[Freeipa-users] Password-based authentication with AD users does not work

Sumit Bose sbose at redhat.com
Thu Apr 6 09:21:22 UTC 2017


On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
> Hi,
> 
> when I try to login to an IPA client with my AD user it works perfectly when
> I already have a kerberos ticket for my user. When I do not and I try a
> password-based login it fails:

Please send the sssd_domain.log and krb5_child.log from the same time as
well.

bye,
Sumit

> 
> Password-based:
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
> Returning info for user [myuser at xyz.mydomain.at@xyz.mydomain.at]
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pd_set_primary_name] (0x0400):
> User's primary name is myuser at xyz.mydomain.at
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> request with the following data:
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
> SSS_PAM_PREAUTH
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): domain:
> XYZ
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
> myuser at xyz.mydomain.at
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): service:
> sshd
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not
> set
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> chupacabra.ipa.mydomain.at
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
> type: 0
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> 31816
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: myuser
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_add_timeout] (0x2000):
> 0x7f4c122ed450
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000):
> 0x7f4c122ed450
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
> 0x7f4c122e59c0
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> received: [4 (System error)][XYZ]
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [4]: System error.
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
> (Thu Apr  6 10:39:12 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0x7f4c122f4640][21]
> 
> When I have a Kerberos ticket:
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
> Returning info for user [myuser at xyz.mydomain.at@xyz.mydomain.at]
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pd_set_primary_name] (0x0400):
> User's primary name is myuser at xyz.mydomain.at
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
> request with the following data:
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): command:
> SSS_PAM_OPEN_SESSION
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): domain:
> XYZ
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): user:
> myuser at xyz.mydomain.at
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): service:
> sshd
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not
> set
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> chupacabra.ipa.mydomain.at
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
> type: 0
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> 31841
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: myuser
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_add_timeout] (0x2000):
> 0x7f4c122ec4a0
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000):
> 0x7f4c122ec4a0
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
> 0x7f4c122e59c0
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
> received: [0 (Success)][XYZ]
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0]: Success.
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
> (Thu Apr  6 10:41:00 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle
> timer re-set for client [0x7f4c122f4640][21]
> 
> My question is why?
> 
> Regards,
> Ronald
> 

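Added example, not part of the original thread: a small Python parser that pairs each request in the sssd PAM responder log with the `pam_reply` result that follows it, which makes the difference between the two excerpts (the `SSS_PAM_PREAUTH` request returns 4, the `SSS_PAM_OPEN_SESSION` request returns 0) visible at a glance. The sample lines are constructed from the excerpts above and unwrapped to one entry per line; sequential pairing is an assumption that holds for these excerpts, not for a busy responder with interleaved requests.

```python
import re

# Constructed sample modelled on the two excerpts in the post, with the
# e-mail line wrapping undone (one log entry per line).
SAMPLE_LOG = """\
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 31816
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Thu Apr  6 10:39:12 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 31841
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Thu Apr  6 10:41:00 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 20
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
FIELD = re.compile(r"^(command|domain|service|cli_pid): (.+)$")
RESULT = re.compile(r"^pam_reply called with result \[(\d+)\]: (.+?)\.?$")

def summarize(log_text):
    """Return one dict per PAM request: its fields plus the reply result."""
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line, ignore
        func, msg = m["func"], m["msg"]
        if func == "pam_dp_send_req":
            current = {"time": m["ts"]}  # a new request starts here
        elif func == "pam_print_data" and current is not None:
            f = FIELD.match(msg)
            if f:
                current[f[1]] = f[2]
        elif func == "pam_reply" and current is not None:
            r = RESULT.match(msg)
            if r:  # the "blen:" line is also logged by pam_reply; skip it
                current["result"], current["text"] = int(r[1]), r[2]
                requests.append(current)
                current = None
    return requests

def failed(requests):
    """Requests whose PAM result code is non-zero."""
    return [r for r in requests if r["result"] != 0]
```

The responder log only records that the backend answered with an error for the pre-auth request; the reason is logged by the domain backend and `krb5_child`, which is why those logs are requested in the reply.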