Hello,
I never fixed issues I had last year https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... but I did made a new test on a brand new ubuntu up to date, and the result is far better, though everything is not working.
As a reminder, I have an AD with a parent and a child domain, let's say example.com and child.example.com. For the new server I set up, I used system provided utilities realm join example.com -U 'user@EXAMPLE.COM' which pretty much generates
root@ubuntu:/var/log/sssd# cat /etc/sssd/sssd.conf [sssd] domains = example.com config_file_version = 2 services = nss, pam [domain/example.com] ad_domain = example.com krb5_realm = EXAMPLE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u@%d debug_level=9 access_provider = ad
Now, everything is OK with the main domain, AFAIK, I can login, sudo based on groups, etc. But for the child domain, most work, I can id a user@child (that resolves the user and the groups associated), I can "su - user@child" from root, BUT I can not login with that user@child. Sanitized logs follow :
sssd_example.com.log (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server '<ad>' is 'working' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad>' is 'working' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server '<ad>' is 'working' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server <ad>: [IP] TTL 3600 (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://<ad>' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://<ad>' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_ivIwhy] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_ivIwhy] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [sss_domain_get_state] (0x1000): Domain child.example.com is Active (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30303] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30303] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
krb5_child.log (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393070: Sending TCP request to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393071: Received answer (317 bytes) from stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393072: Terminating TCP connection to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393073: Response was from master KDC (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393074: Decoding FAST response (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393075: TGS request result: -1765328377/Server not found in Kerberos database (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393076: Requesting tickets for RestrictedKrbHost/ubuntu@EXAMPLE.COM, referrals off (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393077: Generated subkey for TGS request: rc4-hmac/1624 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393078: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393080: Encoding request body and padata into FAST request (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393081: Sending request (1719 bytes) to EXAMPLE.COM (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393082: Initiating TCP connection to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393083: Sending TCP request to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393084: Received answer (317 bytes) from stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393085: Terminating TCP connection to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393086: Response was from master KDC (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393087: Decoding FAST response (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393088: TGS request result: -1765328377/Server not found in Kerberos database (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393089: Destroying ccache MEMORY:xwkvpg9
Do you have any idea why the server is not found in the child domain ? Could that be because the wrong server principal may be used ?
Thanks for your help !
Jeremy
On Thu, Jan 31, 2019 at 04:27:02PM +0100, Jeremy Monnet wrote:
Hello,
I never fixed issues I had last year https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... but I did made a new test on a brand new ubuntu up to date, and the result is far better, though everything is not working.
As a reminder, I have an AD with a parent and a child domain, let's say example.com and child.example.com. For the new server I set up, I used system provided utilities realm join example.com -U 'user@EXAMPLE.COM' which pretty much generates
root@ubuntu:/var/log/sssd# cat /etc/sssd/sssd.conf [sssd] domains = example.com config_file_version = 2 services = nss, pam [domain/example.com] ad_domain = example.com krb5_realm = EXAMPLE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u@%d debug_level=9 access_provider = ad
Now, everything is OK with the main domain, AFAIK, I can login, sudo based on groups, etc. But for the child domain, most work, I can id a user@child (that resolves the user and the groups associated), I can "su - user@child" from root, BUT I can not login with that user@child. Sanitized logs follow :
sssd_example.com.log (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server '<ad>' is 'working' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad>' is 'working' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_server_status] (0x1000): Status of server '<ad>' is 'working' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server <ad>: [IP] TTL 3600 (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://<ad>' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://<ad>' (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_ivIwhy] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_ivIwhy] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [sss_domain_get_state] (0x1000): Domain child.example.com is Active (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [30303] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [30303] (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
krb5_child.log (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393070: Sending TCP request to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393071: Received answer (317 bytes) from stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393072: Terminating TCP connection to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393073: Response was from master KDC (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393074: Decoding FAST response (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393075: TGS request result: -1765328377/Server not found in Kerberos database (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393076: Requesting tickets for RestrictedKrbHost/ubuntu@EXAMPLE.COM, referrals off
It's hard to say from the trimmed log, but I assume this happens during the TGT validation phase? If yes, then you could work around that temporarily by setting: krb5_validate = false in the domain section, but please read the sssd-krb5 manual page to see what security implications this have
Does it work to request this principal from the command line? kinit user@EXAMPLE.COM kvno RestrictedKrbHost/ubuntu@EXAMPLE.COM
Is the principal really lower-case and shortname? I would have expected either lower-case FQDN or an upper-case shortname..
What is in the file /var/lib/sss/pubconf/krb5.include.d/domain_realm_$domain?
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393077: Generated subkey for TGS request: rc4-hmac/1624 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393078: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393080: Encoding request body and padata into FAST request (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393081: Sending request (1719 bytes) to EXAMPLE.COM (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393082: Initiating TCP connection to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393083: Sending TCP request to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393084: Received answer (317 bytes) from stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393085: Terminating TCP connection to stream <IP>:88 (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393086: Response was from master KDC (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393087: Decoding FAST response (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393088: TGS request result: -1765328377/Server not found in Kerberos database (Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393089: Destroying ccache MEMORY:xwkvpg9
Do you have any idea why the server is not found in the child domain ? Could that be because the wrong server principal may be used ?
Thanks for your help !
Jeremy _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Hello,
On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek jhrozek@redhat.com wrote:
Now, everything is OK with the main domain, AFAIK, I can login, sudo based on groups, etc. But for the child domain, most work, I can id a user@child (that resolves the user and the groups associated), I can "su - user@child" from root, BUT I can not login with that user@child. Sanitized logs follow :
It's hard to say from the trimmed log, but I assume this happens during the TGT validation phase? If yes, then you could work around that temporarily by setting: krb5_validate = false in the domain section, but please read the sssd-krb5 manual page to see what security implications this have
I have tried that, and yes, it works. Though because of the security implications I would rather set it up without it...
Does it work to request this principal from the command line? kinit user@EXAMPLE.COM
I have tried that with my AD user, and yes I receive no error and return code is 0
kvno RestrictedKrbHost/ubuntu@EXAMPLE.COM
kvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/UBUNTU@EXAMPLE.COM
Is the principal really lower-case and shortname? I would have expected either lower-case FQDN or an upper-case shortname..
root@ubuntu:~# kvno ubuntu ubuntu@EXAMPLE.COM: kvno = 2
I am not sure precisely what to look for principals...
root@ubuntu:~# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 UBUNTU$@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 2 UBUNTU$@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 2 UBUNTU$@EXAMPLE.COM (des3-cbc-sha1) 2 UBUNTU$@EXAMPLE.COM (arcfour-hmac) 2 UBUNTU$@EXAMPLE.COM (des-cbc-md5) 2 UBUNTU$@EXAMPLE.COM (des-cbc-crc) 2 host/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 2 host/UBUNTU@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 2 host/UBUNTU@EXAMPLE.COM (des3-cbc-sha1) 2 host/UBUNTU@EXAMPLE.COM (arcfour-hmac) 2 host/UBUNTU@EXAMPLE.COM (des-cbc-md5) 2 host/UBUNTU@EXAMPLE.COM (des-cbc-crc) 2 host/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 2 host/ubuntu@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 2 host/ubuntu@EXAMPLE.COM (des3-cbc-sha1) 2 host/ubuntu@EXAMPLE.COM (arcfour-hmac) 2 host/ubuntu@EXAMPLE.COM (des-cbc-md5) 2 host/ubuntu@EXAMPLE.COM (des-cbc-crc) 2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des3-cbc-sha1) 2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (arcfour-hmac) 2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des-cbc-md5) 2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des-cbc-crc) 2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des3-cbc-sha1) 2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (arcfour-hmac) 2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des-cbc-md5) 2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des-cbc-crc)
None of these are ok with kvno except 'UBUNTU$@EXAMPLE.COM'
root@ubuntu:~# kvno ubuntu ubuntu@EXAMPLE.COM: kvno = 2 root@ubuntu:~# kvno ubuntu@EXAMPLE.COM ubuntu@EXAMPLE.COM: kvno = 2 root@ubuntu:~# kvno UBUNTU UBUNTU@EXAMPLE.COM: kvno = 2 root@ubuntu:~# kvno UBUNTU@EXAMPLE.COM UBUNTU@EXAMPLE.COM: kvno = 2 root@ubuntu:~# kvno UBUNTU@example.com kvno: KDC reply did not match expectations while getting credentials for UBUNTU@example.com
What is in the file /var/lib/sss/pubconf/krb5.include.d/domain_realm_$domain?
[domain_realm] .child.example.com = CHILD.EXAMPLE.COM child.example.com = CHILD.EXAMPLE.COM [capaths] CHILD.EXAMPLE.COM = { EXAMPLE.COM = EXAMPLE.COM } EXAMPLE.COM = { CHILD.EXAMPLE.COM = EXAMPLE.COM }
Thanks for youe time !
Jeremy
On Tue, Feb 5, 2019 at 3:35 PM Jeremy Monnet jmonnet@gmail.com wrote:
Hello,
On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek jhrozek@redhat.com wrote:
Now, everything is OK with the main domain, AFAIK, I can login, sudo based on groups, etc. But for the child domain, most work, I can id a user@child (that resolves the user and the groups associated), I can "su - user@child" from root, BUT I can not login with that user@child. Sanitized logs follow :
It's hard to say from the trimmed log, but I assume this happens during the TGT validation phase? If yes, then you could work around that temporarily by setting: krb5_validate = false in the domain section, but please read the sssd-krb5 manual page to see what security implications this have
I have tried that, and yes, it works. Though because of the security implications I would rather set it up without it...
kvno RestrictedKrbHost/ubuntu@EXAMPLE.COMkvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/UBUNTU@EXAMPLE.COM
Is the principal really lower-case and shortname? I would have expected either lower-case FQDN or an upper-case shortname..
I am not sure precisely what to look for principals...
I followed that lead, and found that no SPN were registered at all in the AD object. I edited it with ADSI, and could login with all domains...
I looked at other objects an dit seems none have had the same SPN registered, and I don't know at all how the object is created (other that it is created when I "realm" the server). I will look at it a bit !
Jérémy
On Tue, Feb 05, 2019 at 04:29:23PM +0100, Jeremy Monnet wrote:
On Tue, Feb 5, 2019 at 3:35 PM Jeremy Monnet jmonnet@gmail.com wrote:
Hello,
On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek jhrozek@redhat.com wrote:
Now, everything is OK with the main domain, AFAIK, I can login, sudo based on groups, etc. But for the child domain, most work, I can id a user@child (that resolves the user and the groups associated), I can "su - user@child" from root, BUT I can not login with that user@child. Sanitized logs follow :
It's hard to say from the trimmed log, but I assume this happens during the TGT validation phase? If yes, then you could work around that temporarily by setting: krb5_validate = false in the domain section, but please read the sssd-krb5 manual page to see what security implications this have
I have tried that, and yes, it works. Though because of the security implications I would rather set it up without it...
kvno RestrictedKrbHost/ubuntu@EXAMPLE.COMkvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/UBUNTU@EXAMPLE.COM
Is the principal really lower-case and shortname? I would have expected either lower-case FQDN or an upper-case shortname..
I am not sure precisely what to look for principals...
I followed that lead, and found that no SPN were registered at all in the AD object. I edited it with ADSI, and could login with all domains...
I looked at other objects an dit seems none have had the same SPN registered, and I don't know at all how the object is created (other that it is created when I "realm" the server). I will look at it a bit !
There is an issue if realmd uses adcli to join the domain if 'hostname' only returns the short name and not the fully-qualified DNS name. In this case adcli tries to add the same SPN twice which causes an error and as a result no SPN is added.
HTH
bye, Sumit
Jérémy _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On Fri, Feb 8, 2019 at 10:20 AM Sumit Bose sbose@redhat.com wrote:
I looked at other objects an dit seems none have had the same SPN registered, and I don't know at all how the object is created (other that it is created when I "realm" the server). I will look at it a bit !
There is an issue if realmd uses adcli to join the domain if 'hostname' only returns the short name and not the fully-qualified DNS name. In this case adcli tries to add the same SPN twice which causes an error and as a result no SPN is added.
That would perfectly be it ! Do you think you could include that remark in https://docs.pagure.org/SSSD.sssd/users/ad_provider.html#client-configuratio... ?
Regards,
Jeremy
sssd-users@lists.fedorahosted.org
-
Jakub Hrozek -
Jeremy Monnet -
Sumit Bose