FreeIPA + 389 Directory + Kerberos MIT + SSSD Client: RHEL 5.11 Server: RHEL 7.5
The server is running on RHEL 7.5. Up to this moment I have successfully tested against clients on RHEL 6 and 7, but I have an issue setting up clients on RHEL 5. I suspect a problem with the Kerberos TGT supported encryption type, but I cannot confirm this.
root : INFO Successfully retrieved CA cert
- successfully set certificate verify locations:
- CAfile: /etc/ipa/ca.crt
- Closing connection #0
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
SSSD enabled
root : DEBUG args=getent passwd admin
root : DEBUG stdout=
root : DEBUG stderr=
Unable to find 'admin' user with 'getent passwd admin'!
Kerberos
File modified by ipa-client-install
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NAME
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = yes
 default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
 DOMAIN.NAME = {
  kdc = server.domain.name:88
  master_kdc = server.domain.name:88
  admin_server = server.domain.name:749
  default_domain = domain.name
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .domain.name = DOMAIN.NAME
 domain.name = DOMAIN.NAME
Kerberos Keytab
[root@client-server]# klist -kte /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (Triple DES cbc mode with HMAC/sha1)
   2 09/12/18 18:20:35 host/client-server.domain.name@domain.name (ArcFour with HMAC/md5)
SSSD
[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = domain.name

[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/domain.name]
cache_credentials = True
krb5_realm = DOMAIN.NAME
krb5_store_password_if_offline = True
ipa_domain = domain.name
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client-server.domain.name
chpass_provider = ipa
ipa_server = _srv_, server.domain.name
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
The general error is:
Sep 20 12:01:20 client-server [sssd[ldap_child[31633]]]: Failed to initialize credentials using keytab [(null)]: Client not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Specific SSSD errors
==> /var/log/sssd/sssd_domain.name.log <==
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_dispatch] (9): dbus conn: E25C380
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_dispatch] (9): Dispatching.
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [sbus_message_handler] (9): Received SBUS method [getAccountInfo]
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [be_get_account_info] (4): Got request for [4097][1][name=admin]
(Thu Sep 20 17:08:01 2018) [sssd[be[domain.name]]] [be_get_account_info] (4): Request processed. Returned 1,11,Fast reply - offline

==> /var/log/sssd/sssd_nss.log <==
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [get_client_cred] (9): Client creds: euid[0] egid[0] pid[7917].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [accept_fd_handler] (6): Client connected!
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [admin] from [<all>]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/domain.name/admin]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (4): Requesting info for [admin@domain.name]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x13ca1e50
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x13ca1fb0
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Running timer event 0x13ca1e50 "ltdb_callback"
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Destroying timer event 0x13ca1fb0 "ltdb_timeout"
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [ldb] (9): tevent: Ending timer event 0x13ca1e50 "ltdb_callback"
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_send_acct_req_create] (4): Sending request for [domain.name][4097][1][name=admin]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_add_timeout] (8): 0x13ca20f0
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_remove_timeout] (8): 0x13ca20f0
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 13C98050
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (1, 11, Fast reply - offline) from Data Provider
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [nss_cmd_getpwnam_dp_callback] (2): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline Will try to return what we have in cache
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x13ca10e0][20]
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [client_recv] (5): Client disconnected!
(Thu Sep 20 17:08:01 2018) [sssd[nss]] [client_destructor] (8): Terminated client [0x13ca10e0][20]
Does kinit -k host/client-server.domain.name@domain.name work?
Is the '@domain.name' part of the principal in the keytab really in lower-case?
Hi,
The principal name is not in lower case, but it is the same as on the RHEL7 client where everything works fine. On the RHEL5 client I have the following results:
[root@client-server ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
-----------------------------------------------------------------------------
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (Triple DES cbc mode with HMAC/sha1)
   2 09/12/18 18:20:35 host/client-server.domain.name@DOMAIN.NAME (ArcFour with HMAC/md5)
[root@client-server ~]# kinit -k host/client-server.domain.name@DOMAIN.NAME
kinit(v5): KDC has no support for encryption type while getting initial credentials
[root@client-server ~]# kinit -k host/client-server.domain.name@domain.name
kinit(v5): Cannot find KDC for requested realm while getting initial credentials
I have even tried the allow_weak_crypto = true parameter:
[libdefaults]
 default_realm = DOMAIN.NAME
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = true
 #default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 #default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 #preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
Did you set allow_weak_crypto = true for the KDC as well? What are the related log messages in the KDC logs?
Yes, I've set the same directive on the KDC. I cannot really find a specific error:
==> /var/log/dirsrv/slapd-DOMAIN-NAME/access <==
[21/Sep/2018:13:18:34.002915235 +0200] conn=39 op=14 UNBIND
[21/Sep/2018:13:18:34.002961729 +0200] conn=39 op=14 fd=104 closed - U1
[21/Sep/2018:13:18:40.002454382 +0200] conn=42 fd=104 slot=104 connection from server-ip to server-ip
[21/Sep/2018:13:18:40.003090287 +0200] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[21/Sep/2018:13:18:40.005870030 +0200] conn=42 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0003324465
[21/Sep/2018:13:18:40.082065262 +0200] conn=6 op=293 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=host/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.082528294 +0200] conn=6 op=293 RESULT err=0 tag=101 nentries=1 etime=0.0000620453
[21/Sep/2018:13:18:40.082668007 +0200] conn=6 op=294 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[21/Sep/2018:13:18:40.082754757 +0200] conn=6 op=294 RESULT err=0 tag=101 nentries=1 etime=0.0000112246
[21/Sep/2018:13:18:40.082908745 +0200] conn=6 op=295 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.082977641 +0200] conn=6 op=295 RESULT err=0 tag=101 nentries=1 etime=0.0000095027
[21/Sep/2018:13:18:40.083109279 +0200] conn=6 op=296 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILIUM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.083312119 +0200] conn=6 op=296 RESULT err=0 tag=101 nentries=1 etime=0.0000258206
[21/Sep/2018:13:18:40.083455553 +0200] conn=6 op=297 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[21/Sep/2018:13:18:40.083536162 +0200] conn=6 op=297 RESULT err=0 tag=101 nentries=1 etime=0.0000109979
[21/Sep/2018:13:18:40.084877948 +0200] conn=7 op=336 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=host/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.085355826 +0200] conn=7 op=336 RESULT err=0 tag=101 nentries=1 etime=0.0000666018
[21/Sep/2018:13:18:40.085544586 +0200] conn=7 op=337 SRCH base="cn=ipaConfig,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[21/Sep/2018:13:18:40.085712870 +0200] conn=7 op=337 RESULT err=0 tag=101 nentries=1 etime=0.0000212498
[21/Sep/2018:13:18:40.086014212 +0200] conn=7 op=338 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.086148962 +0200] conn=7 op=338 RESULT err=0 tag=101 nentries=1 etime=0.0000194921
[21/Sep/2018:13:18:40.086409343 +0200] conn=7 op=339 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILIUM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.086841256 +0200] conn=7 op=339 RESULT err=0 tag=101 nentries=1 etime=0.0000541397
[21/Sep/2018:13:18:40.087123842 +0200] conn=7 op=340 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[21/Sep/2018:13:18:40.087280465 +0200] conn=7 op=340 RESULT err=0 tag=101 nentries=1 etime=0.0000209183
[21/Sep/2018:13:18:40.087725247 +0200] conn=7 op=341 SRCH base="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Sep/2018:13:18:40.089009833 +0200] conn=7 op=341 RESULT err=0 tag=101 nentries=1 etime=0.0001369664
[21/Sep/2018:13:18:40.089179613 +0200] conn=7 op=342 SRCH base="cn=server-name.domain.name,cn=masters,cn=ipa,cn=etc,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Sep/2018:13:18:40.089312354 +0200] conn=7 op=342 RESULT err=0 tag=101 nentries=1 etime=0.0000177481
[21/Sep/2018:13:18:40.096457697 +0200] conn=6 op=298 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/CONSILIUM.EU.INT@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.NAME@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.096925806 +0200] conn=6 op=298 RESULT err=0 tag=101 nentries=1 etime=0.0012274579
[21/Sep/2018:13:18:40.097576344 +0200] conn=6 op=299 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/server-name.domain.name@DOMAIN.NAME)(krbPrincipalName:caseIgnoreIA5Match:=ldap/server-name.domain.name@DOMAIN.NAME)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.098037030 +0200] conn=6 op=299 RESULT err=0 tag=101 nentries=1 etime=0.0000577484
[21/Sep/2018:13:18:40.098332739 +0200] conn=6 op=300 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.098469183 +0200] conn=6 op=300 RESULT err=0 tag=101 nentries=1 etime=0.0000186208
[21/Sep/2018:13:18:40.098819558 +0200] conn=6 op=301 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/server-name.domain.name@DOMAIN.NAME))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:40.099168924 +0200] conn=6 op=301 RESULT err=0 tag=101 nentries=1 etime=0.0000441551
[21/Sep/2018:13:18:40.099462545 +0200] conn=6 op=302 SRCH base="cn=DOMAIN.NAME,cn=kerberos,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[21/Sep/2018:13:18:40.099630288 +0200] conn=6 op=302 RESULT err=0 tag=101 nentries=1 etime=0.0000190654
[21/Sep/2018:13:18:40.100739928 +0200] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.108959766 +0200] conn=42 op=1 RESULT err=14 tag=97 nentries=0 etime=0.0008372020, SASL bind in progress
[21/Sep/2018:13:18:40.110626686 +0200] conn=42 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.112923851 +0200] conn=42 op=2 RESULT err=14 tag=97 nentries=0 etime=0.0002420539, SASL bind in progress
[21/Sep/2018:13:18:40.113202164 +0200] conn=42 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Sep/2018:13:18:40.113882936 +0200] conn=42 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0000757528 dn="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int"
[21/Sep/2018:13:18:40.114434941 +0200] conn=42 op=4 SRCH base="cn=accounts,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipaHost)(fqdn=server-name.domain.name))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Sep/2018:13:18:40.116771339 +0200] conn=42 op=4 RESULT err=0 tag=101 nentries=1 etime=0.0002551874 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.117266795 +0200] conn=42 op=5 SRCH base="fqdn=server-name.domain.name,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Sep/2018:13:18:40.122752829 +0200] conn=42 op=5 RESULT err=0 tag=101 nentries=1 etime=0.0005646722 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.123127542 +0200] conn=42 op=6 SRCH base="cn=sudo,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=20081))" attrs="objectClass ipaUniqueID cn member entryusn"
[21/Sep/2018:13:18:40.123240428 +0200] conn=42 op=6 RESULT err=0 tag=101 nentries=0 etime=0.0000210893 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:40.123684805 +0200] conn=42 op=7 SRCH base="cn=sudo,dc=domain,dc=eu,dc=int" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=server-name.consilium.eu.int,cn=computers,cn=accounts,dc=domain,dc=eu,dc=int)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain,dc=eu,dc=int))(entryusn>=20081))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Sep/2018:13:18:40.124146001 +0200] conn=42 op=7 RESULT err=0 tag=101 nentries=0 etime=0.0000614365 notes=P pr_idx=0 pr_cookie=-1
[21/Sep/2018:13:18:46.154654100 +0200] conn=7 op=344 SRCH base="dc=domain,dc=eu,dc=int" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=CMPAIBL1$@DOMAIN.NAME))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Sep/2018:13:18:46.155229636 +0200] conn=7 op=344 RESULT err=0 tag=101 nentries=0 etime=0.0000941003
This is the directory server access log; the KDC log is at /var/log/krb5kdc.log.
Can you try if you get extra debug output when calling
KRB5_TRACE=/dev/stdout kinit -k host/client-server.domain.name@DOMAIN.NAME
Yes, apologies. Here below are the related KDC logs regarding this client:
/var/log/krb5kdc.log:Sep 21 14:04:59 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:04:59 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531499, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME
/var/log/krb5kdc.log:Sep 21 14:06:11 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:06:11 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531571, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME
/var/log/krb5kdc.log:Sep 21 14:06:27 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1654](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: NEEDED_PREAUTH: host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME, Additional pre-authentication required
/var/log/krb5kdc.log:Sep 21 14:06:27 CLIENT-SERVER.DOMAIN.NAME krb5kdc[1655](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 170.255.66.95: ISSUE: authtime 1537531587, etypes {rep=18 tkt=18 ses=18}, host/client-server.DOMAIN.NAME@DOMAIN.NAME for krbtgt/DOMAIN.NAME@DOMAIN.NAME
Ok, so the client asks for {18 17 16 23 1 3 2} (ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5) and the KDC sends a ticket with {rep=18 tkt=18 ses=18} (ENCTYPE_AES256_CTS_HMAC_SHA1_96).
So it looks like all is ok on the KDC side.
Did
return any extra debug output?
No, it did not return anything now.
Metadata Update from @pbrezina: - Issue tagged with: Canditate to close
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Metadata Update from @pbrezina: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4828
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.