On Mon, May 2, 2022 at 2:36 PM Sumit Bose <sb...@redhat.com> wrote:
>
> On Mon, May 02, 2022 at 12:32:34PM -0300, tizo wrote:
> > On Mon, May 2, 2022 at 11:56 AM Sumit Bose <sb...@redhat.com> wrote:
> > >
> > > On Mon, May 02, 2022 at 11:39:40AM -0300, tizo wrote:
> > > > > Hi,
> > > > >
> > > > > thanks, at least I received your email. Can you run the tests with
> > > > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again,
> > > > > but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> > > > > This will add some additional information into krb5_child.log which
> > > > > might help to understand why the client does not like the reply from
> > > > > the DC.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > >
> > > > I cleared all the logs and ran the tests again with those parameters.
> > > > I am sending the logs. Thanks!
> > >
> > > Hi,
> > >
> > > can you try if you can change the password with 'kpasswd
> > > u...@adtest.fnr.gub.uy'? I guess it will fail as well. Can you take a
> > > network trace of this command with tcpdump and send it as well?
> > >
> > > bye,
> > > Sumit
> > >
> >
> > It fails, and with kinit too:
> >
> > [root@idmt01 tmp]# kinit u...@adtest.fnr.gub.uy
> > Password for u...@adtest.fnr.gub.uy:
> > kinit: KDC reply did not match expectations while getting initial credentials
> > [root@idmt01 tmp]# kpasswd u...@adtest.fnr.gub.uy
> > Password for u...@adtest.fnr.gub.uy:
> > kpasswd: KDC reply did not match expectations getting initial ticket
> >
> > I am sending tcpdump captures while trying with kpasswd. There are
> > two, as there are two Samba DCs (smbtest.adtest.fnr.gub.uy and
> > smbtest02.adtest.fnr.gub.uy), but I think that the first one replied
> > in this case.
>
> Hi,
>
> can you send the output of
>
> KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
>
> as well and your /etc/krb5.conf?
>
> bye,
> Sumit
>
Output:

[root@idmt01 tmp]# KRB5_TRACE=/dev/stdout kpasswd u...@adtest.fnr.gub.uy
[4732] 1651514884.487540: Getting initial credentials for u...@adtest.fnr.gub.uy
[4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
[4732] 1651514884.487543: Sending unauthenticated request
[4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514884.487545: Initiating TCP connection to stream 10.2.100.3:88
[4732] 1651514884.487546: Sending TCP request to stream 10.2.100.3:88
[4732] 1651514884.487547: Received answer (314 bytes) from stream 10.2.100.3:88
[4732] 1651514884.487548: Terminating TCP connection to stream 10.2.100.3:88
[4732] 1651514884.487549: Response was from master KDC
[4732] 1651514884.487550: Received error from KDC: -1765328359/Additional pre-authentication required
[4732] 1651514884.487553: Preauthenticating using KDC method data
[4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
[4732] 1651514884.487556: PKINIT client has no configured identity; giving up
[4732] 1651514884.487557: Preauth module pkinit (147) (info) returned: 0/Success
[4732] 1651514884.487558: PKINIT client has no configured identity; giving up
[4732] 1651514884.487559: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Password for u...@adtest.fnr.gub.uy:
[4732] 1651514896.851314: AS key obtained for encrypted timestamp: aes256-cts/75AC
[4732] 1651514896.851316: Encrypted timestamp (for 1651514896.949521): plain 301AA011180F32303232303530323138303831365AA10502030E7D11, encrypted C418DCD1573DF5E07F0578A78FCB73D9A41DB9DF39398EE86AEA12F587FCED5A3D008FF9FB8565A73C29D1AEA9EB089C576D532C11F7BFD4
[4732] 1651514896.851317: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4732] 1651514896.851318: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514896.851320: Initiating TCP connection to stream 10.2.100.3:88
[4732] 1651514896.851321: Sending TCP request to stream 10.2.100.3:88
[4732] 1651514896.851322: Received answer (1460 bytes) from stream 10.2.100.3:88
[4732] 1651514896.851323: Terminating TCP connection to stream 10.2.100.3:88
[4732] 1651514896.851324: Response was from master KDC
[4732] 1651514896.851325: Processing preauth types: PA-ETYPE-INFO2 (19)
[4732] 1651514896.851326: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\x00\x00\x10\x00"
[4732] 1651514896.851327: Produced preauth for next request: (empty)
[4732] 1651514896.851328: AS key determined by preauth: aes256-cts/75AC
[4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
[4732] 1651514896.851330: FAST negotiation: available
kpasswd: KDC reply did not match expectations getting initial ticket

I am sending /etc/krb5.conf and /var/lib/sss/pubconf/krb5.include.d/domain_realm_idmt_fnr_gub_uy, as the latter is included in the former and might be relevant.
Attachment: krb5.conf (binary data)
Attachment: domain_realm_idmt_fnr_gub_uy (binary data)
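As an added example, not part of this thread and not code from krb5 or SSSD, here is a small Python parser for the KRB5_TRACE line format shown above ("[pid] epoch.usec: message"). It pulls out the pieces that matter when an AS exchange ends in "KDC reply did not match expectations": which preauth types the KDC offered, which etype and salt the client settled on, whether the AS-REP actually decrypted, and what the tool printed last. The sample input is a constructed, trimmed copy of the trace lines from this message (connection and PKINIT chatter dropped, obfuscated principal kept as-is). The findings it emits are generic: MIT krb5 reports KRB5_KDCREP_MODIFIED only after the reply has been decrypted and its client name, server name or nonce fails to match the request, and it tolerates a renamed client principal (canonicalize flag or enterprise name) only when the request is for a TGT; the example does not claim to explain the specific failure in this thread.

```python
"""Summarise an MIT krb5 KRB5_TRACE run of an AS exchange (kinit / kpasswd).

Added example for this thread; not part of the original messages and not
code from krb5 or SSSD.  It parses the "[pid] epoch.usec: message" trace
format and reports how far the exchange got before the client gave up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the KRB5_TRACE lines quoted in this
# message (connection and PKINIT chatter dropped, obfuscated principal kept).
SAMPLE_TRACE = """\
[4732] 1651514884.487540: Getting initial credentials for u...@adtest.fnr.gub.uy
[4732] 1651514884.487541: Setting initial creds service to kadmin/changepw
[4732] 1651514884.487544: Sending request (179 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514884.487550: Received error from KDC: -1765328359/Additional pre-authentication required
[4732] 1651514884.487554: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-FAST (136), 655, PA-ETYPE-INFO2 (19)
[4732] 1651514884.487555: Selected etype info: etype aes256-cts, salt "ADTEST.FNR.GUB.UYusu1", params "\\x00\\x00\\x10\\x00"
[4732] 1651514896.851318: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[4732] 1651514896.851319: Sending request (257 bytes) to ADTEST.FNR.GUB.UY
[4732] 1651514896.851329: Decrypted AS reply; session key is: aes256-cts/6539
[4732] 1651514896.851330: FAST negotiation: available
kpasswd: KDC reply did not match expectations getting initial ticket
"""

TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
ETYPE_RE = re.compile(r'etype (\S+), salt "([^"]*)"')


@dataclass
class AsExchange:
    principal: str = ""
    service: str = ""
    request_realms: list = field(default_factory=list)   # realm of each AS-REQ sent
    kdc_errors: list = field(default_factory=list)       # (code, text) per KRB-ERROR
    offered_preauth: list = field(default_factory=list)  # padata types in the first KRB-ERROR
    etype: str = ""
    salt: str = ""
    produced_preauth: list = field(default_factory=list)
    reply_decrypted: bool = False
    fast_available: bool = False
    final_error: str = ""   # last non-trace line, i.e. what the tool itself printed


def parse_trace(text: str) -> AsExchange:
    """Parse KRB5_TRACE output (plus the tool's own output) into an AsExchange."""
    ex = AsExchange()
    for raw in text.splitlines():
        m = TRACE_RE.match(raw)
        if not m:
            if raw.strip():                     # e.g. "kpasswd: KDC reply did not ..."
                ex.final_error = raw.strip()
            continue
        msg = m.group("msg")
        if msg.startswith("Getting initial credentials for "):
            ex.principal = msg.split(" for ", 1)[1]
        elif msg.startswith("Setting initial creds service to "):
            ex.service = msg.rsplit(" to ", 1)[1]
        elif msg.startswith("Sending request "):
            ex.request_realms.append(msg.rsplit(" to ", 1)[1])
        elif msg.startswith("Received error from KDC: "):
            code, _, why = msg[len("Received error from KDC: "):].partition("/")
            ex.kdc_errors.append((int(code), why))
        elif msg.startswith("Processing preauth types: ") and not ex.offered_preauth:
            ex.offered_preauth = [t.strip() for t in msg.split(": ", 1)[1].split(",")]
        elif msg.startswith("Selected etype info: "):
            em = ETYPE_RE.search(msg)
            if em:
                ex.etype, ex.salt = em.group(1), em.group(2)
        elif msg.startswith("Produced preauth for next request: "):
            ex.produced_preauth.append(msg.split(": ", 1)[1])
        elif msg.startswith("Decrypted AS reply"):
            ex.reply_decrypted = True
        elif msg.startswith("FAST negotiation: available"):
            ex.fast_available = True
    return ex


def diagnose(ex: AsExchange) -> list:
    """Generic findings, in the order a practitioner would check them."""
    out = []
    if any("Preauthentication failed" in why for _, why in ex.kdc_errors):
        out.append("KDC rejected the preauth data: wrong password, or a key derived "
                   "from the wrong salt/etype")
    if ex.reply_decrypted:
        out.append(f"AS-REP decrypted with the {ex.etype} key (salt {ex.salt!r}): "
                   "password, etype and salt are all correct")
    if "did not match expectations" in ex.final_error:
        # MIT krb5 raises KRB5_KDCREP_MODIFIED after decryption when the reply's
        # client name, server name or nonce does not match the request.
        out.append("reply rejected after decryption (KRB5_KDCREP_MODIFIED): in the "
                   "capture compare cname/crealm, sname/srealm and the nonce of the "
                   "AS-REP with the AS-REQ")
        if ex.service and not ex.service.startswith("krbtgt/"):
            out.append(f"service is {ex.service}, not a TGT: a renamed client "
                       "principal in the reply is only accepted for TGT requests, "
                       "so the names must match byte for byte here")
    return out


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print(f"{parsed.principal} -> {parsed.service} via {parsed.request_realms[0]}")
    for line in diagnose(parsed):
        print(" -", line)
```

Run it against a real trace with `KRB5_TRACE=/tmp/t.log kpasswd user@REALM; python3 this.py < /tmp/t.log` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`; the useful split it gives you is "decryption succeeded, so the credentials are right" versus "the client disliked the decrypted contents", which tells you whether to look at passwords and salts or at the principal names in the packet capture.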
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure