[SSSD-users] Re: SSSD kerberos problem in multiple AD domains

2018-03-12 Thread Sumit Bose
On Mon, Mar 05, 2018 at 04:24:50PM +0100, Roger Martensson wrote:
> I've always used a fully qualified hostname. My example was a cleaned-up
> version and I was too lazy to write subdomain1.example.com.
>
> I've set ad_hostname to the correct hostname. Your question made me take a
> look into other settings and I noticed that the server's hostname had a
> different domain name. But still had the same problems as before.
>
> Increasing debug_level created an amazing amount of rows.  :)
>
> This is my cleaned-up log.
> [[sssd[krb5_child[1926 [validate_tgt] (0x2000): Keytab entry with the
> realm of the credential not found in keytab. Using the last entry.
> 
> [[sssd[krb5_child[1926 [validate_tgt] (0x0020): TGT failed verification
> using key for [RestrictedKrbHost/mycli...@subdomain1.example.com].

ok, so you dropped subdomain1.example.com here as well?

To investigate further, the debug logs with debug_level=9 in the
[domain/..] section are needed; they will e.g. tell which DC sent the
'Server not found in Kerberos database' error code. Feel free to send
the log directly to me if you do not want to share it on the list.

bye,
Sumit

> [[sssd[krb5_child[1926 [get_and_save_tgt] (0x0020): 1581:
> [-1765328377][Server not found in Kerberos database]
> [[sssd[krb5_child[1926 [map_krb5_error] (0x0020): 1657:
> [-1765328377][Server not found in Kerberos database]
> [[sssd[krb5_child[1926 [k5c_send_data] (0x0200): Received error code
> 1432158209
> 
> This is when trying to log in using SSH with use...@subdomain2.example.com.
> With use...@subdomain1.example.com it works.
> 
> [[sssd[krb5_child[2135 [validate_tgt] (0x0400): TGT verified using key
> for [MYCLIENT$@DOMAIN1.EXAMPLE.COM].
> 
> 
> 2018-03-05 16:18 GMT+01:00 Roger Martensson :
> 
> > I've always used a fully qualified hostname. My example was a cleaned-up
> > version and I was too lazy to write subdomain1.example.com.
> >
> > I've set ad_hostname to the correct hostname. Your question made me take a
> > look into other settings and I noticed that the server's hostname had a
> > different domain name. But still had the same problems as before.
> >
> > Increasing debug_level created an amazing amount of rows.  :)
> >
> > This is my cleaned-up log.
> >
> >
> > 2018-03-05 15:35 GMT+01:00 Sumit Bose :
> >
> >> On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
> >> > On 03/05/2018 08:25 AM, Roger Martensson wrote:
> >> > > Sorry about that.. Bleeping send-button-shortcut.
> >> > >
> >> > > Let me continue.
> >> > >
> >> > > Command I use to test: ssh userid@subdomain2@localhost
> >> > >
> >> > > The krb5_child.log contains these error messages:
> >> > > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0400): Attempting kinit
> >> > > for realm [SUBDOMAIN1]
> >> > > [[sssd[krb5_child[5720 [sss_krb5_expire_callback_func] (0x2000):
> >> > > exp_time: [5621224]
> >> > > [[sssd[krb5_child[5720 [validate_tgt] (0x2000): Keytab entry with the
> >> > > realm of the credential not found in keytab. Using the last entry.
> >> > > [[sssd[krb5_child[5720 [validate_tgt] (0x0020): TGT failed verification
> >> > > using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
> >> > > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0020): 1581:
> >> > > [-1765328377][Server not found in Kerberos database]
> >> > > [[sssd[krb5_child[5720 [map_krb5_error] (0x0020): 1657:
> >> > > [-1765328377][Server not found in Kerberos database]
> >> > >
> >> > > I can get it to work using 'krb5_validate = false' but that disables some
> >> > > nice security measure.
> >> > >
> >> > > So.. Anyone that can help me back on track? AKA What did I do wrong this
> >> > > time?
> >> >
> >> > Can you make sure your hostname is fully-qualified?
> >> >
> >> > If it is not currently then you will need to leave the domain, make sure the
> >> > /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
> >> > domain.
> >>
> >> If validation still fails after joining with the fully qualified name
> >> please run SSSD with debug_level=9 in the [domain/...] section. This
> >> will add the full Kerberos trace output to the krb5_child.log files
> >> which will help to identify which step during validation fails.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > -Justin
> >> >
> >> > >
> >> > >
> >> > >
> >> > > 2018-03-05 14:13 GMT+01:00 Roger Martensson <roger.martens...@gmail.com>:
> >> > >
> >> > > > Hi!
> >> > > >
> >> > > > It's me again with multiple domain problems. :)
> >> > > >
> >> > > > I have once again problems with multiple domains. This time with login.
> >> > > > Maybe someone of you could explain to me what I did wrong this time.
> >> > > >
> >> > > > OS: Ubuntu 17.10
> >> > > > SSSD: 1.15.3
> >> > > >
> >> > > > Domain setup: two subdomains, both connected to the same parent domain. Both
> >> > > > subdomains contain users. Most of them only
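The two validate_tgt messages quoted in this thread ("Keytab entry with the realm of the credential not found in keytab. Using the last entry." followed by the failed verification) describe how the validation key is chosen, and the replies point at two things to check: whether the client's hostname is fully qualified and whether /etc/krb5.keytab holds an entry in the realm the user is logging in from. The script below is an added example, not code from the thread or from SSSD; it parses `klist -k` output (the sample keytab listing is constructed, with the principal names used in this thread), applies the selection rule as reconstructed from those log lines (match on realm, else last entry), and reports when a login from another realm would hit the last-entry fallback. The function and variable names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `klist -k` output for a client joined to
# SUBDOMAIN1.EXAMPLE.COM (an assumption for this example; the thread shows only
# the principal names SSSD logged, not the real keytab contents).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYCLIENT$@SUBDOMAIN1.EXAMPLE.COM
   2 host/myclient.subdomain1.example.com@SUBDOMAIN1.EXAMPLE.COM
   2 host/MYCLIENT@SUBDOMAIN1.EXAMPLE.COM
   2 RestrictedKrbHost/myclient.subdomain1.example.com@SUBDOMAIN1.EXAMPLE.COM
"""

# One keytab entry: key version number and principal, in keytab order.
KeytabEntry = Tuple[int, str]

# Entry lines are "<kvno> <principal@REALM>"; header and separator lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text: str) -> List[KeytabEntry]:
    """Parse the entry lines of `klist -k` output, keeping keytab order."""
    entries: List[KeytabEntry] = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return entries


def realm_of(principal: str) -> str:
    """Realm part of a Kerberos principal (text after the last '@')."""
    return principal.rsplit("@", 1)[1]


def pick_validation_key(entries: List[KeytabEntry],
                        credential_realm: str) -> Tuple[Optional[str], bool]:
    """Selection rule reconstructed from the krb5_child.log messages in the
    thread (not SSSD's own code): use a keytab entry whose realm matches the
    realm of the credential; if there is none, fall back to the last entry.
    Returns the chosen principal and whether it was a realm match."""
    for _kvno, principal in entries:
        if realm_of(principal).upper() == credential_realm.upper():
            return principal, True
    if not entries:
        return None, False
    return entries[-1][1], False


def diagnose(entries: List[KeytabEntry], user_principal: str,
             hostname: str) -> Tuple[Optional[str], List[str]]:
    """Report the conditions the replies in the thread point at: a hostname
    that is not fully qualified, and a keytab with no entry in the user's
    realm, which forces the last-entry fallback seen failing in the log."""
    findings: List[str] = []
    if "." not in hostname:
        findings.append(f"hostname '{hostname}' is not fully qualified")
    credential_realm = realm_of(user_principal)
    chosen, matched = pick_validation_key(entries, credential_realm)
    if chosen is None:
        findings.append("keytab contains no entries")
    elif not matched:
        findings.append(
            f"no keytab entry for realm {credential_realm}; TGT validation "
            f"would fall back to the last entry {chosen}")
    return chosen, findings


if __name__ == "__main__":
    keytab = parse_klist(SAMPLE_KLIST)
    for user in ("user@SUBDOMAIN1.EXAMPLE.COM", "user@SUBDOMAIN2.EXAMPLE.COM"):
        chosen, findings = diagnose(keytab, user, "myclient.subdomain1.example.com")
        print(f"{user}: validate with {chosen}")
        for finding in findings:
            print("  !", finding)
```

Run against a real host, the `SAMPLE_KLIST` string would be replaced by the output of `klist -k` on the client; the point of the check is that a user from the second subdomain gets a different answer than a user from the joined domain even though the keytab itself is fine, which is what the thread's log shows.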

[SSSD-users] Re: SSSD kerberos problem in multiple AD domains

2018-03-05 Thread Roger Martensson
I've always used a fully qualified hostname. My example was a cleaned-up
version and I was too lazy to write subdomain1.example.com.

I've set ad_hostname to the correct hostname. Your question made me take a
look into other settings and I noticed that the server's hostname had a
different domain name. But still had the same problems as before.

Increasing debug_level created an amazing amount of rows.  :)

This is my cleaned-up log.
[[sssd[krb5_child[1926 [validate_tgt] (0x2000): Keytab entry with the
realm of the credential not found in keytab. Using the last entry.

[[sssd[krb5_child[1926 [validate_tgt] (0x0020): TGT failed verification
using key for [RestrictedKrbHost/mycli...@subdomain1.example.com].
[[sssd[krb5_child[1926 [get_and_save_tgt] (0x0020): 1581:
[-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[1926 [map_krb5_error] (0x0020): 1657:
[-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[1926 [k5c_send_data] (0x0200): Received error code
1432158209

This is when trying to log in using SSH with use...@subdomain2.example.com.
With use...@subdomain1.example.com it works.

[[sssd[krb5_child[2135 [validate_tgt] (0x0400): TGT verified using key
for [MYCLIENT$@DOMAIN1.EXAMPLE.COM].


2018-03-05 16:18 GMT+01:00 Roger Martensson :

> I've always used a fully qualified hostname. My example was a cleaned-up
> version and I was too lazy to write subdomain1.example.com.
>
> I've set ad_hostname to the correct hostname. Your question made me take a
> look into other settings and I noticed that the server's hostname had a
> different domain name. But still had the same problems as before.
>
> Increasing debug_level created an amazing amount of rows.  :)
>
> This is my cleaned-up log.
>
>
> 2018-03-05 15:35 GMT+01:00 Sumit Bose :
>
>> On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
>> > On 03/05/2018 08:25 AM, Roger Martensson wrote:
>> > > Sorry about that.. Bleeping send-button-shortcut.
>> > >
>> > > Let me continue.
>> > >
>> > > Command I use to test: ssh userid@subdomain2@localhost
>> > >
>> > > The krb5_child.log contains these error messages:
> >> > > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0400): Attempting kinit
> >> > > for realm [SUBDOMAIN1]
> >> > > [[sssd[krb5_child[5720 [sss_krb5_expire_callback_func] (0x2000):
> >> > > exp_time: [5621224]
> >> > > [[sssd[krb5_child[5720 [validate_tgt] (0x2000): Keytab entry with the
> >> > > realm of the credential not found in keytab. Using the last entry.
> >> > > [[sssd[krb5_child[5720 [validate_tgt] (0x0020): TGT failed verification
> >> > > using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
> >> > > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0020): 1581:
> >> > > [-1765328377][Server not found in Kerberos database]
> >> > > [[sssd[krb5_child[5720 [map_krb5_error] (0x0020): 1657:
> >> > > [-1765328377][Server not found in Kerberos database]
> >> > >
> >> > > I can get it to work using 'krb5_validate = false' but that disables some
> >> > > nice security measure.
> >> > >
> >> > > So.. Anyone that can help me back on track? AKA What did I do wrong this
> >> > > time?
>> >
>> > Can you make sure your hostname is fully-qualified?
>> >
> >> > If it is not currently then you will need to leave the domain, make sure the
> >> > /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
> >> > domain.
>>
>> If validation still fails after joining with the fully qualified name
>> please run SSSD with debug_level=9 in the [domain/...] section. This
>> will add the full Kerberos trace output to the krb5_child.log files
>> which will help to identify which step during validation fails.
>>
>> bye,
>> Sumit
>>
>> >
>> > -Justin
>> >
>> > >
>> > >
>> > >
>> > > 2018-03-05 14:13 GMT+01:00 Roger Martensson <
>> roger.martens...@gmail.com>:
>> > >
>> > > > Hi!
>> > > >
>> > > > It's me again with multiple domain problems. :)
>> > > >
> >> > > > I have once again problems with multiple domains. This time with login.
> >> > > > Maybe someone of you could explain to me what I did wrong this time.
> >> > > >
> >> > > > OS: Ubuntu 17.10
> >> > > > SSSD: 1.15.3
> >> > > >
> >> > > > Domain setup: two subdomains, both connected to the same parent domain. Both
> >> > > > subdomains contain users. Most of them are only in one domain, but some
> >> > > > are found in both.
> >> > > >
> >> > > > The client is connected to subdomain1. I can log in with a user on subdomain1.
> >> > > > When logging in to subdomain2 (both using 'su-with-password-prompt' and
> >> > > > 'ssh-to-localhost') I get a System Error 4.
> >> > > >
> >> > > > In the log krb5_child.log (which sssd_domain.log points to) I see these logs
> >> > > > (altered some names).
>> > > >
>> > > >
>> > >
>> > >
>> > >
>> > > ___
>> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> > > To unsubscribe send an email to sssd-users-leave@lists.fedorah
>> 

[SSSD-users] Re: SSSD kerberos problem in multiple AD domains

2018-03-05 Thread Roger Martensson
I've always used a fully qualified hostname. My example was a cleaned-up
version and I was too lazy to write subdomain1.example.com.

I've set ad_hostname to the correct hostname. Your question made me take a
look into other settings and I noticed that the server's hostname had a
different domain name. But still had the same problems as before.

Increasing debug_level created an amazing amount of rows.  :)

This is my cleaned-up log.


2018-03-05 15:35 GMT+01:00 Sumit Bose :

> On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
> > On 03/05/2018 08:25 AM, Roger Martensson wrote:
> > > Sorry about that.. Bleeping send-button-shortcut.
> > >
> > > Let me continue.
> > >
> > > Command I use to test: ssh userid@subdomain2@localhost
> > >
> > > The krb5_child.log contains these error messages:
> > > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0400): Attempting kinit
> > > for realm [SUBDOMAIN1]
> > > [[sssd[krb5_child[5720 [sss_krb5_expire_callback_func] (0x2000):
> > > exp_time: [5621224]
> > > [[sssd[krb5_child[5720 [validate_tgt] (0x2000): Keytab entry with the
> > > realm of the credential not found in keytab. Using the last entry.
> > > [[sssd[krb5_child[5720 [validate_tgt] (0x0020): TGT failed verification
> > > using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
> > > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0020): 1581:
> > > [-1765328377][Server not found in Kerberos database]
> > > [[sssd[krb5_child[5720 [map_krb5_error] (0x0020): 1657:
> > > [-1765328377][Server not found in Kerberos database]
> > >
> > > I can get it to work using 'krb5_validate = false' but that disables some
> > > nice security measure.
> > >
> > > So.. Anyone that can help me back on track? AKA What did I do wrong this
> > > time?
> >
> > Can you make sure your hostname is fully-qualified?
> >
> > If it is not currently then you will need to leave the domain, make sure the
> > /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
> > domain.
>
> If validation still fails after joining with the fully qualified name
> please run SSSD with debug_level=9 in the [domain/...] section. This
> will add the full Kerberos trace output to the krb5_child.log files
> which will help to identify which step during validation fails.
>
> bye,
> Sumit
>
> >
> > -Justin
> >
> > >
> > >
> > >
> > > 2018-03-05 14:13 GMT+01:00 Roger Martensson <roger.martens...@gmail.com>:
> > >
> > > > Hi!
> > > >
> > > > It's me again with multiple domain problems. :)
> > > >
> > > > I have once again problems with multiple domains. This time with login.
> > > > Maybe someone of you could explain to me what I did wrong this time.
> > > >
> > > > OS: Ubuntu 17.10
> > > > SSSD: 1.15.3
> > > >
> > > > Domain setup: two subdomains, both connected to the same parent domain. Both
> > > > subdomains contain users. Most of them are only in one domain, but some
> > > > are found in both.
> > > >
> > > > The client is connected to subdomain1. I can log in with a user on subdomain1.
> > > > When logging in to subdomain2 (both using 'su-with-password-prompt' and
> > > > 'ssh-to-localhost') I get a System Error 4.
> > > >
> > > > In the log krb5_child.log (which sssd_domain.log points to) I see these logs
> > > > (altered some names).
> > > >
> > > >
> > >
> > >
> > >


[SSSD-users] Re: SSSD kerberos problem in multiple AD domains

2018-03-05 Thread Sumit Bose
On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
> On 03/05/2018 08:25 AM, Roger Martensson wrote:
> > Sorry about that.. Bleeping send-button-shortcut.
> > 
> > Let me continue.
> > 
> > Command I use to test: ssh userid@subdomain2@localhost
> > 
> > The krb5_child.log contains these error messages:
> > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0400): Attempting kinit
> > for realm [SUBDOMAIN1]
> > [[sssd[krb5_child[5720 [sss_krb5_expire_callback_func] (0x2000):
> > exp_time: [5621224]
> > [[sssd[krb5_child[5720 [validate_tgt] (0x2000): Keytab entry with the
> > realm of the credential not found in keytab. Using the last entry.
> > [[sssd[krb5_child[5720 [validate_tgt] (0x0020): TGT failed verification
> > using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
> > [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0020): 1581:
> > [-1765328377][Server not found in Kerberos database]
> > [[sssd[krb5_child[5720 [map_krb5_error] (0x0020): 1657:
> > [-1765328377][Server not found in Kerberos database]
> > 
> > I can get it to work using 'krb5_validate = false' but that disables some
> > nice security measure.
> > 
> > So.. Anyone that can help me back on track? AKA What did I do wrong this
> > time?
> 
> Can you make sure your hostname is fully-qualified?
> 
> If it is not currently then you will need to leave the domain, make sure the
> /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
> domain.

If validation still fails after joining with the fully qualified name
please run SSSD with debug_level=9 in the [domain/...] section. This
will add the full Kerberos trace output to the krb5_child.log files
which will help to identify which step during validation fails.

bye,
Sumit

> 
> -Justin
> 
> > 
> > 
> > 
> > 2018-03-05 14:13 GMT+01:00 Roger Martensson :
> > 
> > > Hi!
> > > 
> > > It's me again with multiple domain problems. :)
> > > 
> > > I have once again problems with multiple domains. This time with login.
> > > Maybe someone of you could explain to me what I did wrong this time.
> > >
> > > OS: Ubuntu 17.10
> > > SSSD: 1.15.3
> > >
> > > Domain setup: two subdomains, both connected to the same parent domain. Both
> > > subdomains contain users. Most of them are only in one domain, but some
> > > are found in both.
> > >
> > > The client is connected to subdomain1. I can log in with a user on subdomain1.
> > > When logging in to subdomain2 (both using 'su-with-password-prompt' and
> > > 'ssh-to-localhost') I get a System Error 4.
> > >
> > > In the log krb5_child.log (which sssd_domain.log points to) I see these logs
> > > (altered some names).
> > > 
> > > 
> > 
> > 
> > 


[SSSD-users] Re: SSSD kerberos problem in multiple AD domains

2018-03-05 Thread Justin Stephenson

On 03/05/2018 08:25 AM, Roger Martensson wrote:

Sorry about that.. Bleeping send-button-shortcut.

Let me continue.

Command I use to test: ssh userid@subdomain2@localhost

The krb5_child.log contains these error messages:
[[sssd[krb5_child[5720 [get_and_save_tgt] (0x0400): Attempting kinit
for realm [SUBDOMAIN1]
[[sssd[krb5_child[5720 [sss_krb5_expire_callback_func] (0x2000):
exp_time: [5621224]
[[sssd[krb5_child[5720 [validate_tgt] (0x2000): Keytab entry with the
realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[5720 [validate_tgt] (0x0020): TGT failed verification
using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
[[sssd[krb5_child[5720 [get_and_save_tgt] (0x0020): 1581:
[-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[5720 [map_krb5_error] (0x0020): 1657:
[-1765328377][Server not found in Kerberos database]

I can get it to work using 'krb5_validate = false' but that disables some
nice security measure.

So.. Anyone that can help me back on track? AKA What did I do wrong this
time?


Can you make sure your hostname is fully-qualified?

If it is not currently then you will need to leave the domain, make sure 
the /etc/krb5.keytab is removed, set the fully-qualified name and rejoin 
the domain.


-Justin


2018-03-05 14:13 GMT+01:00 Roger Martensson :

Hi!

It's me again with multiple domain problems. :)

I have once again problems with multiple domains. This time with login.
Maybe someone of you could explain to me what I did wrong this time.

OS: Ubuntu 17.10
SSSD: 1.15.3

Domain setup: two subdomains, both connected to the same parent domain. Both
subdomains contain users. Most of them are only in one domain, but some
are found in both.

The client is connected to subdomain1. I can log in with a user on subdomain1.
When logging in to subdomain2 (both using 'su-with-password-prompt' and
'ssh-to-localhost') I get a System Error 4.

In the log krb5_child.log (which sssd_domain.log points to) I see these logs
(altered some names).








[SSSD-users] Re: SSSD kerberos problem in multiple AD domains

2018-03-05 Thread Roger Martensson
Sorry about that.. Bleeping send-button-shortcut.

Let me continue.

Command I use to test: ssh userid@subdomain2@localhost

The krb5_child.log contains these error messages:
[[sssd[krb5_child[5720 [get_and_save_tgt] (0x0400): Attempting kinit
for realm [SUBDOMAIN1]
[[sssd[krb5_child[5720 [sss_krb5_expire_callback_func] (0x2000):
exp_time: [5621224]
[[sssd[krb5_child[5720 [validate_tgt] (0x2000): Keytab entry with the
realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[5720 [validate_tgt] (0x0020): TGT failed verification
using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
[[sssd[krb5_child[5720 [get_and_save_tgt] (0x0020): 1581:
[-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[5720 [map_krb5_error] (0x0020): 1657:
[-1765328377][Server not found in Kerberos database]

I can get it to work using 'krb5_validate = false' but that disables some
nice security measure.

So.. Anyone that can help me back on track? AKA What did I do wrong this
time?



2018-03-05 14:13 GMT+01:00 Roger Martensson :

> Hi!
>
> It's me again with multiple domain problems. :)
>
> I have once again problems with multiple domains. This time with login.
> Maybe someone of you could explain to me what I did wrong this time.
>
> OS: Ubuntu 17.10
> SSSD: 1.15.3
>
> Domain setup: two subdomains, both connected to the same parent domain. Both
> subdomains contain users. Most of them are only in one domain, but some
> are found in both.
>
> The client is connected to subdomain1. I can log in with a user on subdomain1.
> When logging in to subdomain2 (both using 'su-with-password-prompt' and
> 'ssh-to-localhost') I get a System Error 4.
>
> In the log krb5_child.log (which sssd_domain.log points to) I see these logs
> (altered some names).