On Thu, Jul 11, 2024 at 02:43:50PM +0200, Grzegorz Sobanski wrote:
> On 24/06/2024 16:54, Sumit Bose wrote:
> > On Mon, Jun 24, 2024 at 03:55:50PM +0200, Grzegorz Sobanski wrote:
> > > On 24/06/2024 13:15, Sumit Bose wrote:
> > > > On Mon, Jun 24, 2024 at 08:23:54AM +0000, Grzegorz Sobański wrote:
> > > > > Hi,
> > > > > Thanks for working on this.
> > > > > Could you please share a source diff for this change? We can’t use
> > > > > this private build - we will need to build it ourselves.
> > > > Hi,
> > > >
> > > > please check
> > > > https://github.com/sumit-bose/sssd/commit/464a7ec2793a82c83330cb3a10b114d1cafaf0ba
> > >
> > > This patch does fix our issue, thanks.
> > >
> > > I submitted a ticket as you asked:
> > > https://github.com/SSSD/sssd/issues/7456
> >
> > Hi,
> >
> > thanks for the confirmation and the ticket. I have to check if the
> > current patch does not cause any other regressions before making a
> > pull-request out of it to get it included.
>
> Hi,
> continuing discussion from ticket - I applied the change from master to
> 2.9.4 with patches from Rocky9.4.
> And while your first change from your private fork did fix our issue, this
> patch unfortunately didn't.
>
> As requested I attach logs from 2.9.4 from Rocky9.4 with the patch applied.
Hi,
thank you for the logs. Please try to add
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d43bd0f55..d1101e16c 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2505,8 +2505,13 @@ static int prompt_by_config(pam_handle_t *pamh, struct
pam_items *pi)
ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c]));
break;
case PC_TYPE_2FA:
- ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]),
- pc_get_2fa_2nd_prompt(pi->pc[c]));
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, true,
pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ } else {
+ ret = prompt_2fa(pamh, pi, false,
pc_get_2fa_1st_prompt(pi->pc[c]),
+ pc_get_2fa_2nd_prompt(pi->pc[c]));
+ }
break;
case PC_TYPE_2FA_SINGLE:
ret = prompt_2fa_single(pamh, pi,
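Review bot: the new if/else under case PC_TYPE_2FA repeats the whole prompt_2fa() call, and the two branches differ only in the third argument (true vs. false). If pi->password_prompting is a boolean, passing it straight through, as in `ret = prompt_2fa(pamh, pi, pi->password_prompting, ...)`, says the same thing in one call and avoids the two copies drifting apart. A one-line comment on why the third argument should follow password_prompting here would help, since the hunk does not say what that argument changes in the prompt. Does the PC_TYPE_2FA_SINGLE case that follows need to honour password_prompting as well?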
to your build and let me know if this fixes the issue for you.
bye,
Sumit
>
> bye,
> Grzegorz
> ==> /var/log/sssd/sssd_realm.log <==
> (2024-07-11 12:49:50): [be[realm]] [dp_pam_handler_send] (0x0100): Got
> request with the following data
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): command:
> SSS_PAM_PREAUTH
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): domain: realm
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): user:
> gsobanski@realm
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): service: sudo
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): rhost:
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): authtok type: 0
> (No authentication token available)
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): newauthtok
> type: 0 (No authentication token available)
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): priv: 0
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): cli_pid: 2109271
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): logon name: not
> set
> (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): flags: 0
> (2024-07-11 12:49:50): [be[realm]] [dp_attach_req] (0x0400): [RID#5] DP
> Request [PAM Preauth #5]: REQ_TRACE: New request. [sssd.pam CID #2] Flags
> [0000].
> (2024-07-11 12:49:50): [be[realm]] [dp_attach_req] (0x0400): [RID#5] Number
> of active DP request: 1
> (2024-07-11 12:49:50): [be[realm]] [fo_resolve_service_send] (0x0100):
> [RID#5] Trying to resolve service 'IPA'
> (2024-07-11 12:49:50): [be[realm]] [be_resolve_server_process] (0x0200):
> [RID#5] Found address for server ipaserver: [V.X.Y.Z] TTL 2652
> (2024-07-11 12:49:50): [be[realm]] [_write_pipe_handler] (0x0400): [RID#5]
> All data has been sent!
> (2024-07-11 12:49:50): [be[realm]] [_read_pipe_handler] (0x0400): [RID#5] All
> data received
> (2024-07-11 12:49:50): [be[realm]] [fo_set_port_status] (0x0100): [RID#5]
> Marking port 0 of server 'ipaserver' as 'working'
> (2024-07-11 12:49:50): [be[realm]] [set_server_common_status] (0x0100):
> [RID#5] Marking server 'ipaserver' as 'working'
> (2024-07-11 12:49:50): [be[realm]] [fo_set_port_status] (0x0400): [RID#5]
> Marking port 0 of duplicate server 'ipaserver' as 'working'
> (2024-07-11 12:49:50): [be[realm]] [dp_req_done] (0x0400): [RID#5] DP Request
> [PAM Preauth #5]: Request handler finished [0]: Success
> (2024-07-11 12:49:50): [be[realm]] [_dp_req_recv] (0x0400): [RID#5] DP
> Request [PAM Preauth #5]: Receiving request data.
> (2024-07-11 12:49:50): [be[realm]] [dp_req_destructor] (0x0400): [RID#5] DP
> Request [PAM Preauth #5]: Request removed.
> (2024-07-11 12:49:50): [be[realm]] [dp_req_destructor] (0x0400): [RID#5]
> Number of active DP request: 0
> (2024-07-11 12:49:50): [be[realm]] [sbus_issue_request_done] (0x0400):
> sssd.dataprovider.pamHandler: Success
> (2024-07-11 12:49:50): [be[realm]] [child_sig_handler] (0x0100): [RID#5]
> child [2109273] finished successfully.
> (2024-07-11 12:49:53): [be[realm]] [dp_pam_handler_send] (0x0100): Got
> request with the following data
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): command:
> SSS_PAM_AUTHENTICATE
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): domain: realm
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): user:
> gsobanski@realm
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): service: sudo
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): rhost:
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): authtok type: 6
> (Two factors in a single string)
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): newauthtok
> type: 0 (No authentication token available)
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): priv: 0
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): cli_pid: 2109271
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): logon name: not
> set
> (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): flags: 0
> (2024-07-11 12:49:53): [be[realm]] [dp_attach_req] (0x0400): [RID#6] DP
> Request [PAM Authenticate #6]: REQ_TRACE: New request. [sssd.pam CID #2]
> Flags [0000].
> (2024-07-11 12:49:53): [be[realm]] [dp_attach_req] (0x0400): [RID#6] Number
> of active DP request: 1
> (2024-07-11 12:49:53): [be[realm]] [fo_resolve_service_send] (0x0100):
> [RID#6] Trying to resolve service 'IPA'
> (2024-07-11 12:49:53): [be[realm]] [be_resolve_server_process] (0x0200):
> [RID#6] Found address for server ipaserver: [V.X.Y.Z] TTL 2652
> (2024-07-11 12:49:53): [be[realm]] [ipa_resolve_callback] (0x0400): [RID#6]
> Constructed uri 'ldap://ipaserver'
> (2024-07-11 12:49:53): [be[realm]] [_write_pipe_handler] (0x0400): [RID#6]
> All data has been sent!
> (2024-07-11 12:49:53): [be[realm]] [_read_pipe_handler] (0x0400): [RID#6] All
> data received
> (2024-07-11 12:49:53): [be[realm]] [sdap_get_generic_ext_step] (0x0400):
> [RID#6] calling ldap_search_ext with
> [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=...].
> (2024-07-11 12:49:53): [be[realm]] [sdap_get_generic_op_finished] (0x0400):
> [RID#6] Search result: Success(0), no errmsg set
> (2024-07-11 12:49:53): [be[realm]] [dp_req_done] (0x0400): [RID#6] DP Request
> [PAM Authenticate #6]: Request handler finished [0]: Success
> (2024-07-11 12:49:53): [be[realm]] [_dp_req_recv] (0x0400): [RID#6] DP
> Request [PAM Authenticate #6]: Receiving request data.
> (2024-07-11 12:49:53): [be[realm]] [dp_req_destructor] (0x0400): [RID#6] DP
> Request [PAM Authenticate #6]: Request removed.
> (2024-07-11 12:49:53): [be[realm]] [dp_req_destructor] (0x0400): [RID#6]
> Number of active DP request: 0
> (2024-07-11 12:49:53): [be[realm]] [sbus_issue_request_done] (0x0400):
> sssd.dataprovider.pamHandler: Success
> (2024-07-11 12:49:53): [be[realm]] [child_sig_handler] (0x0100): [RID#6]
> child [2109421] finished successfully.
> (2024-07-11 12:49:55): [be[realm]] [dp_pam_handler_send] (0x0100): Got
> request with the following data
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): command:
> SSS_PAM_PREAUTH
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): domain: realm
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): user:
> gsobanski@realm
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): service: sudo
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): rhost:
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): authtok type: 0
> (No authentication token available)
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): newauthtok
> type: 0 (No authentication token available)
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): priv: 0
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): cli_pid: 2109271
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): logon name: not
> set
> (2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): flags: 0
> (2024-07-11 12:49:55): [be[realm]] [dp_attach_req] (0x0400): [RID#7] DP
> Request [PAM Preauth #7]: REQ_TRACE: New request. [sssd.pam CID #2] Flags
> [0000].
> (2024-07-11 12:49:55): [be[realm]] [dp_attach_req] (0x0400): [RID#7] Number
> of active DP request: 1
> (2024-07-11 12:49:55): [be[realm]] [fo_resolve_service_send] (0x0100):
> [RID#7] Trying to resolve service 'IPA'
> (2024-07-11 12:49:55): [be[realm]] [be_resolve_server_process] (0x0200):
> [RID#7] Found address for server ipaserver: [V.X.Y.Z] TTL 2652
> (2024-07-11 12:49:55): [be[realm]] [_write_pipe_handler] (0x0400): [RID#7]
> All data has been sent!
> (2024-07-11 12:49:55): [be[realm]] [_read_pipe_handler] (0x0400): [RID#7] All
> data received
> (2024-07-11 12:49:55): [be[realm]] [fo_set_port_status] (0x0100): [RID#7]
> Marking port 0 of server 'ipaserver' as 'working'
> (2024-07-11 12:49:55): [be[realm]] [set_server_common_status] (0x0100):
> [RID#7] Marking server 'ipaserver' as 'working'
> (2024-07-11 12:49:55): [be[realm]] [fo_set_port_status] (0x0400): [RID#7]
> Marking port 0 of duplicate server 'ipaserver' as 'working'
> (2024-07-11 12:49:55): [be[realm]] [dp_req_done] (0x0400): [RID#7] DP Request
> [PAM Preauth #7]: Request handler finished [0]: Success
> (2024-07-11 12:49:55): [be[realm]] [_dp_req_recv] (0x0400): [RID#7] DP
> Request [PAM Preauth #7]: Receiving request data.
> (2024-07-11 12:49:55): [be[realm]] [dp_req_destructor] (0x0400): [RID#7] DP
> Request [PAM Preauth #7]: Request removed.
> (2024-07-11 12:49:55): [be[realm]] [dp_req_destructor] (0x0400): [RID#7]
> Number of active DP request: 0
> (2024-07-11 12:49:55): [be[realm]] [sbus_issue_request_done] (0x0400):
> sssd.dataprovider.pamHandler: Success
> (2024-07-11 12:49:55): [be[realm]] [child_sig_handler] (0x0100): [RID#7]
> child [2109427] finished successfully.
>
> ==> /var/log/sssd/krb5_child.log <==
> (2024-07-11 12:49:50): [krb5_child[2109273]] [main] (0x0400): [RID#5]
> krb5_child started.
> (2024-07-11 12:49:50): [krb5_child[2109273]] [unpack_buffer] (0x0100):
> [RID#5] cmd [249 (pre-auth)] uid [123456] gid [1002] validate [true]
> enterprise principal [false] offline [false] UPN [gsobanski@REALM]
> (2024-07-11 12:49:50): [krb5_child[2109273]] [unpack_buffer] (0x0100):
> [RID#5] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname:
> [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
> (2024-07-11 12:49:50): [krb5_child[2109273]] [k5c_setup_fast] (0x0100):
> [RID#5] Fast principal is set to [host/hostname@REALM]
> (2024-07-11 12:49:50): [krb5_child[2109273]] [check_fast_ccache] (0x0200):
> [RID#5] FAST TGT is still valid.
> (2024-07-11 12:49:50): [krb5_child[2109273]] [become_user] (0x0200): [RID#5]
> Trying to become user [123456][1002].
> (2024-07-11 12:49:50): [krb5_child[2109273]] [set_lifetime_options] (0x0100):
> [RID#5] No specific renewable lifetime requested.
> (2024-07-11 12:49:50): [krb5_child[2109273]] [set_lifetime_options] (0x0100):
> [RID#5] No specific lifetime requested.
> (2024-07-11 12:49:50): [krb5_child[2109273]] [set_canonicalize_option]
> (0x0100): [RID#5] Canonicalization is set to [true]
> (2024-07-11 12:49:50): [krb5_child[2109273]] [main] (0x0400): [RID#5] Will
> perform pre-auth
> (2024-07-11 12:49:50): [krb5_child[2109273]] [get_and_save_tgt] (0x0400):
> [RID#5] Attempting kinit for realm [REALM]
> (2024-07-11 12:49:50): [krb5_child[2109273]] [sss_krb5_prompter] (0x0200):
> [RID#5] Prompter interface isn't used for prompting by SSSD.Returning the
> expected error [-1765328254/Cannot read password].
> (2024-07-11 12:49:50): [krb5_child[2109273]] [sss_krb5_prompter] (0x0200):
> [RID#5] Prompter interface isn't used for prompting by SSSD.Returning the
> expected error [-1765328254/Cannot read password].
> (2024-07-11 12:49:50): [krb5_child[2109273]] [get_and_save_tgt] (0x0400):
> [RID#5] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
> (2024-07-11 12:49:50): [krb5_child[2109273]] [k5c_send_data] (0x0200):
> [RID#5] Received error code 0
> (2024-07-11 12:49:50): [krb5_child[2109273]] [main] (0x0400): [RID#5]
> krb5_child completed successfully
> (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6]
> krb5_child started.
> (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100):
> [RID#6] cmd [241 (auth)] uid [123456] gid [1002] validate [true] enterprise
> principal [false] offline [false] UPN [gsobanski@REALM]
> (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100):
> [RID#6] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname:
> [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
> (2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200): [RID#6]
> Switch user to [123456][1002].
> (2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200): [RID#6]
> Switch user to [0][0].
> (2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_setup_fast] (0x0100):
> [RID#6] Fast principal is set to [host/hostname@REALM]
> (2024-07-11 12:49:53): [krb5_child[2109421]] [check_fast_ccache] (0x0200):
> [RID#6] FAST TGT is still valid.
> (2024-07-11 12:49:53): [krb5_child[2109421]] [become_user] (0x0200): [RID#6]
> Trying to become user [123456][1002].
> (2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options] (0x0100):
> [RID#6] No specific renewable lifetime requested.
> (2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options] (0x0100):
> [RID#6] No specific lifetime requested.
> (2024-07-11 12:49:53): [krb5_child[2109421]] [set_canonicalize_option]
> (0x0100): [RID#6] Canonicalization is set to [true]
> (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] Will
> perform auth
> (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] Will
> perform online auth
> (2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt] (0x0400):
> [RID#6] Attempting kinit for realm [REALM]
> (2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt] (0x0020):
> [RID#6] 2341: [-1765328360][Preauthentication failed]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> BACKTRACE:
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6]
> krb5_child started.
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x1000):
> [RID#6] total buffer size: [179]
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100):
> [RID#6] cmd [241 (auth)] uid [123456] gid [1002] validate [true] enterprise
> principal [false] offline [false] UPN [gsobanski@REALM]
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100):
> [RID#6] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname:
> [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200):
> [RID#6] Switch user to [123456][1002].
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200):
> [RID#6] Switch user to [0][0].
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_check_old_ccache]
> (0x4000): [RID#6] Ccache_file is [FILE:/tmp/krb5cc_123456_cKvOjo] and is
> active and TGT is valid.
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_setup_fast] (0x0100):
> [RID#6] Fast principal is set to [host/hostname@REALM]
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [find_principal_in_keytab]
> (0x4000): [RID#6] Trying to find principal host/hostname@REALM in keytab.
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [match_principal]
> (0x1000): [RID#6] Principal matched to the sample (host/hostname@REALM).
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [check_fast_ccache]
> (0x0200): [RID#6] FAST TGT is still valid.
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [become_user] (0x0200):
> [RID#6] Trying to become user [123456][1002].
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x2000): [RID#6]
> Running as [123456][1002].
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options]
> (0x0100): [RID#6] No specific renewable lifetime requested.
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options]
> (0x0100): [RID#6] No specific lifetime requested.
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [set_canonicalize_option]
> (0x0100): [RID#6] Canonicalization is set to [true]
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6]
> Will perform auth
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6]
> Will perform online auth
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [tgt_req_child] (0x1000):
> [RID#6] Attempting to get a TGT
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt]
> (0x0400): [RID#6] Attempting kinit for realm [REALM]
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [sss_krb5_responder]
> (0x4000): [RID#6] Got question [otp].
> * (2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt]
> (0x0020): [RID#6] 2341: [-1765328360][Preauthentication failed]
> ********************** BACKTRACE DUMP ENDS HERE
> *********************************
>
> (2024-07-11 12:49:53): [krb5_child[2109421]] [map_krb5_error] (0x0020):
> [RID#6] 2470: [-1765328360][Preauthentication failed]
> (2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_send_data] (0x0200):
> [RID#6] Received error code 1432158222
> (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6]
> krb5_child completed successfully
> (2024-07-11 12:49:55): [krb5_child[2109427]] [main] (0x0400): [RID#7]
> krb5_child started.
> (2024-07-11 12:49:55): [krb5_child[2109427]] [unpack_buffer] (0x0100):
> [RID#7] cmd [249 (pre-auth)] uid [123456] gid [1002] validate [true]
> enterprise principal [false] offline [false] UPN [gsobanski@REALM]
> (2024-07-11 12:49:55): [krb5_child[2109427]] [unpack_buffer] (0x0100):
> [RID#7] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname:
> [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
> (2024-07-11 12:49:55): [krb5_child[2109427]] [k5c_setup_fast] (0x0100):
> [RID#7] Fast principal is set to [host/hostname@REALM]
> (2024-07-11 12:49:55): [krb5_child[2109427]] [check_fast_ccache] (0x0200):
> [RID#7] FAST TGT is still valid.
> (2024-07-11 12:49:55): [krb5_child[2109427]] [become_user] (0x0200): [RID#7]
> Trying to become user [123456][1002].
> (2024-07-11 12:49:55): [krb5_child[2109427]] [set_lifetime_options] (0x0100):
> [RID#7] No specific renewable lifetime requested.
> (2024-07-11 12:49:55): [krb5_child[2109427]] [set_lifetime_options] (0x0100):
> [RID#7] No specific lifetime requested.
> (2024-07-11 12:49:55): [krb5_child[2109427]] [set_canonicalize_option]
> (0x0100): [RID#7] Canonicalization is set to [true]
> (2024-07-11 12:49:55): [krb5_child[2109427]] [main] (0x0400): [RID#7] Will
> perform pre-auth
> (2024-07-11 12:49:55): [krb5_child[2109427]] [get_and_save_tgt] (0x0400):
> [RID#7] Attempting kinit for realm [REALM]
> (2024-07-11 12:49:55): [krb5_child[2109427]] [sss_krb5_prompter] (0x0200):
> [RID#7] Prompter interface isn't used for prompting by SSSD.Returning the
> expected error [-1765328254/Cannot read password].
> (2024-07-11 12:49:55): [krb5_child[2109427]] [sss_krb5_prompter] (0x0200):
> [RID#7] Prompter interface isn't used for prompting by SSSD.Returning the
> expected error [-1765328254/Cannot read password].
> (2024-07-11 12:49:55): [krb5_child[2109427]] [get_and_save_tgt] (0x0400):
> [RID#7] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
> (2024-07-11 12:49:55): [krb5_child[2109427]] [k5c_send_data] (0x0200):
> [RID#7] Received error code 0
> (2024-07-11 12:49:55): [krb5_child[2109427]] [main] (0x0400): [RID#7]
> krb5_child completed successfully
> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue