Ethel, also be careful with sssd and one-way trusts.

We find that sssd discovers and reports *ALL* one-way trusts, even ones that go the wrong way. That is, in our company there's a lot of test and lab AD domains that trust the main domain -- but the main AD domain doesn't trust these "cowboy" AD domains. (And rightly so.) As a consequence, we have to put the following line in our sssd.conf file:

    ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com

That line is basically saying -- "I don't care what yahoo AD domains you discover -- only deal with these specific AD domains." And then later in the domain section, we'll put in a domain_resolution_order line, in order to tell sssd in which order to search these AD domains (for users and groups).

Spike.

On Mon, Feb 17, 2025 at 1:54 PM Ethel Andino via sssd-users <[email protected]> wrote:
> I ran into a problem trying to set up GSSAPI authentication. Everything
> went smoothly on the test bench, but when we moved it to production, I hit
> an "Unspecified GSS failure" error.
>
> I spent nearly two days trying to debug it without any luck. It turned out
> that the client was trying to authenticate through Samba while the accounts
> were in a Windows domain. I went through a bunch of standard fixes like
> checking DNS and reconfiguring services, but nothing did the trick.
>
> Then, out of nowhere, I found a helpful resource
> (andersenlab.com/services/artificial-intelligence/consulting), which had
> some great info on integrating these kinds of systems. The spinics.net
> forum (https://www.spinics.net/lists/samba/msg183234.html) was also a
> lifesaver; they had a similar case where someone suggested I check the SSSD
> logs. I noticed a weird pattern in the errors and, after some tweaks with
> the two-way trust setup, everything finally worked!
>
> So it's my ready-made checklist for such situations:
> 1) Check out the SSSD logs to get more info on the error. This will help
> you figure out why the authorization isn't working.
> 2) Make sure your DNS settings are set up right to resolve the domain
> controller names.
> 3) Think about setting up a temporary two-way trust relationship to see if
> that helps with authorization.
> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
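The ad_enabled_domains pinning described above is easy to get subtly wrong: a missing comma turns two domains into one bogus entry, and the pinned list and domain_resolution_order can drift apart over time. The script below is an added example, not code from the thread or from the sssd project. It embeds a constructed sssd.conf (the domain names are the placeholder ones from the post, and the sample deliberately carries a missing comma) and checks, offline, that every ad_enabled_domains entry parses as a single FQDN, that the joined domain is itself listed (the post's own list includes company.com, so the check assumes that is required), and that every domain in domain_resolution_order is one of the pinned domains. The placement of domain_resolution_order in the [sssd] section is an assumption from my reading of sssd.conf(5); the checker accepts it in any section.

```python
"""Consistency check for ad_enabled_domains vs. domain_resolution_order in sssd.conf.

Added example; the config text below is constructed for illustration and is not
a real site's configuration.
"""
import configparser
import re

# Constructed sssd.conf, modelled on the post. The ad_enabled_domains line
# repeats the post's missing comma between japn.company.com and company.com.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = company.com
domain_resolution_order = amer.company.com, emea.company.com, company.com

[domain/company.com]
id_provider = ad
access_provider = ad
ad_domain = company.com
ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com company.com
"""

# Same config with the comma restored, for comparison.
FIXED_SSSD_CONF = SAMPLE_SSSD_CONF.replace(
    "japn.company.com company.com", "japn.company.com, company.com"
)

# One DNS name: labels of letters, digits and hyphens, at least one dot, no spaces.
FQDN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def split_list(value):
    """Split a comma-separated sssd list option into its raw items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_domain_lists(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    enabled = set()   # every domain pinned by some ad_enabled_domains line
    pinned = False    # whether any domain section pins its trusted domains

    # Pass 1: validate each domain section's ad_enabled_domains list.
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        raw = cfg.get(section, "ad_enabled_domains", fallback=None)
        if raw is None:
            continue  # unset: sssd exposes every discovered trust, nothing to check
        pinned = True
        listed = set()
        for item in split_list(raw):
            if FQDN_RE.match(item):
                listed.add(item.lower())
            else:
                # An item with a space or other junk almost always means a lost comma.
                findings.append(
                    f"{section}: malformed ad_enabled_domains entry {item!r} (missing comma?)"
                )
        # The joined domain is the section's ad_domain, or the section name if absent.
        joined = cfg.get(section, "ad_domain", fallback=section[len("domain/"):]).lower()
        if joined not in listed:
            findings.append(f"{section}: joined domain {joined} is not in ad_enabled_domains")
        enabled |= listed

    # Pass 2: every domain in a domain_resolution_order must be a pinned domain.
    for section in cfg.sections():
        raw = cfg.get(section, "domain_resolution_order", fallback=None)
        if raw is None:
            continue
        for item in split_list(raw):
            if not FQDN_RE.match(item):
                findings.append(f"{section}: malformed domain_resolution_order entry {item!r}")
            elif pinned and item.lower() not in enabled:
                findings.append(
                    f"{section}: domain_resolution_order lists {item}, "
                    "which is not in any ad_enabled_domains"
                )
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_SSSD_CONF), ("comma restored", FIXED_SSSD_CONF)):
        print(f"== {label} ==")
        for finding in check_domain_lists(text) or ["no findings"]:
            print("  " + finding)
```

Run against the sample as posted, the checker reports the malformed entry, then the two consequences of it (the joined domain company.com appears unlisted, and the resolution order references a domain that is not pinned); with the comma restored it reports nothing. Pointing it at a real /etc/sssd/sssd.conf is a matter of reading the file into check_domain_lists.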
