[SSSD-users] Re: [External] - Re: How to authenticate machine with Kerberos to Active Directory?

2020-07-30 Thread Spike White
Wes,

In addition, make sure all your DNS entries are correct.  Forward and
reverse.

"Cannot find host in Kerberos database" can arise from:
   1. missing entry in your /etc/krb5.conf file (James spoke to this clearly)
   2. missing machine account in AD (unlikely, because your AD join succeeded)
   3. missing DNS entries or
   4. not able to determine your AD domain (kerberos realm) from your DNS
      domain (unlikely, because your AD join succeeded).

Spike

On Thu, Jul 30, 2020 at 11:18 AM Wesley Taylor wrote:

> Sorry I asked this question in the wrong place, but thank you for the
> awesome
> answer James!
>
> -Original Message-
> From: James Ralston 
> Sent: Wednesday, July 29, 2020 11:05 PM
> To: End-user discussions about the System Security Services Daemon
> 
> Subject: [External] - [SSSD-users] Re: How to authenticate machine with
> Kerberos to Active Directory?
>
> On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor wrote:
>
> > I have a program I am trying to set up which tries to authenticate
> > with the principal host\machine-FQDN@REALM using Kerberos.
> >
> > However, when I run kinit -k, the machine isn't found in the Kerberos
> > database.
>
> "kinit -k" (with no arguments) defaults to attempting to obtain a TGT for
> (e.g.) host/mymachine.example@example.org, which only works if you set
> userPrincipalName to host/mymachine.example@example.org when you joined
> the host to Active Directory.
>
> Running "kinit -k MYMACHINE\$" (that is, using the value of the
> sAMAccountName attribute as the argument to "kinit -k") should always work.
>
> > From what I have read, SSSD is responsible for being the glue between
> > MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active
> > Directory uses).
>
> This has nothing to do with sssd; it's all about setting userPrincipalName
> correctly when you join the host to AD if you want "kinit -k" (with no
> arguments) to work.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: offline auth and system upgrades

2020-07-30 Thread xcorvis
I tried the update today... and it worked fine, the cache worked like it was 
supposed to. I did pause at the point when I was prompted to reboot, and I ran 
'id' and 'sudo', and checked that the cache file existed, everything was fine. 
I swear I've been doing upgrades every 6 months for 3 years and this is the 
first time it retained my creds. But hey, it works and that's what's important. 
Thanks again.


[SSSD-users] Re: offline auth and system upgrades

2020-07-30 Thread xcorvis
I did not know about that tool, that should save me a few steps. I was not 
looking forward to configuring the VPN under another user. Thanks!


[SSSD-users] Re: offline auth and system upgrades

2020-07-30 Thread xcorvis
If SSSD doesn't do it, then that seems likely. I'll try opening up a bug with 
the ubuntu maintainers after my next upgrade, when I have some more data. 
Thanks!


[SSSD-users] Re: offline auth and system upgrades

2020-07-30 Thread Lukas Slebodnik
On (29/07/20 15:27), xcor...@gmail.com wrote:
> I've been using sssd + AD to do auth for a few years now. Offline
> authentication is enabled and works normally. In that time I've upgraded my
> Ubuntu laptop several times, and each time I noticed that after the update, I
> cannot log in unless I'm on the corp network with direct access to AD. That
> hasn't really been a problem until now. I'm working from home over vpn all the
> time and don't have the option of going in to get on the corp network.
>
> I know the workaround is to use a local account, get on the VPN, authenticate
> with my AD account and populate the cache, but IT doesn't like me creating
> local users and it's a pain. I haven't tried the latest update yet (19.10 ->
> 20.04, sssd currently 2.2.0).
>

You can use `sss_seed` to add a user to the cache even when you are offline.
https://linux.die.net/man/8/sss_seed

But you need to run it as root.

LS


[SSSD-users] Re: [External] - Re: How to authenticate machine with Kerberos to Active Directory?

2020-07-30 Thread Wesley Taylor
Sorry I asked this question in the wrong place, but thank you for the awesome 
answer James!


-Original Message-
From: James Ralston 
Sent: Wednesday, July 29, 2020 11:05 PM
To: End-user discussions about the System Security Services Daemon 

Subject: [External] - [SSSD-users] Re: How to authenticate machine with 
Kerberos to Active Directory?

On Wed, Jul 29, 2020 at 8:24 PM Wesley Taylor wrote:

> I have a program I am trying to set up which tries to authenticate
> with the principal host\machine-FQDN@REALM using Kerberos.
>
> However, when I run kinit -k, the machine isn't found in the Kerberos
> database.

"kinit -k" (with no arguments) defaults to attempting to obtain a TGT for
(e.g.) host/mymachine.example@example.org, which only works if you set
userPrincipalName to host/mymachine.example@example.org when you joined the
host to Active Directory.

Running "kinit -k MYMACHINE\$" (that is, using the value of the sAMAccountName 
attribute as the argument to "kinit -k") should always work.

> From what I have read, SSSD is responsible for being the glue between
> MIT Kerberos (what Linux uses) and Microsoft Kerberos (which Active
> Directory uses).

This has nothing to do with sssd; it's all about setting userPrincipalName 
correctly when you join the host to AD if you want "kinit -k" (with no 
arguments) to work.
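Added example, not from the thread or the SSSD project, that turns James's point into a small diagnostic: given the output of `klist -k` on an AD-joined host, it reports which principal a bare `kinit -k` will ask for (host/FQDN@REALM) and which sAMAccountName-based principal to pass instead. The keytab listing, hostname and realm below are constructed; on a real host you would feed it the actual `klist -k` output.

```python
import re

# Constructed sample of `klist -k` output on an AD-joined host (not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYMACHINE$@EXAMPLE.ORG
   2 host/mymachine.example.org@EXAMPLE.ORG
   2 host/MYMACHINE@EXAMPLE.ORG
   2 RestrictedKrbHost/mymachine.example.org@EXAMPLE.ORG
"""

def parse_klist(text):
    """Return the set of principals listed by `klist -k`."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals

def kinit_advice(klist_text, fqdn, realm):
    """Compare what a bare `kinit -k` asks for with what the keytab holds.

    A bare `kinit -k` requests a TGT for host/<fqdn>@<REALM>; AD only accepts
    that as a client name if the computer account's userPrincipalName was set
    to it at join time.  The sAMAccountName (MYMACHINE$) is always accepted.
    """
    principals = parse_klist(klist_text)
    realm = realm.upper()
    default = f"host/{fqdn.lower()}@{realm}"
    sam = fqdn.split(".")[0].upper() + "$"
    machine_principal = f"{sam}@{realm}"
    return {
        "default_principal": default,
        "default_key_in_keytab": default in principals,
        "machine_principal": machine_principal,
        "machine_key_in_keytab": machine_principal in principals,
        # Argument for `kinit -k` when the default fails; quote the `$` in a shell.
        "kinit_argument": sam if machine_principal in principals else None,
    }

if __name__ == "__main__":
    advice = kinit_advice(SAMPLE_KLIST, "mymachine.example.org", "EXAMPLE.ORG")
    for key, value in advice.items():
        print(f"{key}: {value}")
    if advice["kinit_argument"]:
        print(f"\nTry: kinit -k '{advice['kinit_argument']}'")
```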


[SSSD-users] Re: offline auth and system upgrades

2020-07-30 Thread Pavel Březina

On 7/29/20 5:27 PM, xcor...@gmail.com wrote:

> I've been using sssd + AD to do auth for a few years now. Offline
> authentication is enabled and works normally. In that time I've upgraded my
> Ubuntu laptop several times, and each time I noticed that after the update, I
> cannot log in unless I'm on the corp network with direct access to AD. That
> hasn't really been a problem until now. I'm working from home over vpn all the
> time and don't have the option of going in to get on the corp network.
>
> I know the workaround is to use a local account, get on the VPN, authenticate
> with my AD account and populate the cache, but IT doesn't like me creating
> local users and it's a pain. I haven't tried the latest update yet (19.10 ->
> 20.04, sssd currently 2.2.0).
>
> Since something in the upgrade process is presumably destroying the cache, I
> was wondering if there's a "nice" way around this? Ubuntu upgrades for sssd
> seem like they're just upgrading sssd via apt, so I'm wondering why these
> major updates seem to operate differently from minor ones, and if that's
> intentional.


SSSD itself certainly does not destroy any cached content during
updates. We take lots of care to keep the cache working. Even if we make
some incompatible changes to the cache format, we just update it the first
time SSSD is run and no data is thrown away.

Is it possible that Ubuntu removes the old cache as part of the upgrade
process?
