On Fri, Feb 25, 2022 at 11:21:55AM -0300, Mateo Duffour wrote:
> Hi, 
> 
> I am sending you the files needed as attachments; let me know if you need something else. 

Hi,

thanks for the files, they look ok. After looking again at what you sent
I came across

    Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations

which typically indicates a canonicalization of the principal by the
server side which was not expected by the client.

Which version of SSSD are you using on the Ubuntu client? Recent versions
of SSSD already set 'krb5_canonicalize = true' by default for
'id_provider = ipa'. Maybe your version is a bit older? Please check whether
it works better if you explicitly set

    krb5_canonicalize = true

in the [domain/...] section of sssd.conf and restart SSSD. At least the
'KDC reply did not match expectations' should be gone now. If the
password change still fails, please set 'debug_level = 9' in the [pam]
and [domain/...] section of sssd.conf, restart SSSD, run the test again
and send the logs from /var/log/sssd.

bye,
Sumit
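
The two sssd.conf changes recommended above, as an added example that is not part of the original mail and not SSSD's own code: a small Python script that reports, per [domain/...] section, whether krb5_canonicalize is enabled and which debug_level is set, and that can produce a copy of the file with krb5_canonicalize = true in every id_provider = ipa domain plus debug_level = 9 in [pam] and in those domain sections. Without the canonicalize flag the Kerberos client rejects an AS reply whose client principal differs from the one it asked for, which is what the 'KDC reply did not match expectations' message reports. The sample sssd.conf is constructed: the domain and server names are taken from the log lines in the thread, every other option value is an assumption.

```python
"""Audit and fix the sssd.conf settings discussed in the reply above.

Added example, not code from the mailing-list thread or from SSSD itself.
SAMPLE_SSSD_CONF is constructed: the domain and server names come from the
log lines in the thread, every other option value is an assumption.
"""
import configparser
import io

SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = idmpru.fnr.gub.uy

[domain/idmpru.fnr.gub.uy]
id_provider = ipa
auth_provider = ipa
ipa_domain = idmpru.fnr.gub.uy
ipa_server = idmsrvpru.idmpru.fnr.gub.uy
cache_credentials = True

[pam]
pam_verbosity = 1
"""


def _parse(text):
    # sssd.conf is INI-style; interpolation must be off ('%' may appear in
    # values) and option names are kept exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_sssd_conf(text):
    """Return, per [domain/...] section, the id_provider, whether
    krb5_canonicalize is enabled (sssd.conf booleans are true/false,
    case-insensitive) and which debug_level, if any, is set."""
    cp = _parse(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        canon = cp.get(section, "krb5_canonicalize", fallback="").strip().lower()
        report[section] = {
            "id_provider": cp.get(section, "id_provider", fallback=None),
            "krb5_canonicalize": canon == "true",
            "debug_level": cp.get(section, "debug_level", fallback=None),
        }
    return report


def fix_sssd_conf(text, debug_level=None):
    """Return a copy of the config with krb5_canonicalize = true in every
    id_provider = ipa domain and, if debug_level is given, that level set in
    [pam] and in each such domain section."""
    cp = _parse(text)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip().lower() != "ipa":
            continue
        cp.set(section, "krb5_canonicalize", "true")
        if debug_level is not None:
            cp.set(section, "debug_level", str(debug_level))
    if debug_level is not None:
        if not cp.has_section("pam"):
            cp.add_section("pam")
        cp.set("pam", "debug_level", str(debug_level))
    out = io.StringIO()
    cp.write(out)  # ConfigParser drops comments when writing
    return out.getvalue()


if __name__ == "__main__":
    print("before:", audit_sssd_conf(SAMPLE_SSSD_CONF))
    fixed = fix_sssd_conf(SAMPLE_SSSD_CONF, debug_level=9)
    print("after: ", audit_sssd_conf(fixed))
    print(fixed)
```

If you write the result back to /etc/sssd/sssd.conf, keep the file root-owned with mode 0600 (SSSD refuses to start otherwise), run `sssctl config-check` from sssd-tools, then `systemctl restart sssd` and collect /var/log/sssd as asked for above. Because ConfigParser discards comments, on a hand-maintained sssd.conf it is safer to use the script only as a checker and apply the two settings by hand.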

> 
> 
> Thanks again, regards. 
> 
> Lic. Mateo Duffour 
> Unidad Informática 
>       2901.40.91 
> 
> [ http://maps.apple.com/?q=18%20de%20julio%20985%20-%20Piso%204,Montevideo,Uruguay | 18 de julio 985 - Piso 3, Montevideo, Uruguay ] 
> [ http://www.fnr.gub.uy/ | ] 
> 
> 
> 
> Don't print me unless necessary. Let's protect the environment. This message 
> and the information attached to it are addressed exclusively to the 
> recipient. It may contain confidential, privileged or restricted-use 
> information, protected by law. If you received this e-mail in error, 
> please notify the sender and delete the original. 
> Any other use of this e-mail by you is prohibited. 
> 
> 
> From: "Sumit Bose" <sb...@redhat.com> 
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> Cc: "Alexander Bokovoy" <aboko...@redhat.com>, "Mateo Duffour" 
> <mduff...@fnr.gub.uy> 
> Sent: Friday, 25 February, 2022 03:46:43 
> Subject: Re: [Freeipa-users] Re: IdM with trust relationship with Samba AD DC 
> - User accounts with passwords expired 
> 
> On Thu, Feb 24, 2022 at 11:53:07AM -0300, Mateo Duffour via 
> FreeIPA-users wrote: 
> 
> 
> Which /etc/pam.d/ config file do you need ? 
> 
> 
> 
> Hi, 
> 
> from the logs below it looks like you are using ssh to log in, so it 
> would be /etc/pam.d/sshd and all the files which might be referenced in 
> that file. 
> 
> bye, 
> Sumit 
> 
> 
> 
> 
> 
> From: "Mateo Duffour" <mduff...@fnr.gub.uy> 
> To: "Alexander Bokovoy" <aboko...@redhat.com> 
> Cc: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> Sent: Wednesday, 23 February, 2022 17:26:49 
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - 
> User accounts with passwords expired 
> 
> Hi, thank you for the quick reply. 
> 
> We were further investigating the issue. 
> 
> We were testing with user "usu5", whose password has expired. The log of the 
> IdM server below shows that the Samba AD DC is sending "Password has expired" for 
> user "usu5"; that's OK. 
> So we can suspect that IdM is not behaving as expected: it should prompt the 
> user about the password expiry and let the user change it, but something is 
> wrong with our config or scenario because that does not happen. 
> 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: Password has expired 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy krb5_child[4283]: KDC reply did not match expectations 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.9.8 user=u...@adtest.fnr.gub.uy 
> Feb 23 08:14:35 idmsrvpru.idmpru.fnr.gub.uy sshd[4281]: pam_sss(sshd:auth): received for user u...@adtest.fnr.gub.uy: 4 (System error) 
> Feb 23 08:14:37 idmsrvpru.idmpru.fnr.gub.uy sshd[4277]: error: PAM: Authentication failure for u...@adtest.fnr.gub.uy from 10.9.9.8 
> 
> Also in the attached file there is the log sssd_idmpru.fnr.gub.uy.log, which 
> shows a login attempt with user "usu6", who is in the same situation as 
> "usu5". 
> 
> ############ 
> 
> We have done other tests as well. In this case we are logged on to the IdM server as 
> user "usu1", whose password is not expired and works properly. But when 
> we try to change it with "passwd" it also fails. 
> 
> [u...@adtest.fnr.gub.uy@idmsrvpru /]$ passwd 
> Changing password for user u...@adtest.fnr.gub.uy. 
> Current Password: 
> Password change failed. Server message: Old password not accepted. 
> passwd: Authentication token manipulation error 
> 
> Log of this test on IdM server: 
> 
> Feb 23 08:15:40 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_unix(passwd:chauthtok): user "u...@adtest.fnr.gub.uy" does not exist in /etc/passwd 
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Old password not accepted. 
> Feb 23 08:15:45 idmsrvpru.idmpru.fnr.gub.uy passwd[4335]: pam_sss(passwd:chauthtok): Authentication failed for user u...@adtest.fnr.gub.uy: 4 (System error) 
> 
> Which PAM logs do you need? We have several files, apparently. 
> 
> 
> Thank you guys again and best regards. 
> 
> 
> 
> From: "Alexander Bokovoy" <aboko...@redhat.com> 
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org> 
> Cc: "Mateo Duffour" <mduff...@fnr.gub.uy> 
> Sent: Wednesday, 23 February, 2022 05:14:42 
> Subject: Re: [Freeipa-users] IdM with trust relationship with Samba AD DC - 
> User accounts with passwords expired 
> 
> Hello, 
> 
> On Tue, 22 Feb 2022, Mateo Duffour via FreeIPA-users wrote: 
> 
> 
> Hi, 
> 
> We currently have an IdM installation with a trust relationship with a 
> Samba AD DC. Our user accounts reside on the Samba AD DC; we don't have user 
> accounts on IdM. We are having a problem with Samba user accounts whose 
> passwords have expired. 
> 
> When we try to log in with an Ubuntu IdM client with one of those 
> accounts, it fails and asks again for the password. The behaviour we are 
> expecting is that Ubuntu should ask for a password change. 
> 
> 
> 
> I think you need to look at SSSD troubleshooting guide and investigate a 
> bit yourself. Without logs it is impossible to tell what's wrong. 
> 
> Please see https://sssd.io/troubleshooting/basics.html and 
> https://sssd.io/troubleshooting/ipa_provider.html for two parts that 
> would be relevant here. 
> 
> -- 
> / Alexander Bokovoy 
> Sr. Principal Software Engineer 
> Security / Identity Management Engineering 
> Red Hat Limited, Finland 
> 
> 
> _______________________________________________ 
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org 
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org 
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ 
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines 
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org 
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure 
> 
> 
> 

