On (24/04/17 18:41), Sumit Bose wrote:
>On Mon, Apr 24, 2017 at 12:22:02PM -0400, TomK wrote:
>> On 4/21/2017 9:48 PM, TomK wrote:
>> > Hey All,
>> >
>> > We are connecting a set of servers directly with AD. The AD computer
>> > object is created for the host and is associated with a service account.
>> > This service account works well with other hosts on the same domain.
>> >
>> > Since this is a direct SSSD to AD setup, we are using adcli to establish
>> > a connection to AD.
>> > adcli populates a /etc/krb5.keytab file with a number of entries including:
>> >
>> >  * Added the entries to the keytab:
>> > host/longhostname-host01.xyz.abc....@company.com: FILE:/etc/krb5.keytab
>> >
>> > and runs successfully, without errors, to completion. However when
>> > starting up sssd, we see the following in the log files:
>> >
>> > .
>> > .
>> >
>> > [[sssd[ldap_child[11774]]]] [main] (0x0400): ldap_child started.
>> > [[sssd[ldap_child[11774]]]] [main] (0x2000): context initialized
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): total buffer size: 71
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): realm_str size: 12
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got realm_str: COMPANY.COM
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): princ_str size: 35
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got princ_str: host/longhostname-host01.xyz.abc.co
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): keytab_name size: 0
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): lifetime: 86400
>> > [[sssd[ldap_child[11774]]]] [unpack_buffer] (0x0200): Will run as [0][0].
>> > [[sssd[ldap_child[11774]]]] [privileged_krb5_setup] (0x2000): Kerberos context initialized
>> > [[sssd[ldap_child[11774]]]] [main] (0x2000): Kerberos context initialized
>> > [[sssd[ldap_child[11774]]]] [become_user] (0x0200): Trying to become user [0][0].
>> > [[sssd[ldap_child[11774]]]] [become_user] (0x0200): Already user [0].
>> > [[sssd[ldap_child[11774]]]] [main] (0x2000): Running as [0][0].
>> > [[sssd[ldap_child[11774]]]] [main] (0x2000): getting TGT sync
>> > got princ_str: host/longhostname-host01.xyz.abc....@company.com
>> > .
>> > .
>> > Principal name is: [host/longhostname-host01.xyz.abc....@company.com]
>> > .
>> > .
>> >
>> > followed by:
>> >
>> > [[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.219837: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes128-cts, aes256-cts
>> > [[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.219898: Sending request (224 bytes) to COMPANY.COM
>> > [[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.220151: Initiating TCP connection to stream 1.2.3.4:88
>> > [[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.222555: Sending TCP request to stream 1.2.3.4:88
>> > [[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.226128: Received answer from stream 1.2.3.4:88
>> > [[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.226205: Response was from master KDC
>> > [[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774] 1492661662.226238: Received error from KDC: -1765328378/Client not found in Kerberos database
>> >
>> >
>> > Verified that the krb5.keytab has the principal and it matches exactly.
>> > The OS is RHEL 6.7. Wondering if anyone ran into this and what could be
>> > some of the problems that could be causing this? Do we need something
>> > extra to be done on the AD side besides creating the computer object?
>> > We'd take it from there to dig further since I realize I can't provide
>> > all the details without first editing things out as I did above.
>> >
>> >
>>
>> Hey All,
>>
>> Solved the above by specifying the exact and ONLY keytab entries the AD
>> server needed, short-hostn...@domain.com, (autogenerated entries from
>> calling adcli were resulting in the above error message). Not sure why but
>> an incorrect keytab entry was being picked up from the krb5.keytab file even
>> though adcli was used to generate the krb5.keytab file. However now
>
>Which id_provider did you use? The AD provider should pick the right keytab
>entry by default.

Should :-) https://pagure.io/SSSD/sssd/issue/3329

It works with a single principal "short-hostname$@DOMAIN.COM" in the keytab
because sssd can fall back to any UPN with AD "*$".

>As an alternative you can specify the right principal
>with the ldap_sasl_authid option in the [domain/...] section of
>sssd.conf (see man sssd-ldap for details).
>

+1 for workaround with ldap_sasl_authid

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
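Added example, not from this thread or from the SSSD project: a small parser for MIT keytab version 2 files, so an admin can list exactly which principals an adcli-written /etc/krb5.keytab contains and confirm that the value set in ldap_sasl_authid (or the "short-hostname$@REALM" entry the thread ends up relying on) is really among them. It assumes the MIT keytab v2 on-disk layout; the realm COMPANY.COM is from the thread, the host names and zero-filled keys are constructed placeholders.

```python
import struct

def _cstr(b: bytes) -> bytes:                       # 16-bit length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(principal: str, enctype: int, key: bytes, kvno: int) -> bytes:
    """Serialise one MIT keytab v2 entry for a principal like 'host/fqdn@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)                  # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, enctype, kvno)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        pos += 8                     # skip name_type and timestamp
        vno8, enctype, klen = struct.unpack_from(">BHH", data, pos)
        pos += 5 + klen              # step over the key material
        kvno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(parts[1:]) + "@" + parts[0], enctype, kvno32 or vno8))
        pos = end
    return entries

def has_principal(data: bytes, principal: str) -> bool:
    """True if PRINCIPAL (e.g. the ldap_sasl_authid value) is in the keytab."""
    return any(p == principal for p, _, _ in parse_keytab(data))

# Constructed sample: machine account plus host/ principal, dummy zero keys.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HOST01$@COMPANY.COM", 18, b"\x00" * 32, 2) \
    + build_entry("host/host01.example.com@COMPANY.COM", 18, b"\x00" * 32, 2)
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` on a real host to see every principal adcli wrote, then compare with the one ldap_child logs as "Principal name is".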