1432158228
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]]
> [pack_response_packet] (0x2000): response packet size: [4]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400):
> krb5_child completed successfully
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer]
> (0x1000): total buffer size: [159]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
> enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer]
> (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
> [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds]
> (0x0200): Switch user to [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
> [k5c_check_old_ccache] (0x4000): Ccache_file is
> [KEYRING:persistent:1007656917] and is not active and TGT is  valid.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user]
> (0x0200): Already user [1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_setup] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): Will
> perform offline auth
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [create_empty_ccache]
> (0x1000): Existing ccache still valid, reusing
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data]
> (0x0200): Received error code 0
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]]
> [pack_response_packet] (0x2000): response packet size: [53]
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400):
> krb5_child completed successfully
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer]
> (0x1000): total buffer size: [52]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer]
> (0x0100): cmd [249] uid [1007656917] gid [1007656917] validate [true]
> enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user]
> (0x0200): Already user [1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_setup] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): Will
> perform pre-auth
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [MYDOMAIN.COM]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.766694: Getting
> initial credentials for Rajat.Gupta at MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.769074: Sending
> request (164 bytes) to MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770020: Retrying AS
> request with master KDC
> 
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770051: Getting
> initial credentials for Rajat.Gupta at MYDOMAIN.COM
> 
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770091: Sending
> request (164 bytes) to MYDOMAIN.COM (master)
> 
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt]
> (0x0400): krb5_get_init_creds_password returned [-1765328230} during
> pre-auth.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data]
> (0x0200): Received error code 0
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]]
> [pack_response_packet] (0x2000): response packet size: [4]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400):
> krb5_child completed successfully
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer]
> (0x1000): total buffer size: [160]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true]
> enterprise principal [false] offline [true] UPN [Rajat.Gupta at MYDOMAIN.COM]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer]
> (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname:
> [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds]
> (0x0200): Switch user to [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
> [k5c_check_old_ccache] (0x4000): Ccache_file is
> [KEYRING:persistent:1007656917] and is not active and TGT is  valid.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user]
> (0x0200): Trying to become user [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user]
> (0x0200): Already user [1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_setup] (0x2000):
> Running as [1007656917][1007656917].
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): Will
> perform offline auth
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [create_empty_ccache]
> (0x1000): Existing ccache still valid, reusing
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data]
> (0x0200): Received error code 0
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]]
> [pack_response_packet] (0x2000): response packet size: [53]
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400):
> krb5_child completed successfully
> 
> =======================
> Can you please help me to fix this,


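The check described in the reply above (a krb5_child request logged with enterprise principal [false] that then fails with "Cannot find KDC for realm" for the UPN suffix) can be run over a whole krb5_child.log. This is an added example, not part of the original message and not SSSD code; the sample log is constructed from the lines quoted in this thread, pid 5001 is invented for contrast, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the krb5_child.log lines quoted in this thread.
# The failing [get_and_save_tgt] record is wrapped on purpose, as mail clients do.
SAMPLE_LOG = """\
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [Rajat.Gupta@MYDOMAIN.COM]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MYDOMAIN.COM]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt]
(0x0020): 1296: [-1765328230][Cannot find KDC for realm "MYDOMAIN.COM"]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [Rajat.Gupta@MYDOMAIN.COM]
(Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): Will perform offline auth
(Wed Nov 16 09:10:02 2016) [[sssd[krb5_child[5001]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [true] offline [false] UPN [Rajat.Gupta@MYDOMAIN.COM]
"""

# A record starts with a ctime-style timestamp in parentheses.
RECORD_START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) ")
HEADER = re.compile(
    r"\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)"
)
# List archives rewrite "@" as " at ", so both spellings are accepted.
REQUEST = re.compile(
    r"enterprise principal \[(?P<ent>true|false)\] offline \[(?:true|false)\] "
    r"UPN \[[^\]@ ]+(?:@| at )(?P<realm>[^\]]+)\]"
)
NO_KDC = re.compile(r'Cannot find KDC for realm "(?P<realm>[^"]+)"')


def join_records(text):
    """Rebuild one-line records from text that may be '>'-quoted and wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:> ?)+", "", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line  # continuation of a wrapped record
    return records


def triage(text):
    """Return (pid, realm) for each krb5_child run that sent an AS request
    without enterprise principal and could not find a KDC for the UPN realm."""
    requests = {}
    failed = defaultdict(set)
    for record in join_records(text):
        header = HEADER.search(record)
        if not header:
            continue
        pid = int(header["pid"])
        req = REQUEST.search(header["msg"])
        if req:
            requests[pid] = (req["ent"] == "true", req["realm"].upper())
        err = NO_KDC.search(header["msg"])
        if err:
            failed[pid].add(err["realm"].upper())
    return [(pid, realm) for pid, (ent, realm) in sorted(requests.items())
            if not ent and realm in failed[pid]]


if __name__ == "__main__":
    for pid, realm in triage(SAMPLE_LOG):
        print(f"krb5_child[{pid}]: AS request for UPN suffix realm {realm} sent without "
              "enterprise principal; check 'UPN suffixes' in 'ipa trust-find' or set "
              "krb5_use_enterprise_principal = True in the [domain/...] section")
```
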


