On Tue, Aug 10, 2021 at 03:49:34PM -0400, Jovan Quinones-Morales wrote:
> Hello!
> 
> I am looking at some errors that I have been seeing in some logs specific
> to but not limited to RHEL/CentOS 7.x 8.x and Rocky 8.x (SSSD version
> - sssd-2.4.0-9.el8_4.1.x86_64). All systems are attached to a Windows
> Active Directory domain using 'adcli'.
> 
> The configuration works as expected and seems to see no major problems,
> although it does cause some unnecessary noise in the logs, which prompted
> me to look at it a little further.
> 
> All the logs show the errors that are happening. FYI: Servers are part of a
> forest and it does look like rdns = false.
> 
> Here are all the logs related to the error (if I am missing anything
> please let me know and I will add it in there ASAP! Some logs are
> compressed as it repeats itself over and over again).
> 
> ****Command Used: journalctl -p 4****
> 
> Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972536]][2972536]:
> Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Client 'host/example.cc.cc....@example.domain.com' not found in Kerberos
> database. Unable to create GSSAPI-encrypted LDAP connection.
> Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972537]][2972537]:
> Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Client 'host/example.cc.cc....@example.domain.com' not found in Kerberos
> database. Unable to create GSSAPI-encrypted LDAP connection.
> Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972538]][2972538]:
> Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Client 'host/example.cc.cc....@example.domain.com' not found in Kerberos
> database. Unable to create GSSAPI-encrypted LDAP connection.
> Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972539]][2972539]:
> Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Client 'host/example.cc.cc....@example.domain.com' not found in Kerberos
> database. Unable to create GSSAPI-encrypted LDAP connection.
> Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972540]][2972540]:
> Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]:
> Client 'host/example.cc.cc....@example.domain.com' not found in Kerberos
> database. Unable to create GSSAPI-encrypted LDAP connection.

Hi,

currently I have no idea what makes ldap_child request a ticket for
'host/example.cc.cc....@example.domain.com'. The default for the AD
provider would be 'MYSERVER$@EXAMPLE.DOMAIN.COM', which you also set
explicitly with the ldap_sasl_authid option.

Can you send the full domain logs as well? This might help to identify
why 'host/example.cc.cc....@example.domain.com' is used.

> 
> ****Command Used: journalctl -u sssd****
> 
> Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI
> error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI
> error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI
> error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI
> error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
> Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
> Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
> 
> ****KEYTAB****
> 
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 MYSERVER$@EXAMPLE.DOMAIN.COM
>    2 MYSERVER$@EXAMPLE.DOMAIN.COM
>    2 host/myser...@example.domain.com
>    2 host/myser...@example.domain.com
>    2 host/example.cc.cc....@example.domain.com
>    2 host/example.cc.cc....@example.domain.com
>    2 RestrictedKrbHost/myser...@example.domain.com
>    2 RestrictedKrbHost/myser...@example.domain.com
>    2 RestrictedKrbHost/example.cc.cc....@example.domain.com
>    2 RestrictedKrbHost/example.cc.cc....@example.domain.com
> 
> ****KRB5_CHILD.LOG****
> 
> (2021-08-10 13:59:37): [krb5_child[3051214]] [sss_send_pac] (0x0040):
> sss_pac_make_request failed [-1][2].
> (2021-08-10 13:59:37): [krb5_child[3051214]] [validate_tgt] (0x0040):
> sss_send_pac failed, group membership for user with principal [someuser1\@
> example.domain....@example.domain.com] might not be correct.
> (2021-08-10 14:24:43): [krb5_child[3061023]] [sss_send_pac] (0x0040):
> sss_pac_make_request failed [-1][2].
> (2021-08-10 14:24:43): [krb5_child[3061023]] [validate_tgt] (0x0040):
> sss_send_pac failed, group membership for user with principal [someuser1\@
> example.domain....@example.domain.com] might not be correct.

Most probably the PAC responder is not running. It is not enabled by
default with the AD provider because there are other means to determine
group memberships as well. If you add 'pac' to the 'services' option in
sssd.conf this message should go away. But you can ignore this message
as well; iirc we increased the debug level for these messages in more
recent versions of SSSD.

HTH

bye,
Sumit

> 
> ****LDAP_CHILD.LOG****
> 
> (2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync]
> (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
> (2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync]
> (0x0010): Failed to initialize credentials using keytab
> [MEMORY:/etc/krb5.keytab]: Client 'host/example.cc.cc....@example.domain.com'
> not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP
> connection.
> (2021-08-10 14:28:33): [ldap_child[3063821]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> (2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync]
> (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
> (2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync]
> (0x0010): Failed to initialize credentials using keytab
> [MEMORY:/etc/krb5.keytab]: Client 'host/example.cc.cc....@example.domain.com'
> not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP
> connection.
> (2021-08-10 14:28:33): [ldap_child[3063822]] [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> 
> ****SSSD.CONF****
> 
> [sssd]
> domains = EXAMPLE.domain.com
> config_file_version = 2
> services = nss, pam
> 
> [domain/EXAMPLE.domain.com]
> ad_domain = EXAMPLE.domain.com
> ad_enable_gc = false
> krb5_realm = EXAMPLE.DOMAIN.COM
> krb5_lifetime = 10h
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = true
> ldap_purge_cache_timeout = 0
> realmd_tags = joined-with-adcli, manages-system
> cache_credentials = false
> id_provider = ad
> krb5_store_password_if_offline = true
> default_shell = /bin/bash
> ldap_id_mapping = true
> ldap_sasl_authid = MYSERVER$@EXAMPLE.DOMAIN.COM
> ldap_use_tokengroups = true
> use_fully_qualified_names = false
> fallback_homedir = /home/%d/%u
> access_provider = simple
> Simple_allow_groups = linux_admins
> simple_allow_users = someuser1, someuser2, someuser3
> 
> Thank you so much for your help!
> 
> -- 
> *Jovan Quinones-Morales*
> Linux Operating Systems Analyst
> VCU Infrastructure Services <https://www.ucc.vcu.edu/>
> Technology Services Department
> 804.828.4810
> quinones...@vcu.edu
> 
> *Don't be a phishing victim -- VCU and other reputable organisations will
> never use email to request that you reply with your password, social
> security number or confidential personal information.  For more details,
> visit 
> **https://ts.vcu.edu/about-us/information-security/common-questions/what-is-phishing
> <https://ts.vcu.edu/about-us/information-security/common-questions/what-is-phishing>*

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
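As an added diagnostic example (not part of this thread and not SSSD's own tooling), a small Python script that reads the kind of output posted above: it checks whether the ldap_sasl_authid principal is present in the keytab, reports which client principal ldap_child actually failed with, and notes whether the pac responder is listed in services. The sample inputs are constructed, with the names the archive elided replaced by placeholders.

```python
import re
import configparser
# Constructed inputs modelled on the thread's pasted output; elided names are placeholders.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 host/myserver@EXAMPLE.DOMAIN.COM
   2 host/example.cc.cc.net@EXAMPLE.DOMAIN.COM
"""
SSSD_CONF = """[sssd]
domains = EXAMPLE.domain.com
services = nss, pam

[domain/EXAMPLE.domain.com]
id_provider = ad
ldap_sasl_authid = MYSERVER$@EXAMPLE.DOMAIN.COM
"""
LDAP_CHILD_LOG = ("(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0010): "
                  "Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client "
                  "'host/example.cc.cc.net@EXAMPLE.DOMAIN.COM' not found in Kerberos database.\n")

def keytab_principals(klist_text):
    """Principals listed by 'klist -k': the lines that start with a KVNO number."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", klist_text, re.M)}

def failed_clients(log_text):
    """Client principals that ldap_child reported as not found in the Kerberos database."""
    return set(re.findall(r"Client '([^']+)' not found in Kerberos database", log_text))

def triage(conf_text, klist_text, log_text):
    """Explain the two warning types from the thread as a list of findings."""
    cp = configparser.ConfigParser(interpolation=None)  # '$' in values must not be interpolated
    cp.read_string(conf_text)
    findings = []
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",")]
    if "pac" not in services:
        findings.append("pac responder not in [sssd] services: sss_send_pac warnings are expected")
    keytab = keytab_principals(klist_text)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        authid = cp[section].get("ldap_sasl_authid")
        if authid and authid not in keytab:
            findings.append(f"{section}: ldap_sasl_authid {authid} is not in the keytab")
        for client in sorted(failed_clients(log_text)):
            if client != authid:
                findings.append(f"{section}: ldap_child tried {client} instead of ldap_sasl_authid {authid}")
    return findings
```

Running triage() on the constructed inputs yields two findings: the missing pac responder and the host/ principal that ldap_child used instead of the configured MYSERVER$ identity.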
