On Thu, May 6, 2021 at 2:56 PM Paweł Szafer <psza...@gmail.com> wrote:
>
> Hello,
>
> This morning I had a bad surprise. Suddenly I cannot log in to my PC anymore.
> My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working after 
> the update; the last login occurred around 7pm 05.05.2021, today 7am 06.05.2021 
> I cannot log in anymore).
> Maybe you have an idea what's wrong.
> What I see in sssd logs:
>
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
> (2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
> (2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
> (2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
>
> I tried to rejoin the domain with
>
> krb5.conf
>
>  allow_weak_crypto = true
>  permitted_enctypes = aes rc4
>
> then with commands:
>
> KRB5_TRACE=/dev/stdout kinit -V adu...@ad.example.com.
> kinit Administrator
> net ads join -k
> klist -ke
>
> The keytab looks like this:
>
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name 
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name 
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name 
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name 
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.n...@domain.name 
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:09 restrictedkrbhost/pcn...@domain.name 
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name 
> (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name 
> (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 host/pcname.domain.n...@domain.name 
> (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 host/pcn...@domain.name (DEPRECATED:arcfour-hmac)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
>   10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
>
> Both kinit and ldapsearch are working properly.

I think `kinit` can't be used for a test as it uses a different
protocol. Does SASL bind work with ldapsearch?

I'm not sure what is used as a sasl lib, probably 'cyrus-sasl*'. Are
those packages up to date on your machine?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
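
Added example, not part of either message above: a shell script that pulls the mechanism, account and LDAP/SASL result codes out of the SSSD log lines quoted in the post, reports whether the bind failed in the client library or at the server, and prints the `ldapsearch` command that repeats the same SASL bind, which is the test the reply asks about. The function names are made up for this example, and the sample input is the quoted log rejoined to one entry per line.

```shell
#!/bin/sh
# Added example: triage SSSD backend log lines for a failed SASL bind.
# Constructed sample: the log lines quoted in the post, one entry per line.
sample_log() {
cat <<'EOF'
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
(2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
(2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
(2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
EOF
}

# Read log text on stdin and print one summary line. A negative ldap_rc is an
# OpenLDAP client-library (API) error raised locally; a positive one is a
# result code returned by the server. SASL(-4) is Cyrus SASL's SASL_NOMECH.
triage_sasl_bind() {
    awk -v q="'" '
    /Executing sasl bind mech:/ {
        mech = $0; sub(/.*mech: /, "", mech); sub(/,.*/, "", mech)
        user = $0; sub(/.*user: /, "", user)
    }
    /ldap_sasl_interactive_bind_s failed/ {
        ldap_rc = $0; sub(/.*failed \(/, "", ldap_rc); sub(/\).*/, "", ldap_rc)
    }
    /SASL\(-?[0-9]+\)/ {
        sasl_rc = $0; sub(/.*SASL\(/, "", sasl_rc); sub(/\).*/, "", sasl_rc)
    }
    /Marking port .* of server/ {
        server = $0; sub(".*server " q, "", server); sub(q ".*", "", server)
    }
    END {
        side = "unknown"
        if (ldap_rc != "" && ldap_rc + 0 < 0) side = "client"
        else if (ldap_rc != "" && ldap_rc + 0 > 0) side = "server"
        printf "mech=%s user=%s ldap_rc=%s sasl_rc=%s server=%s side=%s\n", mech, user, ldap_rc, sasl_rc, server, side
    }'
}

# Print (not run) the ldapsearch that repeats the same SASL bind against the
# rootDSE; run it with a Kerberos ticket for the account shown in user=.
repro_command() {
    triage_sasl_bind | sed -n \
      's|^mech=\([^ ]*\) .* server=\([^ ]*\) .*|ldapsearch -Y \1 -H ldap://\2 -b "" -s base|p'
}

sample_log | triage_sasl_bind
```

For the quoted log this reports `side=client` with `sasl_rc=-4`: the local SASL library found no usable plugin for the requested mechanism.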
