SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Prompter interface isn't used for prompting by SSSD #7535

Open BryanMCarroll opened 1 month ago

BryanMCarroll commented 1 month ago

Hi,

I just freshly installed Rocky 9.4 and installed FreeIPA server on it. I added a user and changed the password. However, when I try to login with that password, it doesn't prompt for a new password. It just says permission denied:

bcarroll@Bryan-Desktop:~$ ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no pacific.caps.int
bcarroll@pacific.caps.int's password:
Permission denied, please try again.

In the krb5_child.log, I see:

(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x4000): [RID#15183] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1].
(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x4000): [RID#15183] Prompt [0][Password for bcarroll@CAPS.INT].
(2024-08-15 17:24:20): [krb5_child[90722]] [sss_krb5_prompter] (0x0200): [RID#15183] Prompter interface isn't used for prompting by SSSD.Returning the expected error [-1765328254/Cannot read password].

I've been using FreeIPA and Rocky 9 for a long time and haven't seen this issue before. I'm attaching the krb5_child.log output for one login attempt.

sssd.conf:

[domain/caps.int]

id_provider = ipa
ipa_server_mode = True
ipa_server = pacific.caps.int
ipa_domain = caps.int
ipa_hostname = pacific.caps.int
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo

domains = caps.int
[nss]
homedir_substring = /home
memcache_timeout = 600

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = ipaapi, root

[session_recording]

FreeIPA version is 4.11.0-15.el9_4. SSSD version is 2.9.4-6.el9_4.1.

Thanks, Bryan Carroll

krb5_child.log

sumit-bose commented 3 weeks ago

Hi,

the debug messages you have pasted are expected and not related to the error. The actual error can be found at the end of the krb5_child.log you have added. SSSD tries to get a Kerberos ticket for the kadmin/changepw service to see if the given old password is correct and to be able to change the password. But this fails with Received error from KDC: -1765328324/Generic error (see e-text). Can you check the krb5_kdc.log on the server with the IP address 172.29.29.37 if there are any helpful log messages?

bye, Sumit

BryanMCarroll commented 3 weeks ago

Hi Sumit,

Thanks for looking at this issue. The output from the krb5kdc.log is:

Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: CLIENT KEY EXPIRED: bcarroll@CAPS.INT for krbtgt/CAPS.INT@CAPS.INT, Password has expired
Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15680](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15680](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: CLIENT KEY EXPIRED: bcarroll@CAPS.INT for krbtgt/CAPS.INT@CAPS.INT, Password has expired
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ : handle_authdata (2)
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: HANDLE_AUTHDATA: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, No such file or directory
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11

I ran strace on "kinit bcarroll" and see this multiple times:

openat(AT_FDCWD, "/var/lib/sss/pubconf/kpasswdinfo.CAPS.INT", O_RDONLY) = -1 ENOENT (No such file or directory)

Listing out the content of that directory:

root@pacific ~ $ ls -alZ /var/lib/sss/pubconf/*
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 13 Aug 21 23:37 /var/lib/sss/pubconf/kdcinfo.CAPS.INT
-rw-------. 1 root root system_u:object_r:sssd_public_t:s0  0 Aug 12 10:28 /var/lib/sss/pubconf/pam_preauth_available

/var/lib/sss/pubconf/krb5.include.d:
total 12
drwxr-xr-x. 2 sssd sssd system_u:object_r:sssd_public_t:s0 83 Aug 12 10:28 .
drwxr-xr-x. 3 sssd sssd system_u:object_r:sssd_public_t:s0 81 Aug 21 23:37 ..
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 15 Aug 12 10:28 domain_realm_caps_int
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 35 Aug 12 10:28 krb5_libdefaults
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 98 Aug 12 10:28 localauth_plugin

What is the /var/lib/sss/pubconf/kpasswdinfo.CAPS.INT and how do I fix it?

In the strace I'm also seeing multiple missing files in the /usr/share/locale such as:

openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

Thank you, Bryan

sumit-bose commented 3 weeks ago

Hi,

thank you for the additional details. /var/lib/sss/pubconf/kpasswdinfo.CAPS.INT is only needed if the Kerberos service doing password changes is running on a different host than the KDC which is not the case for FreeIPA. Missing local language files are also not an issue.

I think the issue is

Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ : handle_authdata (2)

from the KDC logs. I guess this might indicate that the PAC in the Kerberos ticket is missing. Can you check if your user has a SID assigned by calling

ipa user-show --all bcarroll

and check if the ipantsecurityidentifier attribute is present?

bye, Sumit
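A small triage helper for the KDC log pattern Sumit points to above (an added example, not code from this thread, from SSSD or from FreeIPA): it parses krb5kdc AS_REQ status lines and reports clients whose password has expired and whose follow-up request for kadmin/changepw then failed in authdata handling, which is the combination that led to checking the user's SID. The sample lines are the ones posted earlier in the thread plus one constructed line for a second, healthy user.

```python
"""Triage helper for the krb5kdc.log pattern discussed in this thread.

Added example, not code from SSSD or FreeIPA. It scans the KDC's AS_REQ
status lines and reports clients whose password has expired and whose
follow-up AS_REQ for kadmin/changepw (the password-change attempt SSSD makes)
then failed in authdata handling, the combination that in this thread pointed
at a user without a SID.
"""
import re
from collections import defaultdict

# AS_REQ status lines as krb5kdc writes them; the etype list is skipped by the
# non-greedy group. Lines such as "closing down fd 11" do not match.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+): (?P<client>\S+) for (?P<service>\S+), (?P<msg>.*)$"
)


def parse_as_req(line):
    """Return the fields of an AS_REQ status line, or None for any other line."""
    m = AS_REQ_RE.search(line)
    return m.groupdict() if m else None


def find_blocked_password_changes(lines):
    """Return one finding per client whose expired password could not be changed."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_as_req(line)
        if ev:
            by_client[ev["client"]].append(ev)

    findings = []
    for client, evs in by_client.items():
        expired = any(e["status"] == "CLIENT KEY EXPIRED"
                      and e["service"].startswith("krbtgt/") for e in evs)
        authdata_failures = [e for e in evs if e["status"] == "HANDLE_AUTHDATA"
                             and e["service"].startswith("kadmin/changepw")]
        # NEEDED_PREAUTH for kadmin/changepw is normal; only the authdata
        # failure after an expired-password reply is the signal of interest.
        if expired and authdata_failures:
            last = authdata_failures[-1]
            findings.append({
                "client": client,
                "ip": last["ip"],
                "kdc_error": last["msg"],
                "hint": "password change failed in KDC authdata (PAC) handling; "
                        "check that the user has ipantsecurityidentifier "
                        "(ipa user-show --all <user>)",
            })
    return findings


# Sample input: the lines posted above for bcarroll, plus one constructed line
# for a second user whose only event is the normal NEEDED_PREAUTH reply.
ETYPES = ("(4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), "
          "aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)})")
SAMPLE_LOG = [
    f"Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): AS_REQ {ETYPES} 172.29.29.37: "
    "CLIENT KEY EXPIRED: bcarroll@CAPS.INT for krbtgt/CAPS.INT@CAPS.INT, Password has expired",
    "Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): closing down fd 11",
    f"Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): AS_REQ {ETYPES} 172.29.29.37: "
    "NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required",
    "Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ : handle_authdata (2)",
    f"Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ {ETYPES} 172.29.29.37: "
    "HANDLE_AUTHDATA: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, No such file or directory",
    f"Aug 15 17:24:25 pacific.caps.int krb5kdc[15682](info): AS_REQ {ETYPES} 172.29.29.40: "
    "NEEDED_PREAUTH: otheruser@CAPS.INT for krbtgt/CAPS.INT@CAPS.INT, Additional pre-authentication required",
]

if __name__ == "__main__":
    for f in find_blocked_password_changes(SAMPLE_LOG):
        print(f"{f['client']} from {f['ip']}: {f['kdc_error']} -> {f['hint']}")
```

Feed it the real krb5kdc.log with `find_blocked_password_changes(open(path))`; a NEEDED_PREAUTH reply on its own is the KDC's normal pre-authentication round trip and is deliberately not reported.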

BryanMCarroll commented 3 weeks ago

Hi Sumit,

I see an ipauniqueid. I don't see an ipantsecurityidentifier.

Thanks, Bryan

sumit-bose commented 3 weeks ago

Hi,

ok, this might be the reason. Am I right assuming that you have created the user by specifying a POSIX UID and not letting FreeIPA assign a UID automatically?

bye, Sumit

BryanMCarroll commented 3 weeks ago

Hi,

That's correct. I specified the UID when using "ipa user-add".

Thank you, Bryan

sumit-bose commented 3 weeks ago

Hi,

ok, this means you have to add, with ipa idrange-add, a suitable local id-range which covers the UID and the other UIDs and GIDs you plan to assign manually. If you call ipa idrange-find you should see the default local id-range which FreeIPA is using for the automatic assignment, where you can see the required parameters.

After adding the new local id-range you can call /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids to generate the SID for existing users.

HTH

bye, Sumit
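The two steps Sumit describes (read the existing local range with ipa idrange-find, then add a local range that covers the manually assigned IDs) as a worked check, added here and not FreeIPA's or SSSD's own code: it parses idrange-find output, tests whether given POSIX IDs fall inside an existing range, and if not proposes a new local range whose POSIX span and both RID spans overlap none of the ranges already defined, rendered as an ipa idrange-add command. The idrange-find output and the UIDs 1000/1001 are constructed for the example; check the idrange-add options against `ipa help idrange-add` on your FreeIPA version before running the printed command.

```python
"""Check manually assigned POSIX IDs against FreeIPA local id-ranges and
propose a new local range when they are not covered.

Added example, not FreeIPA's own code. The `ipa idrange-find` output below is
constructed for illustration; on a real server take it from `ipa idrange-find`,
and verify the `ipa idrange-add` options against `ipa help idrange-add` for
your FreeIPA version.
"""
import re

# Labels printed by `ipa idrange-find`, mapped to the keys used below.
FIELD_LABELS = {
    "Range name": ("name", str),
    "First Posix ID of the range": ("base_id", int),
    "Number of IDs in the range": ("range_size", int),
    "First RID of the corresponding RID range": ("rid_base", int),
    "First RID of the secondary RID range": ("secondary_rid_base", int),
    "Range type": ("type", str),
}


def parse_idrange_find(text):
    """Turn `ipa idrange-find` output into a list of range dicts."""
    ranges, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+)$", line)
        if not m or m.group(1).strip() not in FIELD_LABELS:
            continue
        key, conv = FIELD_LABELS[m.group(1).strip()]
        if key == "name":            # each entry starts with its name
            current = {}
            ranges.append(current)
        if current is not None:
            current[key] = conv(m.group(2).strip())
    return ranges


def covers(rng, posix_id):
    """True if posix_id lies inside the range's POSIX ID span."""
    return rng["base_id"] <= posix_id < rng["base_id"] + rng["range_size"]


def overlaps(a_start, a_size, b_start, b_size):
    """True if two half-open integer spans intersect."""
    return a_start < b_start + b_size and b_start < a_start + a_size


def propose_local_range(existing, posix_ids, name, range_size=10000):
    """Return None if every ID is covered by an existing range; otherwise a
    proposal for a new local range that covers the uncovered IDs and whose
    POSIX and RID spans overlap none of the existing ranges."""
    uncovered = sorted(i for i in posix_ids
                       if not any(covers(r, i) for r in existing))
    if not uncovered:
        return None
    base_id = uncovered[0]
    if uncovered[-1] >= base_id + range_size:
        raise ValueError("range_size too small to cover all uncovered IDs")
    for r in existing:
        if overlaps(base_id, range_size, r["base_id"], r["range_size"]):
            raise ValueError(f"proposed POSIX span overlaps range {r['name']}")
    # Both RID spans (primary and secondary) must stay clear of every existing
    # primary and secondary RID span, so start after the highest one in use.
    next_rid = max((r[k] + r["range_size"] for r in existing
                    for k in ("rid_base", "secondary_rid_base")), default=1000)
    return {"name": name, "base_id": base_id, "range_size": range_size,
            "rid_base": next_rid, "secondary_rid_base": next_rid + range_size}


def idrange_add_command(proposal):
    """Render the proposal as an `ipa idrange-add` invocation."""
    return ("ipa idrange-add {name} --base-id={base_id} --range-size={range_size} "
            "--rid-base={rid_base} --secondary-rid-base={secondary_rid_base} "
            "--type=ipa-local").format(**proposal)


# Constructed sample: one default local range, as idrange-find would print it.
SAMPLE_IDRANGE_FIND = """\
----------------
1 range matched
----------------
  Range name: CAPS.INT_id_range
  First Posix ID of the range: 1950200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

if __name__ == "__main__":
    ranges = parse_idrange_find(SAMPLE_IDRANGE_FIND)
    # UIDs 1000 and 1001 stand in for IDs passed to `ipa user-add --uid`.
    proposal = propose_local_range(ranges, [1000, 1001], "CAPS.INT_manual_range")
    print(idrange_add_command(proposal))
    # After adding the range, the thread's next step generates the SIDs:
    # /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids
```

The overlap checks matter because FreeIPA rejects a new range whose POSIX or RID span intersects an existing one; once the range is in place, the config-enable-sid --add-sids step from the comment above assigns ipantsecurityidentifier to the existing users.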