Hello,

I never fixed the issues I had last year
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/5XUJLUVI5JZILZKDK5DRHK7PSQNIZZBD/
but I did make a new test on a brand new, up-to-date Ubuntu, and the
result is far better, though not everything is working.

As a reminder, I have an AD with a parent and a child domain, let's
say example.com and child.example.com. For the new server I set up, I
used the system-provided utilities:
realm join example.com -U 'u...@example.com'
which pretty much generates

root@ubuntu:/var/log/sssd# cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
debug_level=9
access_provider = ad

Now, everything is OK with the main domain, AFAIK: I can log in, sudo
based on groups, etc. For the child domain, most things work: I can id a
user@child (that resolves the user and the associated groups), I can
"su - user@child" from root, BUT I cannot log in with that user@child.
Sanitized logs follow:

sssd_example.com.log
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_server_status]
(0x1000): Status of server '<ad>' is 'working'
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_port_status]
(0x1000): Port status of port 389 for server '<ad>' is 'working'
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to
6 seconds
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [get_server_status]
(0x1000): Status of server '<ad>' is 'working'
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[be_resolve_server_process] (0x0200): Found address for server <ad>:
[IP] TTL 3600
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[ad_resolve_callback] (0x0100): Constructed uri 'ldap://<ad>'
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://<ad>'
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[unique_filename_destructor] (0x2000): Unlinking
[/var/lib/sss/pubconf/.krb5info_dummy_ivIwhy]
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [unlink_dbg]
(0x2000): File already removed:
[/var/lib/sss/pubconf/.krb5info_dummy_ivIwhy]
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[sss_domain_get_state] (0x1000): Domain child.example.com is Active
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[child_handler_setup] (0x2000): Setting up signal handler up for pid
[30303]
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[child_handler_setup] (0x2000): Signal handler set up for pid [30303]
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]]
[write_pipe_handler] (0x0400): All data has been sent!
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Thu Jan 31 16:05:24 2019) [sssd[be[example.com]]] [krb5_auth_done]
(0x0040): The krb5_child process returned an error. Please inspect the
krb5_child.log file or the journal for more information


krb5_child.log
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393070: Sending
TCP request to stream <IP>:88
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393071:
Received answer (317 bytes) from stream <IP>:88
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393072:
Terminating TCP connection to stream <IP>:88
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393073:
Response was from master KDC
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393074:
Decoding FAST response
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393075: TGS
request result: -1765328377/Server not found in Kerberos database
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393076:
Requesting tickets for RestrictedKrbHost/ubu...@example.com, referrals
off
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393077:
Generated subkey for TGS request: rc4-hmac/1624
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393078: etypes
requested in TGS request: aes256-cts, aes128-cts, aes256-sha2,
aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393080:
Encoding request body and padata into FAST request
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393081: Sending
request (1719 bytes) to EXAMPLE.COM
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393082:
Initiating TCP connection to stream <IP>:88
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393083: Sending
TCP request to stream <IP>:88
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393084:
Received answer (317 bytes) from stream <IP>:88
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393085:
Terminating TCP connection to stream <IP>:88
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393086:
Response was from master KDC
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393087:
Decoding FAST response
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393088: TGS
request result: -1765328377/Server not found in Kerberos database
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]]
[sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393089:
Destroying ccache MEMORY:xwkvpg9


Do you have any idea why the server is not found in the child domain?
Could that be because the wrong server principal is being used?

Thanks for your help!

Jeremy
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
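Added example (not from the original post or the sssd project): a small Python parser for the sssd krb5_child trace format shown above. It pairs each "Requesting tickets for ..." line with the next "TGS request result" from the same krb5_child pid and translates the numeric libkrb5 error into its symbolic name, so whoever reads the log can see which service principal the KDC rejected. The sample lines are constructed from the format on this page; the hostname in the principal is a placeholder.

```python
import re

# libkrb5 error codes are offsets from the com_err table base for the krb5 table.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # "Server not found in Kerberos database"
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    37: "KRB5KRB_AP_ERR_SKEW",
    68: "KRB5KDC_ERR_WRONG_REALM",
}

# One krb5_child trace line: "... [sss_child_krb5_trace_cb] (0x4000): [pid] seq: message"
TRACE_RE = re.compile(r"\[sss_child_krb5_trace_cb\] \(0x4000\): \[(\d+)\] (\d+\.\d+): (.*)$")
REQUEST_RE = re.compile(r"Requesting tickets for (\S+), referrals (on|off)")
RESULT_RE = re.compile(r"TGS request result: (-?\d+)/(.*)")

# Constructed sample in the page's format; HOST-PLACEHOLDER stands in for the client host.
SAMPLE_LOG = """\
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393075: TGS request result: -1765328377/Server not found in Kerberos database
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393076: Requesting tickets for RestrictedKrbHost/HOST-PLACEHOLDER@EXAMPLE.COM, referrals off
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393081: Sending request (1719 bytes) to EXAMPLE.COM
(Thu Jan 31 16:05:24 2019) [[sssd[krb5_child[30303]]]] [sss_child_krb5_trace_cb] (0x4000): [30303] 1548947124.393088: TGS request result: -1765328377/Server not found in Kerberos database
"""

def krb5_error_name(code):
    """Map a signed libkrb5 error code to its symbolic name (or 'unknown')."""
    return KRB5_ERRORS.get(code - KRB5_ERROR_TABLE_BASE, "unknown")

def pair_tgs_requests(lines):
    """Return (pid, principal, referrals, code, name) for every TGS request that is
    followed by a result line from the same child pid. A result with no preceding
    request (like the first line of the sample) is skipped."""
    pending = {}   # pid -> (principal, referrals setting)
    results = []
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue
        pid, _seq, msg = m.groups()
        req = REQUEST_RE.search(msg)
        if req:
            pending[pid] = (req.group(1), req.group(2))
            continue
        res = RESULT_RE.search(msg)
        if res and pid in pending:
            principal, referrals = pending.pop(pid)
            code = int(res.group(1))
            results.append((pid, principal, referrals, code, krb5_error_name(code)))
    return results

if __name__ == "__main__":
    for pid, principal, referrals, code, name in pair_tgs_requests(SAMPLE_LOG.splitlines()):
        print(f"pid {pid}: {principal} (referrals {referrals}) -> {code} {name}")
```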
