Although perhaps I spoke too soon. sssd starts up but throws log entries:
May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Preauthentication failed
John
On 7 May 2015 at 14:34, John Beranek john@redux.org.uk wrote:
Sumit, many thanks - you hit the nail on the head! My smb.conf was missing the line:
kerberos method = secrets and keytab
so had not created the keytab. Added the line, rejoined and sssd starts as expected.
Cheers,
John
On 7 May 2015 at 11:45, Sumit Bose sbose@redhat.com wrote:
On Thu, May 07, 2015 at 11:35:21AM +0100, John Beranek wrote:
Hi all,
I've just built a RHEL 6.7 Beta VM to test the new SSSD release, and have come across a strange issue.
I can successfully kinit and join our AD domain with "net ads join -k" but sssd won't start. The logs contain:
you have to make sure that net ads join really creates a keytab. Please check 'kerberos method' in the smb.conf man page. By default the keys are written only to samba's internal secrets.tdb.
As an alternative you might want to consider using the realm command to join the AD domain.
HTH
bye, Sumit
[ad_set_ad_id_options] (0x0100): Option krb5_realm set to EXAMPLE.COM
[sdap_set_sasl_options] (0x0100): Will look for rhel67.example.com@EXAMPLE.COM in default keytab
[select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
[find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
[select_principal_from_keytab] (0x0080): No suitable principal found in keytab
[select_principal_from_keytab] (0x0010): Failed to read keytab [default]: No such file or directory
[ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
[load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
[be_process_init] (0x0010): fatal error initializing data providers
Had a little feedback from Lukas, who suggested I ran "klist -kt". This gives:
# klist -kt
Keytab name: FILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan
Any ideas?
John
-- John Beranek To generalise is to be an idiot. http://redux.org.uk/ -- William Blake
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
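The missing-keytab diagnosis from this thread can be turned into a pre-flight check to run before starting sssd; the following is an added example, not part of the original messages or of SSSD or Samba. The function names `kerberos_method` and `keytab_join_check` are hypothetical, and the smb.conf content is a constructed sample.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# Print the "kerberos method" set in [global] of the smb.conf given as $1,
# lower-cased with whitespace normalised; prints "unset" if it is absent.
kerberos_method() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            if (name != "kerberosmethod") next
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val); gsub(/[ \t]+/, " ", val)
            method = val                             # last setting wins
        }
        END { print (method == "" ? "unset" : method) }
    ' "$1"
}

# $1 = smb.conf path, $2 = keytab path. Returns 0 when a keytab is configured
# and present, 1 when keys stay in secrets.tdb only, 2 when the keytab is missing.
keytab_join_check() {
    method=$(kerberos_method "$1")
    case "$method" in
        unset|"secrets only")
            echo "secrets-only: kerberos method is '$method', join writes no keytab"
            return 1 ;;
    esac
    if [ ! -s "$2" ]; then
        echo "keytab-missing: kerberos method is '$method' but $2 is absent or empty"
        return 2
    fi
    echo "ok: kerberos method is '$method' and $2 is present"
}

# Constructed sample mirroring the thread: a join config without the option.
demo=$(mktemp -d)
printf '[global]\n  security = ads\n  realm = EXAMPLE.COM\n' > "$demo/smb.conf"
keytab_join_check "$demo/smb.conf" "$demo/krb5.keytab" || true
rm -rf "$demo"
```

On a real host the arguments would be /etc/samba/smb.conf (an assumed path) and /etc/krb5.keytab. An "ok" result only covers the missing-keytab case; it says nothing about the later "Preauthentication failed" messages.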