Sumit Bose wrote:
>  Am I being stupid (again?)  Obviously the krb5_validate=false setting needs
>  to be fixed. Just not sure if I should work on a fix within 4.2 or move to
>  4.4 and see if it gets resolved as part of other changes.


The validation issue might have different reasons. One might be
https://fedorahosted.org/sssd/ticket/3103  where SSSD creates a wrong
Kerberos configuration snippet. Fixes are available for sssd-1.13 and
later. But there might be other reasons as well.

If you don't mind please send the krb5_child.log with debug_level=10
covering an authentication attempt with 'krb5_validate = true' and the
content of /var/lib/sss/pubconf/krb5.include.d/domain_realm_your_domain.

Thanks Sumit,

Info you requested is attached. These logs are from a client machine. I confirmed that I could not authenticate with krb5_validate = True and that I could authenticate when I switched krb5_validate=false. I set the value to "True", turned up debug logging to 10 and then stopped SSSD service after my 3 login tries to try to constrain the log volume.

Still ended up with 1200+ lines in krb5_child.log, though.

Here is the info you requested (sanitized):

URL to krb5_child.log since it is pretty lengthy:
-------------------------------------------------------------
http://chrisdag.me/krb5_child.log.txt


And we actually had 2 domain_realm* files, which I think is due to the difference between DNS for client hostnames and DNS for the IPA server. Our CAPATH info does look like that SSSD issue you mentioned (ticket 3103) ...


This is domain_realm_companyaws_org:
------------------------------------------------------
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
.APAC.COMPANY.ORG = APAC.COMPANY.ORG
APAC.COMPANY.ORG = APAC.COMPANY.ORG
.LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
.NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
[capaths]
COMPANY.ORG = {
  COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
  COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
  COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
  EAME.COMPANY.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
  COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
  APAC.COMPANY.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
  COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
  LATAM.COMPANY.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
  COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
  NAFTA.COMPANY.ORG = COMPANY.ORG
}
And this is domain_realm_companyidm_org:
------------------------------------------------------------
[domain_realm]
.COMPANY.ORG = COMPANY.ORG
COMPANY.ORG = COMPANY.ORG
.EAME.COMPANY.ORG = EAME.COMPANY.ORG
EAME.COMPANY.ORG = EAME.COMPANY.ORG
.APAC.COMPANY.ORG = APAC.COMPANY.ORG
APAC.COMPANY.ORG = APAC.COMPANY.ORG
.LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
.NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
[capaths]
COMPANYAWS.ORG = {
  COMPANYIDM.ORG = COMPANYAWS.ORG
}
COMPANYIDM.ORG = {
  COMPANYAWS.ORG = COMPANYAWS.ORG
}
COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
  COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
  EAME.COMPANY.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
  APAC.COMPANY.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
  LATAM.COMPANY.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
  NAFTA.COMPANY.ORG = COMPANY.ORG
}
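As an added check (not code from this thread or from SSSD), the following Python parses the [capaths] section of an include file shaped like the two above, reports client realms that are opened in more than one block (COMPANYAWS.ORG in the first file, COMPANYIDM.ORG in the second) and folds them into a single block per client realm, which is the unambiguous form to compare against what the IPA server hands out. The sample text is constructed from a trimmed copy of the first file.

```python
# Constructed sample, modelled on the domain_realm_companyaws_org file above
# and trimmed to two realms: COMPANYAWS.ORG is opened once per target realm.
SAMPLE = """[capaths]
COMPANY.ORG = {
  COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
  COMPANY.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
  COMPANYAWS.ORG = COMPANY.ORG
}
COMPANYAWS.ORG = {
  EAME.COMPANY.ORG = COMPANY.ORG
}
"""

def parse_capaths(text):
    """Return [capaths] blocks in file order as (client_realm, {server: via}), repeats kept."""
    blocks, current, in_capaths = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                  # any section header
            in_capaths = line == "[capaths]"
        elif not in_capaths or not line or line[0] in "#;":
            continue                              # other sections, blanks, comments
        elif line.endswith("{"):                  # "CLIENT.REALM = {"
            current = (line.split("=", 1)[0].strip(), {})
            blocks.append(current)
        elif line == "}":
            current = None
        elif current is not None:                 # "SERVER.REALM = INTERMEDIATE"
            server, via = (p.strip() for p in line.split("=", 1))
            current[1][server] = via
    return blocks

def repeated_client_realms(blocks):
    """Client realms that open more than one block, the shape seen in the thread."""
    counts = {}
    for client, _ in blocks:
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n > 1)

def merge_capaths(blocks):
    """Fold the blocks into one per client realm; the first relation wins on conflict."""
    merged = {}
    for client, rels in blocks:
        for server, via in rels.items():
            merged.setdefault(client, {}).setdefault(server, via)
    return merged
```

Run it over the real files with parse_capaths(open(path).read()); an empty list from repeated_client_realms means the snippet already has one block per client realm.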
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project