Hi all,
I am trying to use the AD provider in order to connect a client to our Active Directory. I have to mention that our DNS setup is somewhat broken, so reverse lookups do not work by default.
When I now try to connect, with reverse lookups not working, I get an error:
...
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [get_server_status] (0x1000): Status of server 'novo.d.ethz.ch' is 'name resolved'
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [be_resolve_server_process] (0x0200): Found address for server novo.d.ethz.ch: [172.31.65.60] TTL 938
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 43
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400): ldap_child started.
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): total buffer size: 43
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): realm_str size: 9
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): got realm_str: D.ETHZ.CH
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): princ_str size: 18
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): got princ_str: ldapmap1/d.ethz.ch
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [ldapmap1/d.ethz.ch@D.ETHZ.CH]
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [prepare_response] (0x0400): Building response for result [0]
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [37] msg [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH]
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400): ldap_child completed successfully
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH], expired on [1376347208]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1376312108
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
...
Any idea why this might happen?
Greets Marcus
On 08/12/2013 03:00 PM, Marcus Moeller wrote:
Hi Marcus,
Could you post your sssd.conf and krb5.conf settings?
Ondra
On 12.08.2013 15:26, Ondrej Kos wrote:
Hi Marcus,
Could you post your sssd.conf and krb5.conf setting?
krb5.conf
...
[libdefaults]
dns_lookup_realm = true
forwardable = true
default_realm = D.ETHZ.CH

sssd.conf
...
[sssd]
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LOCAL,LDAP
domains = D.ETHZ.CH

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3

# The entry_cache_timeout indicates the number of seconds to retain an
# entry in cache before it is considered stale and must block to refresh.
# The entry_cache_nowait_timeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full entry_cache_timeout). Setting this
# value to 0 turns this feature off (default).
# entry_cache_timeout = 600
# entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

[domain/D.ETHZ.CH]
#debug_level=5
id_provider = ad
ad_domain = d.ethz.ch
dns_discovery_domain = d.ethz.ch
krb5_realm = D.ETHZ.CH
ldap_user_principal = xyz.example
ldap_id_mapping = false
Greets Marcus
On Mon, Aug 12, 2013 at 03:27:56PM +0200, Marcus Moeller wrote:
SSSD tries to get a TGT for ldapmap1/d.ethz.ch@D.ETHZ.CH which looks a bit odd and the AD KDC returns (Server not found in Kerberos database) for this principal. Please try to add the hostname of the client in the ad_hostname option.
HTH
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
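Added example, not SSSD's code and not posted by anyone in the thread: a small Python triage script for SSSD domain-log excerpts like the one in Marcus's first message. It splits the flow into the two steps Sumit's reading touches on, the TGT request by ldap_child (which in the excerpt returns result 0, so the KDC accepted the keytab principal) and the GSSAPI SASL bind that follows (which is where "Server not found in Kerberos database" appears). The sample entries are constructed from the excerpt above, one entry per line; parse_log, summarize, diagnose and explain are names chosen for this example.

```python
"""Triage helper for SSSD AD-provider debug logs (added example, not SSSD code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the auth-flow entries from the thread's excerpt, one per line.
SAMPLE_LOG = """\
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [be_resolve_server_process] (0x0200): Found address for server novo.d.ethz.ch: [172.31.65.60] TTL 938
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [ldapmap1/d.ethz.ch@D.ETHZ.CH]
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH], expired on [1376347208]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
"""

# One SSSD debug entry: "(timestamp) [process] [function] (0xlevel): message".
# The process field may carry nested brackets, e.g. [[sssd[ldap_child[1917]]]].
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) (?P<proc>\[.*?\]) \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    proc: str
    func: str
    level: int
    msg: str


@dataclass
class AuthReport:
    """What the backend did on the way to the LDAP bind."""
    server: Optional[str] = None         # DC name SSSD resolved
    server_ip: Optional[str] = None
    tgt_principal: Optional[str] = None  # client principal used for the TGT
    keytab: Optional[str] = None
    tgt_result: Optional[int] = None     # 0 means ldap_child obtained a TGT
    ccache: Optional[str] = None
    bind_mech: Optional[str] = None
    bind_user: Optional[str] = None
    bind_failed: bool = False
    gss_minor: Optional[str] = None      # text of the GSSAPI minor status


def parse_log(text: str) -> List[Entry]:
    """Parse debug entries; lines that are not entries (e.g. '...') are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], m["proc"], m["func"],
                                 int(m["level"], 16), m["msg"]))
    return entries


def summarize(entries: List[Entry]) -> AuthReport:
    """Pull the auth-flow facts out of the entries, in log order."""
    r = AuthReport()
    for e in entries:
        if m := re.search(r"Found address for server (\S+): \[([^\]]+)\]", e.msg):
            r.server, r.server_ip = m.group(1), m.group(2)
        elif m := re.search(r"Principal name is: \[([^\]]+)\]", e.msg):
            r.tgt_principal = m.group(1)
        elif m := re.search(r"Using keytab \[([^\]]+)\]", e.msg):
            r.keytab = m.group(1)
        elif m := re.search(r"Child responded: (\d+) \[([^\]]+)\]", e.msg):
            r.tgt_result, r.ccache = int(m.group(1)), m.group(2)
        elif m := re.search(r"Executing sasl bind mech: (\S+), user: (\S+)", e.msg):
            r.bind_mech, r.bind_user = m.group(1), m.group(2)
        elif e.func == "sasl_bind_send" and "ldap_sasl_bind failed" in e.msg:
            r.bind_failed = True
        elif e.msg.startswith("Extended failure message"):
            # The minor-status text is the last parenthesised group of the message.
            m = re.search(r"\(([^()]+)\)\]\s*$", e.msg)
            if m:
                r.gss_minor = m.group(1)
    return r


def diagnose(r: AuthReport) -> str:
    """Classify which step failed; the two steps have different causes."""
    if r.tgt_result is None:
        return "no-tgt-attempt"            # ldap_child never reported back
    if r.tgt_result != 0:
        return "tgt-failed"                # keytab or client-principal problem
    if r.bind_failed:
        if r.gss_minor and "Server not found" in r.gss_minor:
            # TGT issued, so the KDC accepted the keytab principal; the bind's
            # service-ticket request for the DC's LDAP service then named a
            # principal the KDC does not know. Check the ldap/<fqdn> SPN of the
            # resolved server and how the client canonicalises that hostname.
            return "bind-failed-service-principal-unknown"
        return "bind-failed"
    return "ok"


def explain(r: AuthReport) -> str:
    """One-line human-readable summary of the report."""
    return (f"{diagnose(r)}: DC={r.server} ({r.server_ip}); "
            f"TGT for {r.tgt_principal} via keytab [{r.keytab}] rc={r.tgt_result}; "
            f"bind {r.bind_mech}/{r.bind_user} failed={r.bind_failed}; "
            f"gss minor={r.gss_minor!r}")


if __name__ == "__main__":
    print(explain(summarize(parse_log(SAMPLE_LOG))))
```

Run it against a real domain log (the entries may be split across lines by a mail client, as they were here, so rejoin them first). The useful distinction is the return code of the TGT step: a non-zero code points at the keytab or client principal, whereas a zero code followed by "Server not found in Kerberos database" on the bind points at the service principal the client asked for. With reverse DNS broken, as in this thread, one thing worth checking is the hostname canonicalisation the Kerberos library performs before building that service name (the rdns setting in the [libdefaults] section of krb5.conf controls whether MIT Kerberos uses a reverse lookup for it).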
On 12.08.2013 15:58, Sumit Bose wrote:
SSSD tries to get a TGT for ldapmap1/d.ethz.ch@D.ETHZ.CH which looks a bit odd and the AD KDC returns (Server not found in Kerberos database) for this principal. Please try to add the hostname of the client in the ad_hostname option.
I am using a keytab and have not joined the machine. ldapmap1 is correct.
Greets Marcus
On Mon, Aug 12, 2013 at 04:01:46PM +0200, Marcus Moeller wrote:
I am using a keytab and have not joined the machine. ldapmap1 is correct.
Does
kinit -k 'ldapmap1/d.ethz.ch@D.ETHZ.CH'
work on the command line?
How did you create the keytab? If ldapmap1 is just an SPN it might not be possible to get a TGT for this principal.
bye, Sumit
On 12.08.2013 16:08, Sumit Bose wrote:
Yes, it all works and it also works when reverse lookup is set up correctly, so it must be somewhat related to that.
Greets
Marcus
On Mon, Aug 12, 2013 at 05:43:05PM +0200, Marcus Moeller wrote:
By "when reverse lookup is set up correctly" you mean correctly set up on the DNS server?
Have you set the rdns option in your krb5.conf? Setting it to false should skip all attempts to do reverse lookups in libkrb5.
bye, Sumit
Dear Sumit,
That was the option that was missing. Thanks for pointing it out.
Greets
Marcus
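To make concrete why a broken reverse zone ends in "Server not found in Kerberos database" and why the rdns setting Sumit suggested avoids it, here is an added Python model (not code from the thread, from SSSD or from MIT krb5) that parses the posted [libdefaults] section and derives the LDAP service principal the client would ask the KDC for. The DNS tables, the stale PTR name and the KDC principal list are constructed for the example, and the canonicalisation rule is a simplified model of libkrb5 behaviour, with the realm fixed rather than mapped through [domain_realm].

```python
import re
REALM = "D.ETHZ.CH"

# krb5.conf [libdefaults] as posted in the thread, and the same section with
# the rdns line that resolved the problem.
KRB5_CONF_ORIGINAL = """
[libdefaults]
dns_lookup_realm = true
forwardable = true
default_realm = D.ETHZ.CH
"""
KRB5_CONF_FIXED = KRB5_CONF_ORIGINAL + "rdns = false\n"

# Constructed DNS tables standing in for the site's resolver: the DC's forward
# record works, but the reverse zone is broken and returns a stale PTR name
# (the stale name is invented for this example).
FORWARD = {"novo.d.ethz.ch": "172.31.65.60"}
REVERSE_BROKEN = {"172.31.65.60": "old-dc.corp.internal"}
# Constructed KDC database: the DC only has an SPN under its real name.
KDC_PRINCIPALS = {"ldap/novo.d.ethz.ch@D.ETHZ.CH"}


def parse_libdefaults(krb5_conf: str) -> dict:
    """Key/value pairs of the [libdefaults] section, comments stripped."""
    section, values = None, {}
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = val
    return values


def rdns_enabled(krb5_conf: str) -> bool:
    """MIT krb5 defaults rdns to true; only an explicit false turns it off."""
    return parse_libdefaults(krb5_conf).get("rdns", "true").lower() != "false"


def canonical_host(host: str, rdns: bool, forward: dict, reverse: dict) -> str:
    """Simplified model of libkrb5 canonicalisation: forward-resolve the name,
    then with rdns on prefer the PTR name, keeping the forward name only when
    the address has no PTR at all."""
    addr = forward.get(host.lower())
    if addr is None:
        raise LookupError(f"no A record for {host}")
    return reverse.get(addr, host).lower() if rdns else host.lower()


def ldap_service_principal(host: str, krb5_conf: str,
                           forward: dict, reverse: dict) -> str:
    """Principal the client asks the KDC for when binding to LDAP on `host`.
    The realm is fixed here; real libkrb5 maps it via [domain_realm] or DNS."""
    canon = canonical_host(host, rdns_enabled(krb5_conf), forward, reverse)
    return f"ldap/{canon}@{REALM}"


def kdc_knows(principal: str) -> bool:
    """True if the constructed KDC holds a key for the requested principal."""
    return principal in KDC_PRINCIPALS
```

With the posted krb5.conf the stale PTR turns the request into ldap/old-dc.corp.internal@D.ETHZ.CH, which no KDC holds a key for; with rdns = false the client asks for ldap/novo.d.ethz.ch@D.ETHZ.CH regardless of the reverse zone, and it also stops trusting PTR data the client cannot authenticate, which is why MIT Kerberos documentation recommends that setting.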