On Thu, May 06, 2021 at 09:59:45AM +0200, Paweł Szafer wrote:
> Hello,
> 
> This morning I had a bad surprise. Suddenly I cannot log in anymore to my
> PC.
> My OS is Arch-based, with SSSD 2.4.2, updated yesterday (it was working
> after update, last login occurred around 7pm 05.05.2021, today 7am

Hi,

is the cyrus-sasl-gssapi package still installed?

> 06.05.2021 cannot log in anymore)
> Maybe you have any idea what's wrong.
> What I see in sssd logs:
> 
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100):
> Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
> (2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No
> worthy mechs found
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020):
> ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080):
> Extended failure message: [SASL(-4): no mechanism available: No worthy
> mechs found]
> (2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040):
> Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100):
> Marking port 389 of server 'dc1.domain.name' as 'not working'
> 
> I tried to rejoin domain with
> 
> krb5.conf
> 
>  allow_weak_crypto = true
>  permitted_enctypes = aes rc4
> 
> then with commands:
> 
> KRB5_TRACE=/dev/stdout kinit -V adu...@ad.example.com.
> kinit Administrator
> net ads join -k
> klist -ke
> 
> Keytab looks like that:
> 
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
> 
> Both kinit and ldapsearch are working properly.

Did you try ldapsearch with the '-Y GSS-SPNEGO' option?

bye,
Sumit

> Thanks for help!
> 
> 
> 
> -----
> Pawel

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
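
Added example, not part of the thread and not SSSD code: a small Python triage of the backend log lines quoted above. It pairs the SASL mechanism SSSD requested with the "no mechanism available" error and the server that is then marked as not working. The function name and the sample (the quoted lines with mail wrapping undone) are constructed for illustration.

```python
import re

# Constructed sample: the backend log lines quoted in the thread, mail wrapping undone.
SAMPLE_LOG = """\
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
(2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
(2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
(2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
"""

# SSSD debug line layout: (timestamp): [be[domain]] [function] (level): message
# The leading "(" is optional because pasted logs sometimes lose it.
LINE = re.compile(r"^\(?(?P<ts>[^)]+)\): \[be\[(?P<dom>[^\]]+)\]\] \[\w+\] "
                  r"\(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
BIND = re.compile(r"Executing sasl bind mech: (?P<mech>[\w-]+), user: (?P<user>\S+)")
NOMECH = re.compile(r"SASL\(-4\): no mechanism available")  # -4 is SASL_NOMECH
DOWN = re.compile(r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as 'not working'")

def find_missing_mech_binds(log_text):
    """Return one finding per SASL bind that failed with 'no mechanism available'."""
    findings, current = [], {}  # current: latest bind attempt per SSSD domain
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        dom, msg = line["dom"], line["msg"]
        if bind := BIND.search(msg):
            current[dom] = {"domain": dom, "time": line["ts"].strip(), "mech": bind["mech"],
                            "user": bind["user"], "server": None, "failed": False}
        elif dom in current and NOMECH.search(msg) and not current[dom]["failed"]:
            current[dom]["failed"] = True
            findings.append(current[dom])
        elif dom in current and current[dom]["failed"] and (down := DOWN.search(msg)):
            # Failover marks the server down after the failed bind; record which one.
            current[dom]["server"] = f"{down['server']}:{down['port']}"
            del current[dom]
    return findings

if __name__ == "__main__":
    for f in find_missing_mech_binds(SAMPLE_LOG):
        print(f"{f['time']} {f['domain']}: bind as {f['user']} with {f['mech']} "
              f"had no usable SASL mechanism; {f['server']} marked not working")
```

A finding means the Cyrus SASL client library could not offer the mechanism SSSD asked for, which is what the two questions in the reply check.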