On Mon, Oct 23, 2017 at 4:55 PM, Jeremy Monnet jmonnet@gmail.com wrote:
This sounds wrong: [sdap_kinit_send] (0x0400): Attempting kinit (default, host/<servername>.<subdomain>.<domain>, <SUBDOMAIN>.<DOMAIN>, 86400) with AD, you normally want to use the SHORTNAME$REALM principal, not the host/hostname principal, because the latter is only a service principal, not a user/computer one.
But since you're using id_provider=ad, then sssd should have already picked up that principal... is the SHORTNAME$@REALM principal in your keytab at all?
Yes, it is
root@servername:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
Some more information (in case that would help...)
1 AD forest with multiple domains: example.com and sub1.example.com
2 users: my_user@example.com, testuser@sub1.example.com
2 servers set up the same way (same adcli commands to get the krb5.keytab, same resolv.conf/hosts/sssd.conf etc.), but 1 is Ubuntu 14 with sssd 1.11.8-0ubunt, 1 is Ubuntu 16 with sssd 1.13.4-1ubunt
(BTW I have about 15 other Linuxes (RHEL6/RHEL7/Ubuntu 14) that are connected only to example.com and working OK. Only these 2 servers are members of sub1.example.com with a need to also authenticate users from example.com.)
On these 2 servers, authentication works for testuser@sub1.example.com. I can authenticate with my_user@example.com on the Ubuntu 14 with sssd 1.11. But I cannot authenticate with my_user@example.com on the Ubuntu 16 with sssd 1.13.
sssd.conf for both servers:

[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I have played with ad_hostname, ldap_sasl_authid, ldap_sasl_realm with little success (I am not even sure the ldap_sasl_* variables are useful with id_provider = ad...).
There is only one tiny difference I see in the SPNs: my Ubuntu 16 is the only one of my servers that has a host/SERVERNAME SPN; all the others have HOST/SERVERNAME (capital HOST). I cannot understand, though, why that would allow the auth to the subdomain but not to the main domain, but I know Kerberos is very sensitive to case, so just in case. And anyway, that is coherent with the keytab.
Thanks,
Jeremy
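The two checks the thread turns on (is the SHORTNAME$@REALM computer-account principal in the keytab, and do the service principals mix host/ and HOST/ case) can be scripted against `klist -k` output. This is an added example for the reader, not code from the thread or from sssd; the klist output below is constructed to match the keytab listing above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k` output (not captured from a real host),
# modelled on the keytab listing in the thread. klist prints one line per
# encryption type, so repeated principals are normal.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
"""

def parse_klist(text):
    """Return (kvno, principal) tuples from `klist -k` output, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def check_keytab(text, hostname, realm):
    """Check for the AD computer-account principal SHORTNAME$@REALM and report
    service principals whose service part differs only in case (host/ vs HOST/)."""
    principals = {p for _, p in parse_klist(text)}
    short = hostname.split(".")[0].upper()
    computer = f"{short}$@{realm.upper()}"
    # Group SPNs by the lowercased service name so case variants land together.
    by_service = defaultdict(set)
    for p in principals:
        if "/" in p:
            service = p.split("/", 1)[0]
            by_service[service.lower()].add(service)
    mixed = {k: sorted(v) for k, v in by_service.items() if len(v) > 1}
    return {
        "computer_principal": computer,
        "has_computer_principal": computer in principals,
        "service_principals": sorted(p for p in principals if "/" in p),
        "mixed_case_services": mixed,
    }

if __name__ == "__main__":
    report = check_keytab(SAMPLE_KLIST, "servername.sub1.example.com", "sub1.example.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real system, pipe `klist -k` into `parse_klist` instead of using the constructed sample; a missing computer principal or a non-empty mixed_case_services entry is what to compare between the working and non-working servers.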