On Tue, Dec 06, 2016 at 12:45:18PM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > #### > This is a new thread related to one I started today about upgrading FreeIPA > software before continuing troubleshooting work ... > > New post here so I don't pollute the other thread. > #### > > > Looking for additional eyeballs or tips on this ongoing problem. The short > summary > is we can't check passwords for AD users. > > SSSD is running in debug-10 mode and we have tons of logs > > I've got 2 interesting things to trace down, would be interested in feedback > on > which may be best to concentrate on ... > > > 1. In the SAMBA logs there are very clear and interesting "message=Cannot > contact any KDC for realm 'COMPANY-IDM.ORG'" > which seems very straightforward and interesting
you can ignore those, samba is not involved in the authentication. > > 2. However the SSSD logs contain more worrisome messages about TGT ticket > errors > > > Should I concentrate on the samba logs that talk about being unable to find > the KDC? > That seems more straightforward at the moment. > > > Thanks! > > -Chris > > > > > ... > (Tue Dec 6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [main] (0x0400): > krb5_child started. > (Tue Dec 6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer] > (0x1000): total buffer size: [158] > (Tue Dec 6 15:36:48 2016) [[sssd[krb5_child[4005]]]] [unpack_buffer] > (0x0100): cmd [241] uid [1843770609] gid [1843770609] validate [false] > enterprise principal [false] offline [true] UPN [u...@company.org] ^^^^^^^^^^^^^^^ The backend switch to offline mode, please send the SSSD domain logs around this time as well. If possible please start about 5 minutes earlier. bye, Sumit -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project