Hi all,

I am configuring AD authentication using SSSD + Kerberos on our CentOS 6.7 
cluster. The solution works fine so far, except that we cannot use 
ldap_access_filter.

Whenever I enable ldap_access_filter (adding "filter" to ldap_access_order), all 
SSH logins are denied. The error messages are:

==> /var/log/sssd/ldap_child.log <==
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] 
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [main] (0x0020): 
ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] 
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [main] (0x0020): 
ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] 
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [main] (0x0020): 
ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] 
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [main] (0x0020): 
ldap_child_get_tgt_sync failed.
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] 
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [main] (0x0020): 
ldap_child_get_tgt_sync failed.

But I believe the entry is in the keytab file already:

[root@nerv-geofront ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-crc)
   5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-md5)
   5 host/nerv-geofront.lo...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofront.lo...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofront.lo...@ad.example.edu.au (arcfour-hmac)
   5 host/nerv-geofr...@ad.example.edu.au (des-cbc-crc)
   5 host/nerv-geofr...@ad.example.edu.au (des-cbc-md5)
   5 host/nerv-geofr...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
   5 host/nerv-geofr...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
   5 host/nerv-geofr...@ad.example.edu.au (arcfour-hmac)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)

The error messages above appear only when I enable ldap_access_filter, so I 
think this is related to the Kerberos keytab.

I am testing on sssd 1.12.4, samba 3.6.23.

Any ideas will be appreciated.

Cheers,
Derrick
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
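The log above comes from SSSD's ldap_child, which obtains a TGT from the keytab so the access-control lookup can bind to AD with GSSAPI; if that TGT cannot be obtained, SSSD denies the login rather than skipping the filter check. The script below is an added example, not part of the original post: it reduces `klist -ke` output to the distinct principals and asks the KDC for a TGT with each one, exactly as printed (realm names are case-sensitive to the client, so a case or spelling difference shows up as a failure of that specific entry). It assumes MIT krb5 client tools (klist, kinit, kdestroy) are installed and that the keytab is /etc/krb5.keytab unless $KEYTAB is set; the embedded klist sample uses a hypothetical host and realm and is constructed so the parser can be exercised without a keytab.

```shell
#!/bin/sh
# Added example, not from the original post: try a TGT for every principal in
# the keytab, which is what sssd's ldap_child does before it can search LDAP.
# Assumes MIT krb5 client tools and a keytab at /etc/krb5.keytab ($KEYTAB).
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Constructed sample of `klist -ke` output (hypothetical host and realm),
# used by demo_principals so the parser can run without a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/example-host.ad.example.edu.au@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 host/example-host.ad.example.edu.au@AD.EXAMPLE.EDU.AU (arcfour-hmac)
   5 EXAMPLE-HOST$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 EXAMPLE-HOST$@AD.EXAMPLE.EDU.AU (arcfour-hmac)'

# Reduce `klist -ke` output on stdin to one line per distinct principal:
# skip the two header lines and the dashed rule, take the second field
# (the principal) and drop the per-enctype duplicates with sort -u.
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# Parser demo on the constructed sample; prints the distinct principals.
demo_principals() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
}

# Ask the KDC for a TGT using the keytab key of one principal, passed
# exactly as klist printed it. A throwaway credential cache is used so an
# existing ticket cache on the host is not touched.
check_principal() {
    princ="$1"
    cache="FILE:$(mktemp /tmp/keytab-check.XXXXXX)"
    err="$(mktemp /tmp/keytab-check-err.XXXXXX)"
    if KRB5CCNAME="$cache" kinit -k -t "$KEYTAB" "$princ" 2>"$err"; then
        printf 'OK    %s\n' "$princ"
        rc=0
    else
        printf 'FAIL  %s: %s\n' "$princ" "$(cat "$err")"
        rc=1
    fi
    KRB5CCNAME="$cache" kdestroy 2>/dev/null
    rm -f "${cache#FILE:}" "$err"
    return $rc
}

# Walk the real keytab; exit non-zero if any principal failed to get a TGT.
main() {
    failed=0
    for p in $(klist -ke "$KEYTAB" | keytab_principals); do
        check_principal "$p" || failed=1
    done
    return $failed
}

# Usage: sh keytab-check.sh check    (optionally KEYTAB=/path/to/file)
if [ "${1:-}" = "check" ]; then
    main
fi
```

A FAIL line carries kinit's own error text, so a "Client ... not found in Kerberos database" here points at the specific keytab entry the KDC rejects, while OK on the machine-account principal but FAIL on the host/ ones narrows the problem to the SPN rather than the account.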
