HI,

I haven’t posted in a while, I hope everybody is doing well. I have a problem that I am having a difficult time diagnosing. To start, I want to say that we have a pretty large IPA environment. It generally works good. Most of our servers are of the same flavor RHEL6/7, and pull down their sssd/IPA RPMs from a standard repo. We also deploy sssd/ipa-client from SaltStack, so there’s not much variation on configuration. I have a client that is being very finicky, I am getting a message that says "Malformed representation of principal” in my krb5_child.log (when trying to log in). I’m really kind of an ends with the right way to troubleshoot this further. Here’s what I know;

1) I can kinit -k as root
2) I can kinit ***@domain, even for the user in the sssd logs
3) I’ve blown away /var/lib/sss, deleted /etc/krb*, reinstalled sssd-common, sssd, & ipa-client.

My logs are below. Would somebody be able to perhaps provide input on the best way to further troubleshoot this issue?

(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0400): krb5_child started.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x1000): total buffer size: [174]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100): cmd [241] uid [339788572] gid [339788572] validate [true] enterprise principal [false] offline [false] UPN [***@domain@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_339788572_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/***@DOMAIN]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/***@DOMAIN in keytab.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [match_principal] (0x1000): Principal matched to the sample (host/***@DOMAIN).
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [become_user] (0x0200): Trying to become user [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x2000): Running as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x2000): Running as [339788572][339788572].
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [k5c_setup] (0x0020): 2529: [-1765328250][Malformed representation of principal]
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0020): krb5_child_setup failed.
(Thu Apr 27 20:17:24 2017) [[sssd[krb5_child[8722]]]] [main] (0x0020): krb5_child failed!

(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [parse_krb5_child_response] (0x0020): message too short.
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [check_wait_queue] (0x1000): Wait queue for user [***@domain] is empty.
(Thu Apr 27 20:17:24 2017) [sssd[be[ipa.domain]]] [krb5_auth_queue_done] (0x0040): krb5_auth_recv failed with: 22
(Thu Apr 27 20:17:24 2017) [sssd[be[iipa.domain]]] [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid argument

I appreciate your help with this.

Thank you,

Dan Sullivan