Hello. We have a client system (client1) that refuses login and throws an error in the krb5_child.log only when a particular account tries to log in (user1). The same account can log into other ipa domain client machines just fine. Other ipa accounts can log in to this machine, just not the user1 account. In /var/log/secure we see:
Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=user1
Aug 16 15:16:56 client1 sshd[13173]: pam_sss(sshd:auth): received for user user1: 4 (System error)
Aug 16 15:16:59 client1 sshd[13171]: error: PAM: Authentication failure for user1 from xxx.xxx.xxx.xxx

sssd_domain_withheld.log:

(2021-08-16 15:16:56): [be[id.gps.caltech.edu]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information

krb5_child.log:

(2021-08-16 15:16:56): [krb5_child[13176]] [create_ccache] (0x0020): 1039: [-1765328188][Internal credentials cache error]
(2021-08-16 15:16:56): [krb5_child[13176]] [map_krb5_error] (0x0020): 1849: [-1765328188][Internal credentials cache error]

Sometimes we see this in krb5_child.log as well:

(2021-08-16 12:32:13): [krb5_child[6232]] [get_and_save_tgt] (0x0020): 1720: [-1765328360][Preauthentication failed]
(2021-08-16 12:32:13): [krb5_child[6232]] [map_krb5_error] (0x0020): 1849: [-1765328360][Preauthentication failed]

Steps taken to clear the issue with no results:

1. sss_cache -E
2. systemctl stop sssd
   rm -rf /var/lib/sss/db/*
   systemctl start sssd
3. ipa-client-install --uninstall and then rejoin

Environment:

RHEL8.4 - 4.18.0-305.12.1.el8_4.x86_64
ipa-client-4.9.2-3.module+el8.4.0+10413+a92f1bfa.x86_64

Contents of /etc/krb5.conf:

#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DOMAIN.WITHHELD.LOCAL
  dns_lookup_realm = true
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  DOMAIN.WITHHELD.LOCAL = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .domain.withheld.local = DOMAIN.WITHHELD.LOCAL
  domain.withheld.local = DOMAIN.WITHHELD.LOCAL
  client1.domain.withheld.local = DOMAIN.WITHHELD.LOCAL
  .withheld.local = DOMAIN.WITHHELD.LOCAL
  withheld.local = DOMAIN.WITHHELD.LOCAL

Contents of /etc/sssd/sssd.conf:

[domain/domain.withheld.local]
id_provider = ipa
dns_discovery_domain = domain.withheld.local
ipa_server = _srv_, idm2.domain.withheld.local
ipa_domain = domain.withheld.local
ipa_hostname = client1.domain.withheld.local
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = default

[sssd]
services = nss, pam, ssh, sudo, autofs
domains = domain.withheld.local

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

Any help would be appreciated.

-Scott
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
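The two krb5_child.log excerpts in the post fail at different stages: one in create_ccache (writing the ticket into the client's local credential cache, which is the KEYRING:persistent cache named in krb5.conf) and one in get_and_save_tgt (the exchange with the KDC, where "Preauthentication failed" is returned). Separating those two classes is the first triage step, because a cache-side failure points at this client and user's local state while a KDC-side failure points at the password or KDC policy. The parser below, added here as an illustration and not code from the post or from SSSD, reads lines in the krb5_child.log format shown above and reports the first non-reporting error each child PID logged. The log lines embedded in it are constructed copies in the shape of those in the post, and the phase labels ("kdc", "ccache", "report") are my own grouping, not SSSD's.

```python
import re
from collections import OrderedDict

# Constructed sample in the krb5_child.log line format from the post
# (timestamps, PIDs and source-line numbers are copied in shape, not authoritative).
SAMPLE_LOG = """\
(2021-08-16 15:16:56): [krb5_child[13176]] [create_ccache] (0x0020): 1039: [-1765328188][Internal credentials cache error]
(2021-08-16 15:16:56): [krb5_child[13176]] [map_krb5_error] (0x0020): 1849: [-1765328188][Internal credentials cache error]
(2021-08-16 12:32:13): [krb5_child[6232]] [get_and_save_tgt] (0x0020): 1720: [-1765328360][Preauthentication failed]
(2021-08-16 12:32:13): [krb5_child[6232]] [map_krb5_error] (0x0020): 1849: [-1765328360][Preauthentication failed]
"""

# One krb5_child.log error line:
#   (timestamp): [krb5_child[pid]] [function] (0xlevel): srcline: [code][message]
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<srcline>\d+): "
    r"\[(?P<code>-?\d+)\]\[(?P<msg>[^\]]*)\]$"
)

# Triage grouping (mine, not SSSD's): which part of the login the function belongs to.
PHASE_BY_FUNC = {
    "get_and_save_tgt": "kdc",     # AS exchange with the KDC: password, preauth, KDC policy
    "create_ccache": "ccache",     # storing the obtained ticket in the local credential cache
    "map_krb5_error": "report",    # re-reports an error already logged; never the root cause
}


def parse_line(line):
    """Parse one krb5_child.log error line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["code"] = int(rec["code"])
    rec["srcline"] = int(rec["srcline"])
    rec["phase"] = PHASE_BY_FUNC.get(rec["func"], "other")
    return rec


def first_failure_per_child(text):
    """Map each krb5_child PID to the first error it logged, ignoring pure re-reports."""
    result = OrderedDict()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["phase"] == "report":
            continue
        result.setdefault(rec["pid"], rec)
    return result


def summarize(text):
    """Return (pid, phase, function, krb5 error code, message) per child, in log order."""
    return [
        (pid, r["phase"], r["func"], r["code"], r["msg"])
        for pid, r in first_failure_per_child(text).items()
    ]


def summarize_file(path):
    """Same as summarize(), reading the log from disk (e.g. /var/log/sssd/krb5_child.log)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    for pid, phase, func, code, msg in summarize(SAMPLE_LOG):
        print(f"child {pid}: failed in {func} ({phase} phase), krb5 code {code}: {msg}")
```

Run against a real krb5_child.log with summarize_file(), a run of "ccache" failures for a single user on a single host narrows the search to that user's credential cache on that client, while "kdc" failures call for checking the KDC side and the password itself.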