[Freeipa-users] sssd, krb5_child.log: Received error code 1432158221
Harald Dunkel
2017-04-24 12:24:34 UTC
Hi folks,

some colleagues have to enter their password 3 times (or even
more) to authenticate. krb5_child.log shows

(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0

sssd_pam.log:

(Mon Apr 3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr 3 10:45:20 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:22 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr 3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:27 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:27 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:28 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr 3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr 3 10:45:28 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:30 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [8 (Insufficient credentials to access authentication data)][example.com]
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Mon Apr 3 10:45:33 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:35 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sysdb_set_entry_attr] (0x0200): Entry [name=***@example.com,cn=users,cn=example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 73
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'juppschmitz' matched without domain, user is juppschmitz
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.com]
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Mon Apr 3 10:45:39 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!


Did they enter just a bad password? What can I do to make authentication
more reliable?

sssd version is 1.15.0-3, backported from Debian Testing
to Jessie.

Every helpful hint is highly appreciated
Harri
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Sumit Bose
2017-04-24 13:48:24 UTC
Post by Harald Dunkel
Hi folks,
some colleagues have to enter their password 3 times (or even
more) to authenticate. krb5_child.log shows
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:27 2017) [[sssd[krb5_child[5186]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:28 2017) [[sssd[krb5_child[5186]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:33 2017) [[sssd[krb5_child[5243]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [657][100].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0
Please re-run with a higher log level. E.g. it would be good to know if
all requests were sent to the same KDC or different ones?

If the requests were sent to different KDCs it might be a time skew
issue, although I would expect a different error code here.

Do you have KDC logs for those requests?

bye,
Sumit
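
Added example, not part of the original thread or of SSSD: a small Python parser that groups krb5_child.log lines by child PID and decodes the negative krb5 library code into its RFC 4120 protocol error, so a pre-authentication failure (24) can be told apart from the clock-skew error (37) mentioned in the reply. The function names and the embedded sample (an excerpt of the log lines posted above) are choices made for this example; the large positive "Received error code" value is SSSD-internal and is reported as-is.

```python
import re
from collections import OrderedDict

# krb5 library codes are ERROR_TABLE_BASE_krb5 plus the RFC 4120 error number.
KRB5_BASE = -1765328384
KRB5_NAMES = {
    24: "KDC_ERR_PREAUTH_FAILED",  # pre-authentication information was invalid
    37: "KRB_AP_ERR_SKEW",         # clock skew too great
}
LINE = re.compile(
    r"\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-f]+\): (?P<msg>.*)$")
KRB5_ERR = re.compile(r"\[(-\d+)\]\[")
RESULT = re.compile(r"Received error code (\d+)")

def decode_krb5(code):
    """Map a krb5 library error code to its protocol error name."""
    number = code - KRB5_BASE
    return KRB5_NAMES.get(number, "krb5 protocol error %d" % number)

def summarize(log_text):
    """Return {pid: {"krb5": name or None, "result": int or None}} in log order."""
    attempts = OrderedDict()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a krb5_child line
        entry = attempts.setdefault(m.group("pid"), {"krb5": None, "result": None})
        err = KRB5_ERR.search(m.group("msg"))
        if err and m.group("func") == "get_and_save_tgt":
            entry["krb5"] = decode_krb5(int(err.group(1)))
        res = RESULT.search(m.group("msg"))
        if res:
            entry["result"] = int(res.group(1))
    return attempts

# Excerpt of the krb5_child.log lines quoted in the thread above.
SAMPLE = """\
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
(Mon Apr 3 10:45:20 2017) [[sssd[krb5_child[5116]]]] [k5c_send_data] (0x0200): Received error code 1432158221
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [become_user] (0x0200): Trying to become user [657][100].
(Mon Apr 3 10:45:39 2017) [[sssd[krb5_child[5304]]]] [k5c_send_data] (0x0200): Received error code 0
"""

if __name__ == "__main__":
    for pid, info in summarize(SAMPLE).items():
        print(pid, info["krb5"], info["result"])
```
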