Kerberos 5 Tacking on Realm Twice to Principal












0














I recently updated a Fedora 22 workstation and SSSD logins began to fail.



Logs look good until sss_send_pac fails. Oddly the principal user is getting the domain added twice. For example:



jgiotta@magic.local@magic.local


I'm not sure what debuggin steps to take at this point. Joining the realm and performing ldapsearch commands are all successful.



Authentication is provided by an Active Directory system on a larger Windows-based network.



When I step up logging output in sssd.conf to level 10 I can review the krb5_child.log. I find the following failure in the log:




(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2]



(Thu Dec 3 09:22:36
2015) [[sssd[krb5_child[2158]]]] [validate_tgt] (0x0040): sss_send_pac
failed, group membership for user with principal
[jgiotta@magic.local@magic.local] might not be correct.




When this occurs I believe login fails, but terminal only says "System error" at login. At this moment, I'm essentially locked out of my profile and can only access via root.






fedora kerberos







share|improve this question
























  • How exactly does sss_send_pac fail? There's an infinite number of ways for a program to fail (including making the computer explode); please describe your situation. What domain (AD, IPA, Krb5) do you have? What was done when you "patched" the system? What exact failure did you start seeing?
    – grawity
    Dec 3 '15 at 6:04












  • I assume you're seeing this in Wireshark. What "name type" is set in the request? The format you show is normal for NT-ENTERPRISE-PRINCIPAL, where the KDC (not the client) is expected to resolve various "UPN suffixes".
    – grawity
    Dec 3 '15 at 6:05












  • @grawity I've added more detail. Honestly, I don't know if that message is a warning or an error, but it's really the only log I can identify a "failure"
    – John Giotta
    Dec 3 '15 at 14:34
















0














I recently updated a Fedora 22 workstation and SSSD logins began to fail.



Logs look good until sss_send_pac fails. Oddly the principal user is getting the domain added twice. For example:



jgiotta@magic.local@magic.local


I'm not sure what debuggin steps to take at this point. Joining the realm and performing ldapsearch commands are all successful.



Authentication is provided by an Active Directory system on a larger Windows-based network.



When I step up logging output in sssd.conf to level 10 I can review the krb5_child.log. I find the following failure in the log:




(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2]



(Thu Dec 3 09:22:36
2015) [[sssd[krb5_child[2158]]]] [validate_tgt] (0x0040): sss_send_pac
failed, group membership for user with principal
[jgiotta@magic.local@magic.local] might not be correct.




When this occurs I believe login fails, but terminal only says "System error" at login. At this moment, I'm essentially locked out of my profile and can only access via root.






fedora kerberos







share|improve this question
























  • How exactly does sss_send_pac fail? There's an infinite number of ways for a program to fail (including making the computer explode); please describe your situation. What domain (AD, IPA, Krb5) do you have? What was done when you "patched" the system? What exact failure did you start seeing?
    – grawity
    Dec 3 '15 at 6:04












  • I assume you're seeing this in Wireshark. What "name type" is set in the request? The format you show is normal for NT-ENTERPRISE-PRINCIPAL, where the KDC (not the client) is expected to resolve various "UPN suffixes".
    – grawity
    Dec 3 '15 at 6:05












  • @grawity I've added more detail. Honestly, I don't know if that message is a warning or an error, but it's really the only log I can identify a "failure"
    – John Giotta
    Dec 3 '15 at 14:34














0












0








0







I recently updated a Fedora 22 workstation and SSSD logins began to fail.



Logs look good until sss_send_pac fails. Oddly the principal user is getting the domain added twice. For example:



jgiotta@magic.local@magic.local


I'm not sure what debuggin steps to take at this point. Joining the realm and performing ldapsearch commands are all successful.



Authentication is provided by an Active Directory system on a larger Windows-based network.



When I step up logging output in sssd.conf to level 10 I can review the krb5_child.log. I find the following failure in the log:




(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2]



(Thu Dec 3 09:22:36
2015) [[sssd[krb5_child[2158]]]] [validate_tgt] (0x0040): sss_send_pac
failed, group membership for user with principal
[jgiotta@magic.local@magic.local] might not be correct.




When this occurs I believe login fails, but terminal only says "System error" at login. At this moment, I'm essentially locked out of my profile and can only access via root.






fedora kerberos







share|improve this question















I recently updated a Fedora 22 workstation and SSSD logins began to fail.



Logs look good until sss_send_pac fails. Oddly the principal user is getting the domain added twice. For example:



jgiotta@magic.local@magic.local


I'm not sure what debuggin steps to take at this point. Joining the realm and performing ldapsearch commands are all successful.



Authentication is provided by an Active Directory system on a larger Windows-based network.



When I step up logging output in sssd.conf to level 10 I can review the krb5_child.log. I find the following failure in the log:




(Thu Dec 3 09:22:36 2015) [[sssd[krb5_child[2158]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2]



(Thu Dec 3 09:22:36
2015) [[sssd[krb5_child[2158]]]] [validate_tgt] (0x0040): sss_send_pac
failed, group membership for user with principal
[jgiotta@magic.local@magic.local] might not be correct.




When this occurs I believe login fails, but terminal only says "System error" at login. At this moment, I'm essentially locked out of my profile and can only access via root.






fedora kerberos




fedora kerberos






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 3 '15 at 14:33

























asked Dec 2 '15 at 19:09









John Giotta

1214




1214












  • How exactly does sss_send_pac fail? There's an infinite number of ways for a program to fail (including making the computer explode); please describe your situation. What domain (AD, IPA, Krb5) do you have? What was done when you "patched" the system? What exact failure did you start seeing?
    – grawity
    Dec 3 '15 at 6:04












  • I assume you're seeing this in Wireshark. What "name type" is set in the request? The format you show is normal for NT-ENTERPRISE-PRINCIPAL, where the KDC (not the client) is expected to resolve various "UPN suffixes".
    – grawity
    Dec 3 '15 at 6:05












  • @grawity I've added more detail. Honestly, I don't know if that message is a warning or an error, but it's really the only log I can identify a "failure"
    – John Giotta
    Dec 3 '15 at 14:34


















  • How exactly does sss_send_pac fail? There's an infinite number of ways for a program to fail (including making the computer explode); please describe your situation. What domain (AD, IPA, Krb5) do you have? What was done when you "patched" the system? What exact failure did you start seeing?
    – grawity
    Dec 3 '15 at 6:04












  • I assume you're seeing this in Wireshark. What "name type" is set in the request? The format you show is normal for NT-ENTERPRISE-PRINCIPAL, where the KDC (not the client) is expected to resolve various "UPN suffixes".
    – grawity
    Dec 3 '15 at 6:05












  • @grawity I've added more detail. Honestly, I don't know if that message is a warning or an error, but it's really the only log I can identify a "failure"
    – John Giotta
    Dec 3 '15 at 14:34
















How exactly does sss_send_pac fail? There's an infinite number of ways for a program to fail (including making the computer explode); please describe your situation. What domain (AD, IPA, Krb5) do you have? What was done when you "patched" the system? What exact failure did you start seeing?
– grawity
Dec 3 '15 at 6:04






How exactly does sss_send_pac fail? There's an infinite number of ways for a program to fail (including making the computer explode); please describe your situation. What domain (AD, IPA, Krb5) do you have? What was done when you "patched" the system? What exact failure did you start seeing?
– grawity
Dec 3 '15 at 6:04














I assume you're seeing this in Wireshark. What "name type" is set in the request? The format you show is normal for NT-ENTERPRISE-PRINCIPAL, where the KDC (not the client) is expected to resolve various "UPN suffixes".
– grawity
Dec 3 '15 at 6:05






I assume you're seeing this in Wireshark. What "name type" is set in the request? The format you show is normal for NT-ENTERPRISE-PRINCIPAL, where the KDC (not the client) is expected to resolve various "UPN suffixes".
– grawity
Dec 3 '15 at 6:05














@grawity I've added more detail. Honestly, I don't know if that message is a warning or an error, but it's really the only log I can identify a "failure"
– John Giotta
Dec 3 '15 at 14:34




@grawity I've added more detail. Honestly, I don't know if that message is a warning or an error, but it's really the only log I can identify a "failure"
– John Giotta
Dec 3 '15 at 14:34










1 Answer
1






active

oldest

votes


















0














Years late, but for the Internet searchers:



In CentOS 7 as of now (and probably for a while now, really), there is an option in sssd.conf:



use_fully_qualified_names (bool)

   Use the full name and domain (as formatted by the domain's

   full_name_format) as the user's login name reported to NSS.


I was struggling with the duplicated domain name in my kerberos request for xrdp and after a lot of effort learned that explicitly setting this to false even though that's the default made a difference.



sssd.conf



[domain/magic.local]

use_fully_qualified_names = false





share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1008236%2fkerberos-5-tacking-on-realm-twice-to-principal%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Years late, but for the Internet searchers:



    In CentOS 7 as of now (and probably for a while now, really), there is an option in sssd.conf:



    use_fully_qualified_names (bool)
    
   Use the full name and domain (as formatted by the domain's
    
   full_name_format) as the user's login name reported to NSS.


    I was struggling with the duplicated domain name in my kerberos request for xrdp and after a lot of effort learned that explicitly setting this to false even though that's the default made a difference.



    sssd.conf



    [domain/magic.local]
    
use_fully_qualified_names = false





    share|improve this answer


























      0














      Years late, but for the Internet searchers:



      In CentOS 7 as of now (and probably for a while now, really), there is an option in sssd.conf:



      use_fully_qualified_names (bool)
      
   Use the full name and domain (as formatted by the domain's
      
   full_name_format) as the user's login name reported to NSS.


      I was struggling with the duplicated domain name in my kerberos request for xrdp and after a lot of effort learned that explicitly setting this to false even though that's the default made a difference.



      sssd.conf



      [domain/magic.local]
      
use_fully_qualified_names = false





      share|improve this answer
























        0












        0








        0






        Years late, but for the Internet searchers:



        In CentOS 7 as of now (and probably for a while now, really), there is an option in sssd.conf:



        use_fully_qualified_names (bool)
        
   Use the full name and domain (as formatted by the domain's
        
   full_name_format) as the user's login name reported to NSS.


        I was struggling with the duplicated domain name in my kerberos request for xrdp and after a lot of effort learned that explicitly setting this to false even though that's the default made a difference.



        sssd.conf



        [domain/magic.local]
        
use_fully_qualified_names = false





        share|improve this answer












        Years late, but for the Internet searchers:



        In CentOS 7 as of now (and probably for a while now, really), there is an option in sssd.conf:



        use_fully_qualified_names (bool)
        
   Use the full name and domain (as formatted by the domain's
        
   full_name_format) as the user's login name reported to NSS.


        I was struggling with the duplicated domain name in my kerberos request for xrdp and after a lot of effort learned that explicitly setting this to false even though that's the default made a difference.



        sssd.conf



        [domain/magic.local]
        
use_fully_qualified_names = false






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 6 '18 at 20:42









        bgStack15

        1,1791817




        1,1791817






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1008236%2fkerberos-5-tacking-on-realm-twice-to-principal%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Сан-Квентин

            Image
            Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но...
            Read more

            8-я гвардейская общевойсковая армия

            Image
            8-я гвардейская общевойсковая ордена Ленина армия Награды: Войска: РККА → Советская армия → СВ России Род войск: Формирование: 1943 Расформирование (преобразование): 1992 Предшественник: 62-я армия (1942—43) → 8-я гвардейская общевойсковая армия (1943—92) → 8-й гвардейский армейский корпус (1992—98) Боевой путь Изюм-Барвенковская операция Донбасская операция Запорожская операция Битва за Днепр Днепропетровская операция Березнеговато-Снигирёвская операция Одесская операция Люблин-Брестская операция Варшавско-Познанская операция Восточно-Померанская операция Берлинская наступательная операция У этого термина существуют и другие значения, см. 8-я армия. Фотография Гвардейского Красного Знамени (лицевая сторона) 8-й гвардейской армии , образца 1943 года. Фотография Гвардейского Красного Знамени (оборотная сторона) 8-й гвардейской армии , образца 1943 года. 8-я гвардейская общевойсковая ордена Ленина армия  — гвардейское фор...
            Read more

            Алькесар

            Image
            Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове...
            Read more