[Freeipa-users] sssd, krb5_child.log: Received error code 1432158221

Harald Dunkel harald.dunkel at aixigo.de
Mon Apr 24 12:24:34 UTC 2017


Hi folks,

some colleagues have to enter their password 3 times (or even
more) to authenticate. krb5_child.log shows

(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0

sssd_pam.log:

(Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:22 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:30 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:35 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sysdb_set_entry_attr] (0x0200): Entry [name=juppschmitz at example.com,cn=users,cn=example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 73
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr  3 10:45:39 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!


Did they enter just a bad password? What can I do to make authentication
more reliable?

sssd version is 1.15.0-3, backported from Debian Testing
to Jessie.

Every helpful hint is highly appreciated.
Harri
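
Added example (not part of the original post, and not SSSD code): a small triage script that groups krb5_child.log lines by child PID and reports, per UID, how many failed attempts preceded each success and which Kerberos reason map_krb5_error logged for them. The sample is abridged from the excerpt above; the function names and the assumption that PIDs are not reused within the excerpt belong to this example.

```python
import re

# Constructed sample: lines abridged from the krb5_child.log excerpt in the post.
SAMPLE = """\
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                  r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
FIELDS = {  # log function -> pattern for the values worth keeping
    "become_user": re.compile(r"become user \[(\d+)\]"),
    "map_krb5_error": re.compile(r"\[(-?\d+)\]\[([^\]]*)\]"),
    "k5c_send_data": re.compile(r"Received error code (\d+)"),
}

def attempts(log_text):
    """One dict per krb5_child PID, in log order (assumes PIDs are not reused)."""
    out = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        pat = FIELDS.get(m["func"]) if m else None
        hit = pat.search(m["msg"]) if pat else None
        if hit:
            out.setdefault(m["pid"], {"time": m["ts"]})[m["func"]] = hit.groups()
    return list(out.values())

def failures_before_success(atts):
    """Per UID: how many failed attempts preceded each success, and why."""
    streak, report = {}, []
    for a in atts:
        if "k5c_send_data" not in a or "become_user" not in a:
            continue  # incomplete attempt (log truncated or rotated)
        uid, code = int(a["become_user"][0]), int(a["k5c_send_data"][0])
        if code == 0:
            reasons = streak.pop(uid, [])
            report.append((uid, len(reasons), sorted(set(reasons))))
        else:
            krb5 = a.get("map_krb5_error", ("?", "code %d" % code))
            streak.setdefault(uid, []).append(krb5[1])
    return report

if __name__ == "__main__":
    print(failures_before_success(attempts(SAMPLE)))
```

The Kerberos code -1765328360 in these lines is KRB5KDC_ERR_PREAUTH_FAILED, which is the error a KDC returns when the pre-authentication data (normally derived from the password) does not verify.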



