Hi again, Thanks a lot for guiding me so far :)
I have got the sssd-1.9.2 package from Timo, the Ubuntu sssd package maintainer for Ubuntu Quantal.
SSSD is configured against AD as auth/id provider.

sssd.conf:

[sssd]
debug_level = 0x1310
config_file_version = 2
services = nss, pam
domains = nat.c.sdu.dk

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/nat.c.sdu.dk]
debug_level = 0x1310
enumerate = False
min_id = 1000
max_id = 20000
auth_provider = ad
id_provider = ad
access_provider = ad
chpass_provider = ad
ad_server = nat.c.sdu.dk
ad_hostname = testina4$.nat.c.sdu.dk
ad_domain = nat.c.sdu.dk
From log:

(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: testina4$
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working'
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NAT.C.SDU.DK], [2][No such file or directory]

-----
The error "Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'" jumps out.

Testina4 is my Linux host, joined to the AD with the msktutils application - but maybe it hasn't got enough permissions granted to make a query in the domain???

root@testina4:/etc/sssd# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 testina4$@NAT.C.SDU.DK (arcfour-hmac)
  13 testina4$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
  13 testina4$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
  14 testina4$@NAT.C.SDU.DK (arcfour-hmac)
  14 testina4$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
  14 testina4$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
  14 host/testina4@NAT.C.SDU.DK (arcfour-hmac)
  14 host/testina4@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
  14 host/testina4@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   9 testina4$@NAT.C.SDU.DK (arcfour-hmac)
   9 testina4$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   9 testina4$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
I can get object data for 'testina4' and the AD user 'imadatestuser' from the command line run on 'testina4' (after I run kinit as the AD admin user):

ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=testina4))'

# extended LDIF
#
# LDAPv3
# base <ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=computer)(name=testina4))
# requesting: ALL
# with pagedResults control: size=1000
#

# testina4, Linux computers, ADResources, nat.c.sdu.dk
dn: CN=testina4,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: testina4
distinguishedName: CN=testina4,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
instanceType: 4
whenCreated: 20121019130319.0Z
whenChanged: 20121105144001.0Z
uSNCreated: 158837247
uSNChanged: 161473679
name: testina4
objectGUID:: os+KTql470WRz9dZ/6U3Tw==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129959868084813523
lastLogoff: 0
lastLogon: 129966788793794911
localPolicyFlags: 0
pwdLastSet: 129959870279509463
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YoRy4AAA==
accountExpires: 9223372036854775807
logonCount: 42
sAMAccountName: testina4$
sAMAccountType: 805306369
dNSHostName: testina4.nat.c.sdu.dk
servicePrincipalName: host/testina4
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129966000010645525
msDS-SupportedEncryptionTypes: 28

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1
alongina@testina4:~$ ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=ADusers,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=person)(sAMAccountName=imadatestuser))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
alongina@testina4:~$ kinit
Password for alongina@NAT.C.SDU.DK:
alongina@testina4:~$ ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=ADusers,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=person)(sAMAccountName=imadatestuser))'
SASL/GSSAPI authentication started
SASL username: alongina@NAT.C.SDU.DK
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=ADusers,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=person)(sAMAccountName=imadatestuser))
# requesting: ALL
# with pagedResults control: size=1000
#

# IMADAtest Testesen, Odense, Institut for Matematik og Datalogi, ADUsers, nat.c.sdu.dk
dn: CN=IMADAtest Testesen,OU=Odense,OU=Institut for Matematik og Datalogi,OU=ADUsers,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IMADAtest Testesen
sn: Testesen
l: Odense M
title: Professor
postalCode: 5230
givenName: IMADAtest
distinguishedName: CN=IMADAtest Testesen,OU=Odense,OU=Institut for Matematik og Datalogi,OU=ADUsers,DC=nat,DC=c,DC=sdu,DC=dk
instanceType: 4
whenCreated: 20091005131413.0Z
whenChanged: 20121019141347.0Z
displayName: IMADAtest Testesen
uSNCreated: 20103944
memberOf:: Q049Y29tbW9uX3VzZXJzLE9VPUbDpmxsZXMsT1U9SW5zdGl0dXR0ZXIsT1U9QURHcm91cHMsREM9bmF0LERDPWMsREM9c2R1LERDPWRr
memberOf:: Q049bmF0LWxlY3R1cmVzLE9VPUbDpmxsZXMsT1U9SW5zdGl0dXR0ZXIsT1U9QURHcm91cHMsREM9bmF0LERDPWMsREM9c2R1LERDPWRr
memberOf: CN=Imada-terminal-users,OU=Institut for Matematik og Datalogi (IMADA),OU=Institutter,OU=ADGroups,DC=nat,DC=c,DC=sdu,DC=dk
uSNChanged: 117297654
department: Institut for Matematik og Datalogi
name: IMADAtest Testesen
objectGUID:: xevmnsllekOUPs5dy6xBUw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \sdu-data0.c.sdu.dk\staff\imadatestuser
homeDrive: M:
badPasswordTime: 129951292226925867
lastLogoff: 0
lastLogon: 129951296097614099
logonHours:: ////////////////////////////
pwdLastSet: 129951295698649008
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YolSgAAA==
accountExpires: 0
logonCount: 1
sAMAccountName: imadatestuser
sAMAccountType: 805306368
userPrincipalName: imadatestuser@nat.c.sdu.dk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
dSCorePropagationData: 20121026084647.0Z
dSCorePropagationData: 20120525083005.0Z
dSCorePropagationData: 20120328164019.0Z
dSCorePropagationData: 20111214110440.0Z
dSCorePropagationData: 16010714223649.0Z
lastLogonTimestamp: 129951296097540185
unixHomeDirectory: /home/imadatestuser

# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1
Longina
-----Original Message-----
From: Stephen Gallagher [mailto:sgallagh@redhat.com]
Sent: 26 October 2012 15:22
To: End-user discussions about the System Security Services Daemon
Cc: Longina Przybyszewska; Timo Aaltonen
Subject: Re: [SSSD-users] startup problem
On Fri 26 Oct 2012 09:15:16 AM EDT, Longina Przybyszewska wrote:
I have compiled the 1.9.2 version and installed it in /usr/local/.
This way the other programs can't use the new libraries.
The preferable way would be installing in the same places as the native package would do.
The native version in Ubuntu Quantal is 1.9.1, so the worst case would be an eventual regular upgrade to 1.9.2 some day.
What are the relevant install options to 'configure'?

SSSD has some pieces that *must* be in the standard locations or it will not function properly. These are the nss_sss.so.2 NSS library and the pam_sss.so PAM library.
If you are not familiar with packaging, you might have better luck coordinating with Timo Aaltonen, the Ubuntu/Debian maintainer for SSSD. I believe he keeps an Ubuntu PPA with the latest bits somewhere.
CCing him on the conversation.
On Tue, Nov 06, 2012 at 02:16:26PM +0000, Longina Przybyszewska wrote:
Not all the information is in the log; raising the debug_level might provide more info, but I think the problem is in the kinit.
Can you kinit as the principal specified in the ad_hostname and then ldapsearch the directory?
Are you sure about the principal in ad_hostname? I think it is typically HOST$@DOMAIN, your principal doesn't contain the at-sign.
Hi,
My machine joined AD - I can get attributes with ldapsearch as an AD user (and as local root):

alongina@victoria:~$ ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=victoria))'
SASL/GSSAPI authentication started
SASL username: alongina@NAT.C.SDU.DK
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=computer)(name=victoria))
# requesting: ALL
# with pagedResults control: size=1000
#

# VICTORIA, Linux computers, ADResources, nat.c.sdu.dk
dn: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: VICTORIA
distinguishedName: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
instanceType: 4
whenCreated: 20121107151527.0Z
whenChanged: 20121108100744.0Z
uSNCreated: 22665166
uSNChanged: 22700883
name: VICTORIA
objectGUID:: Np8rYg/Jxka041fkPw1blA==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129967763011945002
lastLogoff: 0
lastLogon: 129968428368941751
localPolicyFlags: 0
pwdLastSet: 129968428370191767
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YoUC4AAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: VICTORIA$
sAMAccountType: 805306369
dNSHostName: victoria.nat.c.sdu.dk
servicePrincipalName: host/victoria.nat.c.sdu.dk
servicePrincipalName: host/victoria
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129968428370187304
msDS-SupportedEncryptionTypes: 28

# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1
The /etc/krb5.keytab:

alongina@victoria:~$ sudo klist -e -k
[sudo] password for alongina:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 victoria$@NAT.C.SDU.DK (arcfour-hmac)
   7 victoria$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   7 victoria$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   7 host/victoria@NAT.C.SDU.DK (arcfour-hmac)
   7 host/victoria@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   7 host/victoria@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   7 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (arcfour-hmac)
   7 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   7 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)

Does it make a difference, victoria$ <--> VICTORIA$ ??? Because in AD: sAMAccountName VICTORIA$

I can't kinit using the keytab:

alongina@victoria:~$ kinit -k -t /etc/krb5.keytab victoria$@NAT.C.SDU.DK
kinit: Client not found in Kerberos database while getting initial credentials
alongina@victoria:~$ kinit -k -t /etc/krb5.keytab host/victoria@NAT.C.SDU.DK
kinit: Client not found in Kerberos database while getting initial credentials
alongina@victoria:~$ kinit -k -t /etc/krb5.keytab victoria$
kinit: Generic preauthentication failure while getting initial credentials
alongina@victoria:~$ kinit -k -t /etc/krb5.keytab 'victoria$'
kinit: Generic preauthentication failure while getting initial credentials

I use msktutils for joining AD.

Longina
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 8 November 2012 10:54
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] startup problem/port status 0
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi again,
I deleted the computer from AD and joined again with some changes:

Now, computer: hostname = victoria.nat.c.sdu.dk

In AD:

ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=victoria))'
SASL/GSSAPI authentication started
SASL username: VICTORIA$@NAT.C.SDU.DK
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=computer)(name=victoria))
# requesting: ALL
# with pagedResults control: size=1000
#

# VICTORIA, Linux computers, ADResources, nat.c.sdu.dk
dn: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: VICTORIA
distinguishedName: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
instanceType: 4
whenCreated: 20121108142304.0Z
whenChanged: 20121108143127.0Z
uSNCreated: 120398572
uSNChanged: 120399833
name: VICTORIA
objectGUID:: yJFvBzDHyUWRHBrfdFdiUg==
userAccountControl: 4096
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 129968615052158722
lastLogoff: 0
lastLogon: 129968586876815634
localPolicyFlags: 0
pwdLastSet: 129968586878690610
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YoZzMAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: VICTORIA$
sAMAccountType: 805306369
dNSHostName: victoria.nat.c.sdu.dk
servicePrincipalName: host/victoria.nat.c.sdu.dk
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129968583496702650
msDS-SupportedEncryptionTypes: 28

# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1
My keytab:

root@victoria:/home/alongina# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 victoria$@NAT.C.SDU.DK (arcfour-hmac)
   7 victoria$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   7 victoria$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   7 host/victoria@NAT.C.SDU.DK (arcfour-hmac)
   7 host/victoria@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   7 host/victoria@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   3 VICTORIA$@NAT.C.SDU.DK (arcfour-hmac)
   3 VICTORIA$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   3 VICTORIA$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   3 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (arcfour-hmac)
   3 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   3 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   4 VICTORIA$@NAT.C.SDU.DK (arcfour-hmac)
   4 VICTORIA$@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   4 VICTORIA$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   4 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (arcfour-hmac)
   4 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes128-cts-hmac-sha1-96)
   4 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
..................

root@victoria:/home/alongina# kinit -k -t /etc/krb5.keytab 'VICTORIA$'
root@victoria:/home/alongina# kinit -k -t /etc/krb5.keytab 'VICTORIA$@NAT.C.SDU.DK'
root@victoria:/home/alongina# kinit -k -t /etc/krb5.keytab 'victoria$@NAT.C.SDU.DK'
kinit: Preauthentication failed while getting initial credentials
.......................

The command: getent passwd imadatestuser@NAT.C.SDU.DK
doesn't work.

In /var/log/sssd/ldap_child.log:
................
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): total buffer size: 37
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): princ_str size: 9
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): got princ_str: victoria$
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [victoria$@NAT.C.SDU.DK]
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Nov 8 16:16:25 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Thu Nov 8 16:16:25 2012) [[sssd[ldap_child[3928]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
.......................

In /etc/sssd/sssd.conf
......
Ad_hostname = VICTORIA$@NAT.C.SDU.DK
......
It is obviously confusing about principal names...

Longina
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 8 November 2012 10:54
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] startup problem/port status 0
On Thu, Nov 08, 2012 at 03:38:47PM +0000, Longina Przybyszewska wrote:
In /etc/sssd/sssd.conf
......
Ad_hostname = VICTORIA$@NAT.C.SDU.DK
......

It should be "ad_hostname" (note the capital A), and it's only useful for specifying the machine hostname in case the output of the hostname command doesn't reflect the real host name.

Does it work if you set:

ad_hostname = VICTORIA$
krb5_realm = NAT.C.SDU.DK

(VICTORIA$@NAT.C.SDU.DK was the one that worked for you, right?)

If it doesn't, can you raise debugging in the domain section, restart sssd, try again and look for lines that mention "ldap_child"? You would see the principal used there.
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 8 November 2012 10:54
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] startup problem/port status 0
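The victoria$ / VICTORIA$ mismatch diagnosed in this thread, as an added example that is not part of the original posts: it pulls the principal ldap_child logged ("Principal name is: [...]"), parses a `klist -e -k` listing of the keytab, and compares both case-sensitively with the sAMAccountName that ldapsearch returned for the computer object, the way the KDC does. The log excerpt, keytab listing and the AD_SAM_ACCOUNT_NAME constant are constructed sample data modelled on the thread's output, not copied from it.

```python
"""Check the principal SSSD used for its keytab TGT against the keytab and AD.

Kerberos principal names are case-sensitive: 'victoria$' and 'VICTORIA$' are
different clients, and only the one equal to AD's sAMAccountName exists in the
KDC, so a key for the wrong case fails even though the keytab "has" the host.
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the thread (not copied from the posts).
SAMPLE_LDAP_CHILD_LOG = """\
(Thu Nov  8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
(Thu Nov  8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): got princ_str: victoria$
(Thu Nov  8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [victoria$@NAT.C.SDU.DK]
(Thu Nov  8 16:16:25 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
"""

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 victoria$@NAT.C.SDU.DK (arcfour-hmac)
   7 victoria$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   7 host/victoria@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   4 VICTORIA$@NAT.C.SDU.DK (arcfour-hmac)
   4 VICTORIA$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   4 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
"""

# Constructed: the sAMAccountName the computer object's ldapsearch reported.
AD_SAM_ACCOUNT_NAME = "VICTORIA$"

PRINCIPAL_RE = re.compile(r"Principal name is: \[([^\]]+)\]")
KLIST_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str  # name part before '@', e.g. "VICTORIA$" or "host/victoria"
    realm: str
    enctype: str


def principal_from_ldap_child_log(log_text):
    """Return the last principal ldap_child logged, or None if the line is absent."""
    found = PRINCIPAL_RE.findall(log_text)
    return found[-1] if found else None


def parse_klist(text):
    """Parse `klist -e -k` output into KeytabEntry records; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def diagnose(used_principal, entries, sam_account_name):
    """Classify the principal SSSD used relative to the keytab and AD's sAMAccountName.

    Verdicts: 'ok' (exact match with keys present), 'case-mismatch' (same letters,
    different case, as with victoria$ vs VICTORIA$), 'wrong-principal' (another
    account) or 'keytab-missing-principal' (right name, but no key for it).
    """
    name, _, realm = used_principal.partition("@")
    used_keys = [e for e in entries if e.principal == name and e.realm == realm]
    expected_keys = [e for e in entries if e.principal == sam_account_name and e.realm == realm]
    if name == sam_account_name:
        verdict = "ok" if expected_keys else "keytab-missing-principal"
    elif name.lower() == sam_account_name.lower():
        verdict = "case-mismatch"
    else:
        verdict = "wrong-principal"
    return {
        "verdict": verdict,
        "used": used_principal,
        "expected": f"{sam_account_name}@{realm}",
        "used_in_keytab": bool(used_keys),       # a key exists, yet the KDC may not know the name
        "expected_kvnos": sorted({e.kvno for e in expected_keys}),
    }


if __name__ == "__main__":
    used = principal_from_ldap_child_log(SAMPLE_LDAP_CHILD_LOG)
    report = diagnose(used, parse_klist(SAMPLE_KLIST), AD_SAM_ACCOUNT_NAME)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, replace the three constructed inputs with the current ldap_child.log, the output of klist -e -k and the sAMAccountName from your own ldapsearch; a "case-mismatch" verdict is the situation where kinit -k succeeds for one spelling and fails for the other.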