[Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

Sumit Bose sbose at redhat.com
Wed Nov 16 14:24:50 UTC 2016


On Wed, Nov 16, 2016 at 02:31:52PM +0100, rajat gupta wrote:
> Thanks, it is working for a few users but not for everyone. I have cleared
> the sssd cache as well.
> =====================
> /var/log/secure
> 
> Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.213.0.134
> user=kb1980
> Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_sss(sshd:auth): received for
> user kb1980: 6 (Permission denied)
> Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_winbind(sshd:auth): getting
> password (0x00000010)
> Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Nov 16 14:06:39 ipa-clinet1 sshd[6852]: pam_winbind(sshd:auth): internal
> module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'kb1980')
> Nov 16 14:06:39 ipa-clinet1 sshd[6852]: Failed password for kb1980 from
> 146.213.0.134 port 51114 ssh2
> Nov 16 14:06:48 ipa-clinet1 sshd[6852]: Connection closed by 146.213.0.134
> [preauth]
> Nov 16 14:07:07 ipa-clinet1 sshd[3677]: pam_unix(sshd:session): session
> closed for user kb1980
> 
> ========================
> krb5_child.log
> 
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [unpack_buffer]
> (0x1000): total buffer size: [54]
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [unpack_buffer]
> (0x0100): cmd [249] uid [1007628631] gid [1007628631] validate [true]
> enterprise principal [false] offline [true] UPN [karan.b at MYDOMAIN COM]
...
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6880]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6880]]]] [unpack_buffer]
> (0x1000): total buffer size: [159]
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6880]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007628631] gid [1007628631] validate [true]
> enterprise principal [false] offline [true] UPN [karan.b at MYDOMAIN COM]
...
> (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [unpack_buffer]
> (0x1000): total buffer size: [54]
> (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6881]]]] [unpack_buffer]
> (0x0100): cmd [249] uid [1007628631] gid [1007628631] validate [true]
> enterprise principal [false] offline [true] UPN [karan.b at MYDOMAIN COM]
...
> (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [main] (0x0400):
> krb5_child started.
> (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [unpack_buffer]
> (0x1000): total buffer size: [159]
> (Wed Nov 16 14:06:39 2016) [[sssd[krb5_child[6882]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007628631] gid [1007628631] validate [true]
> enterprise principal [false] offline [true] UPN [karan.b at MYDOMAIN COM]

As you can see, all attempts were done while SSSD is offline ("offline
[true]") and enterprise principal is still set to 'false', so it is
expected that authentication fails as long as there are no cached
credentials, i.e. the user once authenticated successfully and
'cache_credentials = True' is set in sssd.conf.

Please check in the domain log why SSSD is offline and make sure
enterprise principal is set to 'True' as described in my last email.

HTH

bye,
Sumit
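
The check described in the reply above, as an added example that is not part of the original thread: a Python script that unwraps mail-quoted krb5_child.log entries and reports, per request, whether SSSD was offline and whether enterprise principal was false. The sample log, users, realm and IDs are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: two entries wrapped and ">"-quoted as in the mail above,
# one unwrapped as SSSD writes it. Users, realm and IDs are placeholders.
SAMPLE_LOG = """\
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [unpack_buffer]
> (0x1000): total buffer size: [54]
> (Wed Nov 16 14:06:33 2016) [[sssd[krb5_child[6879]]]] [unpack_buffer]
> (0x0100): cmd [249] uid [1000] gid [1000] validate [true]
> enterprise principal [false] offline [true] UPN [user1@EXAMPLE.TEST]
(Wed Nov 16 14:09:10 2016) [[sssd[krb5_child[6901]]]] [unpack_buffer] (0x0100): cmd [241] uid [1001] gid [1001] validate [true] enterprise principal [true] offline [false] UPN [user2@EXAMPLE.TEST]
"""

# An entry starts with a ctime-style timestamp, not just "(" (wrapped lines may start with "(0x...)").
ENTRY_START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) ")
REQUEST = re.compile(r"\[krb5_child\[(\d+)\]\]\]\] \[unpack_buffer\] \(0x[0-9a-f]+\): (cmd \[.*)")
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?) \[([^\]]*)\]")

def unwrap(text):
    """Strip mail quoting and rejoin entries that were wrapped across lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def triage(text):
    """Return one record per krb5_child request, with the conditions to check."""
    records = []
    for entry in unwrap(text):
        m = REQUEST.search(entry)
        if not m:
            continue
        fields = dict(FIELD.findall(m.group(2)))
        findings = []
        if fields.get("offline") == "true":
            findings.append("SSSD offline: only cached credentials can succeed")
        if fields.get("enterprise principal") == "false":
            findings.append("enterprise principal is false")
        records.append({"pid": int(m.group(1)), "upn": fields.get("UPN"), "findings": findings})
    return records

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["pid"], rec["upn"], "; ".join(rec["findings"]) or "no findings")
```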



