[Freeipa-users] Malformed representation of principal - krb5_child.log

Sumit Bose sbose at redhat.com
Fri Apr 28 15:13:20 UTC 2017


On Fri, Apr 28, 2017 at 02:54:44PM +0000, Sullivan, Daniel [CRI] wrote:
> Hi,
> 
> I haven’t posted in a while, I hope everybody is doing well.  I have a problem that I am having a difficult time diagnosing.  To start, I want to say that we have a pretty large IPA environment.  It generally works well.  Most of our servers are of the same flavor RHEL6/7, and pull down their sssd/IPA RPMs from a standard repo.  We also deploy sssd/ipa-client from SaltStack, so there’s not much variation on configuration.  I have a client that is being very finicky, I am getting a message that says "Malformed representation of principal" in my krb5_child.log (when trying to log in).  I’m really kind of an ends with the right way to troubleshoot this further.  Here’s what I know:
> 
> 1) I can kinit -k as root
> 2) I can kinit user at domain, even for the user in the sssd logs
> 3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common, sssd, & ipa-client.
> 
> My logs are below.  Would somebody be able to perhaps provide input on the best way to further troubleshoot this issue?
> 
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0400): krb5_child started.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x1000): total buffer size: [174]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal [false] offline [false] UPN [user at domain@DOMAIN]

There was an issue in an older version of SSSD which saved a wrong UPN
in the cache. Please check if the latest version of SSSD for your
platform is installed, stop SSSD, remove the cache file in
/var/lib/sss/db/, start SSSD and try again.

If you do not want to remove the cache completely you can use e.g.
ldbedit to delete the offending entry individually, search for
user at domain@DOMAIN.

HTH

bye,
Sumit

> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x2000): No old ccache
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_339788572_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/server.fqdn at DOMAIN]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/server.fqdn at DOMAIN in keytab.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [match_principal] (0x1000): Principal matched to the sample (host/server.fqdn at DOMAIN).
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [become_user] (0x0200): Trying to become user [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x2000): Running as [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x2000): Running as [339788572][339788572].
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x0020): 2529: [-1765328250][Malformed representation of principal]
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0020): krb5_child_setup failed.
> (Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0020): krb5_child failed!
> 
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [parse_krb5_child_response] (0x0020): message too short.
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue] (0x1000): Wait queue for user [user at domain] is empty.
> (Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done] (0x0040): krb5_auth_recv failed with: 22
> (Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid argument
> 
> I appreciate your help with this.
> 
> Thank you,
> 
> Dan Sullivan
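
Added example, not part of the original thread and not SSSD's own code: a Python check that scans krb5_child.log for the pattern discussed above, a UPN with more than one '@' while enterprise principal is [false], and pairs it with the k5c_setup error logged by the same child PID. It assumes the archive's " at " stands for "@"; the function names are hypothetical, and the sample holds two lines from the log above plus one constructed line.

```python
import re

# krb5_child's unpack_buffer line: child PID, enterprise flag, UPN.
REQ = re.compile(r"krb5_child\[(\d+)\].*\[unpack_buffer\].*"
                 r"enterprise principal \[(true|false)\].*UPN \[([^\]]*)\]")
# k5c_setup failure line: child PID and the krb5 error code.
ERR = re.compile(r"krb5_child\[(\d+)\].*\[k5c_setup\].*"
                 r"\[(-?\d+)\]\[Malformed representation of principal\]")

def realm_separators(upn):
    """Count '@' characters that are not preceded by a backslash escape."""
    upn = upn.replace(" at ", "@")  # assumption: undo the list archive's obfuscation
    return len(re.findall(r"(?<!\\)@", upn))

def find_bad_upns(lines):
    """Return one finding per krb5_child request whose UPN has more than one
    '@' while enterprise principal is false, with the krb5 error if logged."""
    findings = {}
    for line in lines:
        m = REQ.search(line)
        if m:
            pid, enterprise, upn = m.groups()
            if enterprise == "false" and realm_separators(upn) > 1:
                findings[pid] = {"pid": int(pid), "upn": upn, "krb5_error": None}
            continue
        m = ERR.search(line)
        if m and m.group(1) in findings:
            findings[m.group(1)]["krb5_error"] = int(m.group(2))
    return list(findings.values())

# First two lines are from the log in this thread; the third is constructed.
SAMPLE_LOG = """\
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal [false] offline [false] UPN [user at domain@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x0020): 2529: [-1765328250][Malformed representation of principal]
(Thu Apr 27 20:18:01 2017) [[sssd[krb5_child[9001]]]] [unpack_buffer] (0x0100): cmd [241] uid [1000] gid [1000] validate [true] enterprise principal [false] offline [false] UPN [alice@EXAMPLE.TEST]
""".splitlines()

if __name__ == "__main__":
    for f in find_bad_upns(SAMPLE_LOG):
        print(f"pid {f['pid']}: cached UPN [{f['upn']}] has more than one '@' "
              f"(krb5 error {f['krb5_error']}); check the SSSD cache entry")
```

Run against a real krb5_child.log by passing the opened file to find_bad_upns() in place of SAMPLE_LOG.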
