Hi again,

Last week I had to change my sssd.conf to ldap_sasl_mech=GSSAPI.
SSSD is 2.4.2 on Arch Linux.
I don't know if it is related, but now I can't change the password with this
machine (the last time it was working was in February).
Anyway, passwd asks me for the current password, and after typing it + Enter
it returns with the message: Password changed.

The error which is most important (I think) is: authentication service cannot
retrieve user authentication to the client (bold below in Polish).

What I see in logs:

pam_sss:

(2021-05-11 14:40:28): [pam] [pam_initgr_check_timeout] (0x2000): User
[test] found in PAM cache.
(2021-05-11 14:40:28): [pam] [pam_dp_send_req] (0x0100): Sending request
with the following data:
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): command:
SSS_PAM_CHAUTHTOK
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): domain: realm.domain
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): user:
test@realm.domain
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): service: passwd
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): tty: not set
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): ruser: not set
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): rhost: not set
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): authtok type: 1
(Password)
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): newauthtok type: 0
(No authentication token available)
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): priv: 0
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): cli_pid: 955753
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): logon name: test
(2021-05-11 14:40:28): [pam] [pam_print_data] (0x0100): flags: 4
(2021-05-11 14:40:28): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req
returned 0
(2021-05-11 14:40:28): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2021-05-11 14:40:28): [pam] [pam_dp_send_req_done] (0x0200): received: [15
(Usługa uwierzytelniania nie może uzyskać uwierzytelnienia
użytkownika)][realm.domain]
(2021-05-11 14:40:28): [pam] [ldb] (0x10000): Added timed event
"ldb_kv_callback": 0x56049f493ce0
*(2021-05-11 14:40:28): [pam] [pam_reply] (0x4000): pam_reply initially
called with result [15]: Usługa uwierzytelniania nie może uzyskać
uwierzytelnienia użytkownika. this result might be changed during
processing*
(2021-05-11 14:40:28): [pam] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(2021-05-11 14:40:28): [pam] [pam_reply] (0x0200): blen: 35
*(2021-05-11 14:40:28): [pam] [pam_reply] (0x0200): Returning [15]: Usługa
uwierzytelniania nie może uzyskać uwierzytelnienia użytkownika to the
client*
(2021-05-11 14:40:28): [pam] [client_recv] (0x0200): Client disconnected!
(2021-05-11 14:40:28): [pam] [client_close_fn] (0x2000): Terminated client
[0x56049f489150][19]
(2021-05-11 14:40:33): [pam] [pam_initgr_cache_remove] (0x2000): [test]
removed from PAM initgroup cache

krb5 logs

(2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): krb5_child
started.
(2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x1000): total
buffer size: [173]
(2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x0100): cmd
[247 (password change checks)] uid [1175201116] gid [1175200513] validate
[true] enterprise principal [false] offline [false] UPN [test@REALM.DOMAIN]
(2021-05-11 14:40:28): [krb5_child[955777]] [unpack_buffer] (0x0100):
ccname: [FILE:/tmp/krb5cc_1175201116_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_1175201116_GlkSJ1] keytab: [/etc/krb5.keytab]
(2021-05-11 14:40:28): [krb5_child[955777]] [check_use_fast] (0x0100): Not
using FAST.
(2021-05-11 14:40:28): [krb5_child[955777]] [switch_creds] (0x0200): Switch
user to [1175201116][1175200513].
(2021-05-11 14:40:28): [krb5_child[955777]] [switch_creds] (0x0200): Switch
user to [0][0].
(2021-05-11 14:40:28): [krb5_child[955777]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [FILE:/tmp/krb5cc_1175201116_GlkSJ1] and is
 active and TGT is  valid.
(2021-05-11 14:40:28): [krb5_child[955777]] [privileged_krb5_setup]
(0x0080): Cannot open the PAC responder socket
(2021-05-11 14:40:28): [krb5_child[955777]] [become_user] (0x0200): Trying
to become user [1175201116][1175200513].
(2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x2000): Running as
[1175201116][1175200513].
(2021-05-11 14:40:28): [krb5_child[955777]] [sss_child_set_krb5_tracing]
(0x0100): krb5 tracing is not available
(2021-05-11 14:40:28): [krb5_child[955777]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
(2021-05-11 14:40:28): [krb5_child[955777]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
(2021-05-11 14:40:28): [krb5_child[955777]] [set_canonicalize_option]
(0x0100): Canonicalization is set to [true]
(2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): Will perform
password change checks
(2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x1000):
Password change operation
(2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x0400):
Attempting kinit for realm [REALM.DOMAIN]
(2021-05-11 14:40:28): [krb5_child[955777]] [sss_krb5_responder] (0x4000):
Got question [password].
(2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x2000):
chpass is not using OTP
(2021-05-11 14:40:28): [krb5_child[955777]] [changepw_child] (0x1000):
Initial authentication for change password operation successful.
(2021-05-11 14:40:28): [krb5_child[955777]] [k5c_send_data] (0x0200):
Received error code 0
(2021-05-11 14:40:28): [krb5_child[955777]] [pack_response_packet]
(0x2000): response packet size: [4]
(2021-05-11 14:40:28): [krb5_child[955777]] [k5c_send_data] (0x4000):
Response sent.
(2021-05-11 14:40:28): [krb5_child[955777]] [main] (0x0400): krb5_child
completed successfully
(2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): krb5_child
started.
(2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x1000): total
buffer size: [181]
(2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x0100): cmd
[246 (password change)] uid [1175201116] gid [1175200513] validate [true]
enterprise principal [false] offline [false] UPN [test@REALM.DOMAIN]
(2021-05-11 14:40:28): [krb5_child[955786]] [unpack_buffer] (0x0100):
ccname: [FILE:/tmp/krb5cc_1175201116_XXXXXX] old_ccname:
[FILE:/tmp/krb5cc_1175201116_GlkSJ1] keytab: [/etc/krb5.keytab]
(2021-05-11 14:40:28): [krb5_child[955786]] [check_use_fast] (0x0100): Not
using FAST.
(2021-05-11 14:40:28): [krb5_child[955786]] [switch_creds] (0x0200): Switch
user to [1175201116][1175200513].
(2021-05-11 14:40:28): [krb5_child[955786]] [switch_creds] (0x0200): Switch
user to [0][0].
(2021-05-11 14:40:28): [krb5_child[955786]] [k5c_check_old_ccache]
(0x4000): Ccache_file is [FILE:/tmp/krb5cc_1175201116_GlkSJ1] and is
 active and TGT is  valid.
(2021-05-11 14:40:28): [krb5_child[955786]] [privileged_krb5_setup]
(0x0080): Cannot open the PAC responder socket
(2021-05-11 14:40:28): [krb5_child[955786]] [become_user] (0x0200): Trying
to become user [1175201116][1175200513].
(2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x2000): Running as
[1175201116][1175200513].
(2021-05-11 14:40:28): [krb5_child[955786]] [sss_child_set_krb5_tracing]
(0x0100): krb5 tracing is not available
(2021-05-11 14:40:28): [krb5_child[955786]] [set_lifetime_options]
(0x0100): No specific renewable lifetime requested.
(2021-05-11 14:40:28): [krb5_child[955786]] [set_lifetime_options]
(0x0100): No specific lifetime requested.
(2021-05-11 14:40:28): [krb5_child[955786]] [set_canonicalize_option]
(0x0100): Canonicalization is set to [true]
(2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): Will perform
password change
(2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x1000):
Password change operation
(2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x0400):
Attempting kinit for realm [REALM.DOMAIN]
(2021-05-11 14:40:28): [krb5_child[955786]] [sss_krb5_responder] (0x4000):
Got question [password].
(2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x2000):
chpass is not using OTP
(2021-05-11 14:40:28): [krb5_child[955786]] [changepw_child] (0x0020):
Failed to fetch new password [2] No such file or directory.
(2021-05-11 14:40:28): [krb5_child[955786]] [k5c_send_data] (0x0200):
Received error code 1432158219
(2021-05-11 14:40:28): [krb5_child[955786]] [pack_response_packet]
(0x2000): response packet size: [4]
(2021-05-11 14:40:28): [krb5_child[955786]] [k5c_send_data] (0x4000):
Response sent.
(2021-05-11 14:40:28): [krb5_child[955786]] [main] (0x0400): krb5_child
completed successfully

Thanks in advance for your help!

-----
Best regards,
Pawel