I've always used a fully qualified hostname. My example was a cleaned-up
version and I was too lazy to write subdomain1.example.com.

I've set ad_hostname to the correct hostname. Your question made me take a
look into other settings and I noticed that the server's hostname had a
different domain name. But I still had the same problems as before.

Increasing debug_level created an amazing amount of rows.  :)

This is my cleaned-up log.
[[sssd[krb5_child[1926]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.

[[sssd[krb5_child[1926]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/mycli...@subdomain1.example.com].
[[sssd[krb5_child[1926]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[1926]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[1926]]]] [k5c_send_data] (0x0200): Received error code 1432158209

This is when trying to log in using SSH with use...@subdomain2.example.com.
With use...@subdomain1.example.com it works.

[[sssd[krb5_child[2135]]]] [validate_tgt] (0x0400): TGT verified using key for [MYCLIENT$@DOMAIN1.EXAMPLE.COM].


2018-03-05 16:18 GMT+01:00 Roger Martensson <roger.martens...@gmail.com>:

> I've always used a fully qualified hostname. My example was a cleaned-up
> version and I was too lazy to write subdomain1.example.com.
>
> I've set ad_hostname to the correct hostname. Your question made me take a
> look into other settings and I noticed that the server's hostname had a
> different domain name. But I still had the same problems as before.
>
> Increasing debug_level created an amazing amount of rows.  :)
>
> This is my cleaned-up log.
>
>
> 2018-03-05 15:35 GMT+01:00 Sumit Bose <sb...@redhat.com>:
>
>> On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
>> > On 03/05/2018 08:25 AM, Roger Martensson wrote:
>> > > Sorry about that.. Bleeping send-button-shortcut.
>> > >
>> > > Let me continue.
>> > >
>> > > Command I use to test: ssh userid@subdomain2@localhost
>> > >
>> > > The krb5_child.log contains these error messages:
>> > > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [SUBDOMAIN1]
>> > > [[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [5621224]
>> > > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
>> > > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
>> > > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
>> > > [[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
>> > >
>> > > I can get it to work using 'krb5_validate = false' but that disables some
>> > > nice security measures.
>> > >
>> > > So.. Anyone that can help me back on track? AKA What did I do wrong this
>> > > time?
>> >
>> > Can you make sure your hostname is fully-qualified?
>> >
>> > If it is not currently then you will need to leave the domain, make sure the
>> > /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
>> > domain.
>>
>> If validation still fails after joining with the fully qualified name
>> please run SSSD with debug_level=9 in the [domain/...] section. This
>> will add the full Kerberos trace output to the krb5_child.log files
>> which will help to identify which step during validation fails.
>>
>> bye,
>> Sumit
>>
>> >
>> > -Justin
>> >
>> > >
>> > >
>> > >
>> > > 2018-03-05 14:13 GMT+01:00 Roger Martensson <roger.martens...@gmail.com>:
>> > >
>> > > > Hi!
>> > > >
>> > > > It's me again with multiple domain problems. :)
>> > > >
>> > > > I have once again problems with multiple domains. This time with login.
>> > > > Maybe someone of you could explain to me what I did wrong this time.
>> > > >
>> > > > OS: Ubuntu 17.10
>> > > > SSSD: 1.15.3
>> > > >
>> > > > Domain setup: two subdomains, both connected to the same parent domain. Both
>> > > > subdomains contain users. Most of them are only in one domain but some
>> > > > are found in both.
>> > > >
>> > > > Client is connected to subdomain1. I can log in with a user on subdomain 1.
>> > > > When logging in to subdomain2 (both using 'su-with-password-prompt' and
>> > > > 'ssh-to-localhost') I get a System Error 4.
>> > > >
>> > > > In the log krb5_child.log (which sssd_domain.log points to) I see these
>> > > > lines. (altered some names)
>> > > >
>> > > >
>> > >
>> > >
>> > >
>
>
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
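The failure pattern in this thread is the one the sssd-krb5 man page documents for krb5_validate: the keytab is searched for an entry whose realm matches the realm of the credential, and if none matches, the last keytab entry is used. A SUBDOMAIN2 user therefore gets validated against a SUBDOMAIN1 service principal, and the KDC answers "Server not found in Kerberos database" (krb5 error 7, S_PRINCIPAL_UNKNOWN, which libkrb5 reports as -1765328377). The script below is an added example, not code from the thread or from the SSSD project: it parses krb5_child.log lines and a `klist -k` listing and reports whether the user's realm has any keytab entry, whether SSSD fell back to the last entry, and whether the KDC rejected the fallback principal. The log lines and keytab listing are constructed (modelled on the thread's excerpts, with a hypothetical host name and upper-case realms); the function and field names are my own.

```python
"""Explain an SSSD krb5_validate failure from krb5_child.log plus `klist -k`.

Added example, not part of the thread or of SSSD. All inputs below are
constructed; principal and host names are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# com_err value libkrb5 uses for KDC protocol error 7 (S_PRINCIPAL_UNKNOWN)
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377

# "[function] (0xLEVEL): message" as written by SSSD's DEBUG macro
RE_LOG = re.compile(r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RE_KEY = re.compile(r"TGT (?P<result>verified|failed verification) using key for \[(?P<princ>[^\]]+)\]")
RE_ERR = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
# one data row of `klist -k`: KVNO then principal
RE_KLIST = re.compile(r"^\s*\d+\s+(?P<princ>\S+@\S+)\s*$")


def realm_of(principal: str) -> str:
    """Realm part of user@REALM or service/host@REALM."""
    return principal.rsplit("@", 1)[1]


@dataclass
class Validation:
    user_principal: str
    key_principal: str | None = None      # keytab entry SSSD validated against
    verified: bool | None = None          # None if no validate_tgt result seen
    fallback_to_last_entry: bool = False  # realm had no entry, last one used
    krb5_errors: list[int] = field(default_factory=list)


def parse_krb5_child_log(user_principal: str, log_text: str) -> Validation:
    """Pull the validate_tgt outcome and krb5 error codes out of krb5_child.log."""
    v = Validation(user_principal)
    for line in log_text.splitlines():
        m = RE_LOG.search(line)
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "validate_tgt":
            if "not found in keytab" in msg:
                v.fallback_to_last_entry = True
            k = RE_KEY.search(msg)
            if k:
                v.key_principal = k["princ"]
                v.verified = k["result"] == "verified"
        e = RE_ERR.search(msg)
        if e:
            v.krb5_errors.append(int(e["code"]))
    return v


def parse_klist_keytab(text: str) -> list[str]:
    """Principals from `klist -k` output, in keytab order (last one matters)."""
    return [m["princ"] for m in map(RE_KLIST.match, text.splitlines()) if m]


def diagnose(v: Validation, keytab_principals: list[str]) -> list[str]:
    """Human-readable findings; empty list means nothing suspicious."""
    findings: list[str] = []
    user_realm = realm_of(v.user_principal)
    if user_realm not in {realm_of(p) for p in keytab_principals}:
        findings.append(f"no keytab entry for realm {user_realm}; "
                        "krb5_validate falls back to the last keytab entry")
    if v.fallback_to_last_entry and v.key_principal:
        findings.append(f"validation used {v.key_principal} "
                        f"(realm {realm_of(v.key_principal)}) for a {user_realm} user")
    if KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN in v.krb5_errors:
        findings.append("KDC returned S_PRINCIPAL_UNKNOWN: the fallback service "
                        "principal does not exist in the user's realm")
    for p in keytab_principals:           # realm names are case-sensitive
        if realm_of(p) != realm_of(p).upper():
            findings.append(f"keytab realm {realm_of(p)!r} is not upper-case")
    return findings


# Constructed inputs (modelled on the thread; reflowed to one line each).
FAILING_LOG = """\
[[sssd[krb5_child[1926]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[1926]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient.subdomain1.example.com@SUBDOMAIN1.EXAMPLE.COM].
[[sssd[krb5_child[1926]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[1926]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
"""
PASSING_LOG = """\
[[sssd[krb5_child[2135]]]] [validate_tgt] (0x0400): TGT verified using key for [MYCLIENT$@SUBDOMAIN1.EXAMPLE.COM].
"""
KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYCLIENT$@SUBDOMAIN1.EXAMPLE.COM
   2 host/myclient.subdomain1.example.com@SUBDOMAIN1.EXAMPLE.COM
   2 RestrictedKrbHost/myclient.subdomain1.example.com@SUBDOMAIN1.EXAMPLE.COM
"""

if __name__ == "__main__":
    keytab = parse_klist_keytab(KLIST)
    for user, log in (("user@SUBDOMAIN2.EXAMPLE.COM", FAILING_LOG),
                      ("user@SUBDOMAIN1.EXAMPLE.COM", PASSING_LOG)):
        print(user, diagnose(parse_krb5_child_log(user, log), keytab) or ["ok"])
```

Run it against a real krb5_child.log (debug_level=9) and `klist -k` output instead of the embedded samples; a real listing repeats each principal once per enctype, which the checks above tolerate. The point the script makes explicit is that krb5_validate can only succeed for a realm the keytab actually has a key for, so a client joined to one subdomain cannot validate TGTs for users of a sibling subdomain without a keytab entry (or a trust-aware SSSD configuration) for that realm; setting krb5_validate = false just removes the check rather than fixing the mismatch.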
