Following https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20... on Oracle Linux (RHEL clone) 6.3, 64-bit, sssd version 1.8.0 gets us all the way to the point where we can kinit with /etc/krb5.keytab and successfully run the test ldapsearch command. When we start sssd and try getent on a user in AD we get this to /var/log/messages:
"Jul 18 14:58:44 wardentest3 sssd_be: encoded packet size too big (813957120 > 16777215)"
Setting debug_level to 0x7850 (the highest, I believe) doesn't yield any additional helpful info.
I did deviate a bit from the SSSD/AD document in that I did not bind the host but instead created a keytab for a generic user we use to give our Linux hosts access to LDAP on AD. I didn't think this would be a problem since the kinit/ldapsearch test worked fine.
Here's the safe bits of our keytab (we're using mailuser@W2K.GENESEO.EDU as our principal):
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  25 HOST/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 HOST/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 IMAP/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 IMAP/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 SMTP/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 SMTP/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 HTTP/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 HTTP/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
  25 mailuser@W2K.GENESEO.EDU (arcfour-hmac)
Google searches seemed to indicate that this may be some kind of SASL issue and possibly out of SSSD's control. Has anyone experienced a similar problem or have advice on what to try?
--
David Warden
Mail Administrator
State University of New York at Geneseo
"There's only one rule that I know of, babies—God damn it, you've got to be kind."