I just figured it out. The problem was in my /etc/krb5. My encryption types listed are as follows:
default_tgs_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cdc-md5
default_tkt_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cdc-md5
permitted_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cbc-md5

However, my keytab did not have entries for aes256-cts. So I removed these entries for each of the above parameters, and it worked. Thanks!

> Date: Fri, 07 Sep 2012 19:23:44 -0400
> From: Dmitri Pal <[email protected]>
> To: [email protected]
> Subject: Re: [SSSD-users] Kerberos principal canonicalization is not available!
>
> On 09/07/2012 05:08 PM, John Thomas wrote:
> > Hello,
> >
> > I am having problems trying to get SSSD to work with RHEL 5 to authenticate against a Microsoft AD 2008. I did a manual compile/install of Kerberos 1.9.4 to use with SSSD 1.8.2, because I understand that the Kerberos must be greater than 1.7. A "getent passwd username" is unsuccessful. This is the output in /var/log/sssd/ldap_child.log.
> >
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0400): ldap_child started.
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): total buffer size: 67
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): realm_str size: 12
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got realm_str: REALM.COM
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): princ_str size: 23
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got princ_str: [email protected]
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): keytab_name size: 16
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): lifetime: 86400
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Key table entry not found
> > (Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
> >
> > Haven't been able to figure out what is wrong so far. Can someone help?
>
> Please provide sssd.conf and krb5.conf files.
>
> Based on the information above the name of the host principal did not match the name of the principal in the keytab.
> Did you provision host keytab from the KDC manually? Please see what host principals you have in the keytab and verify that it matches the host name of the system.
> Also the host principal is usually "host/<host FQDN>@<REALM IN CAPS>"
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
>
> It seems that the principal that has been looked up is different but it is sanitized to be sure what the issue is.
>
> > John
> >
> > _______________________________________________
> > sssd-users mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> End of sssd-users Digest, Vol 5, Issue 4
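
Added example (not part of the original thread, and not SSSD or MIT Kerberos code): a check for the mismatch described in the reply above, comparing the enctypes in the posted krb5.conf settings with the keys a keytab actually holds. The klist output, the principal host/client.example.com@EXAMPLE.COM and the assumption that klist prints short enctype names are constructed for illustration.

```python
import re

# krb5.conf aliases mapped to the canonical names assumed in the klist output.
ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96", "rc4-hmac": "arcfour-hmac"}
SETTINGS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# The three settings exactly as posted in the message above.
KRB5_CONF = """\
default_tgs_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cdc-md5
default_tkt_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cdc-md5
permitted_enctypes = aes256-cts rc4-hmac des-cbc-crc des-cbc-md5
"""

# Constructed `klist -ke /etc/krb5.keytab` output: a keytab with no aes256 key.
PRINCIPAL = "host/client.example.com@EXAMPLE.COM"  # placeholder principal
KLIST_KE = f"""\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 {PRINCIPAL} (arcfour-hmac)
   2 {PRINCIPAL} (des-cbc-crc)
   2 {PRINCIPAL} (des-cbc-md5)
"""

def canonical(name):
    return ALIASES.get(name.lower(), name.lower())

def configured_enctypes(conf_text):
    """Map each *_enctypes setting to its enctype names, in listed order."""
    found = {}
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in SETTINGS:
            found[key.strip()] = re.split(r"[\s,]+", value.strip())
    return found

def keytab_enctypes(klist_text, principal):
    """Canonical enctypes for which the keytab holds a key for principal."""
    rows = re.findall(r"^\s*\d+\s+(\S+)\s+\(([^)]+)\)\s*$", klist_text, re.M)
    return {canonical(etype) for princ, etype in rows if princ == principal}

def missing_from_keytab(conf_text, klist_text, principal):
    """Per setting, the configured enctypes that have no key in the keytab."""
    have = keytab_enctypes(klist_text, principal)
    return {setting: [e for e in names if canonical(e) not in have]
            for setting, names in configured_enctypes(conf_text).items()}

if __name__ == "__main__":
    for setting, names in missing_from_keytab(KRB5_CONF, KLIST_KE, PRINCIPAL).items():
        print(f"{setting}: no keytab key for {', '.join(names) or 'none'}")
```

Every configured name without a matching key is listed, which includes names the Kerberos library would not recognize.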
