On Tue, Feb 5, 2019 at 3:35 PM Jeremy Monnet <jmon...@gmail.com> wrote:
>
> Hello,
>
> On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek <jhro...@redhat.com> wrote:
> >
> > > Now, everything is OK with the main domain, AFAIK, I can login, sudo
> > > based on groups, etc. But for the child domain, most work, I can id a
> > > user@child (that resolves the user and the groups associated), I can
> > > "su - user@child" from root, BUT I can not login with that user@child.
> > > Sanitized logs follow :
> > >
> >
> > It's hard to say from the trimmed log, but I assume this happens during
> > the TGT validation phase? If yes, then you could work around that
> > temporarily by setting:
> >     krb5_validate = false
> > in the domain section, but please read the sssd-krb5 manual page to see
> > what security implications this has
>
> I have tried that, and yes, it works. Though because of the security
> implications I would rather set it up without it...
>
>
>
> kvno RestrictedKrbHost/ubu...@example.com
> kvno: Server not found in Kerberos database while getting credentials
> for RestrictedKrbHost/ubu...@example.com
> >
> >
> > Is the principal really lower-case and shortname? I would have expected
> > either lower-case FQDN or an upper-case shortname..
>
>
> I am not sure precisely what to look for principals...
>

I followed that lead, and found that no SPNs were registered at all in the AD object. I edited it with ADSI, and could login with all domains...

I looked at other objects and it seems none have had the same SPN registered, and I don't know at all how the object is created (other than it is created when I "realm" the server). I will look at it a bit!

Jérémy
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
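
The check behind the fix described in this thread, as an added example that is not part of the original messages: it compares the service principals in the host keytab with the servicePrincipalName values on the AD computer object and lists the ones that are not registered. The `klist -k` output, the LDIF, and the host name `linuxhost` are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (placeholder names).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 LINUXHOST$@EXAMPLE.COM
   2 host/LINUXHOST@EXAMPLE.COM
   2 host/linuxhost.example.com@EXAMPLE.COM
   2 RestrictedKrbHost/LINUXHOST@EXAMPLE.COM
   2 RestrictedKrbHost/LINUXHOST@EXAMPLE.COM
   2 RestrictedKrbHost/linuxhost.example.com@EXAMPLE.COM
"""

# Constructed LDIF for the computer object: one with a single SPN, one with none.
LDIF_PARTIAL = """\
dn: CN=LINUXHOST,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/linuxhost.example.com
"""
LDIF_EMPTY = "dn: CN=LINUXHOST,CN=Computers,DC=example,DC=com\n"


def keytab_spns(klist_text):
    """Service principals in the keytab, realm stripped, duplicates removed."""
    spns = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)@\S+\s*$", line)
        # Entries without '/' are the machine account (NAME$), not an SPN.
        if m and "/" in m.group(1):
            spns.add(m.group(1))
    return spns


def ad_spns(ldif_text):
    """servicePrincipalName values from plain 'attr: value' LDIF lines."""
    spns = set()
    for line in ldif_text.splitlines():
        m = re.match(r"(?i)servicePrincipalName:\s+(.+)$", line)
        if m:
            spns.add(m.group(1).strip())
    return spns


def missing_spns(klist_text, ldif_text):
    """Keytab SPNs absent from the AD object; AD matches SPNs case-insensitively."""
    registered = {s.lower() for s in ad_spns(ldif_text)}
    return sorted(s for s in keytab_spns(klist_text) if s.lower() not in registered)
```

An empty result from `missing_spns` means every service principal in the keytab has a matching SPN on the computer object, which is the state in which `krb5_validate` can stay enabled.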