This bug has been copied from bug #1672527 and has been proposed to be backported to 7.6 z-stream (EUS).
Reproducing the Issue:
=====================

sssd-libwbclient-1.16.2-13.el7.x86_64
sssd-krb5-common-1.16.2-13.el7.x86_64
sssd-ldap-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
sssd-tools-1.16.2-13.el7.x86_64
sssd-client-1.16.2-13.el7.x86_64
sssd-common-1.16.2-13.el7.x86_64
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
sssd-dbus-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
sssd-kcm-1.16.2-13.el7.x86_64
python-sssdconfig-1.16.2-13.el7.noarch
sssd-ad-1.16.2-13.el7.x86_64
sssd-ipa-1.16.2-13.el7.x86_64

1. Configure sssd to use the ldap provider and krb5 authentication for users to log in

[sssd]
domains = sssd2016.com
config_file_version = 2
services = nss, pam

[domain/sssd2016.com]
krb5_realm = SSSD2016.COM
id_provider = ldap
chpass_provider = krb5
cache_credentials = True
ldap_uri = ldap://mars.sssd2016.com
ldap_search_base = DC=sssd2016,DC=COM
cache_credentials = False
ldap_referrals = False
id_provider = ldap
ldap_schema = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = true
ldap_sasl_mech = gssapi
ldap_account_expire_policy = ad
ldap_use_tokengroups = true
auth_provider = krb5
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
debug_level = 9

2. Cat /etc/krb5.conf

[root@sparks ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = SSSD2016.COM

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 SSSD2016.COM = {
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 sssd2016.com = SSSD2016.COM
 .sssd2016.com = SSSD2016.COM
[root@sparks ~]#

3. Log in as an AD user using ssh so that the kdcinfo.<DOMAIN> and kpasswd.<DOMAIN> files are created under /var/lib/sss/pubconf

[root@sparks pubconf]# ll
total 8
-rw-r--r--. 1 root root 16 Apr 10 08:27 kdcinfo.SSSD2016.COM
-rw-r--r--. 1 root root 17 Apr 10 08:15 kpasswdinfo.SSSD2016.COM
drwxr-xr-x. 2 sssd sssd 87 Sep  5  2018 krb5.include.d

4. From another terminal, as the root user, run the below kinit command

env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator

When prompted for a password, specify a wrong or no password to check if the port 464

[root@sparks ~]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[27555] 1554898748.181016: Getting initial credentials for Administrator
[27555] 1554898748.181018: Sending unauthenticated request
[27555] 1554898748.181019: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898748.181020: Initiating TCP connection to stream 10.65.207.18:88
[27555] 1554898748.181021: Sending TCP request to stream 10.65.207.18:88
[27555] 1554898748.181022: Received answer (157 bytes) from stream 10.65.207.18:88
[27555] 1554898748.181023: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898748.181024: Response was not from master KDC
[27555] 1554898748.181025: Received error from KDC: -1765328359/Additional pre-authentication required
[27555] 1554898748.181028: Preauthenticating using KDC method data
[27555] 1554898748.181029: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[27555] 1554898748.181030: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[27555] 1554898751.324171: AS key obtained for encrypted timestamp: rc4-hmac/A247
[27555] 1554898751.324173: Encrypted timestamp (for 1554898751.707740): plain 301AA011180F32303139303431303132313931315AA10502030ACC9C, encrypted FC89D373AF3534165D28F2AE73E72B86214AEDEFEDBB216AB28508E87CA238A83A0EF767C10B1AC6E9FAE3605F88288D8865368C
[27555] 1554898751.324174: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27555] 1554898751.324175: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[27555] 1554898751.324176: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898751.324177: Initiating TCP connection to stream 10.65.207.18:88
[27555] 1554898751.324178: Sending TCP request to stream 10.65.207.18:88
[27555] 1554898751.324179: Received answer (1526 bytes) from stream 10.65.207.18:88
[27555] 1554898751.324180: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898751.324181: Response was not from master KDC
[27555] 1554898751.324182: Salt derived from principal: SSSD2016.COMAdministrator
[27555] 1554898751.324183: AS key determined by preauth: rc4-hmac/A247
[27555] 1554898751.324184: Decrypted AS reply; session key is: aes256-cts/EF66
[27555] 1554898751.324185: FAST negotiation: unavailable
[27555] 1554898751.324186: Initializing KEYRING:persistent:0:0 with default princ Administrator
[27555] 1554898751.324187: Storing Administrator -> krbtgt/SSSD2016.COM in KEYRING:persistent:0:0
[27555] 1554898751.324188: Storing config in KEYRING:persistent:0:0 for krbtgt/SSSD2016.COM: pa_type: 2
[27555] 1554898751.324189: Storing Administrator -> krb5_ccache_conf_data/pa_type/krbtgt\/SSSD2016.COM\@SSSD2016.COM@X-CACHECONF: in KEYRING:persistent:0:0

[root@sparks ~]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[27556] 1554898759.377230: Getting initial credentials for Administrator
[27556] 1554898759.377232: Sending unauthenticated request
[27556] 1554898759.377233: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898759.377234: Initiating TCP connection to stream 10.65.207.18:88
[27556] 1554898759.377235: Sending TCP request to stream 10.65.207.18:88
[27556] 1554898759.377236: Received answer (157 bytes) from stream 10.65.207.18:88
[27556] 1554898759.377237: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898759.377238: Response was not from master KDC
[27556] 1554898759.377239: Received error from KDC: -1765328359/Additional pre-authentication required
[27556] 1554898759.377242: Preauthenticating using KDC method data
[27556] 1554898759.377243: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[27556] 1554898759.377244: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[27556] 1554898760.652839: AS key obtained for encrypted timestamp: rc4-hmac/4EE8
[27556] 1554898760.652841: Encrypted timestamp (for 1554898761.43279): plain 301AA011180F32303139303431303132313932315AA105020300A90F, encrypted 693DCFAEED27C776A547C57E0E3444F0801A0570D9EBDC14648BB96278A912FF810E8C65CE06DB72ADD90240DDF90033459ACF0E
[27556] 1554898760.652842: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27556] 1554898760.652843: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[27556] 1554898760.652844: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898760.652845: Initiating TCP connection to stream 10.65.207.18:88
[27556] 1554898760.652846: Sending TCP request to stream 10.65.207.18:88
[27556] 1554898761.718373: Received answer (122 bytes) from stream 10.65.207.18:88
[27556] 1554898761.718374: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898761.718375: Response was not from master KDC
[27556] 1554898761.718376: Received error from KDC: -1765328360/Preauthentication failed
[27556] 1554898761.718379: Preauthenticating using KDC method data
[27556] 1554898761.718380: Processing preauth types: PA-ETYPE-INFO2 (19)
[27556] 1554898761.718381: Selected etype info: etype rc4-hmac, salt "", params ""
[27556] 1554898761.718382: Retrying AS request with master KDC
[27556] 1554898761.718383: Getting initial credentials for Administrator
[27556] 1554898761.718385: Sending unauthenticated request
[27556] 1554898761.718386: Sending request (200 bytes) to SSSD2016.COM (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898761.718387: Initiating TCP connection to stream 10.65.207.18:464
[27556] 1554898761.718388: Sending TCP request to stream 10.65.207.18:464
[27556] 1554898762.200747: Terminating TCP connection to stream 10.65.207.18:464
[27556] 1554898762.200748: Sending initial UDP request to dgram 10.65.207.18:464
[27556] 1554898765.203935: Sending retry UDP request to dgram 10.65.207.18:464
[27556] 1554898770.209022: Sending retry UDP request to dgram 10.65.207.18:464
kinit: Password incorrect while getting initial credentials

As seen above, the sssd_krb5_locator plugin tries the AD server on port 464.

Update sssd to the below versions:

sssd-ipa-1.16.2-13.el7_6.7.x86_64
sssd-proxy-1.16.2-13.el7_6.7.x86_64
sssd-client-1.16.2-13.el7_6.7.x86_64
python-sssdconfig-1.16.2-13.el7_6.7.noarch
sssd-common-1.16.2-13.el7_6.7.x86_64
sssd-common-pac-1.16.2-13.el7_6.7.x86_64
sssd-ad-1.16.2-13.el7_6.7.x86_64
sssd-krb5-1.16.2-13.el7_6.7.x86_64
sssd-1.16.2-13.el7_6.7.x86_64
sssd-krb5-common-1.16.2-13.el7_6.7.x86_64
sssd-ldap-1.16.2-13.el7_6.7.x86_64

Restart sssd and run the above kinit command

[root@qe-blade-14 pubconf]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[26280] 1554899579.642990: Getting initial credentials for Administrator
[26280] 1554899579.642992: Sending unauthenticated request
[26280] 1554899579.642993: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899579.642994: Initiating TCP connection to stream 10.65.207.18:88
[26280] 1554899579.642995: Sending TCP request to stream 10.65.207.18:88
[26280] 1554899580.128031: Received answer (157 bytes) from stream 10.65.207.18:88
[26280] 1554899580.128032: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899580.128033: Response was from master KDC
[26280] 1554899580.128034: Received error from KDC: -1765328359/Additional pre-authentication required
[26280] 1554899580.128037: Preauthenticating using KDC method data
[26280] 1554899580.128038: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[26280] 1554899580.128039: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[26280] 1554899582.293153: AS key obtained for encrypted timestamp: rc4-hmac/4EE8
[26280] 1554899582.293155: Encrypted timestamp (for 1554899582.204260): plain 301AA011180F32303139303431303132333330325AA1050203031DE4, encrypted 76CFD1F609AC0F1AB294F2CA5B04379C69960E3332B17E22CEB10709DD201BF5F06B2776F4ECE062225328CF514D10801A259B64
[26280] 1554899582.293156: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[26280] 1554899582.293157: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[26280] 1554899582.293158: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899582.293159: Initiating TCP connection to stream 10.65.207.18:88
[26280] 1554899582.293160: Sending TCP request to stream 10.65.207.18:88
[26280] 1554899582.293161: Received answer (122 bytes) from stream 10.65.207.18:88
[26280] 1554899582.293162: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899582.293163: Response was from master KDC
[26280] 1554899582.293164: Received error from KDC: -1765328360/Preauthentication failed
[26280] 1554899582.293167: Preauthenticating using KDC method data
[26280] 1554899582.293168: Processing preauth types: PA-ETYPE-INFO2 (19)
[26280] 1554899582.293169: Selected etype info: etype rc4-hmac, salt "", params ""
kinit: Password incorrect while getting initial credentials

As we can see, the sssd_krb5_locator plugin doesn't retry the AD server IP on port 464 and tries to connect on port 88.
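Added here as an illustration, not code from the bug report or from SSSD: a checker that parses SSSD_KRB5_LOCATOR_DEBUG output like the traces above and reports master-KDC lookups (locate_service[2]) that were answered with the kpasswd port 464, the symptom seen before the update. The realm EXAMPLE.TEST, the address 192.0.2.18 and the two sample traces are constructed; the service numbers and ports are the ones printed in the traces.

```python
import re

# Service type as printed in the locator's locate_service[N] field on this page:
# 1 = KDC, 2 = master KDC.  Ports: 88 = KDC, 464 = kpasswd.
LOCATE_SERVICE_MASTER_KDC = 2
KDC_PORT = 88
KPASSWD_PORT = 464

# One regex for both entry kinds; finditer works whether the entries sit on
# separate lines or, as on an extracted bug page, run together on one line.
ENTRY_RE = re.compile(
    r"\[sssd_krb5_locator\] (?:"
    r"sssd_realm\[(?P<realm>[^\]]*)\] requested realm\[[^\]]*\] "
    r"family\[\d+\] socktype\[\d+\] locate_service\[(?P<service>\d+)\]"
    r"|addr\[(?P<ip>[^:\]]+):(?P<port>\d+)\] family\[\d+\] socktype\[\d+\])"
)


def parse_lookups(trace: str) -> list:
    """Group each locate_service[N] request with the addr[ip:port] answers following it."""
    lookups, current = [], None
    for m in ENTRY_RE.finditer(trace):
        if m.group("realm") is not None:
            current = {"realm": m["realm"], "service": int(m["service"]), "addrs": []}
            lookups.append(current)
        elif current is not None:
            current["addrs"].append((m["ip"], int(m["port"])))
    return lookups


def master_kdc_on_kpasswd_port(trace: str) -> list:
    """Return (realm, ip, port) for every master-KDC lookup answered with the kpasswd port."""
    return [(lk["realm"], ip, port)
            for lk in parse_lookups(trace) if lk["service"] == LOCATE_SERVICE_MASTER_KDC
            for ip, port in lk["addrs"] if port == KPASSWD_PORT]


# Constructed traces (placeholder realm and address) shaped like the page's two runs:
# the affected build answers the master-KDC lookup with port 464, the fixed one with 88.
AFFECTED_TRACE = """\
[sssd_krb5_locator] Found [192.0.2.18][88].
[sssd_krb5_locator] Found [192.0.2.18][464].
[sssd_krb5_locator] sssd_realm[EXAMPLE.TEST] requested realm[EXAMPLE.TEST] family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[192.0.2.18:464] family[2] socktype[2]
[sssd_krb5_locator] [192.0.2.18] used
[sssd_krb5_locator] sssd_realm[EXAMPLE.TEST] requested realm[EXAMPLE.TEST] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.0.2.18:464] family[2] socktype[1]
[sssd_krb5_locator] [192.0.2.18] used
"""
FIXED_TRACE = AFFECTED_TRACE.replace(":464]", ":88]")  # only the addr[] answers change

if __name__ == "__main__":
    for name, trace in (("affected", AFFECTED_TRACE), ("fixed", FIXED_TRACE)):
        hits = master_kdc_on_kpasswd_port(trace)
        print(f"{name}: {len(hits)} master-KDC lookup(s) answered with port {KPASSWD_PORT}", hits)
```

To check a live system, feed the checker the combined output of the kinit command shown in the report (KRB5_TRACE=/dev/stdout with SSSD_KRB5_LOCATOR_DEBUG=1).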
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0816