I tried to add it under the [domain/...] section but it didn't help. krb5_child.log has not been modified for a few hours even though I tried to log in many times; the log has not changed. How can I increase the log level for Kerberos?
What do you mean by backend logs?

On Thu, 14 Nov 2024 at 16:51, Sumit Bose <sb...@redhat.com> wrote:

> On Thu, Nov 14, 2024 at 12:35:06PM -0000, chagai nota via FreeIPA-users wrote:
> > Hi
> > I'm new here and hope to ask the question in the correct way.
> >
> > We are trying to use IPA to replace our NIS and it works great. Now we also enabled integration with our AD and I have some questions regarding it.
> > The structure of the AD domain is like the following: exmaple.com, a.exmaple.com, b.exmaple.com etc., but all users' UPN is only exmaple.com.
> > samaccountname and UPN are not the same,
> > so a user can be j...@exmaple.com but its samaccountname will be 1234 or something else.
> >
> > We created a one-way forest trust with IPA and samaccountname works for all users from all subdomains, but when I try to use the UPN it works only for the root domain.
> > When I try to authenticate with a user from the a.exmaple.com domain whose UPN is exmaple.com (j...@exmaple.com), it succeeds in identifying the user
> > but fails to authenticate: PAM tries to perform authentication with the wrong domain, it goes to the exmaple.com domain instead of a.exmaple.com.
> >
> > The bottom line:
> > the user search is performed with a multi-domain search and succeeds, but authentication goes to the wrong domain and fails.
> >
> > Can you assist with this? Can it work?
>
> Hi,
>
> krb5_child.log and the backend logs would be useful as well.
>
> A typical issue in this area is that SSSD fails to detect that the IPA
> server supports enterprise principals, so please try to add
>
> krb5_use_enterprise_principal = True
>
> manually to the [domain/...] section of sssd.conf, restart SSSD and try
> again.
>
> HTH
>
> bye,
> Sumit
>
> > Error message:
> > (2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain example.com is Active
> > (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Looking up [j...@example.com] in cache
> > (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Object [j...@example.com] was not found in cache
> > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#6] CR #11: Adding [j...@example.com] to negative cache
> > (2024-11-14 14:03:13): [pam] [sss_ncache_set_str] (0x0400): [CID#6] Adding [NCE/USER/example.com/j...@example.com] to negative cache
> > (2024-11-14 14:03:13): [pam] [cache_req_set_plugin] (0x2000): [CID#6] CR #11: Setting "Initgroups by UPN" plugin
> > (2024-11-14 14:03:13): [pam] [cache_req_set_name] (0x0400): [CID#6] CR #11: Setting name [j...@example.com]
> > (2024-11-14 14:03:13): [pam] [cache_req_assume_upn] (0x0400): [CID#6] CR #11: Assuming UPN [j...@example.com]
> > (2024-11-14 14:03:13): [pam] [cache_req_select_domains] (0x0400): [CID#6] CR #11: Performing a multi-domain search
> > (2024-11-14 14:03:13): [pam] [cache_req_search_domains] (0x0400): [CID#6] CR #11: Search will bypass the cache and check the data provider
> > (2024-11-14 14:03:13): [pam] [cache_req_validate_domain_type] (0x2000): [CID#6] Request type POSIX-only for domain a.example.com type POSIX is valid
> > (2024-11-14 14:03:13): [pam] [cache_req_set_domain] (0x0400): [CID#6] CR #11: Using domain [a.example.com]
> > (2024-11-14 14:03:13): [pam] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #11: Preparing input data for domain [a.example.com] rules
> > (2024-11-14 14:03:13): [pam] [cache_req_search_send] (0x0400): [CID#6] CR #11: Looking up j...@example.com
> > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR #11: Checking negative cache for [j...@example.com]
> > (2024-11-14 14:03:13): [pam] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/USER/a.example.com/@j...@example.com]
> > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR #11: [j...@example.com] is not present in negative cache
> > (2024-11-14 14:03:13): [pam] [cache_req_search_dp] (0x0400): [CID#6] CR #11: Looking up [j...@example.com] in data provider
> > (2024-11-14 14:03:13): [pam] [sss_dp_get_account_send] (0x0400): [CID#6] Creating request for [a.example.com][0x3][BE_REQ_INITGROUPS][name=j...@example.com:U]
> > (2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
> > (2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain a.example.com is Active
> > (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Looking up [j...@example.com] in cache
> > (2024-11-14 14:03:13): [pam] [cache_req_search_ncache_filter] (0x0400): [CID#6] CR #11: This request type does not support filtering result by negative cache
> > (2024-11-14 14:03:13): [pam] [cache_req_search_done] (0x0400): [CID#6] CR #11: Returning updated object [j...@example.com]
> > (2024-11-14 14:03:13): [pam] [cache_req_create_and_add_result] (0x0400): [CID#6] CR #11: Found 3 entries in domain a.example.com
> > (2024-11-14 14:03:13): [pam] [cache_req_done] (0x0400): [CID#6] CR #11: Finished: Success
> > (2024-11-14 14:03:13): [pam] [pd_set_primary_name] (0x0400): [CID#6] User's primary name is 1...@a.example.com
> > (2024-11-14 14:03:13): [pam] [pam_initgr_check_timeout] (0x4000): [CID#6] User [j...@example.com] not found in PAM cache.
> > (2024-11-14 14:03:13): [pam] [pam_initgr_cache_set] (0x2000): [CID#6] [j...@example.com] added to PAM initgroup cache
> > (2024-11-14 14:03:13): [pam] [pam_dp_send_req] (0x0100): [CID#6] Sending request with the following data:
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] command: SSS_PAM_AUTHENTICATE
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] domain: exmaple.com
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] user: 1...@a.exmaple.com
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] service: sshd
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] tty: ssh
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] ruser: not set
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] rhost: 192.168.1.15
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] authtok type: 1 (Password)
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] newauthtok type: 0 (No authentication token available)
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] priv: 1
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] cli_pid: 8350
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] logon name: j...@exmaple.com
> > (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] flags: 1
> > (2024-11-14 14:03:13): [pam] [pam_dom_forwarder] (0x0100): [CID#6] pam_dp_send_req returned 0
> > (2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
> > (2024-11-14 14:03:13): [pam] [pam_dp_send_req_done] (0x0200): [CID#6] received: [4 (System error)][exmaple.com]
> > (2024-11-14 14:03:13): [pam] [pam_reply] (0x4000): [CID#6] pam_reply initially called with result [4]: System error. this result might be changed during processing
> > (2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] blen: 30
> > (2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] Returning [4]: System error to the client
> > (2024-11-14 14:03:16): [pam] [client_recv] (0x0200): [CID#6] Client disconnected!
> > (2024-11-14 14:03:16): [pam] [client_close_fn] (0x2000): Terminated client [0x5bcfb8a297c0][19]
> > (2024-11-14 14:03:18): [pam] [pam_initgr_cache_remove] (0x2000): [CID#6] [j...@exmaple.com] removed from PAM initgroup cache
> >
> > --
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
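The two sssd.conf knobs this thread turns on, as an added example that is not code from the thread or from the SSSD project: Sumit's `krb5_use_enterprise_principal = True` in the `[domain/...]` section, and `debug_level` in that same section, which is the setting the backend's child processes (including krb5_child, whose log the reply above says is not growing) take their verbosity from. The script audits a constructed sssd.conf for both keys in every `[domain/...]` section and emits a corrected copy. The sample file, its domain names and the choice of level 9 are assumptions for illustration; SSSD only picks up the new file after a restart, which the script deliberately does not perform.

```python
"""Audit and correct per-domain Kerberos settings in an sssd.conf (added example)."""
import configparser
import io

# Constructed sample sssd.conf; not the poster's real configuration.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = ipa.example.test, other.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa1.ipa.example.test
debug_level = 3

[domain/other.example.test]
id_provider = ldap
auth_provider = krb5
krb5_use_enterprise_principal = True
debug_level = 9
"""

# Values the audit expects in every [domain/...] section (assumed policy).
REQUIRED = {
    # Ask the KDC for an enterprise principal, so an AD UPN whose suffix
    # differs from the user's home domain is routed by the KDC, not by SSSD.
    "krb5_use_enterprise_principal": "True",
    # Level 9 is the most verbose SSSD level; the backend's child processes
    # (krb5_child among them) log at the level of their domain section.
    "debug_level": "9",
}


def load_sssd_conf(text):
    """Parse sssd.conf text. Keys stay case-sensitive, '%' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_domains(cp):
    """Return {section: [keys that are missing or hold a different value]}
    for every [domain/...] section; an empty list means the section is fine."""
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        wrong = [key for key, want in REQUIRED.items()
                 if cp.get(section, key, fallback=None) != want]
        findings[section] = wrong
    return findings


def harden(cp):
    """Set every REQUIRED key in every [domain/...] section and return the
    rewritten file as text (comments in the input are not preserved)."""
    for section in audit_domains(cp):
        for key, want in REQUIRED.items():
            cp.set(section, key, want)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    conf = load_sssd_conf(SAMPLE_SSSD_CONF)
    for section, wrong in audit_domains(conf).items():
        status = "ok" if not wrong else "missing/wrong: " + ", ".join(wrong)
        print(f"[{section}] {status}")
    print("--- corrected sssd.conf ---")
    print(harden(conf), end="")
```

On a real host the corrected text would be written back to /etc/sssd/sssd.conf (mode 0600, owned by root, or SSSD refuses to start), followed by `systemctl restart sssd`; a fresh login attempt should then produce new lines in krb5_child.log showing the principal and KDC actually used for the AS request.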