On Wed, Jan 04, 2023 at 11:52:21AM -0300, tizo via FreeIPA-users wrote:
> We have an IPA-AD trust up and running. The IPA domain is idm.fnr.gub.uy and the AD (Samba) domain is smb.fnr.gub.uy. Our users belong to AD.
>
> We have a couple of Ubuntu 22.04 IPA clients configured. In the first one, all works like a charm, and AD users can log in without problems. In the second one, AD users can log in sometimes, and sometimes not. The log /var/log/sssd/krb5_child.log is completely empty in the first case. In the second one, we have the following when a user cannot log in:
>
> (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] krb5_child started.
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x1000): [RID#19] total buffer size: [134]
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [mduff...@smb.fnr.gub.uy]
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x2000): [RID#19] No old ccache
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] ccname: [KEYRING:persistent:700000003] old_ccname: [not set] keytab: [/etc/krb5.keytab]
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_precreate_ccache] (0x4000): [RID#19] Recreating ccache
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [k5c_setup_fast] (0x0100): [RID#19] Fast principal is set to [host/laptingw02.idm.fnr.gub...@idm.fnr.gub.uy]
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [find_principal_in_keytab] (0x4000): [RID#19] Trying to find principal host/laptingw02.idm.fnr.gub...@idm.fnr.gub.uy in keytab.
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [match_principal] (0x1000): [RID#19] Principal matched to the sample (host/laptingw02.idm.fnr.gub...@idm.fnr.gub.uy).
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [check_fast_ccache] (0x0200): [RID#19] FAST TGT is still valid.
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [privileged_krb5_setup] (0x0080): [RID#19] Cannot open the PAC responder socket
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [become_user] (0x0200): [RID#19] Trying to become user [700000003][700000005].
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x2000): [RID#19] Running as [700000003][700000005].
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options] (0x0100): [RID#19] No specific renewable lifetime requested.
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [set_lifetime_options] (0x0100): [RID#19] No specific lifetime requested.
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [set_canonicalize_option] (0x0100): [RID#19] Canonicalization is set to [true]
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] Will perform auth
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] Will perform online auth
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [tgt_req_child] (0x1000): [RID#19] Attempting to get a TGT
>    *  (2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt] (0x0400): [RID#19] Attempting kinit for realm [SMB.FNR.GUB.UY]
>    *  (2023-01-04 11:42:11): [krb5_child[4430]] [sss_krb5_responder] (0x4000): [RID#19] Got question [password].
>    *  (2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
Hi,

'Decrypt integrity check failed' typically means that the wrong Kerberos password or key was used. Since you are using FAST it might either be the user password the user is typing in or the host key which was used to set up the FAST tunnel. Was the host key updated shortly before the issue happened?

Can you add 'debug_level = 9' to the [domain/...] section of sssd.conf, restart SSSD and wait until the issue occurs again? With this debug_level a detailed Kerberos trace should be in krb5_child.log which might help to identify which specific operation fails.

bye,
Sumit

> ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> (2023-01-04 11:42:11): [krb5_child[4430]] [map_krb5_error] (0x0020): [RID#19] 1854: [-1765328353][Decrypt integrity check failed]
>
> And the following when the same user is able to log in:
>
> (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [mduff...@smb.fnr.gub.uy] might not be correct.
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] krb5_child started.
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x1000): [RID#21] total buffer size: [134]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [mduff...@smb.fnr.gub.uy]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x2000): [RID#21] No old ccache
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] ccname: [KEYRING:persistent:700000003] old_ccname: [not set] keytab: [/etc/krb5.keytab]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_precreate_ccache] (0x4000): [RID#21] Recreating ccache
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_setup_fast] (0x0100): [RID#21] Fast principal is set to [host/laptingw02.idm.fnr.gub...@idm.fnr.gub.uy]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [find_principal_in_keytab] (0x4000): [RID#21] Trying to find principal host/laptingw02.idm.fnr.gub...@idm.fnr.gub.uy in keytab.
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [match_principal] (0x1000): [RID#21] Principal matched to the sample (host/laptingw02.idm.fnr.gub...@idm.fnr.gub.uy).
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [check_fast_ccache] (0x0200): [RID#21] FAST TGT is still valid.
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [privileged_krb5_setup] (0x0080): [RID#21] Cannot open the PAC responder socket
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [become_user] (0x0200): [RID#21] Trying to become user [700000003][700000005].
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x2000): [RID#21] Running as [700000003][700000005].
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options] (0x0100): [RID#21] No specific renewable lifetime requested.
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [set_lifetime_options] (0x0100): [RID#21] No specific lifetime requested.
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [set_canonicalize_option] (0x0100): [RID#21] Canonicalization is set to [true]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] Will perform auth
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] Will perform online auth
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [tgt_req_child] (0x1000): [RID#21] Attempting to get a TGT
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt] (0x0400): [RID#21] Attempting kinit for realm [SMB.FNR.GUB.UY]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [sss_krb5_responder] (0x4000): [RID#21] Got question [password].
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [sss_krb5_expire_callback_func] (0x2000): [RID#21] exp_time: [10276087]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [validate_tgt] (0x2000): [RID#21] Keytab entry with the realm of the credential not found in keytab. Using the last entry.
>    *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0400): [RID#21] TGT verified using key for [host/laptingw02.idm.fnr.gub...@idm.fnr.gub.uy].
>    *  (2023-01-04 11:42:29): [krb5_child[4432]] [sss_send_pac] (0x0080): [RID#21] failed to contact PAC responder
>    *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [mduff...@smb.fnr.gub.uy] might not be correct.
> ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> I have tried clearing all sssd caches (even removing /var/lib/sss/db/*), restarting all the servers, uninstalling the ipa client and configuring it again, etc. The behaviour is always the same.
>
> Any help is appreciated.
> Thanks very much,
>
> tizo
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
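Added here as a worked example, not part of the thread and not SSSD's own code: a small Python triage script for krb5_child.log that groups log lines by request ID and pulls out what matters for the intermittent-failure case discussed above (the UPN and realm of the kinit, the FAST armor principal, whether the cached FAST TGT was reused or re-obtained, whether the TGT was validated, and the krb5 error code). -1765328353 is KRB5KRB_AP_ERR_BAD_INTEGRITY in MIT krb5's error table, which is the "Decrypt integrity check failed" text in the post. The embedded sample log is constructed, patterned on the lines quoted above, with placeholder hostnames, realms and user principal; the script also tolerates mail-quoted ("> ") and backtrace ("* ") prefixes so it can be run directly on a pasted thread.

```python
"""Group SSSD krb5_child.log lines by RID and classify each auth attempt.

Added example; not SSSD code. Sample log below is constructed, with
placeholder names (client01.ipa.example.com, AD.EXAMPLE.COM, aduser).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# MIT krb5 error code behind "Decrypt integrity check failed".
KRB5KRB_AP_ERR_BAD_INTEGRITY = -1765328353

# One krb5_child log record, optionally prefixed with "* " inside a backtrace dump.
LINE_RE = re.compile(
    r"^\*?\s*\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): "
    r"\[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
# "1725: [-1765328353][Decrypt integrity check failed]"
ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]$")


@dataclass
class Attempt:
    rid: str
    pid: str
    upn: Optional[str] = None              # user principal being authenticated
    realm: Optional[str] = None            # realm the kinit was sent to
    fast_principal: Optional[str] = None   # host principal used as FAST armor
    fast_armor_reused: bool = False        # "FAST TGT is still valid" -> cached armor, no new host kinit
    tgt_verified: bool = False             # validate_tgt succeeded with the host key
    pac_failed: bool = False               # PAC responder unreachable (group data may be stale)
    errors: List[int] = field(default_factory=list)

    @property
    def outcome(self) -> str:
        if KRB5KRB_AP_ERR_BAD_INTEGRITY in self.errors:
            return "failed: KRB5KRB_AP_ERR_BAD_INTEGRITY (wrong key/password)"
        if self.errors:
            return "failed: krb5 error %d" % self.errors[0]
        if self.tgt_verified:
            return "ok" + (" (PAC responder unreachable)" if self.pac_failed else "")
        return "incomplete"


def parse_krb5_child_log(text: str) -> Dict[str, Attempt]:
    """Return {rid: Attempt}. Non-matching lines (e.g. krb5 trace output) are skipped."""
    attempts: Dict[str, Attempt] = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted copies of the log
        m = LINE_RE.match(line)
        if not m:
            continue
        a = attempts.setdefault(m["rid"], Attempt(rid=m["rid"], pid=m["pid"]))
        func, msg = m["func"], m["msg"]
        if func == "unpack_buffer" and "UPN [" in msg:
            a.upn = msg.split("UPN [", 1)[1].split("]", 1)[0]
        elif func == "k5c_setup_fast" and msg.startswith("Fast principal is set to ["):
            a.fast_principal = msg[len("Fast principal is set to ["):-1]
        elif func == "check_fast_ccache" and "FAST TGT is still valid" in msg:
            a.fast_armor_reused = True
        elif func == "get_and_save_tgt" and msg.startswith("Attempting kinit for realm ["):
            a.realm = msg[len("Attempting kinit for realm ["):-1]
        elif func == "validate_tgt" and msg.startswith("TGT verified using key for"):
            a.tgt_verified = True
        elif func == "validate_tgt" and "sss_send_pac failed" in msg:
            a.pac_failed = True
        e = ERR_RE.match(msg)
        if e and int(e["code"]) not in a.errors:
            a.errors.append(int(e["code"]))
    return attempts


def summarize(attempts: Dict[str, Attempt]) -> List[str]:
    """One line per attempt, ordered by RID, for eyeballing success/failure patterns."""
    return [
        f"RID#{a.rid} pid={a.pid} upn={a.upn} realm={a.realm} fast={a.fast_principal} "
        f"armor_reused={a.fast_armor_reused} -> {a.outcome}"
        for a in (attempts[r] for r in sorted(attempts, key=int))
    ]


# Constructed sample: one failing and one succeeding attempt, same user, same host.
SAMPLE_LOG = """\
(2023-01-04 11:42:10): [krb5_child[4430]] [main] (0x0400): [RID#19] krb5_child started.
(2023-01-04 11:42:10): [krb5_child[4430]] [unpack_buffer] (0x0100): [RID#19] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [aduser@AD.EXAMPLE.COM]
(2023-01-04 11:42:10): [krb5_child[4430]] [k5c_setup_fast] (0x0100): [RID#19] Fast principal is set to [host/client01.ipa.example.com@IPA.EXAMPLE.COM]
(2023-01-04 11:42:10): [krb5_child[4430]] [check_fast_ccache] (0x0200): [RID#19] FAST TGT is still valid.
(2023-01-04 11:42:10): [krb5_child[4430]] [get_and_save_tgt] (0x0400): [RID#19] Attempting kinit for realm [AD.EXAMPLE.COM]
(2023-01-04 11:42:11): [krb5_child[4430]] [get_and_save_tgt] (0x0020): [RID#19] 1725: [-1765328353][Decrypt integrity check failed]
(2023-01-04 11:42:11): [krb5_child[4430]] [map_krb5_error] (0x0020): [RID#19] 1854: [-1765328353][Decrypt integrity check failed]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [main] (0x0400): [RID#21] krb5_child started.
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [unpack_buffer] (0x0100): [RID#21] cmd [241 (auth)] uid [700000003] gid [700000005] validate [true] enterprise principal [false] offline [false] UPN [aduser@AD.EXAMPLE.COM]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [k5c_setup_fast] (0x0100): [RID#21] Fast principal is set to [host/client01.ipa.example.com@IPA.EXAMPLE.COM]
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [check_fast_ccache] (0x0200): [RID#21] FAST TGT is still valid.
>    *  (2023-01-04 11:42:28): [krb5_child[4432]] [get_and_save_tgt] (0x0400): [RID#21] Attempting kinit for realm [AD.EXAMPLE.COM]
>    *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0400): [RID#21] TGT verified using key for [host/client01.ipa.example.com@IPA.EXAMPLE.COM].
>    *  (2023-01-04 11:42:29): [krb5_child[4432]] [sss_send_pac] (0x0080): [RID#21] failed to contact PAC responder
>    *  (2023-01-04 11:42:29): [krb5_child[4432]] [validate_tgt] (0x0040): [RID#21] sss_send_pac failed, group membership for user with principal [aduser@AD.EXAMPLE.COM] might not be correct.
"""

if __name__ == "__main__":
    for row in summarize(parse_krb5_child_log(SAMPLE_LOG)):
        print(row)
```

Run it against a real /var/log/sssd/krb5_child.log (or a copy with the debug_level raised as suggested in the reply) and compare failing and succeeding RIDs side by side: if both reuse the same cached FAST armor ticket and only the error code differs, the armor is the same on both paths and the remaining variable is what was sent inside the tunnel, which is the distinction the reply asks about.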