Jakub, thankyou for your reply.
> If your configuration is using id_provider=ad I would have expected sssd
to prefer the netbiosname$ principal,
Indeed. My reading of kinit is that it should take the first principal in
the list returned by klist. In my case thsi should be ibis$
# klist -k
11 ibis$@NZWW.NZCORP.NET
11 ibis$@NZWW.NZCORP.NET
11 IBIS$@NZWW.NZCORP.NET
11 IBIS$@NZWW.NZCORP.NET
11 ibis$@NZWW.NZCORP.NET
11 host/i...@nzww.nzcorp.net
11 host/i...@nzww.nzcorp.net
11 IBIS$@NZWW.NZCORP.NET
11 host/i...@nzww.nzcorp.net
On 19 July 2018 at 11:09, Jakub Hrozek wrote:
>
>
> > On 16 Jul 2018, at 11:48, John Hearns wrote:
> >
> > I have had my head inside the ldap_child.c source code all morning.
> > I am getting these errors logged:
> >
> > [ldap_child_get_tgt_sync] (0x0100): Using keytab
> [MEMORY:/etc/krb5.keytab]
> > [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client
> 'host/
> > i...@nzww.nzcorp.net' not found in Kerberos database
>
> This is expected, in AD the host/fqdn principal cannot be used to get a
> TGT. As you can see below, you are using the netbiosname$@realm principal
> to kinit which works fine.
>
> If your configuration is using id_provider=ad I would have expected sssd
> to prefer the netbiosname$ principal, but if the selection fails or you are
> using the ldap provider, you can help sssd with the ldap_sasl_authid
> parameter.
>
> >
> > However the dialy ksktutil cron job I have running completes OK, and
> msktutil --auto-update tells me the machine password was renewed two days
> ago.
> >
> > Here is what happens when I run kinit from the command line.
> > My workstation is called ibis. Please someone hit me with a clue stick.
> >
> > # kinit -k
> > kinit: Client 'host/i...@nzww.nzcorp.net' not found in Kerberos
> database while getting initial credentials
> >
> > # kinit -V -k ibis$
> > Using default cache: /tmp/krb5cc_0
> > Using principal: ibis$@NZWW.NZCORP.NET
> > Authenticated to Kerberos v5
> >
> > # kinit -V -k IBIS\$@NZWW.NZCORP.NET
> > Using default cache: /tmp/krb5cc_0
> > Using principal: IBIS$@NZWW.NZCORP.NET
> > Authenticated to Kerberos v5
> >
> >
> > ___
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@
> lists.fedorahosted.org/message/4DY3TSRSJBV5AU2P3CQH2UHH7GHXLOLV/
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@
> lists.fedorahosted.org/message/BPEL355LXLAJ4ZI7UVSFHJ5ZG6CUJIWI/
>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/JMD7PMTGOQAGYKXDANGWFI72X3I6S3DY/