Hi, I had to add
ldap_sasl_mech=GSSAPI to domain part of my sssd.conf.
But honestly I don't understand why SPNEGO is not working, any ideas?

On Thu, 6 May 2021 at 09:59, Paweł Szafer <psza...@gmail.com> wrote:

> Hello,
>
> Today morning I had a bad surprise. Suddenly I cannot log in anymore to my PC.
> My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working
> after update, last login occurred around 7pm 05.05.2021, today 7am
> 06.05.2021 cannot log in anymore).
> Maybe you have any idea what's wrong.
> What I see in sssd logs:
>
> 2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
> (2021-05-06 9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
> (2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
> (2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
> (2021-05-06 9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-06 9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
>
> I tried to rejoin domain with
>
> krb5.conf
>
> allow_weak_crypto = true
> permitted_enctypes = aes rc4
>
> then with commands:
>
> KRB5_TRACE=/dev/stdout kinit -V adu...@ad.example.com.
> kinit Administrator
> net ads join -k
> klist -ke
>
> Keytab looks like that:
>
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/pcn...@domain.name (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/pcn...@domain.name (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:10 host/pcn...@domain.name (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
>
> Both kinit and ldapsearch are working properly.
> Thanks for help!
>
> -----
> Pawel
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org