Hello,
I am having problems trying to get SSSD to work with RHEL 5 to authenticate against a Microsoft AD 2008. I did a manual compile/install of Kerberos 1.9.4 to use with SSSD 1.8.2, because I understand that Kerberos must be greater than 1.7. A "getent passwd username" is unsuccessful. This is the output in /var/log/sssd/ldap_child.log.
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0400): ldap_child started.
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): total buffer size: 67
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got realm_str: REALM.COM
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): princ_str size: 23
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got princ_str: HOSTNAME$@REALM.COM
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): keytab_name size: 16
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HOSTNAME$@REALM.COM]
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Key table entry not found
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
Haven't been able to figure out what is wrong so far. Can someone help?
John
On 09/07/2012 05:08 PM, John Thomas wrote:
> Hello,
> I am having problems trying to get SSSD to work with RHEL 5 to authenticate against a Microsoft AD 2008. I did a manual compile/install of Kerberos 1.9.4 to use with SSSD 1.8.2, because I understand that Kerberos must be greater than 1.7. A "getent passwd username" is unsuccessful. This is the output in /var/log/sssd/ldap_child.log.
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0400): ldap_child started.
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): total buffer size: 67
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): realm_str size: 12
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got realm_str: REALM.COM
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): princ_str size: 23
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got princ_str: HOSTNAME$@REALM.COM
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): keytab_name size: 16
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): lifetime: 86400
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HOSTNAME$@REALM.COM]
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Key table entry not found
> (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
> Haven't been able to figure out what is wrong so far. Can someone help?
Please provide sssd.conf and krb5.conf files.
Based on the information above, the name of the host principal did not match the name of the principal in the keytab. Did you provision the host keytab from the KDC manually? Please see what host principals you have in the keytab and verify that they match the host name of the system. Also, the host principal is usually "host/<host FQDN>@<REALM IN CAPS>" http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerb...
It seems that the principal that was looked up is different, but the output is sanitized, so it is hard to be sure what the issue is.
John
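To make the check suggested in the reply above concrete, here is an added example (it is not from the thread and not SSSD's own code) that parses the output of `klist -kt /etc/krb5.keytab` and compares the principals actually present in the keytab with the one ldap_child reported in its "Principal name is: [...]" line. The keytab listing, the host name `myhost.realm.com` and the function names are constructed for illustration; the requested principal `HOSTNAME$@REALM.COM` is the sanitized value from the log.

```python
"""Diagnose "Key table entry not found" from SSSD's ldap_child.

Added example, not from the mailing-list thread or from SSSD. It parses the
text printed by `klist -kt <keytab>` (MIT Kerberos), lists the principals the
keytab really holds, and compares them with the principal SSSD tried to use.
The keytab listing and host name below are constructed sample data.
"""
from typing import Dict, List, Set

# Constructed sample: what `klist -kt /etc/krb5.keytab` might print on a host
# whose keytab was provisioned under a different name than the one SSSD uses.
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/07/2012 09:12:41 host/myhost.realm.com@REALM.COM
   3 09/07/2012 09:12:41 host/MYHOST@REALM.COM
   3 09/07/2012 09:12:41 MYHOST$@REALM.COM
"""

# Principal reported by ldap_child.log in the thread (sanitized there).
REQUESTED = "HOSTNAME$@REALM.COM"


def parse_klist_kt(text: str) -> Dict[str, List[int]]:
    """Return {principal: [kvno, ...]} from `klist -kt` output.

    Header lines ("Keytab name:", the column titles, the dashes) are skipped;
    every entry line is "<kvno> <date> <time> <principal>", so the principal
    is the last whitespace-separated field and the kvno the first.
    """
    entries: Dict[str, List[int]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        kvno, principal = int(fields[0]), fields[-1]
        entries.setdefault(principal, []).append(kvno)
    return entries


def expected_principals(fqdn: str, realm: str) -> Set[str]:
    """Names an AD-joined host commonly has for itself (assumption, not SSSD policy).

    The computer account is "SHORTNAME$@REALM"; the service principals are
    "host/fqdn@REALM" and often "host/SHORTNAME@REALM". All are listed so the
    caller can see which form the keytab was actually provisioned with.
    """
    short = fqdn.split(".", 1)[0]
    return {
        f"{short.upper()}$@{realm}",
        f"host/{fqdn.lower()}@{realm}",
        f"host/{short.upper()}@{realm}",
    }


def diagnose(requested: str, klist_text: str, fqdn: str) -> Dict[str, object]:
    """Explain why `kinit -k <requested>` fails with 'Key table entry not found'.

    Kerberos principal comparison is exact and case-sensitive, so "myhost$" and
    "MYHOST$" are different keys; such near-misses are reported separately.
    """
    keytab = parse_klist_kt(klist_text)
    realm = requested.rsplit("@", 1)[1]
    wanted = expected_principals(fqdn, realm)
    near = [p for p in keytab if p.lower() == requested.lower() and p != requested]
    return {
        "found": requested in keytab,
        "in_keytab": sorted(keytab),
        "case_mismatch": near,
        "expected_for_host": sorted(wanted),
        "host_matches": sorted(wanted & set(keytab)),
    }


if __name__ == "__main__":
    report = diagnose(REQUESTED, SAMPLE_KLIST_KT, "myhost.realm.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed `klist -kt /etc/krb5.keytab` output into `diagnose()` and confirm the result with `kinit -k '<principal from the log>'`; if the keytab holds the right key under a different name or spelling, either re-provision the keytab for the name SSSD uses or point SSSD at the existing principal with `ldap_sasl_authid` in sssd.conf.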
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users