[Freeipa-users] Password-based authentication with AD users does not work

Ronald Wimmer ronaldw at ronzo.at
Thu Apr 6 10:10:29 UTC 2017


Hi,

When I try to log in to an IPA client with my AD user, it works perfectly 
when I already have a Kerberos ticket for my user. When I do not and I 
try a password-based login, it fails:

Password-based:
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_check_user_search] (0x0400): 
Returning info for user [myuser at xyz.mydomain.at@xyz.mydomain.at]
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): 
User's primary name is myuser at xyz.mydomain.at
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): 
Sending request with the following data:
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): 
command: SSS_PAM_PREAUTH
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): 
domain: XYZ
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
myuser at xyz.mydomain.at
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): 
service: sshd
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
not set
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
chupacabra.ipa.mydomain.at
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 0
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 31816
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: myuser
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 
0x7f4c122ed450
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
pam_dp_send_req returned 0
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 
0x7f4c122ed450
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus 
conn: 0x7f4c122e59c0
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_dispatch] (0x4000): 
Dispatching.
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [4 (System error)][XYZ]
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [4]: System error.
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle 
timer re-set for client [0x7f4c122f4640][21]

When I have a Kerberos ticket:
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_check_user_search] (0x0400): 
Returning info for user [myuser at xyz.mydomain.at@xyz.mydomain.at]
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): 
User's primary name is myuser at xyz.mydomain.at
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): 
Sending request with the following data:
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): 
command: SSS_PAM_OPEN_SESSION
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): 
domain: XYZ
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): user: 
myuser at xyz.mydomain.at
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): 
service: sshd
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
not set
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
chupacabra.ipa.mydomain.at
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 0
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 31841
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: myuser
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 
0x7f4c122ec4a0
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
pam_dp_send_req returned 0
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 
0x7f4c122ec4a0
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus 
conn: 0x7f4c122e59c0
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_dispatch] (0x4000): 
Dispatching.
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [0 (Success)][XYZ]
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [0]: Success.
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle 
timer re-set for client [0x7f4c122f4640][21]

My question is why?

Regards,
Ronald
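
An added example, not part of the original message: a Python sketch that rejoins the mail-wrapped SSSD PAM responder lines and pairs each request's command with the reply the responder received, so the two traces above can be compared directly. The sample lines are excerpted from the post; the function names are hypothetical.

```python
import re

# Constructed sample: lines excerpted from the two traces in the post,
# with the mail client's hard wraps left in place.
SAMPLE = """\
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_PREAUTH
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 31816
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [4 (System error)][XYZ]
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_OPEN_SESSION
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 31841
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [0 (Success)][XYZ]
"""

ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[(?P<func>\w+)\] "
                   r"\(0x[0-9a-f]+\): ?(?P<msg>.*)$")
REPLY = re.compile(r"received: \[(\d+) \(([^)]*)\)\]\[([^\]]*)\]")

def unwrap(text):
    """Rejoin wrapped lines; a new entry always starts with '(timestamp)'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m["ts"], m["func"], m["msg"].strip()])
        elif entries and line.strip():
            entries[-1][2] = " ".join((entries[-1][2] + " " + line).split())
    return entries

def requests(text):
    """Return one dict per PAM request: printed fields plus the reply code."""
    out, cur = [], {}
    for ts, func, msg in unwrap(text):
        if func == "pam_print_data":
            key, _, value = msg.partition(": ")
            if key == "command":
                cur = {"time": ts}  # 'command' is the first field printed
            cur[key] = value
        elif func == "pam_dp_process_reply" and (m := REPLY.search(msg)):
            cur.update(code=int(m.group(1)), status=m.group(2))
            out.append(cur)
            cur = {}
    return out

if __name__ == "__main__":
    for r in requests(SAMPLE):
        print(r["time"], r["command"], r["cli_pid"], r["code"], r["status"])
```

Run over the traces in the post, this shows that the failing request is `SSS_PAM_PREAUTH` and the successful one is `SSS_PAM_OPEN_SESSION`, so the two logs record different PAM stages rather than the same stage with different outcomes.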



