Hi List,
I am currently fighting to get Kerberized NFS working against clustered Netapp. Their support says that they support all enc types but arcfour-hmac. When I specify default_enctypes in krb5.conf and omit arcfour-hmac enc type, sssd stops working (goes offline, cannot connect). Funny thing is that kinit -k $HOSTNAME$ works just fine.
Is SSSD picky about Kerberos encryption types or not?
Thanks, Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
Ok the error I am getting is:
(Tue Apr 5 16:23:47 2016) [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)]
Ldapsearch is working fine....
Ondrej
From: Ondrej Valousek [mailto:Ondrej.Valousek@s3group.com] Sent: Tuesday, April 05, 2016 4:49 PM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Allowed Kerberos encryption types for SSSD
On Tue, Apr 05, 2016 at 02:48:51PM +0000, Ondrej Valousek wrote:
Hi List,
I am currently fighting to get Kerberized NFS working against clustered Netapp. Their support says that they support all enc types but arcfour-hmac. When I specify default_enctypes in krb5.conf and omit arcfour-hmac enc type, sssd stops working (goes offline, can not connect). Funny thing is, that kinit -k $HOSTNAME$ works just fine.
Is SSSD picky about Kerberos encryption types or not?
If you use AD on the server side, arcfour might be needed. Does
kvno LDAP/some.ad.dc@AD.DOMAIN
or
ldapsearch -H ldap://some.ad.dc -b '' -s base -Y GSSAPI
work after kinit?
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Both commands work just fine - I am getting AES256 keys then (if I forbid arcfour).
Seems to me that SSSD for some reason relies on arcfour - is this by design? Thanks, Ondrej
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: Tuesday, April 05, 2016 5:27 PM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: Allowed Kerberos encryption types for SSSD
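Sumit's checks (kvno and ldapsearch after kinit) and Ondrej's observation that AES256 keys come back both answer the same question: which enctype was each service ticket actually issued with? `klist -e` shows that per ticket. The script below is an added example, not code from the thread or from the SSSD project; it parses a constructed `klist -e` listing (hostnames, realms and the cache path are made up) and reports the enctype of every service ticket, flagging the ones issued with arcfour-hmac, which is what a service that refuses RC4 (the NetApp in the thread) will reject.

```shell
#!/bin/sh
# Added example, not code from the thread or the SSSD project.
# Lists the enctype negotiated for every service ticket in `klist -e` output,
# so a "KDC has no support for encryption type" failure can be traced to the
# principal whose key does not match the enctypes the client allows.

# Constructed sample of `klist -e` output; hostnames, realms and the cache
# path are made up. The third ticket was issued with RC4 (arcfour-hmac).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: host/client.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
04/05/2016 16:20:11  04/06/2016 02:20:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/05/2016 16:20:15  04/06/2016 02:20:11  ldap/dc1.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/05/2016 16:20:20  04/06/2016 02:20:11  ldap/rootdc.corp.example@CORP.EXAMPLE
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# ticket_etypes: read `klist -e` output on stdin, print one line per ticket:
#   <service principal> TAB <session key enctype> TAB <ticket enctype>
ticket_etypes() {
    awk '
        # A ticket line is two timestamps (four fields) followed by the principal.
        NF >= 5 && $5 ~ /@/ { princ = $5; next }
        # The Etype line belongs to the ticket line just seen.
        /Etype \(skey, tkt\):/ {
            sub(/^.*\):[ \t]*/, "")
            split($0, e, ",[ \t]*")
            printf "%s\t%s\t%s\n", princ, e[1], e[2]
        }'
}

# rc4_tickets: print the service principals whose ticket was issued with
# RC4 (arcfour-hmac), i.e. the ones a service that refuses arcfour will reject.
rc4_tickets() {
    ticket_etypes | awk -F'\t' 'tolower($3) ~ /arcfour|rc4/ { print $1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | ticket_etypes
echo "Tickets issued with RC4:"
printf '%s\n' "$SAMPLE_KLIST" | rc4_tickets
```

Against a real cache, source the script and run `klist -e | ticket_etypes`; SSSD's own cache from the thread can be read the same way with `klist -e -c /var/lib/sss/db/ccache_<DOMAIN>` (the file name suffix is whatever your domain's cache is called). A principal that shows up under rc4_tickets while the rest are AES points at the KDC that issued it, which is what turned out to be the forest root DCs here.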
On Wed, Apr 06, 2016 at 07:09:16AM +0000, Ondrej Valousek wrote:
Both commands works just fine - I am getting AES256 keys then (if I forbid arcfour).
Seems to me that SSSD for some reason rely on arcfour - is this by design?
No, there is no dependency on arcfour; SSSD just uses common library calls to libkrb5 and libldap, like the two commands below.
Can you try to remove the credential cache used by SSSD with
rm /var/lib/sss/db/ccache_*
and restart SSSD? Maybe there are still old but valid tickets in the ccache?
HTH
bye, Sumit
Ok got it. SSSD is contacting the root forest controllers first to obtain information about the AD forest. Unfortunately our root DCs seem to be running some older version of Windows Server which is not quite happy with AES keys.
The workaround is to disable the subdomains provider and specify the AD servers manually. Sorry for the noise.
Ondrej
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: Wednesday, April 06, 2016 9:39 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: Allowed Kerberos encryption types for SSSD
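Ondrej's workaround (disable the subdomains provider and name the AD servers by hand) maps onto two sssd.conf options, subdomains_provider and ad_server from sssd.conf(5) and sssd-ad(5). The script below is an added example, not from the thread or the SSSD project: it embeds a constructed sssd.conf with the workaround applied beside one left at the defaults (domain and host names are made up) and checks which of the two shapes a given domain section has, so the setting can be verified on a host before SSSD is restarted. Pinning the child DCs only keeps SSSD away from the root DCs; it does nothing about those DCs lacking AES support.

```shell
#!/bin/sh
# Added example, not code from the thread or the SSSD project.
# Shows the sssd.conf form of the workaround from the thread (skip forest-root
# discovery by disabling the subdomains provider and pinning the AD servers)
# and checks an sssd.conf for it.

# Constructed sssd.conf with the workaround applied; names are made up.
PINNED_CONF='[sssd]
domains = child.example.com
services = nss, pam

[domain/child.example.com]
id_provider = ad
ad_domain = child.example.com
ad_server = dc1.child.example.com, dc2.child.example.com
subdomains_provider = none'

# The same domain at the defaults: SSSD would discover DCs itself and still
# contact the forest root for subdomain information.
DEFAULT_CONF='[sssd]
domains = child.example.com
services = nss, pam

[domain/child.example.com]
id_provider = ad
ad_domain = child.example.com'

# check_pinned DOMAIN: read an sssd.conf on stdin and report whether the
# [domain/DOMAIN] section both pins ad_server and sets subdomains_provider = none.
check_pinned() {
    awk -v target="domain/$1" '
        # Track the current INI section, e.g. "domain/child.example.com".
        /^[ \t]*\[/ { sec = substr($0, index($0, "[") + 1); sub(/].*$/, "", sec); next }
        sec == target && /^[ \t]*ad_server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); servers = $0
        }
        sec == target && /^[ \t]*subdomains_provider[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); subprov = $0
        }
        END {
            bad = 0
            if (servers == "") { print "WARN: ad_server not pinned"; bad = 1 }
            if (subprov != "none") { print "WARN: subdomains_provider is not none"; bad = 1 }
            if (!bad) print "OK: ad_server = " servers
        }'
}

# Stand-alone demo on both constructed configs.
printf '%s\n' "$PINNED_CONF"  | check_pinned child.example.com
printf '%s\n' "$DEFAULT_CONF" | check_pinned child.example.com
```

On a real host, `check_pinned child.example.com < /etc/sssd/sssd.conf` after sourcing the script reports the same OK or WARN lines for that domain section.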