On Thu, May 11, 2017 at 01:07:25PM +0000, Berkouwer, Walter wrote:
> Hello
>
> I am trying to setup an IPA configuration at an remote site. I got the
> ssh-connection working with a 6.6 client ( ipa-client version 3.0.0), but I
> can't get it working with a 7.3 client ( ipa-client version 4.4.0 ).
>
> Version of the server is 4.4.0.
>
> Can some help me with this problem.
>
> >From the logfiles I got the following messages.
> /var/log/secure:
>
> May 11 13:05:10 edsnfmwsv009 sshd[14026]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.72.145
> user=berkouwa
> May 11 13:05:10 edsnfmwsv009 sshd[14026]: pam_sss(sshd:auth): received for
> user berkouwa: 17 (Failure setting user credentials)
> May 11 13:05:10 edsnfmwsv009 sshd[14021]: error: PAM: Authentication failure
> for berkouwa from 192.168.72.145
> May 11 13:05:10 edsnfmwsv009 sshd[14021]: Postponed keyboard-interactive for
> berkouwa from 192.168.72.145 port 51772 ssh2 [preauth]
>
> /var/log/sssd/krb5_child.log:
>
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14030] 1494500710.640900: Received
> cookie: MIT
>
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_responder]
> (0x4000): Got question [password].
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter]
> (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
> EINVAL.
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter]
> (0x0020): Cannot handle password prompts.
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter]
> (0x4000): Prompt [0][Password for berkouwa@EDSN.LOCAL].
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]]
> [sss_child_krb5_trace_cb] (0x4000): [14030] 1494500710.640958: Preauth module
> encrypted_challenge (138) (real) returned: -1765328254/Cannot read password
>
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [get_and_save_tgt]
> (0x0400): krb5_get_init_creds_password returned [-1765328254} during pre-auth.
Errors are expected during the pre-auth phase, I guess I should make the
debug message more clear about it.
The actual error is:
[[sssd[krb5_child[17076]]]] [sss_get_ccache_name_for_principal] (0x2000):
krb5_cc_cache_match failed: [-1750600185][Invalid UID in persistent keyring
name]
Please check your /etc/krb5.conf if accidentally there are some
additional config option on the same line as 'default_ccache_name =
KEYRING:persistent:%{uid}'.
HTH
bye,
Sumit
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [k5c_send_data]
> (0x0200): Received error code 0
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [pack_response_packet]
> (0x2000): response packet size: [12]
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [main] (0x0400):
> krb5_child completed successfully
>
> I placed the full logfiles and the sssd.conf here:
> https://drive.google.com/open?id=0B66tVXzcZy1CdFZNb1dvUjk4Tnc
>
> Walter
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
