OK, that could have been DC replication at play, said error has gone away and I can see AD users, phew.
John

On 7 May 2015 at 14:37, John Beranek <[email protected]> wrote:

> Although perhaps I spoke too soon. sssd starts up but throws log entries:
>
> May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
> May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Preauthentication failed
>
> John
>
> On 7 May 2015 at 14:34, John Beranek <[email protected]> wrote:
>
>> Sumit, many thanks - you hit the nail on the head! My smb.conf was
>> missing the line:
>>
>> kerberos method = secrets and keytab
>>
>> so had not created the keytab. Added the line, rejoined and sssd starts
>> as expected.
>>
>> Cheers,
>>
>> John
>>
>> On 7 May 2015 at 11:45, Sumit Bose <[email protected]> wrote:
>>
>>> On Thu, May 07, 2015 at 11:35:21AM +0100, John Beranek wrote:
>>> > Hi all,
>>> >
>>> > I've just built a RHEL 6.7 Beta VM to test the new SSSD release, and have
>>> > come across a strange issue.
>>> >
>>> > I can successfully kinit and join our AD domain with "net ads join -k" but
>>> > sssd won't start. The logs contain:
>>>
>>> you have to make sure that net ads join really creates a keytab. Please
>>> check 'kerberos method' in the smb.conf man page. By default the keys
>>> are written only to samba's internal secrets.tdb.
>>>
>>> As an alternative you might want to consider using the realm command to
>>> join the AD domain.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
>>> >
>>> > [ad_set_ad_id_options] (0x0100): Option krb5_realm set to EXAMPLE.COM
>>> > [sdap_set_sasl_options] (0x0100): Will look for [email protected] in default keytab
>>> > [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> > [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>> > [select_principal_from_keytab] (0x0010): Failed to read keytab [default]: No such file or directory
>>> > [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
>>> > [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>> > [be_process_init] (0x0010): fatal error initializing data providers
>>> >
>>> > Had a little feedback from Lukas, who suggested I ran "klist -kt". This
>>> > gives:
>>> >
>>> > # klist -kt
>>> > Keytab name: FILE:/etc/krb5.keytab
>>> > klist: No such file or directory while starting keytab scan
>>> >
>>> > Any ideas?
>>> >
>>> > John

--
John Beranek                 To generalise is to be an idiot.
http://redux.org.uk/                         -- William Blake
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
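
The root cause identified in the thread (a domain join that leaves the machine keys only in secrets.tdb because `kerberos method` is unset, so no keytab exists for sssd) can be checked before sssd is started. The script below is an added example, not part of the original thread or of Samba/SSSD; the function names are hypothetical, and the accepted values are taken from the `kerberos method` entry in the smb.conf man page.

```sh
#!/bin/sh
# Added example (not from the thread). All paths are supplied by the caller.

# Print the effective "kerberos method" from the [global] section of an
# smb.conf file; "secrets only" when unset (keys go only to secrets.tdb).
kerberos_method() {
    awk '
        /^[ \t]*[#;]/ { next }                     # comment lines
        /^[ \t]*\[/ {                              # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)                 # names ignore case and spaces
            if (key != "kerberosmethod") next
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val); gsub(/[ \t]+/, " ", val)
            found = val                            # last setting wins
        }
        END { print (found == "" ? "secrets only" : found) }
    ' "$1"
}

# Succeed only for the methods that use the system keytab sssd reads.
# "dedicated keytab" points Samba at a separate file, so it is rejected here.
join_writes_keytab() {
    case "$(kerberos_method "$1")" in
        "secrets and keytab"|"system keytab") return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = smb.conf path, $2 = keytab path. Returns 0 ok, 1 bad config, 2 no keytab.
preflight() {
    if ! join_writes_keytab "$1"; then
        echo "FAIL: kerberos method is '$(kerberos_method "$1")', join will not write $2"
        return 1
    fi
    [ -s "$2" ] || { echo "FAIL: $2 missing or empty, rejoin the domain"; return 2; }
    echo "OK: $2 exists, inspect entries with: klist -kt $2"
}

# Constructed sample input: an smb.conf without the option, as in the thread.
demo=$(mktemp -d)
printf '[global]\n  security = ads\n  realm = EXAMPLE.COM\n' > "$demo/smb.conf"
preflight "$demo/smb.conf" "$demo/krb5.keytab" || true
```

On a real host the call would be `preflight /etc/samba/smb.conf /etc/krb5.keytab` (the smb.conf location is an assumption; the keytab path is the one shown in the thread).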
