Hello!

I put the pac option in the sssd config which seemed to help in the logs and in 
the long run. Although taking a look at the domain logs I have this. The main 
issue with "Server not found in Kerberos database" was remediated by setting 
dyndns_update = false being that we are not using dyndns. 

Here are the logs when dyndns is set to false. 

***DOMAIN LOGS***

(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0010): 
SIGTERM: killing children
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0040): 
Shutting down (status = 0)
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] 
[server_setup] (0x0040): Starting with debug level = 0x0070
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] 
(0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] 
(0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] 
(0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] 
(0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] 
(0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [fo_resolve_service_send] 
(0x0020): No available servers for service 'sd_domain.com'
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] 
[ad_get_slave_domain_connect_done] (0x0020): Unable to connect to LDAP [5]: 
Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] 
(0x0040): Unable to get subdomains [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [be_ptask_done] (0x0040): Task 
[Subdomains Refresh]: failed with [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] 
[ad_get_slave_domain_connect_done] (0x0020): Unable to connect to LDAP [5]: 
Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] 
(0x0040): Unable to get subdomains [5]: Input/output error

***LDAP_CHILD LOGS***

(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x2000): got realm_name: [EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x0100): Principal name is: [MYSERVER$@EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018940: Getting initial credentials for 
MYSERVER$@EXAMPLE.DOMAIN.COM

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018941: Unrecognized enctype name in 
default_tkt_enctypes: des-cbc-crc

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018942: Unrecognized enctype name in 
default_tkt_enctypes: des-cbc-md5

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018943: Looked up etypes in keytab: rc4-hmac, 
aes256-cts

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018945: Sending unauthenticated request

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018946: Sending request (205 bytes) to 
EXAMPLE.DOMAIN.COM

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018947: Sending initial UDP request to dgram 
192.172.2.5:88

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018948: Received answer (228 bytes) from dgram 
192.172.2.5:88

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018949: Response was from master KDC

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018950: Received error from KDC: 
-1765328359/Additional pre-authentication required

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018953: Preauthenticating using KDC method data

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018954: Processing preauth types: PA-PK-AS-REQ 
(16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018955: Selected etype info: etype aes256-cts, 
salt "EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018956: Retrieving MYSERVER$@EXAMPLE.DOMAIN.COM 
from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018957: AS key obtained for encrypted timestamp: 
aes256-cts/D0B6

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018959: Encrypted timestamp (for 
1628777855.139844): plain 
301AA011180F32303231303831323134313733355AA1050203022244, encrypted 
7E3F423BDB4DC1D927079C7D0E47E4AF671FC5255391F8812547A862034C5F3BEF53F551A9544A3BB7CE65201DF22772A9B0A3A2440ED2E2

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018960: Preauth module encrypted_timestamp (2) 
(real) returned: 0/Success

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018961: Produced preauth for next request: 
PA-ENC-TIMESTAMP (2)

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018962: Sending request (285 bytes) to 
EXAMPLE.DOMAIN.COM

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018963: Sending initial UDP request to dgram 
192.172.2.5:88

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018964: Received answer (104 bytes) from dgram 
192.172.2.5:88

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018965: Response was from master KDC

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018966: Received error from KDC: 
-1765328332/Response too big for UDP, retry with TCP

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018967: Request or response is too big for UDP; 
retrying with TCP

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018968: Sending request (285 bytes) to 
EXAMPLE.DOMAIN.COM (tcp only)

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018969: Initiating TCP connection to stream 
192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018970: Sending TCP request to stream 
192.172.2.5:88

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018971: Received answer (1627 bytes) from stream 
192.172.2.5:88

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018972: Terminating TCP connection to stream 
192.172.2.5:88

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018973: Response was from master KDC

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018974: Processing preauth types: PA-ETYPE-INFO2 
(19)

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018975: Selected etype info: etype aes256-cts, 
salt "EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018976: Produced preauth for next request: 
(empty)

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018977: AS key determined by preauth: 
aes256-cts/D0B6

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018978: Decrypted AS reply; session key is: 
aes256-cts/D18C

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018979: FAST negotiation: unavailable

(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x2000): credentials initialized
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018980: Initializing 
FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9 with default princ 
MYSERVER$@EXAMPLE.DOMAIN.COM

(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] 
(0x4000): [4054178] 1628777855.018981: Storing MYSERVER$@EXAMPLE.DOMAIN.COM -> 
krbtgt/example.domain....@example.domain.com in 
FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9

(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x2000): credentials stored
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x2000): Got KDC time offset
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] 
(0x2000): Renaming [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9] to 
[/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [unique_filename_destructor] 
(0x2000): Unlinking [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [unlink_dbg] (0x2000): File 
already removed: [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [prepare_response] (0x0400): 
Building response for result [0]
(2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x2000): response 
size: 64
(2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x1000): result [0] 
krberr [0] msgsize [44] msg [FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [main] (0x0400): ldap_child 
completed successfully

(2021-08-12 10:32:12): [ldap_child[4057811]] [main] (0x0020): 
ldap_child_get_tgt_sync failed.
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] 
(0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] 
(0x0010): Failed to initialize credentials using keytab 
[MEMORY:/etc/krb5.keytab]: Client 'host/example.cc.cc....@example.domain.com' 
not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP 
connection.
(2021-08-12 10:32:12): [ldap_child[4057812]] [main] (0x0020): 
ldap_child_get_tgt_sync failed.

Thank you!

Jovan
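A small parser for the debug records shown above, added here as an example (it is not code from the post or from SSSD): it re-joins records that the mail client wrapped across lines, names the MIT krb5 error numbers that appear in the logs (-1765328378 is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, the "Client ... not found in Kerberos database" case), and collects every client principal ldap_child tried, so a mismatch between the machine-account principal and a host/ principal is easy to spot. The sample log is a constructed excerpt in the post's format; the host/ principal in it is a placeholder.

```python
import re

# One sssd debug record as it appears in the post: (timestamp): [component[instance]] [function] (level): message
RECORD_RE = re.compile(r"^\((?P<ts>[^)]+)\): \[(?P<comp>[^\]]+\]?)\] \[(?P<func>[^\]]+)\] "
                       r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
TS_START = re.compile(r"^\(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\): ")

# MIT krb5 error numbers are ERROR_TABLE_BASE_krb5 plus the KDC protocol error code.
KRB5_ERROR_BASE = -1765328384
KRB5_CODE_NAMES = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # "Client ... not found in Kerberos database"
                   7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",  # "Server ... not found in Kerberos database"
                   25: "KRB5KDC_ERR_PREAUTH_REQUIRED", 52: "KRB5KRB_ERR_RESPONSE_TOO_BIG"}

def krb5_error_name(code: int) -> str:
    return KRB5_CODE_NAMES.get(code - KRB5_ERROR_BASE, f"krb5 error {code}")

def parse_sssd_log(text: str) -> list:
    """Re-join records the mail client wrapped across lines, then parse each one."""
    joined = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if TS_START.match(line):   # a record starts with its timestamp...
            joined.append(line)
        elif joined:               # ...anything else continues the previous record
            joined[-1] += " " + line
    return [m.groupdict() for m in map(RECORD_RE.match, joined) if m]

def summarize(records: list) -> dict:
    """Client principals tried, krb5 errors by name, and (function, errno) failures."""
    out = {"principals": set(), "krb5_errors": [], "errno_failures": []}
    for r in records:
        if m := re.search(r"Principal name is: \[([^\]]+)\]|Client '([^']+)'", r["msg"]):
            out["principals"].add(m.group(1) or m.group(2))
        if m := re.search(r"(?:failed|from KDC): (-\d+)", r["msg"]):
            out["krb5_errors"].append(krb5_error_name(int(m.group(1))))
        if m := re.search(r"\[(\d+)\]: [A-Za-z/ ]+$", r["msg"]):
            out["errno_failures"].append((r["func"], int(m.group(1))))
    return out

# Constructed excerpt in the post's wrapped format; the second principal is a placeholder.
SAMPLE_LOG = """\
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync]
(0x0100): Principal name is: [MYSERVER$@EXAMPLE.DOMAIN.COM]
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv]
(0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync]
(0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync]
(0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
Client 'host/PLACEHOLDER.example.domain.com@EXAMPLE.DOMAIN.COM' not found in Kerberos database.
"""
```

Run `summarize(parse_sssd_log(open("/var/log/sssd/ldap_child.log").read()))` against a real log to get the same three fields; two different entries under "principals" mean ldap_child is not always using the keytab entry you expect.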
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org