<div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, </blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I am using FreeIPA version 4.4.0 and Active Directory trust setup. on Active Directory side I am using UPN suffix. Following are my setup. AD DOMANIN :- <a href="http://corp.addomain.com" rel="noreferrer" target="_blank">corp.addomain.com</a> <<a href="http://corp.addomain.com" rel="noreferrer" target="_blank">http://corp.addomain.com</a>> UPN suffix :- <a href="mailto:username@mydomain.com" target="_blank">username@mydomain.com</a> <mailto:<a href="mailto:username@mydomain.com" target="_blank">username@mydomain.com</a>><div><div class="h5"> IPA DOMAIN :- ipa.ipadomain.local IPA server hostname:- ilt-gif-ipa01.ipa.ipadomain.local I am able to login with AD user on IPA server. But on IPA clinet i am not able to login i am getting the login message "Access denied". I have enabled the debug_level on sssd.conf on ipa client. below are some logs.. ================ /var/log/secure Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=rg1989 Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_sss(sshd:auth): received for user e600336: 6 (Permission denied) Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): getting password (0x00000010) Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): pam_get_item returned a password Nov 16 09:00:52 ipa-clinet1 sshd[3752]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'rg1989') Nov 16 09:00:52 ipa-clinet1 sshd[3752]: Failed password for rg1989 from x.x.x.x. port 48842 ssh2 ================ ================ krb5_child.log (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4836]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): krb5_child started. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x1000): total buffer size: [159] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN </div></div> [<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>>]<div><div class="h5"> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL). (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): Will perform online auth (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] </div></div> (0x0400): Attempting kinit for realm [<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.416687: Getting initial credentials for <a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418641: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418698: Retrieving host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>\@MYDOMAIN.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.418756: Sending request (164 bytes) to <a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419718: Retrying AS request with master KDC (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419752: Getting initial credentials for <a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419778: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419821: Retrieving host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>\@MYDOMAIN.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [sss_child_krb5_trace_cb] (0x4000): [4837] 1479283764.419859: Sending request (164 bytes) to <a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>> (master) (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328230][Cannot find KDC for realm "<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [map_krb5_error] (0x0020): 1365: [-1765328230][Cannot find KDC for realm "<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] (0x0200): Received error code 1432158228 (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [pack_response_packet] (0x2000): response packet size: [4] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4837]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): krb5_child started. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] (0x1000): total buffer size: [159] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [false] UPN [<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>>]<div><div class="h5"> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL in keytab. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL). (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): Will perform online auth (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt] </div></div> (0x0400): Attempting kinit for realm [<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.426870: Getting initial credentials for <a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428706: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428762: Retrieving host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>\@MYDOMAIN.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.428825: Sending request (164 bytes) to <a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429706: Retrying AS request with master KDC (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429740: Getting initial credentials for <a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429767: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429812: Retrieving host/ipa-clinet1.ipa.ipadomain.local@IPA.IPADOMAIN.LOCAL -> krb5_ccache_conf_data/fast_avail/krbtgt\/<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>\@MYDOMAIN.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.IPADOMAIN.LOCAL with result: -1765328243/Matching credential not found (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [sss_child_krb5_trace_cb] (0x4000): [4838] 1479283764.429854: Sending request (164 bytes) to <a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>> (master) (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328230][Cannot find KDC for realm "<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [map_krb5_error] (0x0020): 1365: [-1765328230][Cannot find KDC for realm "<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>"] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] (0x0200): Received error code 1432158228 (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [pack_response_packet] (0x2000): response packet size: [4] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4838]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): krb5_child started. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x1000): total buffer size: [159] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>>]<div><div class="h5"> (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [become_user] (0x0200): Already user [1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): Will perform offline auth (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] (0x0200): Received error code 0 (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [pack_response_packet] (0x2000): response packet size: [53] (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:24 2016) [[sssd[krb5_child[4839]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): krb5_child started. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] (0x1000): total buffer size: [52] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [unpack_buffer] (0x0100): cmd [249] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN </div></div> [<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>>] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [become_user] (0x0200): Already user [1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): Will perform pre-auth (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>>] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.766694: Getting initial credentials for <a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.769074: Sending request (164 bytes) to <a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770020: Retrying AS request with master KDC (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770051: Getting initial credentials for <a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [sss_child_krb5_trace_cb] (0x4000): [4840] 1479283767.770091: Sending request (164 bytes) to <a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">MYDOMAIN.COM</a> <<a href="http://MYDOMAIN.COM" rel="noreferrer" target="_blank">http://MYDOMAIN.COM</a>> (master) (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328230} during pre-auth. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x0200): Received error code 0 (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [pack_response_packet] (0x2000): response packet size: [4] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4840]]]] [main] (0x0400): krb5_child completed successfully (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child started. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x1000): total buffer size: [160] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): cmd [241] uid [1007656917] gid [1007656917] validate [true] enterprise principal [false] offline [true] UPN [<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a> <mailto:<a href="mailto:Rajat.Gupta@MYDOMAIN.COM" target="_blank">Rajat.Gupta@MYDOMAIN.COM</a>>]<div><div class="h5"> (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1007656917] old_ccname: [KEYRING:persistent:1007656917] keytab: [/etc/krb5.keytab] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1007656917] and is not active and TGT is valid. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Trying to become user [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [become_user] (0x0200): Already user [1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_setup] (0x2000): Running as [1007656917][1007656917]. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): Will perform offline auth (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [create_empty_ccache] (0x1000): Existing ccache still valid, reusing (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x0200): Received error code 0 (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [pack_response_packet] (0x2000): response packet size: [53] (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [k5c_send_data] (0x4000): Response sent. (Wed Nov 16 09:09:27 2016) [[sssd[krb5_child[4841]]]] [main] (0x0400): krb5_child completed successfully ======================= Can you please help me to fix this, /Rajat </div></div></blockquote> </div> </div>