[Freeipa-users] sssd, krb5_child.log: Received error code 1432158221

Sumit Bose sbose at redhat.com
Mon Apr 24 13:48:24 UTC 2017


On Mon, Apr 24, 2017 at 02:24:34PM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> some colleagues have to enter their password 3 times (or even
> more) to authenticate. krb5_child.log shows
> 
> (Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [657][100].
> (Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [become_user] (0x0200): Trying to become user [657][100].
> (Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
> (Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
> (Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
> (Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [657][100].
> (Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Mon Apr  3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [become_user] (0x0200): Trying to become user [657][100].
> (Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
> (Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
> (Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): Received error code 1432158221
> (Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [657][100].
> (Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [become_user] (0x0200): Trying to become user [657][100].
> (Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
> (Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
> (Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [k5c_send_data] (0x0200): Received error code 1432158221
> (Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [657][100].
> (Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): Trying to become user [657][100].
> (Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0

Please re-run with a higher log level. E.g. it would be good to know if
all requests were sent to the same KDC or different ones?

If the requests were sent to different KDCs it might be a time skew
issue, although I would expect a different error code here.

Do you have KDC logs for those requests?

bye,
Sumit

> 
> sssd_pam.log:
> 
> (Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
> (Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
> (Mon Apr  3 10:45:20 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
> (Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
> (Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
> (Mon Apr  3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
> (Mon Apr  3 10:45:22 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
> (Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
> (Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
> (Mon Apr  3 10:45:27 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
> (Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
> (Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
> (Mon Apr  3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
> (Mon Apr  3 10:45:30 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
> (Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
> (Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
> (Mon Apr  3 10:45:33 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
> (Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
> (Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
> (Mon Apr  3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
> (Mon Apr  3 10:45:35 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [sysdb_set_entry_attr] (0x0200): Entry [name=juppschmitz at example.com,cn=users,cn=example.com,cn=sysdb] has set [cache, ts_cache] attrs.
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 73
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
> (Mon Apr  3 10:45:39 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
> 
> 
> Did they enter just a bad password? What can I do to make authentication
> more reliable?
> 
> sssd version is 1.15.0-3, backported from Debian Testing
> to Jessie.
> 
> Every helpful hint is highly appreciated
> Harri
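
Added example, not part of the original thread: a small Python parser that groups the quoted krb5_child.log lines by child PID (each PID in the quoted log is one authentication attempt), converts the MIT krb5 error number into its RFC 4120 error code, and counts the failures before the first success. The function names and the short error-name table are assumptions made for this illustration; the sample lines are an excerpt of the log quoted above.

```python
import re

KRB5_TABLE_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5
RFC4120 = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 18: "KDC_ERR_CLIENT_REVOKED",
           23: "KDC_ERR_KEY_EXPIRED", 24: "KDC_ERR_PREAUTH_FAILED",
           37: "KRB_AP_ERR_SKEW"}  # subset of the RFC 4120 error codes
LINE = re.compile(r"\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                  r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)")
KRB_ERR = re.compile(r"\[(-\d+)\]\[([^\]]*)\]")    # e.g. [-1765328360][...]
RESULT = re.compile(r"Received error code (\d+)")  # result krb5_child reports to sssd

# Excerpt of the krb5_child.log lines quoted in the post (not the full log).
SAMPLE = """\
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr  3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr  3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0
""".splitlines()

def attempts(lines):
    """Return one record per krb5_child PID, in order of first appearance."""
    by_pid = {}
    for raw in lines:
        m = LINE.search(raw)  # search() tolerates a leading "> " quote prefix
        if not m:
            continue
        a = by_pid.setdefault(m["pid"], {"pid": int(m["pid"]),
            "time": m["ts"].split()[3], "krb5": None, "sssd": None})
        if (k := KRB_ERR.search(m["msg"])):
            num = int(k[1]) - KRB5_TABLE_BASE  # offset in the krb5 error table
            a["krb5"] = RFC4120.get(num, f"krb5 error {num}")
        elif (r := RESULT.search(m["msg"])):
            a["sssd"] = int(r[1])
    return list(by_pid.values())

def failures_before_success(atts):
    """Number of attempts that precede the first one with sssd result 0."""
    for n, a in enumerate(atts):
        if a["sssd"] == 0:
            return n
    return None  # no successful attempt in the input

if __name__ == "__main__":
    for a in attempts(SAMPLE):
        print(a)
    print("failures before success:", failures_before_success(attempts(SAMPLE)))
```

All three failed attempts decode to KDC_ERR_PREAUTH_FAILED (24), not KRB_AP_ERR_SKEW (37), which is the distinction the reply above draws when it mentions time skew.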
