[SSSD-users] Re: Problem with kinit

2018-07-23 Thread John Hearns
Jakub, thank you for your reply.

> If your configuration is using id_provider=ad I would have expected sssd
to prefer the netbiosname$ principal,

Indeed. My reading of kinit is that it should take the first principal in
the list returned by klist. In my case this should be ibis$.


# klist -k
  11 ibis$@NZWW.NZCORP.NET
  11 ibis$@NZWW.NZCORP.NET
  11 IBIS$@NZWW.NZCORP.NET
  11 IBIS$@NZWW.NZCORP.NET
  11 ibis$@NZWW.NZCORP.NET
  11 host/i...@nzww.nzcorp.net
  11 host/i...@nzww.nzcorp.net
  11 IBIS$@NZWW.NZCORP.NET
  11 host/i...@nzww.nzcorp.net



On 19 July 2018 at 11:09, Jakub Hrozek  wrote:

>
>
> > On 16 Jul 2018, at 11:48, John Hearns  wrote:
> >
> > I have had my head inside the ldap_child.c source code all morning.
> > I am getting these errors logged:
> >
> > [ldap_child_get_tgt_sync] (0x0100): Using keytab
> [MEMORY:/etc/krb5.keytab]
> > [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client
> 'host/
> > i...@nzww.nzcorp.net' not found in Kerberos database
>
> This is expected, in AD the host/fqdn principal cannot be used to get a
> TGT. As you can see below, you are using the netbiosname$@realm principal
> to kinit which works fine.
>
> If your configuration is using id_provider=ad I would have expected sssd
> to prefer the netbiosname$ principal, but if the selection fails or you are
> using the ldap provider, you can help sssd with the ldap_sasl_authid
> parameter.
>
> >
> > However the daily msktutil cron job I have running completes OK, and
> msktutil --auto-update tells me the machine password was renewed two days
> ago.
> >
> > Here is what happens when I run kinit from the command line.
> > My workstation is called ibis.  Please someone hit me with a clue stick.
> >
> > # kinit -k
> > kinit: Client 'host/i...@nzww.nzcorp.net' not found in Kerberos
> database while getting initial credentials
> >
> > # kinit -V -k ibis$
> > Using default cache: /tmp/krb5cc_0
> > Using principal: ibis$@NZWW.NZCORP.NET
> > Authenticated to Kerberos v5
> >
> > # kinit -V -k IBIS\$@NZWW.NZCORP.NET
> > Using default cache: /tmp/krb5cc_0
> > Using principal: IBIS$@NZWW.NZCORP.NET
> > Authenticated to Kerberos v5
> >
> >
> > ___
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@
> lists.fedorahosted.org/message/4DY3TSRSJBV5AU2P3CQH2UHH7GHXLOLV/
>


[SSSD-users] Re: Problem with kinit

2018-07-19 Thread Jakub Hrozek


> On 16 Jul 2018, at 11:48, John Hearns  wrote:
> 
> I have had my head inside the ldap_child.c source code all morning.
> I am getting these errors logged:
> 
> [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/
> i...@nzww.nzcorp.net' not found in Kerberos database

This is expected, in AD the host/fqdn principal cannot be used to get a TGT. As 
you can see below, you are using the netbiosname$@realm principal to kinit 
which works fine.

If your configuration is using id_provider=ad I would have expected sssd to 
prefer the netbiosname$ principal, but if the selection fails or you are using 
the ldap provider, you can help sssd with the ldap_sasl_authid parameter.

> 
> However the daily msktutil cron job I have running completes OK, and msktutil 
> --auto-update tells me the machine password was renewed two days ago.
> 
> Here is what happens when I run kinit from the command line.
> My workstation is called ibis.  Please someone hit me with a clue stick.
> 
> # kinit -k
> kinit: Client 'host/i...@nzww.nzcorp.net' not found in Kerberos database 
> while getting initial credentials
> 
> # kinit -V -k ibis$
> Using default cache: /tmp/krb5cc_0
> Using principal: ibis$@NZWW.NZCORP.NET
> Authenticated to Kerberos v5
> 
> # kinit -V -k IBIS\$@NZWW.NZCORP.NET
> Using default cache: /tmp/krb5cc_0
> Using principal: IBIS$@NZWW.NZCORP.NET
> Authenticated to Kerberos v5
> 
> 
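The two messages above turn on one distinction: an AD-joined host's keytab carries both the machine-account principal (netbiosname$@REALM, which AD will issue a TGT for, and which `kinit -k ibis$` used successfully) and the host/fqdn@REALM service principal (which AD will not issue a TGT for, and which a bare `kinit -k` and sssd's ldap_child both tried). The script below is an added example, not code from this thread or from the SSSD project: it reads a `klist -k` listing, tells the two kinds of principal apart, picks the machine-account one, and emits the `ldap_sasl_authid` line Jakub suggests for the case where sssd's own selection does not land on it. The function names are mine, and the keytab listings, the host `ws01` and the realm `AD.EXAMPLE.COM` are constructed stand-ins rather than the poster's values.

```shell
#!/bin/sh
# Added example, not code from the sssd-users thread or the SSSD project.
# It mirrors the thread's diagnosis: an AD keytab holds both the machine
# account principal (netbiosname$@REALM, which AD will issue a TGT for)
# and host/fqdn@REALM (an SPN that AD will not issue a TGT for), and
# sssd's ldap_child must end up using the former, e.g. via ldap_sasl_authid.
# Function names and the sample keytab listings below are mine; the
# realm AD.EXAMPLE.COM and host ws01 are constructed, not the poster's.

# Constructed stand-in for `klist -k` output: KVNO column, then principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 ws01$@AD.EXAMPLE.COM
  11 ws01$@AD.EXAMPLE.COM
  11 WS01$@AD.EXAMPLE.COM
  11 host/ws01.ad.example.com@AD.EXAMPLE.COM
  11 host/ws01.ad.example.com@AD.EXAMPLE.COM'

# Constructed keytab that only carries the service principal: kinit -k and
# sssd would both try host/fqdn and get "Client not found in Kerberos database".
HOST_ONLY_KLIST='KVNO Principal
  11 host/ws01.ad.example.com@AD.EXAMPLE.COM'

# Read a klist -k listing on stdin and print each distinct principal once,
# tagged "machine" (no "/" component, ends in "$" before the realm) or
# "service" (anything else, e.g. host/fqdn@REALM).
classify_principals() {
    awk 'NF >= 2 && $2 ~ /@/ && !seen[$2]++ {
             kind = ($2 ~ /\$@/ && $2 !~ /\//) ? "machine" : "service"
             print kind, $2
         }'
}

# First machine-account principal in the listing, i.e. the one to use with
# `kinit -k <principal>` and in ldap_sasl_authid. Prints nothing if none.
machine_principal() {
    classify_principals | awk '$1 == "machine" { print $2; exit }'
}

# Emit the sssd.conf [domain/...] line that pins the LDAP provider to the
# machine-account principal. Fails (return 1) when the keytab has no such
# principal, so a bad keytab is caught before sssd is restarted.
sssd_authid_line() {
    p=$(machine_principal)
    if [ -z "$p" ]; then
        echo "error: no netbiosname\$@REALM principal in keytab" >&2
        return 1
    fi
    printf 'ldap_sasl_authid = %s\n' "$p"
}

# Stand-alone run: classify the sample, show the line to add, and show the
# host-only keytab being rejected. Against a live host, replace the first
# printf with:  klist -k | sssd_authid_line
printf '%s\n' "$SAMPLE_KLIST" | classify_principals
printf '%s\n' "$SAMPLE_KLIST" | sssd_authid_line
printf '%s\n' "$HOST_ONLY_KLIST" | sssd_authid_line || echo "host-only keytab rejected"
```

With `id_provider = ad` sssd is expected to pick the netbiosname$ principal on its own, so the emitted `ldap_sasl_authid` line is only needed when that selection fails or the plain `ldap` provider is in use, as Jakub describes; the script's refusal to emit a line for a keytab with no machine-account entry is the check worth running before editing sssd.conf, since it is that missing entry, not the sssd setting, that makes both `kinit -k` and `ldap_child` fall back to host/fqdn.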