[SSSD-users] Re: Can't login to AD in SSSD 2.4.2 / Arch Linux

2021-05-06 Thread Sumit Bose
On Thu, May 06, 2021 at 05:09:47PM +0200, Paweł Szafer wrote:
> Hi,
> 
> I had to add
> 
> ldap_sasl_mech=GSSAPI
> 
> to the domain section of my sssd.conf.
> But honestly I don't understand why SPNEGO is not working, any ideas?

Hi,

If it was working before, it looks like SPNEGO support got lost on your
client. You should check the configure and build logs of the krb5 and
sasl packages to see if there are any issues related to SPNEGO. In
particular, during the configure run of cyrus-sasl you should see a 'for
SPNEGO support in GSSAPI libraries' message.

HTH

bye,
Sumit

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
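As an added example tying together the checks suggested in this thread (an editor's script, not SSSD's or cyrus-sasl's own code): Sumit's point that GSS-SPNEGO is provided by cyrus-sasl's GSSAPI plugin and only exists if that plugin was built with SPNEGO support, his suggestion to confirm the cyrus-sasl-gssapi package is installed and to test the bind with `ldapsearch -Y GSS-SPNEGO`, and Alexey's point that a working `kinit` says nothing about the SASL layer. The script extracts from SSSD's domain log the mechanism that failed, parses `pluginviewer -c` (or `saslpluginviewer -c`, the name varies by distribution) output to see which GSS mechanisms the installed client library advertises, and, when run as root with the argument `live`, performs the same SASL binds SSSD does using the machine keytab. The plugin directory `/usr/lib/sasl2`, the DC name and machine principal taken from the quoted logs, and the sample log and pluginviewer text are assumptions or constructed input; the pluginviewer sample mimics the real layout, but only its `SASL mechanism:` lines are parsed.

```shell
#!/bin/sh
# Added example for this thread (editor's script, not SSSD or cyrus-sasl code).
# Assumptions: SASL plugin dir /usr/lib/sasl2 (Arch/Fedora layout); DC and
# machine account as in the quoted logs; sample texts below are constructed.

SASL_PLUGIN_DIR="${SASL_PLUGIN_DIR:-/usr/lib/sasl2}"
DC="${DC:-dc1.domain.name}"
MACHINE_PRINC="${MACHINE_PRINC:-PCNAME\$}"

# 1. Which SASL mechanism did SSSD ask for when it hit "No worthy mechs found"?
#    Reads an SSSD domain log on stdin; prints the mechanism, or nothing.
failed_sasl_mech() {
  awk '
    /Executing sasl bind mech: / {
      sub(/.*Executing sasl bind mech: /, ""); sub(/,.*/, ""); mech = $0
    }
    /No worthy mechs found/ { hit = 1 }
    END { if (hit && mech != "") print mech }
  '
}

# 2. Which GSS mechanisms does the installed cyrus-sasl client advertise?
#    Reads pluginviewer -c output on stdin. GSSAPI and GSS-SPNEGO both come
#    from the gssapiv2 plugin; GSS-SPNEGO is only listed when cyrus-sasl was
#    configured with SPNEGO support in the GSSAPI library.
mech_status() {
  awk '
    /SASL mechanism: / {
      m = $0; sub(/.*SASL mechanism: /, "", m); sub(/,.*/, "", m)
      if (m == "GSSAPI") g = "yes"
      if (m == "GSS-SPNEGO") s = "yes"
    }
    END {
      printf "gssapi=%s spnego=%s\n", (g == "" ? "no" : g), (s == "" ? "no" : s)
    }
  '
}

# 3. Is the plugin file there at all (cyrus-sasl-gssapi package)?
gssapi_plugin_present() {
  ls "$SASL_PLUGIN_DIR"/libgssapiv2.so* >/dev/null 2>&1
}

# 4. Live check (root, /etc/krb5.keytab, network to the DC): TGT for the
#    machine account from the keytab, then the SASL bind SSSD does, once per
#    mechanism. A successful kinit alone never exercises the SASL plugin.
live_bind_check() {
  KRB5CCNAME="FILE:/tmp/krb5cc_sasl_check.$$"; export KRB5CCNAME
  kinit -k "$MACHINE_PRINC" || return 1
  for mech in GSS-SPNEGO GSSAPI; do
    if ldapsearch -LLL -Y "$mech" -H "ldap://$DC" -b '' -s base \
         defaultNamingContext >/dev/null 2>&1; then
      echo "$mech bind to $DC: OK"
    else
      echo "$mech bind to $DC: FAILED"
    fi
  done
  kdestroy
}

# Constructed SSSD log excerpt, shaped like the one quoted in the thread.
SAMPLE_SSSD_LOG='(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
(2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found'

# Constructed pluginviewer -c output, cyrus-sasl built with SPNEGO support.
SAMPLE_WITH_SPNEGO='Installed and properly configured SASL (client side) mechanisms are:
  GSSAPI GSS-SPNEGO PLAIN
List of client plugins follows
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 256
        SASL mechanism: GSS-SPNEGO, best SSF: 256
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0'

# Constructed output for the situation in this thread: plugin loaded, no SPNEGO.
SAMPLE_NO_SPNEGO='Installed and properly configured SASL (client side) mechanisms are:
  GSSAPI PLAIN
List of client plugins follows
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 256
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0'

if [ "${1:-}" = live ]; then
  for pv in pluginviewer saslpluginviewer; do
    command -v "$pv" >/dev/null 2>&1 && "$pv" -c 2>/dev/null | mech_status && break
  done
  gssapi_plugin_present || echo "libgssapiv2.so missing from $SASL_PLUGIN_DIR"
  live_bind_check
else
  echo "SSSD failed with mech: $(printf '%s\n' "$SAMPLE_SSSD_LOG" | failed_sasl_mech)"
  echo "build with SPNEGO:     $(printf '%s\n' "$SAMPLE_WITH_SPNEGO" | mech_status)"
  echo "build without SPNEGO:  $(printf '%s\n' "$SAMPLE_NO_SPNEGO" | mech_status)"
fi
```

Run without arguments it only exercises the constructed samples; run it as root with `live` on the affected host. If the installed client reports `gssapi=yes spnego=no`, the `ldap_sasl_mech = GSSAPI` line in sssd.conf is the right workaround until the cyrus-sasl build regains SPNEGO support. The `allow_weak_crypto = true` and `rc4` lines in the quoted krb5.conf re-enable RC4 and have no bearing on a missing SASL mechanism (the keytab already holds AES keys), so they are better reverted.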


[SSSD-users] Re: Can't login to AD in SSSD 2.4.2 / Arch Linux

2021-05-06 Thread Alexey Tikhonov
On Thu, May 6, 2021 at 2:56 PM Paweł Szafer  wrote:
>
> Hello,
>
> This morning I had a bad surprise. Suddenly I cannot log in to my PC anymore.
> My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working after 
> update, last login occurred around 7pm 05.05.2021, today 7am 06.05.2021 
> cannot log in anymore)
> Maybe you have any idea what's wrong.
> What I see in sssd logs:
>
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing 
> sasl bind mech: GSS-SPNEGO, user: PCNAME$
> (2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No 
> worthy mechs found
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): 
> ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended 
> failure message: [SASL(-4): no mechanism available: No worthy mechs found]
> (2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): 
> Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): 
> Marking port 389 of server 'dc1.domain.name' as 'not working'
>
> I tried to rejoin domain with
>
> krb5.conf
>
>  allow_weak_crypto = true
>  permitted_enctypes = aes rc4
>
> then with commands:
>
> KRB5_TRACE=/dev/stdout kinit -V adu...@ad.example.com.
> kinit Administrator
> net ads join -k
> klist -ke
>
> The keytab looks like this:
>
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name 
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name 
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name 
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name 
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name 
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name 
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name 
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name 
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name 
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
>
> Both kinit and ldapsearch are working properly.

I think `kinit` can't be used for a test as it uses a different
protocol. Does SASL bind work with ldapsearch?

I'm not sure what is used as a sasl lib, probably 'cyrus-sasl*'. Are
those packages up to date on your machine?


[SSSD-users] Re: Can't login to AD in SSSD 2.4.2 / Arch Linux

2021-05-06 Thread Paweł Szafer
Hi,

I had to add

ldap_sasl_mech=GSSAPI

to the domain section of my sssd.conf.
But honestly I don't understand why SPNEGO is not working, any ideas?


On Thu, 6 May 2021 at 09:59 Paweł Szafer  wrote:

> Hello,
>
> This morning I had a bad surprise. Suddenly I cannot log in to my
> PC anymore.
> My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working
> after update, last login occurred around 7pm 05.05.2021, today 7am
> 06.05.2021 cannot log in anymore)
> Maybe you have any idea what's wrong.
> What I see in sssd logs:
>
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100):
> Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
> (2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No
> worthy mechs found
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020):
> ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080):
> Extended failure message: [SASL(-4): no mechanism available: No worthy
> mechs found]
> (2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv]
> (0x0040): Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100):
> Marking port 389 of server 'dc1.domain.name' as 'not working'
>
> I tried to rejoin domain with
>
> krb5.conf
>
>  allow_weak_crypto = true
>  permitted_enctypes = aes rc4
>
> then with commands:
>
> KRB5_TRACE=/dev/stdout kinit -V adu...@ad.example.com.
> kinit Administrator
> net ads join -k
> klist -ke
>
> The keytab looks like this:
>
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
>
> Both kinit and ldapsearch are working properly.
> Thanks for help!
>
>
>
> -
> Pawel
>
>


[SSSD-users] Re: Can't login to AD in SSSD 2.4.2 / Arch Linux

2021-05-06 Thread Sumit Bose
On Thu, May 06, 2021 at 09:59:45AM +0200, Paweł Szafer wrote:
> Hello,
> 
> This morning I had a bad surprise. Suddenly I cannot log in to my
> PC anymore.
> My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working
> after update, last login occurred around 7pm 05.05.2021, today 7am

Hi,

is the cyrus-sasl-gssapi package still installed?

> 06.05.2021 cannot log in anymore)
> Maybe you have any idea what's wrong.
> What I see in sssd logs:
> 
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100):
> Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
> (2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No
> worthy mechs found
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020):
> ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080):
> Extended failure message: [SASL(-4): no mechanism available: No worthy
> mechs found]
> (2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040):
> Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100):
> Marking port 389 of server 'dc1.domain.name' as 'not working'
> 
> I tried to rejoin domain with
> 
> krb5.conf
> 
>  allow_weak_crypto = true
>  permitted_enctypes = aes rc4
> 
> then with commands:
> 
> KRB5_TRACE=/dev/stdout kinit -V adu...@ad.example.com.
> kinit Administrator
> net ads join -k
> klist -ke
> 
> The keytab looks like this:
> 
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
> 
> Both kinit and ldapsearch are working properly.

Did you try ldapsearch with the '-Y GSS-SPNEGO' option?

bye,
Sumit

> Thanks for help!
> 
> 
> 
> -
> Pawel

https://pagure.io/fedora-infrastructure