On Mon, Apr 25, 2022 at 12:23 PM tizo <tiz...@gmail.com> wrote:
>
> > Hi,
> >
> > thanks for the logs. The issue does not happen during Kerberos ticket
> > validation, as I thought but while trying to establish the FAST tunnel.
> >
> > There should be two ways to solve this. The first is setting
> >
> >     krb5_use_fast = never
> >
> > in the [domain/...] section of sssd.conf on every IPA client. The second
> > is to reestablish the trust as a two-way trust with the '--two-way=True'
> > option of 'ipa trust-add'. I would recommend the latter.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
>
> Hi Sumit,
>
> I'm taking Mateo's place here because he's busy with other things.
> Sorry for the delay.
>
> We tried two-way trust on a brand new IdM server for a new IdM domain
> (since the old server was giving other errors - we probably messed it
> up at some point), and we're back to square one: AD users without
> expiring passwords can log in on the new IdM server with ssh, and for
> those with expired passwords journalctl gives:
>
> Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: Password has expired
> Apr 25 11:46:56 idmt01.idmt.fnr.gub.uy krb5_child[12339]: KDC reply
> did not match expectations
>
> I really don't know if behind the scenes it's exactly the same problem
> as the first time, but it shouldn't be, since we updated the Samba servers
> to version 4.16.0, which has FAST support (as was noted on the Samba
> users list). I'm wondering at the moment if the samba-client package
> on the IdM server, which is version 4.14.5, could affect it or if it
> doesn't matter.
>
> How do you think I can continue from here?
>
> Thank you very much,
>
> tizo

Just for the record, if I add krb5_use_fast = never in the
[domain/...] section of sssd.conf, I get the same in journalctl, but
something different in krb5_child.log:

(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): krb5_child started.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x1000): total buffer size: [115]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [u...@adtest.fnr.gub.uy]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x2000): No old ccache
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [not set] keytab: [/etc/krb5.keytab]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [become_user] (0x0200): Trying to become user [10101][10101].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x2000): Running as [10101][10101].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_lifetime_options] (0x0100): No specific lifetime requested.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform auth
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): Will perform online auth
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Attempting to get a TGT
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
********************** BACKTRACE DUMP ENDS HERE *********************************

(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Password was expired
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [sss_krb5_responder] (0x4000): Got question [password].
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
********************** BACKTRACE DUMP ENDS HERE *********************************
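The krb5_child.log excerpt above is the kind of output an admin has to triage by hand: one top-level failure, then a backtrace dump that repeats it. The script below is an added example written for this thread, not code from SSSD or from anyone on the list. It parses that record format, separates top-level messages from backtrace entries, and pulls out the items that matter first when comparing runs (whether FAST was used, the target realm, the uid, and the chain of krb5 error codes). The sample log is constructed to mirror the quoted lines, with the UPN filled in with a made-up user; the symbolic names for the two krb5 codes come from MIT krb5's error table and are the editor's annotation, not something krb5_child prints.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the krb5_child.log excerpt quoted in the thread
# (lines unwrapped, UPN filled with a made-up user, some entries omitted).
SAMPLE_LOG = """\
(2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [main] (0x0400): krb5_child started.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [10101] gid [10101] validate [true] enterprise principal [false] offline [false] UPN [user@adtest.fnr.gub.uy]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [check_use_fast] (0x0100): Not using FAST.
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [ADTEST.FNR.GUB.UY]
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [get_and_save_tgt] (0x0020): 1724: [-1765328361][Password has expired]
********************** BACKTRACE DUMP ENDS HERE *********************************

(2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [tgt_req_child] (0x1000): Password was expired
   *  (2022-04-25 13:17:05): [krb5_child[2000]] [map_krb5_error] (0x0020): 1853: [-1765328237][KDC reply did not match expectations]
********************** BACKTRACE DUMP ENDS HERE *********************************
"""

# One log record: a top-level message or one "   *  " entry of a backtrace dump.
LINE_RE = re.compile(
    r"^\s*(?:\*\s+)?\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Error messages carry "<source line>: [<krb5 code>][<text>]".
ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]$")

# Symbolic names for the two krb5 codes seen in the thread (MIT krb5 error
# table). Editor's annotation: krb5_child logs only the numeric code and text.
KRB5_ERRNAMES = {
    -1765328361: "KRB5KDC_ERR_KEY_EXP",
    -1765328237: "KRB5_KDCREP_MODIFIED",
}


@dataclass
class Event:
    ts: str
    pid: int
    func: str
    level: int
    msg: str
    in_backtrace: bool


def parse_log(text):
    """Return every krb5_child record, tagging those inside a backtrace dump."""
    events, in_bt = [], False
    for line in text.splitlines():
        if "PREVIOUS MESSAGE WAS TRIGGERED" in line:
            in_bt = True
            continue
        if "BACKTRACE DUMP ENDS HERE" in line:
            in_bt = False
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], int(m["pid"]), m["func"],
                                int(m["level"], 16), m["msg"], in_bt))
    return events


def summarize(events):
    """Extract FAST state, realm, uid and the top-level error chain, in order."""
    fast, realm, uid, errors = None, None, None, []
    for ev in events:
        if ev.func == "check_use_fast":
            fast = "Not using FAST" not in ev.msg
        m = re.search(r"Attempting kinit for realm \[([^\]]+)\]", ev.msg)
        if m:
            realm = m.group(1)
        m = re.search(r"uid \[(\d+)\]", ev.msg)
        if m:
            uid = int(m.group(1))
        m = ERR_RE.match(ev.msg)
        if m and not ev.in_backtrace:   # backtraces repeat the top-level error
            code = int(m["code"])
            errors.append((code, KRB5_ERRNAMES.get(code, "unknown"), m["text"]))
    return {"fast": fast, "realm": realm, "uid": uid, "errors": errors}


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the two krb5_child.log captures from this thread (with and without krb5_use_fast = never), the summary makes the comparison explicit: the same two codes in the same order, and only the `fast` field differing, which is what the poster observed from journalctl alone.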
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure