I have had my head inside the ldap_child.c source code all morning. I am getting these errors logged:
[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/IBIS@NZWW.NZCORP.NET' not found in Kerberos database
However the daily msktutil cron job I have running completes OK, and msktutil --auto-update tells me the machine password was renewed two days ago.
Here is what happens when I run kinit from the command line. My workstation is called ibis. Please someone hit me with a clue stick.
# kinit -k
kinit: Client 'host/ibis@NZWW.NZCORP.NET' not found in Kerberos database while getting initial credentials

# kinit -V -k ibis$
Using default cache: /tmp/krb5cc_0
Using principal: ibis$@NZWW.NZCORP.NET
Authenticated to Kerberos v5

# kinit -V -k IBIS$@NZWW.NZCORP.NET
Using default cache: /tmp/krb5cc_0
Using principal: IBIS$@NZWW.NZCORP.NET
Authenticated to Kerberos v5
On 16 Jul 2018, at 11:48, John Hearns hearnsj@googlemail.com wrote:
I have had my head inside the ldap_child.c source code all morning. I am getting these errors logged:
[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/IBIS@NZWW.NZCORP.NET' not found in Kerberos database
This is expected, in AD the host/fqdn principal cannot be used to get a TGT. As you can see below, you are using the netbiosname$@realm principal to kinit which works fine.
If your configuration is using id_provider=ad I would have expected sssd to prefer the netbiosname$ principal, but if the selection fails or you are using the ldap provider, you can help sssd with the ldap_sasl_authid parameter.
However the daily msktutil cron job I have running completes OK, and msktutil --auto-update tells me the machine password was renewed two days ago.
Here is what happens when I run kinit from the command line. My workstation is called ibis. Please someone hit me with a clue stick.
# kinit -k
kinit: Client 'host/ibis@NZWW.NZCORP.NET' not found in Kerberos database while getting initial credentials

# kinit -V -k ibis$
Using default cache: /tmp/krb5cc_0
Using principal: ibis$@NZWW.NZCORP.NET
Authenticated to Kerberos v5

# kinit -V -k IBIS$@NZWW.NZCORP.NET
Using default cache: /tmp/krb5cc_0
Using principal: IBIS$@NZWW.NZCORP.NET
Authenticated to Kerberos v5
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted....
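To make the selection rule in the reply above concrete, here is an added example (my own script, not code from the thread and not sssd's own selection routine): it reads a `klist -k` listing, skips every host/... entry because AD will not issue a TGT for those, and picks the NETBIOS$@REALM machine-account entry instead, then prints the matching ldap_sasl_authid line for sssd.conf. Two things are assumptions rather than facts from the thread: the preference for the uppercase NETBIOS$ spelling (AD's sAMAccountName form) over a lowercase duplicate, and the keytab listing itself, which is constructed to mirror the one posted rather than captured from a live host.

```sh
#!/bin/sh
# Added example, not part of the thread or of sssd itself: pick the keytab
# entry a host should use for "kinit -k" against an AD KDC, following the
# rule from the reply above (NETBIOS$@REALM works, host/fqdn does not).
# Assumptions beyond the thread: the uppercase NETBIOS$ spelling is preferred
# as AD's canonical sAMAccountName form; the klist listing below is
# constructed to mirror the posted one, not captured from a live keytab.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 ibis$@NZWW.NZCORP.NET
  11 IBIS$@NZWW.NZCORP.NET
  11 host/ibis@NZWW.NZCORP.NET
  11 host/ibis.nzww.nzcorp.net@NZWW.NZCORP.NET'

# list_principals: read "klist -k" output on stdin, print distinct principal
# names in keytab order (header lines and the KVNO column are dropped).
list_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF == 2 { if (!seen[$2]++) print $2 }'
}

# select_tgt_principal REALM: read principal names on stdin and print the one
# to hand to kinit -k. Order of preference:
#   1. NETBIOS$@REALM spelled in uppercase
#   2. any other name$@REALM
# host/... entries are never chosen: AD will not issue a TGT for them.
# Exits 1 when the keytab holds no machine-account entry for REALM.
select_tgt_principal() {
    awk -v realm="$1" '
        index($0, "host/") == 1 { next }
        $0 ~ ("[$]@" realm "$") {
            if ($0 == toupper($0) && best == "") best = $0
            if (alt == "") alt = $0
        }
        END {
            if (best != "") print best
            else if (alt != "") print alt
            else exit 1
        }'
}

# sssd_authid_line REALM: emit the sssd.conf line that pins the principal
# explicitly via ldap_sasl_authid, for the case where sssd's own selection
# lands on host/... (the situation in the first message).
sssd_authid_line() {
    p=$(printf '%s\n' "$SAMPLE_KLIST" | list_principals | select_tgt_principal "$1") || return 1
    printf 'ldap_sasl_authid = %s\n' "$p"
}

# try_kinit PRINCIPAL: confirm the KDC really issues a TGT for the chosen
# entry. Needs a live keytab and KDC, so it is not run in this example.
try_kinit() {
    kinit -k -t /etc/krb5.keytab "$1"
}

# Demonstration on the constructed listing; on a real host replace the
# sample with:  klist -k | list_principals | select_tgt_principal REALM
printf '%s\n' "$SAMPLE_KLIST" | list_principals | select_tgt_principal NZWW.NZCORP.NET
sssd_authid_line NZWW.NZCORP.NET
```

On a real host, run the chosen principal through try_kinit before touching sssd.conf, and restart sssd after adding the ldap_sasl_authid line under the domain section; sssd-ldap(5) documents that the parameter accepts either the full principal (as printed here) or just the principal name.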
Jakub, thank you for your reply.
If your configuration is using id_provider=ad I would have expected sssd
to prefer the netbiosname$ principal,
Indeed. My reading of kinit is that it should take the first principal in the list returned by klist. In my case this should be ibis$
# klist -k
11 ibis$@NZWW.NZCORP.NET
11 ibis$@NZWW.NZCORP.NET
11 IBIS$@NZWW.NZCORP.NET
11 IBIS$@NZWW.NZCORP.NET
11 ibis$@NZWW.NZCORP.NET
11 host/ibis@NZWW.NZCORP.NET
11 host/ibis@NZWW.NZCORP.NET
11 IBIS$@NZWW.NZCORP.NET
11 host/ibis@NZWW.NZCORP.NET
On 19 July 2018 at 11:09, Jakub Hrozek jhrozek@redhat.com wrote:
This is expected, in AD the host/fqdn principal cannot be used to get a TGT. As you can see below, you are using the netbiosname$@realm principal to kinit which works fine.
If your configuration is using id_provider=ad I would have expected sssd to prefer the netbiosname$ principal, but if the selection fails or you are using the ldap provider, you can help sssd with the ldap_sasl_authid parameter.