Hi list,
I am experiencing a strange issue w/ sssd (F19, AD). SSSD is working fine until I do:
1. net ads leave
2. change machine hostname
3. net ads join
After this, name services are working OK, but I am unable to authenticate myself using pam_sss.so. The workaround is:
1. net ads leave
2. rm /etc/krb5.keytab
3. net ads join
Looks like after the machine rename the old principal is still held in krb5.keytab, making pam_sss worthless.
Is this a known issue? Note that pam_krb5 is working fine. Thanks,
Ondrej
On Wed, Jan 15, 2014 at 04:53:10PM +0000, Ondrej Valousek wrote:
> Hi list,
> I am experiencing a strange issue w/ sssd (F19, AD). SSSD is working fine until I do:
> - net ads leave
> - change machine hostname
> - net ads join
> After this, name services are working OK, but I am unable to authenticate myself using pam_sss.so. The workaround is:
> - net ads leave
> - rm /etc/krb5.keytab
> - net ads join
> Looks like after the machine rename the old principal is still held in krb5.keytab, making pam_sss worthless.
> Is this a known issue? Note that pam_krb5 is working fine. Thanks,
I guess it is kind of known. I think it is related to validation. As can be seen in the sssd-krb5 man page, the first principal in the keytab with a matching realm will be used for validation. In your case, where the new keys are added to the end of the keytab and the old ones are still at the beginning, sssd will pick the old key and validation fails.
The solution is either to remove the keytab as you did before the new join or to delete the old keys with ktutil.
HTH
bye, Sumit
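As an added example (not code from the thread or from sssd), a POSIX shell helper that reads `klist -kt` output, shows which principal sssd would pick for validation (the first one in the realm), and generates the MIT ktutil session that deletes the stale entries Sumit describes. The keytab listing, hostnames and realm below are constructed; it assumes MIT ktutil, whose `delent` renumbers the remaining slots (so deletion goes highest slot first) and whose `wkt` appends to an existing file (so it writes a `.new` keytab to be checked and moved into place).

```shell
#!/bin/sh
# Constructed sample of `klist -kt /etc/krb5.keytab` output after renaming
# oldhost to newhost and re-joining: the stale entries still come first.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2014 10:00:00 OLDHOST$@EXAMPLE.COM
   2 01/10/2014 10:00:00 host/oldhost.example.com@EXAMPLE.COM
   3 01/15/2014 16:00:00 NEWHOST$@EXAMPLE.COM
   3 01/15/2014 16:00:00 host/newhost.example.com@EXAMPLE.COM'

# first_realm_principal REALM: reads klist output on stdin and prints the
# first principal in REALM, i.e. the one sssd's validation would pick.
first_realm_principal() {
    awk -v realm="$1" '
        $1 ~ /^[0-9]+$/ && $NF ~ ("@" realm "$") { print $NF; exit }'
}

# stale_slots HOSTNAME REALM: reads klist output on stdin and prints the
# ktutil slot numbers (1-based, keytab order) of REALM entries that do not
# belong to HOSTNAME, highest slot first, since delent renumbers the rest.
stale_slots() {
    awk -v host="$1" -v realm="$2" '
        $1 ~ /^[0-9]+$/ {
            slot++
            if ($NF !~ ("@" realm "$")) next
            p = tolower($NF)
            i = index(p, "@"); if (i) p = substr(p, 1, i - 1)   # drop realm
            i = index(p, "/"); if (i) p = substr(p, i + 1)      # drop host/
            sub(/\$$/, "", p)                                   # drop account $
            sub(/\..*$/, "", p)                                 # short hostname
            if (p != tolower(host)) print slot
        }' | sort -rn
}

# ktutil_script HOSTNAME REALM KEYTAB: emits an MIT ktutil session that
# removes the stale slots and writes the cleaned keytab to KEYTAB.new
# (wkt appends, so never write back onto the original file directly).
ktutil_script() {
    printf 'rkt %s\n' "$3"
    stale_slots "$1" "$2" | sed 's/^/delent /'
    printf 'wkt %s.new\nquit\n' "$3"
}

# Demo on the constructed sample; pipe real `klist -kt` output to use it.
printf '%s\n' "$SAMPLE_KLIST" | ktutil_script newhost EXAMPLE.COM /etc/krb5.keytab
```

Feed the printed session to `ktutil`, confirm with `klist -kt /etc/krb5.keytab.new` that only the current host's principals remain, then move the new file into place with the original's ownership and mode.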
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users