I just figured it out. The problem was in my /etc/krb5. My encryption types listed are as follows:

default_tgs_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cdc-md5 default_tkt_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cdc-md5 permitted_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cbc-md5

However my keytab did not have entries for aes256-cts. So I removed these entries for each of the above parameters, and it worked.

Thanks!

Date: Fri, 07 Sep 2012 19:23:44 -0400 From: Dmitri Pal dpal@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Kerberos principal canonicalization is not     available! Message-ID: 504A8200.7000704@redhat.com Content-Type: text/plain; charset=UTF-8

On 09/07/2012 05:08 PM, John Thomas wrote:

...

Hello,

I am having problems trying to get SSSD to work with

RHEL 5 to authenticate against a Microsoft AD 2008.  I did a manual complile/install of Kerberos 1.9.4 to use with SSSD 1.8.2., because I understand that the kerberos must be greater than 1.7.  A "getent passwd username" is unsuccessful.  This is the output is the /var/log/sssd/ldap_child.log.

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [main] (0x0400): ldap_child started.

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): total buffer size: 67

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): realm_str size: 12

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got realm_str: REALM.COM

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): princ_str size: 23

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got princ_str: HOSTNAME$@REALM.COM

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): keytab_name size: 16

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): lifetime: 86400

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HOSTNAME$@REALM.COM]

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Key table entry not found

...

(Fri Sep  7 16:49:39 2012)

[[sssd[ldap_child[9473]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.

...

Haven't been able to figure out what is wrong so

far.  Can someone help?

...

Please provide sssd.conf and krb5.conf files.

Based on the information above the name of the host principal did not match the name of the principal in the keytab. Did you provision host keytab from the KDC manually? Please see what host principals you have in the keytab and verify that it matches the host name of the system. Also the host principal is usually "host/<host FQDN>@<REALM IN CAPS>" http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerb...

It seems that the principal that has been looked up is different but it is sanitized to be sure what the issue is.

...

John

---

sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

-- Thank you, Dmitri Pal

Sr. Engineering Manager for IdM portfolio Red Hat Inc.

---

Looking to carve out IT costs? www.redhat.com/carveoutcosts/

---

---

sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

End of sssd-users Digest, Vol 5, Issue 4

---