Ok, I see that it’s probably not supported:
https://pagure.io/SSSD/sssd/issue/2078
right?
Ondrej
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Monday, July 30, 2018 10:45 AM
To: End-user discussions about the System Security Services Daemon
<sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] sssd connecting to two AD domains
Hi all,
I have a machine joined to AD domain “mydomain.com” and there is also domain
“mydomain2.com”. The two are connected with a full two-way trust.
SSSD can happily recognize users from “mydomain.com”, but fails with users from
“mydomain2.com” - sssd complains that:
(Mon Jul 30 08:26:38 2018) [sssd[be[adesto]]] [get_port_status] (0x1000): Port
status of port 389 for server 'server.mydomain2.com' is 'not working'
(Mon Jul 30 08:26:38 2018) [sssd[be[adesto]]] [get_port_status] (0x0080): SSSD
is unable to complete the full connection request, this internal status does
not necessarily indicate network port issues.
But I can connect to that server with ldapsearch just fine (using a TGT
obtained with kinit -k hostname$).
Earlier in the logs I spotted that SSSD is trying to obtain TGT with a wrong
principal “host/hostname@REALM” instead of “hostname$@REALM”:
(Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_get_tgt_recv] (0x0400):
Child responded: 14 [Client 'host/hostn...@mydomain.com' not found in Kerberos
database], expired on [0]
(Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_kinit_done] (0x0100): Could
not get TGT: 14 [Bad address]
(Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_cli_kinit_done] (0x0400):
Cannot get a TGT: ret [1432158226](Authentication Failed)
I am wondering why SSSD is now, all of a sudden, trying to obtain a TGT using
the wrong principal?
Using RHEL-7.
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential
and is designated solely for the attention of the intended recipient(s). If you
are not an intended recipient, you must not use, disclose, copy, distribute or
retain this e-mail or any part thereof. If you have received this e-mail in
error, please notify the sender by return e-mail and delete all copies of this
e-mail from your computer system(s). Please direct any additional queries to:
communicati...@s3group.com<mailto:communicati...@s3group.com>. Thank You.
Silicon and Software Systems Limited (S3 Group). Registered in Ireland no.
378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
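Added example, not part of the original thread and not SSSD's own code: a small Python script that re-joins wrapped SSSD debug-log lines like those quoted above and extracts the principals the KDC reported as not found, together with the servers marked 'not working'. The sample log is constructed, with placeholder host, domain and realm names.

```python
import re

# Constructed sample in the SSSD debug-log layout quoted in the thread.
# Domain, host and realm names are placeholders; lines are wrapped as in the mail.
SAMPLE_LOG = """\
(Mon Jul 30 08:26:38 2018) [sssd[be[example]]] [get_port_status] (0x1000): Port
status of port 389 for server 'dc1.example2.test' is 'not working'
(Mon Jul 30 08:32:34 2018) [sssd[be[example]]] [sdap_get_tgt_recv] (0x0400):
Child responded: 14 [Client 'host/client1@EXAMPLE.TEST' not found in Kerberos
database], expired on [0]
(Mon Jul 30 08:32:34 2018) [sssd[be[example]]] [sdap_cli_kinit_done] (0x0400):
Cannot get a TGT: ret [1432158226](Authentication Failed)
"""

# One entry header: (timestamp) [process] [function] (debug level): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
                   r"\((?P<level>0x[0-9a-fA-F]{4})\): ?(?P<msg>.*)$")
PRINCIPAL = re.compile(r"Client '([^']+)' not found in Kerberos database")
PORT = re.compile(r"port (\d+) for server '([^']+)' is 'not working'")

def parse(text):
    """Split the log into entries, re-joining wrapped continuation lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip():
            joined = entries[-1]["msg"] + " " + line.strip()
            entries[-1]["msg"] = joined.strip()
    return entries

def principal_form(principal):
    """Classify a Kerberos principal by the shape of its primary component."""
    primary = principal.rsplit("@", 1)[0]
    if primary.endswith("$"):
        return "machine-account"      # e.g. HOSTNAME$@REALM
    return "service" if "/" in primary else "user"

def findings(entries):
    """Collect rejected principals and servers flagged as not working."""
    out = {"missing_principals": set(), "dead_ports": set()}
    for e in entries:
        if (m := PRINCIPAL.search(e["msg"])):
            out["missing_principals"].add((m.group(1), principal_form(m.group(1))))
        if (m := PORT.search(e["msg"])):
            out["dead_ports"].add((m.group(2), int(m.group(1))))
    return out

if __name__ == "__main__":
    print(findings(parse(SAMPLE_LOG)))
```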
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/5AR2PPJ3ARQDVDTLPWPLN5PSB75HVO6V/