We created the keytab file and imported that into the existing krb5.keytab file using ktutil. I can see that now, klist -k shows a "host" principal entry for this computer which was missing earlier.
Also initialized the new keytab file using "kinit -k -t /etc/krb5.keytab host/hostname.X.Y.local". I can see the service principal update after this step in klist.
But authentication using my AD account still fails with the following in logs:
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1666a60
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=firstname.lastname]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_req_set_domain] (0x0400): Changing request domain from [X.Y.local] to [X.Y.local]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=X,dc=Y,dc=local]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_print_server] (0x2000): Searching xxx.xxx.xxx.xxx
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_add] (0x2000): New operation 17 timeout 6
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_destructor] (0x2000): Operation 17 finished
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
*(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.*
*(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users*
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1692df0
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1692120
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running timer event 0x1692df0 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying timer event 0x1692120 "ltdb_timeout"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending timer event 0x1692df0 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=firstname.lastname))
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1691210
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x167da00
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running timer event 0x1691210 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying timer event 0x167da00 "ltdb_timeout"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending timer event 0x1691210 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups] (0x2000): No such entry
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[(nil)], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
How can I check further where it is failing?
Thanks,
~ Abhi
On Tue, Feb 14, 2017 at 12:42 PM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Feb 14, 2017 at 11:36:32AM -0500, Abhijit Tikekar wrote:
Hi,
Has anyone had any success while setting up SSSD with an RODC AD server? We are setting this up on CentOS 6.8 machines but it doesn't seem to work.
Computer object is created and replicated to RODC. Verified that all configuration file parameters are identical to the ones mentioned in the link below. https://access.redhat.com/discussions/2838371
I assume we still have to join the server to the RODC? Is the joining process still the same as we do for a writable DC?
No, you need to create the computer object first and then copy the keytab.
When using "net ads join" I get the following error:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
In the logs, we also get the following (debug level set to 7):
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for testdmzlin@X.Y.LOCAL in default keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching testdmzlin@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching TESTDMZLIN$@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/testdmzlin@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching *$@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@(null) found in keytab.
But if I try to query this RODC using "ldapsearch" it works.
ldapsearch -H ldap://RODC_ServerName.x.y.local/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=firstname.lastname))"
What principal did you authenticate as?
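As an added example, not part of the thread: a POSIX sh script that replays the principal lookup order find_principal_in_keytab logged above against a "klist -k" listing, so a missing or mis-cased keytab entry is visible before sssd is restarted. The two keytab listings and all function names are constructed for illustration.

```sh
# Added example, not from the thread: check a klist -k listing the way SSSD does.
# Candidates in the order the log shows SSSD trying them.
# $1 = hostname as SSSD sees it (the short name, as in the log), $2 = REALM.
sssd_candidates() {
    _u=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1@$2" "${_u}\$@$2" "host/$1@$2" "*\$@$2" "host/*@$2"
}
# Principal column of "klist -k" / "klist -kt" output on stdin: data rows
# start with a numeric KVNO, header rows do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }'
}
# $1 = candidate (SSSD's "*" wildcard is matched as a shell pattern),
# $2 = newline-separated keytab principals. Prints the first match, else fails.
principal_matches() {
    while IFS= read -r p; do
        case $p in
            $1) printf '%s\n' "$p"; return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}
# $1 = hostname, $2 = REALM, stdin = klist output. Prints the entry SSSD would
# pick, or NONE with exit 1 where SSSD logs "No principal matching ...".
check_keytab() {
    _list=$(keytab_principals)
    _cands=$(sssd_candidates "$1" "$2")
    while IFS= read -r c; do
        if _m=$(principal_matches "$c" "$_list"); then
            printf '%s\n' "$_m"; return 0
        fi
    done <<EOF
$_cands
EOF
    printf 'NONE\n'; return 1
}

# Constructed listings (not the poster's). Realm names are case-sensitive, so
# the lower-case realm in BEFORE matches nothing; the host entry added in AFTER
# (an FQDN, while SSSD searched the short name) is found only by host/*@REALM.
BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 TESTDMZLIN$@x.y.local'
AFTER="$BEFORE
   3 host/testdmzlin.x.y.local@X.Y.LOCAL"
printf '%s\n' "$BEFORE" | check_keytab testdmzlin X.Y.LOCAL || echo "sssd would fail"
printf '%s\n' "$AFTER"  | check_keytab testdmzlin X.Y.LOCAL
```

On a real host, feed it with `klist -k /etc/krb5.keytab | check_keytab "$(hostname)" YOUR.REALM`; the hostname argument should be whatever `hostname` returns there, since that is what SSSD used in the log.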