SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

kerberos pre-auth fails #5377

Closed xDFCx closed 4 years ago

xDFCx commented 4 years ago

Hello. Sorry if this is not the appropriate place to look for help, but I don't know where else I can find it with such a problem. I'm trying to get smartcard logon working in a samba4 domain with a two-level enterprise CA. My test stand consists of an offline root CA (centos7-based distro RedOS), a subordinate CA (RedOS), a samba4 DC (RedOS), a Win7 domain client, and a RedOS domain client. So, I already have working smartcard auth on the Win7 client; now I'm really stuck with the Linux client. I've got all the needed libs installed, so I get this:

#/usr/libexec/sssd/p11_child --pre --nssdb=/etc/pki/nssdb -d 10
(Mon Oct 26 18:52:04:157147 2020) [[sssd[p11_child[28763]]]] [main] (0x0400): p11_child started.
(Mon Oct 26 18:52:04:157225 2020) [[sssd[p11_child[28763]]]] [main] (0x2000): Running in [pre-auth] mode.
(Mon Oct 26 18:52:04:157236 2020) [[sssd[p11_child[28763]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon Oct 26 18:52:04:157245 2020) [[sssd[p11_child[28763]]]] [main] (0x2000): Running with real IDs [0][0].
(Mon Oct 26 18:52:07:257136 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Default Module List:
(Mon Oct 26 18:52:07:257203 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Mon Oct 26 18:52:07:257212 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): dll name: [(null)].
(Mon Oct 26 18:52:07:257220 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): common name: [JaCarta].
(Mon Oct 26 18:52:07:257228 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): dll name: [/lib64/libjcPKCS11-2.so].
(Mon Oct 26 18:52:07:257236 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Dead Module List:
(Mon Oct 26 18:52:07:257244 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): DB Module List:
(Mon Oct 26 18:52:07:257251 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Mon Oct 26 18:52:07:257259 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): dll name: [(null)].
(Mon Oct 26 18:52:07:257267 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): common name: [Policy File].
(Mon Oct 26 18:52:07:257274 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): dll name: [(null)].
(Mon Oct 26 18:52:07:257297 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation                ] Manufacturer [Mozilla Foundation                  ] flags [9] removable [false] token present [true].
(Mon Oct 26 18:52:07:257311 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation              ] Manufacturer [Mozilla Foundation              ] flags [1] removable [false] token present [true].
(Mon Oct 26 18:52:07:257330 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Description [Aladdin R.D. JaCarta [SCR Interface] (000000000000) 00 00       Aladdin R.D.                    ] Manufacturer [Aladdin R.D.                    ] flags [7] removable [true] token present [true].
(Mon Oct 26 18:52:07:257339 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Found [jacarta] in slot [Aladdin R.D. JaCarta [SCR Interface] (000000000000) 00 00][131071] of module [2][/lib64/libjcPKCS11-2.so].
(Mon Oct 26 18:52:07:257348 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Token is NOT friendly.
(Mon Oct 26 18:52:07:257355 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Trying to switch to friendly to read certificate.
(Mon Oct 26 18:52:07:257364 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Login required.
(Mon Oct 26 18:52:07:257371 2020) [[sssd[p11_child[28763]]]] [do_card] (0x0020): Login required but no PIN available, continue.
(Mon Oct 26 18:52:08:280494 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): found cert[(null)][E=user1@pki-test.local,CN=user1@pki-test.local]
(Mon Oct 26 18:52:08:280556 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): found cert[(null)][E=user1@pki-test.local,CN=user1]
(Mon Oct 26 18:52:08:280568 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Filtered certificates:
(Mon Oct 26 18:52:08:280576 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): found cert[(null)][E=user1@pki-test.local,CN=user1@pki-test.local]
(Mon Oct 26 18:52:08:280619 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): module uri: pkcs11:library-manufacturer=Aladdin%20R.D.;library-description=JaCarta%20PKCS%2311%20module;library-version=2.4.
(Mon Oct 26 18:52:08:280637 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): token uri: pkcs11:token=jacarta;manufacturer=Aladdin%20R.D.;serial=4E46000557304C4E;model=JaCarta%20Laser.
(Mon Oct 26 18:52:08:889249 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): (null) /lib64/libjcPKCS11-2.so (null) jacarta (null) (null).
(Mon Oct 26 18:52:08:889336 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): found cert[(null)][E=user1@pki-test.local,CN=user1]
(Mon Oct 26 18:52:08:889368 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): module uri: pkcs11:library-manufacturer=Aladdin%20R.D.;library-description=JaCarta%20PKCS%2311%20module;library-version=2.4.
(Mon Oct 26 18:52:08:889386 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): token uri: pkcs11:token=jacarta;manufacturer=Aladdin%20R.D.;serial=4E46000557304C4E;model=JaCarta%20Laser.
(Mon Oct 26 18:52:09:043029 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): (null) /lib64/libjcPKCS11-2.so (null) jacarta (null) (null).
(Mon Oct 26 18:52:09:295720 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Found certificate has key id [4321].
(Mon Oct 26 18:52:09:411971 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): uri: pkcs11:token=jacarta;manufacturer=Aladdin%20R.D.;serial=4E46000557304C4E;model=JaCarta%20Laser;library-manufacturer=Aladdin%20R.D.;library-description=JaCarta%20PKCS%2311%20module;library-version=2.4;object=-%20no%20label%20found%20-;type=cert;slot-manufacturer=Aladdin%20R.D.;slot-description=Aladdin%20R.D.%20JaCarta%20[SCR%20Interface]%20(000000000000)%2000%2000;slot-id=131071;id=%43%21.
(Mon Oct 26 18:52:09:676326 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): Found certificate has key id [1616].
(Mon Oct 26 18:52:09:791585 2020) [[sssd[p11_child[28763]]]] [do_card] (0x4000): uri: pkcs11:token=jacarta;manufacturer=Aladdin%20R.D.;serial=4E46000557304C4E;model=JaCarta%20Laser;library-manufacturer=Aladdin%20R.D.;library-description=JaCarta%20PKCS%2311%20module;library-version=2.4;object=-%20no%20label%20found%20-;type=cert;slot-manufacturer=Aladdin%20R.D.;slot-description=Aladdin%20R.D.%20JaCarta%20[SCR%20Interface]%20(000000000000)%2000%2000;slot-id=131071;id=%16%16.
jacarta
/lib64/libjcPKCS11-2.so
4321
- no label found -
jacarta
/lib64/libjcPKCS11-2.so
1616
- no label found -

With these 2 certs (and keys) on my token I can log in on the Windows client, but on RedOS I get this:

# cat krb5_child.log
(Fri Oct 23 18:35:18:015369 2020) [[sssd[krb5_child[19536]]]] [main] (0x0400): krb5_child started.
(Fri Oct 23 18:35:18:015452 2020) [[sssd[krb5_child[19536]]]] [unpack_buffer] (0x1000): total buffer size: [148]
(Fri Oct 23 18:35:18:015467 2020) [[sssd[krb5_child[19536]]]] [unpack_buffer] (0x0100): cmd [249] uid [403801106] gid [403800513] validate [true] enterprise principal [false] offline [true] UPN [user1@PKI-TEST.LOCAL]
(Fri Oct 23 18:35:18:015476 2020) [[sssd[krb5_child[19536]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:403801106] old_ccname: [KEYRING:persistent:403801106] keytab: [/etc/krb5.keytab]
(Fri Oct 23 18:35:18:015660 2020) [[sssd[krb5_child[19536]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri Oct 23 18:35:18:015722 2020) [[sssd[krb5_child[19536]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Fri Oct 23 18:35:18:015731 2020) [[sssd[krb5_child[19536]]]] [become_user] (0x0200): Trying to become user [403801106][403800513].
(Fri Oct 23 18:35:18:015750 2020) [[sssd[krb5_child[19536]]]] [main] (0x2000): Running as [403801106][403800513].
(Fri Oct 23 18:35:18:015762 2020) [[sssd[krb5_child[19536]]]] [become_user] (0x0200): Trying to become user [403801106][403800513].
(Fri Oct 23 18:35:18:015770 2020) [[sssd[krb5_child[19536]]]] [become_user] (0x0200): Already user [403801106].
(Fri Oct 23 18:35:18:015778 2020) [[sssd[krb5_child[19536]]]] [k5c_setup] (0x2000): Running as [403801106][403800513].
(Fri Oct 23 18:35:18:015798 2020) [[sssd[krb5_child[19536]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Fri Oct 23 18:35:18:015806 2020) [[sssd[krb5_child[19536]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Fri Oct 23 18:35:18:015813 2020) [[sssd[krb5_child[19536]]]] [main] (0x0400): Will perform pre-auth
(Fri Oct 23 18:35:18:015821 2020) [[sssd[krb5_child[19536]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Oct 23 18:35:18:015829 2020) [[sssd[krb5_child[19536]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [PKI-TEST.LOCAL]
(Fri Oct 23 18:35:18:015856 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15649: Getting initial credentials for user1@PKI-TEST.LOCAL

(Fri Oct 23 18:35:18:016148 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15651: Sending unauthenticated request

(Fri Oct 23 18:35:18:016182 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15652: Sending request (208 bytes) to PKI-TEST.LOCAL

(Fri Oct 23 18:35:18:016323 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15653: Sending DNS URI query for _kerberos.PKI-TEST.LOCAL.

(Fri Oct 23 18:35:18:017453 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15654: No URI records found

(Fri Oct 23 18:35:18:017479 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15655: Sending DNS SRV query for _kerberos._udp.PKI-TEST.LOCAL.

(Fri Oct 23 18:35:18:018387 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15656: SRV answer: 0 100 88 "redos-dc-s1.pki-test.local."

(Fri Oct 23 18:35:18:018411 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15657: Sending DNS SRV query for _kerberos._tcp.PKI-TEST.LOCAL.

(Fri Oct 23 18:35:18:019249 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15658: SRV answer: 0 100 88 "redos-dc-s1.pki-test.local."

(Fri Oct 23 18:35:18:019289 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15659: Resolving hostname redos-dc-s1.pki-test.local.

(Fri Oct 23 18:35:18:021060 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15660: Sending initial UDP request to dgram 192.168.42.10:88

(Fri Oct 23 18:35:18:023493 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15661: Received answer (276 bytes) from dgram 192.168.42.10:88

(Fri Oct 23 18:35:18:023572 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15662: Sending DNS URI query for _kerberos.PKI-TEST.LOCAL.

(Fri Oct 23 18:35:18:024359 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15663: No URI records found

(Fri Oct 23 18:35:18:024393 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15664: Sending DNS SRV query for _kerberos-master._udp.PKI-TEST.LOCAL.

(Fri Oct 23 18:35:18:025103 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15665: No SRV records found

(Fri Oct 23 18:35:18:025118 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15666: Response was not from master KDC

(Fri Oct 23 18:35:18:025162 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15667: Received error from KDC: -1765328359/Additional pre-authentication required

(Fri Oct 23 18:35:18:025222 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15670: Preauthenticating using KDC method data

(Fri Oct 23 18:35:18:025241 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15671: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)

(Fri Oct 23 18:35:18:025268 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15672: Selected etype info: etype aes256-cts, salt "PKI-TEST.LOCALuser1", params "\x00\x00\x10\x00"

(Fri Oct 23 18:35:18:025283 2020) [[sssd[krb5_child[19536]]]] [sss_krb5_responder] (0x4000): Got question [password].
(Fri Oct 23 18:35:18:025299 2020) [[sssd[krb5_child[19536]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Fri Oct 23 18:35:18:025307 2020) [[sssd[krb5_child[19536]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for user1@PKI-TEST.LOCAL].
(Fri Oct 23 18:35:18:025315 2020) [[sssd[krb5_child[19536]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Fri Oct 23 18:35:18:025328 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15673: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password

(Fri Oct 23 18:35:18:025345 2020) [[sssd[krb5_child[19536]]]] [sss_krb5_get_init_creds_password] (0x0020): 1618: [-1765328174][Pre-authentication failed: Cannot read password]
(Fri Oct 23 18:35:18:025426 2020) [[sssd[krb5_child[19536]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(Fri Oct 23 18:35:18:025438 2020) [[sssd[krb5_child[19536]]]] [k5c_send_data] (0x0200): Received error code 0
(Fri Oct 23 18:35:18:025446 2020) [[sssd[krb5_child[19536]]]] [pack_response_packet] (0x2000): response packet size: [12]
(Fri Oct 23 18:35:18:025460 2020) [[sssd[krb5_child[19536]]]] [k5c_send_data] (0x4000): Response sent.
(Fri Oct 23 18:35:18:025468 2020) [[sssd[krb5_child[19536]]]] [main] (0x0400): krb5_child completed successfully 

I see that pre-auth fails on asking login and password, but it cannot be used, obviously. But why was PA-PK-AS-REP_OLD/PA-PK-AS-REQ not used? I had no PIN-code prompt. How can I debug it?
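
The trace above shows the KDC offering PKINIT pre-auth types while the only client preauth module that reports a result is encrypted_timestamp. As an added example (not part of the original issue and not SSSD's own code), this parser pulls that offered-versus-attempted gap out of krb5_child.log; the regexes assume the line shapes shown in the post, and the sample lines are constructed from it.

```python
import re

# Constructed sample: three lines in the shape of the krb5_child.log shown above.
SAMPLE_LOG = """\
(Fri Oct 23 18:35:18:025241 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15671: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
(Fri Oct 23 18:35:18:025283 2020) [[sssd[krb5_child[19536]]]] [sss_krb5_responder] (0x4000): Got question [password].
(Fri Oct 23 18:35:18:025328 2020) [[sssd[krb5_child[19536]]]] [sss_child_krb5_trace_cb] (0x4000): [19536] 1603467318.15673: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
"""

# Patterns are assumptions derived from the log lines in the post.
OFFERED = re.compile(r"Processing preauth types: (.+)$")
PA_TYPE = re.compile(r"([A-Z0-9_-]+) \((\d+)\)")
MODULE = re.compile(r"Preauth module (\S+) \((\d+)\) \(\w+\) returned: (-?\d+)/(.+)$")
QUESTION = re.compile(r"\[sss_krb5_responder\] \(0x[0-9a-f]+\): Got question \[([^\]]+)\]")

# PA-PK-AS-REP_OLD and PA-PK-AS-REQ, numbered as printed in the trace.
PKINIT_TYPES = {15, 16}


def summarize(log_text):
    """Return what the KDC offered, which preauth modules ran, and what was asked."""
    offered, modules, questions = {}, [], []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := OFFERED.search(line):
            # KDC method data: every pre-auth type the KDC is willing to accept.
            offered.update({int(n): name for name, n in PA_TYPE.findall(m.group(1))})
        elif m := MODULE.search(line):
            # A client preauth module ran and returned (name, type, code, message).
            modules.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
        elif m := QUESTION.search(line):
            # Responder question raised by libkrb5 (e.g. "password").
            questions.append(m.group(1))
    tried = {num for _, num, _, _ in modules}
    return {
        "offered": offered,
        "modules": modules,
        "questions": questions,
        "pkinit_offered": bool(PKINIT_TYPES & set(offered)),
        "pkinit_attempted": bool(PKINIT_TYPES & tried),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full krb5_child.log by passing the file's text to `summarize()`; `pkinit_offered` true with `pkinit_attempted` false reproduces the situation the post describes.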