<div dir="ltr"><div>yes the space was indeed the culprit... i cleaned up some and login works fine now.. </div>Thanks !! </div><div class="gmail_extra"> <div class="gmail_quote">On Tue, Mar 15, 2016 at 1:55 PM, Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote: > I set up freeipa in my environment and works perfectly. > > But just on one host , I am not able to authenticate. I get a permission > denied eror. > > The sssd version I have is 1.12 > > the krb5_child log does point to some error, > krb5_child.log > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] > (0x2000): No old ccache > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XXXXXX] old_ccname: [not set] > keytab: [/etc/krb5.keytab] > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] > [k5c_precreate_ccache] (0x4000): Recreating ccache > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [k5c_setup_fast] > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/<a href="mailto:1.1.1.1@TEST.COM">1.1.1.1@TEST.COM</a>] > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] > [find_principal_in_keytab] (0x4000): Trying to find principal host/ > <a href="mailto:1.1.1.1@TEST.COM">1.1.1.1@TEST.COM</a> in keytab. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [match_principal] > (0x1000): Principal matched to the sample (host/<a href="mailto:1.1.1.1@TEST.COM">1.1.1.1@TEST.COM</a>). > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862]]]] [get_tgt_times] > (0x1000): FAST ccache must be recreated > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] > (0x0200): Trying to become user [0][0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [become_user] > (0x0200): Already user [0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] [check_fast_ccache] > (0x2000): Running as [0][0]. > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864]]]] [create_ccache] > (0x4000): Initializing ccache of type [FILE] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [check_fast_ccache] > (0x0200): FAST TGT was successfully recreated! > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [become_user] > (0x0200): Trying to become user [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x2000): > Running as [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [k5c_setup] > (0x2000): Running as [5102][701]. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] > from environment. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from > environment. > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [main] (0x0400): > Will perform online auth > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [tgt_req_child] > (0x1000): Attempting to get a TGT > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] [get_and_save_tgt] > (0x0400): Attempting kinit for realm [<a href="http://TEST.COM" rel="noreferrer" target="_blank">TEST.COM</a>] > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting > initial credentials for <a href="mailto:q-tempuser@TEST.COM">q-tempuser@TEST.COM</a> > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor > ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving > host/<a href="mailto:1.1.1.1@TEST.COM">1.1.1.1@TEST.COM</a> -> krb5_ccache_conf_data/fast_avail/krbtgt\/<a href="http://TEST.COM" rel="noreferrer" target="_blank">TEST.COM</a> > \@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM > with result: -1765328243/Matching credential not found > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending > request (189 bytes) to <a href="http://TEST.COM" rel="noreferrer" target="_blank">TEST.COM</a> > > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862]]]] > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating > TCP connection to stre > (END) </div></div>Does the krb5_child.log really ends here? If yes, any change the disk is full? bye, Sumit <div class="HOEnZb"><div class="h5"> > > > And here are the contents from sssd_domain.log > <a href="http://sssd_test.com" rel="noreferrer" target="_blank">sssd_test.com</a> > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > domain: <a href="http://test.com" rel="noreferrer" target="_blank">test.com</a> > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > user: q-tempuser > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > service: sshd > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > tty: ssh > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > ruser: > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > rhost: 127.0.0.1 > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > authtok type: 1 > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > priv: 1 > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > cli_pid: 11794 > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [pam_print_data] (0x0100): > logon name: not set > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [ldb] (0x4000): Added timed > event "ltdb_callback": 0x69e690 > > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [ldb] (0x4000): Added timed > event "ltdb_timeout": 0x69e7b0 > > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [ldb] (0x4000): Running > timer event 0x69e690 "ltdb_callback" > > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [ldb] (0x4000): Destroying > timer event 0x69e7b0 "ltdb_timeout" > > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [ldb] (0x4000): Ending > timer event 0x69e690 "ltdb_callback" > > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user > [q-tempuser] found. > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [fo_resolve_service_send] > (0x0100): Trying to resolve service 'IPA' > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [get_server_status] > (0x1000): Status of server '<a href="http://ipa-test-master.test.com" rel="noreferrer" target="_blank">ipa-test-master.test.com</a>' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [get_port_status] (0x1000): > Port status of port 0 for server '<a href="http://ipa-test-master.test.com" rel="noreferrer" target="_blank">ipa-test-master.test.com</a>' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [get_server_status] > (0x1000): Status of server '<a href="http://ipa-test-master.test.com" rel="noreferrer" target="_blank">ipa-test-master.test.com</a>' is 'working' > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [be_resolve_server_process] > (0x1000): Saving the first resolved server > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [be_resolve_server_process] > (0x0200): Found address for server <a href="http://ipa-test-master.test.com" rel="noreferrer" target="_blank">ipa-test-master.test.com</a>: [10.1.6.56] > TTL 183 > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [child_handler_setup] > (0x2000): Setting up signal handler up for pid [11797] > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [child_handler_setup] > (0x2000): Signal handler set up for pid [11797] > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [write_pipe_handler] > (0x0400): All data has been sent! > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [child_sig_handler] > (0x1000): Waiting for child [11797]. > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [child_sig_handler] > (0x0100): child [11797] finished successfully. > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [parse_krb5_child_response] > (0x1000): child response [1432158209][6][8]. > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [be_pam_handler_callback] > (0x0100): Backend returned: (0, 4, <NULL>) [Success] > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [be_pam_handler_callback] > (0x0100): Sending result [4][<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>] > (Mon Mar 14 11:57:12 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [be_pam_handler_callback] > (0x0100): Sent result [4][<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>] > (Mon Mar 14 11:57:15 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [sbus_dispatch] (0x4000): > dbus conn: 0x678710 > (Mon Mar 14 11:57:15 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [sbus_dispatch] (0x4000): > Dispatching. > (Mon Mar 14 11:57:15 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [sbus_message_handler] > (0x4000): Received SBUS method [ping] > (Mon Mar 14 11:57:15 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > (Mon Mar 14 11:57:15 2016) [sssd[be[<a href="http://test.com" rel="noreferrer" target="_blank">test.com</a>]]] > [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping] > > > Not sure what could be wrong here, I think thisused to work fine earlier . > > > Thanks, > Rakesh </div></div>> -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div>