Open BryanMCarroll opened 1 month ago
Hi,
the debug messages you have pasted are expected and not related to the error. The actual error can be found at the end of the krb5_child.log you have added. SSSD tries to get a Kerberos ticket for the kadmin/changepw service to see if the given old password is correct and to be able to change the password. But this fails with Received error from KDC: -1765328324/Generic error (see e-text). Can you check the krb5_kdc.log on the server with the IP address 172.29.29.37 if there are any helpful log messages?
bye, Sumit
Hi Sumit,
Thanks for looking at this issue. The output from the krb5kdc.log is:
Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: CLIENT KEY EXPIRED: bcarroll@CAPS.INT for krbtgt/CAPS.INT@CAPS.INT, Password has expired
Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15681](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15680](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15680](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: CLIENT KEY EXPIRED: bcarroll@CAPS.INT for krbtgt/CAPS.INT@CAPS.INT, Password has expired
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: NEEDED_PREAUTH: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, Additional pre-authentication required
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ : handle_authdata (2)
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.29.29.37: HANDLE_AUTHDATA: bcarroll@CAPS.INT for kadmin/changepw@CAPS.INT, No such file or directory
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): closing down fd 11
I ran strace on "kinit bcarroll" and see this multiple times:
openat(AT_FDCWD, "/var/lib/sss/pubconf/kpasswdinfo.CAPS.INT", O_RDONLY) = -1 ENOENT (No such file or directory)
listing out the content of that directory:
root@pacific ~ $ ls -alZ /var/lib/sss/pubconf/*
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 13 Aug 21 23:37 /var/lib/sss/pubconf/kdcinfo.CAPS.INT
-rw-------. 1 root root system_u:object_r:sssd_public_t:s0 0 Aug 12 10:28 /var/lib/sss/pubconf/pam_preauth_available
/var/lib/sss/pubconf/krb5.include.d:
total 12
drwxr-xr-x. 2 sssd sssd system_u:object_r:sssd_public_t:s0 83 Aug 12 10:28 .
drwxr-xr-x. 3 sssd sssd system_u:object_r:sssd_public_t:s0 81 Aug 21 23:37 ..
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 15 Aug 12 10:28 domain_realm_caps_int
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 35 Aug 12 10:28 krb5_libdefaults
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 98 Aug 12 10:28 localauth_plugin
What is the /var/lib/sss/pubconf/kpasswdinfo.CAPS.INT and how do I fix it?
In the strace I'm also seeing multiple missing files in /usr/share/locale such as:
openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
Thank you, Bryan
Hi,
thank you for the additional details. /var/lib/sss/pubconf/kpasswdinfo.CAPS.INT is only needed if the Kerberos service doing password changes is running on a different host than the KDC, which is not the case for FreeIPA. Missing local language files are also not an issue.
I think the issue is
Aug 15 17:24:20 pacific.caps.int krb5kdc[15682](info): AS_REQ : handle_authdata (2)
from the KDC logs. I guess this might indicate that the PAC in the Kerberos ticket is missing. Can you check if your user has a SID assigned by calling ipa user-show --all bcarroll and check if the ipantsecurityidentifier attribute is present?
bye, Sumit
Hi Sumit,
I see an ipauniqueid. I don't see an ipantsecurityidentifier.
Thanks, Bryan
Hi,
ok, this might be the reason. Am I right assuming that you have created the user by specifying a POSIX UID and not letting FreeIPA assign a UID automatically?
bye, Sumit
Hi,
That's correct. I specified the UID when using "ipa user-add".
Thank you, Bryan
Hi,
ok, this means you have to add a suitable local id-range which covers the UID and other UIDs and GIDs you plan to assign manually with ipa idrange-add. If you call ipa idrange-find you should see the default local id-range which FreeIPA is using for the automatic assignment, where you can see the required parameters.
After adding the new local id-range you can call /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids to generate the SID for existing users.
HTH
bye, Sumit
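The check Sumit describes above (does the user carry an ipantsecurityidentifier, and does a manually chosen UID fall inside any local id-range so that a SID can be generated for it) can be scripted. The following is an added example and is not code from SSSD, FreeIPA or either participant. It parses the text output of `ipa idrange-find` and `ipa user-show --all`; the two sample outputs embedded below are constructed (the range name, base and the UID 5000 are assumptions, not values from this thread), so the script runs offline. The RID bases in the suggested `ipa idrange-add` command are deliberately left as placeholders because they must not overlap the RID ranges of the existing ranges.

```shell
#!/bin/sh
# Added example (not FreeIPA/SSSD project code). Decide whether a user needs a
# new local id-range before config-enable-sid --add-sids can give it a SID.
# Real usage:  ipa idrange-find | uid_in_local_range 5000
#              ipa user-show --all bcarroll | user_has_sid

# Constructed sample of `ipa idrange-find` on a server with only the default
# local range. Range name and base are assumptions for this example.
SAMPLE_IDRANGE_FIND='----------------
1 range matched
----------------
  Range name: CAPS.INT_id_range
  First Posix ID of the range: 1861800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sample of `ipa user-show --all` for a user created with a manual
# UID: it has an ipauniqueid but no ipantsecurityidentifier.
SAMPLE_USER_SHOW_NO_SID='  User login: bcarroll
  UID: 5000
  GID: 5000
  ipauniqueid: 1a2b3c4d-0000-1111-2222-333344445555
  objectclass: top, person, posixaccount, ipaobject, ipasshuser'

# user_has_sid: reads `ipa user-show --all` output on stdin; succeeds only if
# a SID attribute with the S-1-5-21-... domain prefix is present.
user_has_sid() {
  grep -q '^ *ipantsecurityidentifier: S-1-5-21-'
}

# uid_in_local_range UID: reads `ipa idrange-find` output on stdin. Prints the
# name of every local range whose [base, base+size) interval covers UID and
# returns 0; returns 1 if no local range covers it.
uid_in_local_range() {
  uid=$1
  awk -v uid="$uid" '
    /Range name:/                  { name = $0; sub(/.*Range name: */, "", name) }
    /First Posix ID of the range:/ { base = $NF }
    /Number of IDs in the range:/  { size = $NF }
    /Range type:/ {
      # "Range type" is the last field of each record, so evaluate here.
      if ($0 ~ /local domain range/ && uid >= base && uid < base + size) {
        print name; found = 1
      }
    }
    END { if (found) exit 0; exit 1 }
  '
}

# suggest_idrange_add UID: prints an `ipa idrange-add` command covering UID,
# aligned to a 1000-ID block (the alignment and size are choices made for this
# example; size the range to cover every UID/GID you intend to assign by hand).
suggest_idrange_add() {
  uid=$1
  block=1000
  base=$(( uid / block * block ))
  printf 'ipa idrange-add manual_id_range --base-id=%s --range-size=%s --rid-base=<unused RID base> --secondary-rid-base=<unused secondary RID base>\n' "$base" "$block"
}

# Driver over the constructed samples.
uid=5000
if printf '%s\n' "$SAMPLE_USER_SHOW_NO_SID" | user_has_sid; then
  echo "UID $uid already has a SID; nothing to do"
elif range=$(printf '%s\n' "$SAMPLE_IDRANGE_FIND" | uid_in_local_range "$uid"); then
  echo "UID $uid is covered by local range '$range'; run config-enable-sid --add-sids"
else
  echo "UID $uid is not covered by any local range; add one first, then run config-enable-sid --add-sids:"
  suggest_idrange_add "$uid"
fi
```

On a real server replace the `printf ... | ` pipelines with `ipa idrange-find |` and `ipa user-show --all <login> |`; the functions only read stdin, so they never modify anything. After `ipa idrange-add` has been run with RID bases that do not collide with the ranges `ipa idrange-find` lists, `/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --add-sids` backfills the SID, and `ipa user-show --all` should then show the ipantsecurityidentifier attribute.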
Hi,
I just freshly installed Rocky 9.4 and installed FreeIPA server on it. I added a user and changed the password. However, when I try to login with that password, it doesn't prompt for a new password. It just says permission denied:
In the krb5_child.log, I see:
I've been using FreeIPA and Rocky 9 for a long time and haven't seen this issue before. I'm attaching the krb5_child.log output for one login attempt.
sssd.conf:
FreeIPA version is 4.11.0-15.el9_4. SSSD version is 2.9.4-6.el9_4.1.
Thanks, Bryan Carroll
krb5_child.log