My apologies. I have tested kinit user@REALM in 11.10 WITHOUT
disabling preauthentication and it works just fine.
kinit user@REALM in 12.04 WITHOUT disabling preauthentication responds
with "Generic preauthentication failure".
I will troubleshoot the kinit issue, and if sssd is still a problem
Sorry I wasn't more explicit.
Taking your suggestion, running kinit user@REALM I do receive "Password
Expired. You must change it now".
This is with preauthentication off.
However, when I turn Pre-authentication on, I receive a "Generic
Preauthentication Failure".
perhaps this is an issue with
Can you please be more explicit?
Please describe if you're getting this behavior from SSSD or from using
the 'kinit' command directly.
For now, let's investigate the problem using only kinit (that will
narrow down the problem to Kerberos and Active Directory, thus
eliminating SSSD for the time
'generic preauthentication failure' == KRB5KDC_ERR_PREAUTH_FAILED (which
is therefore different from KRB5KDC_ERR_KEY_EXP). So yeah, the Active
Directory server is not sending the correct response from the KDC. We
can't do anything about that (since KRB5KDC_ERR_PREAUTH_FAILED is the
same error code
Thanks Stephen, closing the bug.
** Changed in: sssd (Ubuntu)
       Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/915386
Title:
SSSD/AD 2008 and Password Change
To manage
I actually do see a KRB5KDC_ERR_KEY_EXP when running Wireshark and
capturing packets:
38  2.045309  10.8.35.22  10.12.2.94  KRB5  263  KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
39  2.045323  10.12.2.94  10.8.35.22  TCP    66  53244 > kerberos [ACK]
Accidentally hit the post command.
43  2.046083  10.8.35.22  10.12.2.94  TCP    74  kerberos > 53245 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=878789915 TSecr=23443430
44  2.046095  10.12.2.94  10.8.35.22  TCP    66
I'm going to make a guess, because you didn't include the packets
between KRB5KDC_ERR_KEY_EXP and KRB5KDC_ERR_PREAUTH_REQUIRED. I suspect
that what happened is that AD returned the correct error that the key
was expired, and the MIT libraries then went and tried to acquire a
password-change token
Ok, so in Active Directory, I have disabled Require Preauthentication
which has eliminated the KRB5KDC_ERR_PREAUTH_REQUIRED message
I'm still seeing the KRB5KDC_ERR_KEY_EXP
I can see the machine send the Kerberos AS-REQ and immediately get a KRB
Error: KRB5KDC_ERR_KEY_EXP_KEY
It doesn't even
You need to use:
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
From sssd-ldap(5):
ldap_account_expire_policy (string)
With this option a client side evaluation of access control
attributes can be enabled.
Please note that it
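For context, here is how those three options sit in a complete sssd.conf. This is an added example, not configuration from the bug report or from the SSSD project: only the three access-control lines (access_provider, ldap_access_order, ldap_account_expire_policy) come from the reply above, while the section names, hostnames, realm, search base and the id/auth/chpass provider choices are assumptions that have to be adapted to the AD forest in question.

```ini
# Added example (not from the bug thread): a full domain section that places
# the three suggested options in context. Everything except
# access_provider, ldap_access_order and ldap_account_expire_policy is an
# assumption for illustration; realm, hosts and search base are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# Assumed: identity from AD over LDAP, authentication and password changes
# over Kerberos against the same domain controller.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# The part suggested in the reply: client-side evaluation of AD's account
# and password expiry attributes, so an expired account is refused by the
# access check rather than surfacing as a generic authentication failure.
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
```

sssd refuses to start unless /etc/sssd/sssd.conf is owned by root and not readable by anyone else (mode 0600), so set that before restarting the service; the `ad` expiry policy needs the LDAP bind to be able to read the account's userAccountControl and expiry attributes, which is why the example binds with the host keytab rather than anonymously.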
I have added these to my sssd.conf and I am still receiving "invalid
password, please try again".
This is from the ubuntu man page for sssd.conf
It doesn't look like access_provider = ldap is valid;
permit, deny, simple are the only options:
access_provider (string)
The access control provider used for the domain. There are two
built-in access providers (in
(in addition to any included in installed backends)
That list is just the internal special providers. The installed
backends are those for ldap and kerberos.
What do you see in /var/log/secure when doing that authentication that
fails?
Is it showing just pam_sss.so:auth or is it also getting to
Aaahh, ok, I see what is meant by "in addition to any included installed
backends".
I have changed it back.
I don't have a /var/log/secure but i have /var/log/auth.log
This is just trying login from tty2
Jan 12 15:41:00 vut-precise01 login[781]: pam_krb5(login:auth): authentication failure;