Hello,
I'm trying to login on a machine from domain2 (machine is joined in domain2) using a user from domain1, but it keeps failing. Also, using pbis I can login without problems.
Users from domain2 can login successfully. Also, I can login on machines registered in domain1 using the same user.
Most probably it fails because of this error:
Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
Maybe someone can take a look at the attached logs and give me a hint on what is wrong?
sssd says domain1 is a subdomain for domain2:
(Wed Oct 15 08:42:35 2014) [sssd[pam]] [new_subdomain] (0x0400): Creating [ domain1.net] as subdomain of [domain2.net]!
(Wed Oct 15 08:42:35 2014) [sssd[pam]] [new_subdomain] (0x0400): Creating [ ie-aws.domain2.net] as subdomain of [domain2.net]!
Configuration:
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update --disableldaptls --enableldap --enablelocauthorize --update
sssd version: 1.12.1-2.el7.centos
sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = optymyze.net
override_space = ^

[domain/optymyze.net]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
dyndns_update = false
create_homedir = true
override_homedir = /home/%d/%u
override_shell = /bin/bash
timeout = 3600

[pam]
timeout = 3600

[nss]
timeout = 3600
On Wed, Oct 15, 2014 at 04:46:44PM +0300, Cristian Falcas wrote:
> Hello,
> I'm trying to login on a machine from domain2 (machine is joined in domain2) using a user from domain1, but it keeps failing. Also, using pbis I can login without problems.
> Users from domain2 can login successfully. Also, I can login on machines registered in domain1 using the same user.
> Most probably it fails because of this error:
> Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
> Maybe someone can take a look at the attached logs and give me a hint on what is wrong?
I'm sorry about the delayed response,
Can you try searching the domain2 AD DC with ldapsearch together with the -Y GSSAPI option?
kinit -k 'V-REPO-OP-02$'
ldapsearch -Y GSSAPI -h AD_DC
Does ldapsearch work against either of your DCs?
How did you obtain the keytab, did you use realmd?
sssd-users@lists.fedorahosted.org
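
The log lines quoted in this thread can be triaged mechanically. The following is an added example, not part of the original messages or of sssd: it parses sssd debug-log lines in the format shown above, lists which domains sssd registered as subdomains, and extracts the Kerberos minor status from GSSAPI failures. The function names, and the timestamp, process tag and function tag on the sample failure line, are assumptions.

```python
import re

# Constructed sample. The two new_subdomain lines and the SASL error text are
# copied from the thread; the timestamp, process tag and function tag on the
# failure line are assumptions made for this example.
SAMPLE_LOG = """\
(Wed Oct 15 08:42:35 2014) [sssd[pam]] [new_subdomain] (0x0400): Creating [ domain1.net] as subdomain of [domain2.net]!
(Wed Oct 15 08:42:35 2014) [sssd[pam]] [new_subdomain] (0x0400): Creating [ ie-aws.domain2.net] as subdomain of [domain2.net]!
(Wed Oct 15 08:42:40 2014) [sssd[be[domain2.net]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
"""

# (timestamp) [process] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\S*)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
SUBDOM_RE = re.compile(
    r"Creating \[\s*(?P<sub>[^\]\s]+)\s*\] as subdomain of \[\s*(?P<parent>[^\]\s]+)\s*\]")
GSS_RE = re.compile(r"GSSAPI Error: .*?\((?P<minor>[^()]+)\)")

# Kerberos text for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC that was asked has
# no entry for the requested service principal.
S_PRINCIPAL_UNKNOWN = "Server not found in Kerberos database"


def triage(log_text):
    """Return discovered subdomains and GSSAPI failures found in sssd debug logs."""
    subdomains, gss_failures = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not follow the sssd debug format are skipped
        sub = SUBDOM_RE.search(m["msg"])
        if sub and m["func"] == "new_subdomain":
            subdomains[sub["sub"]] = sub["parent"]
        gss = GSS_RE.search(m["msg"])
        if gss:
            gss_failures.append((m["ts"], m["proc"], gss["minor"]))
    return {"subdomains": subdomains, "gss_failures": gss_failures}


def service_principal_unknown(findings):
    """True if any GSSAPI failure was 'Server not found in Kerberos database'."""
    return any(minor == S_PRINCIPAL_UNKNOWN for _, _, minor in findings["gss_failures"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sub, parent in result["subdomains"].items():
        print(f"{sub} is handled as a subdomain of {parent}")
    for ts, proc, minor in result["gss_failures"]:
        print(f"{ts} {proc}: GSSAPI minor status: {minor}")
```
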