[SSSD-users] Re: SSSD kerberos problem in multiple AD domains
On Mon, Mar 05, 2018 at 04:24:50PM +0100, Roger Martensson wrote:
> I've always used a fully qualified hostname. My example was a cleaned-up
> version and I was too lazy to write subdomain1.example.com.
>
> I've set ad_hostname to the correct hostname. Your question made me take a
> look into other settings and I noticed that the server's hostname had a
> different domain name. But still had the same problems as before.
>
> Increasing debug_level created an amazing amount of rows. :)
>
> This is my cleaned-up log.
> [[sssd[krb5_child[1926]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
> [[sssd[krb5_child[1926]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/mycli...@subdomain1.example.com].

ok, so you dropped subdomain1.example.com here as well?

To investigate further the debug logs with debug_level=9 in the [domain/..]
section are needed which e.g. will tell which DC sent the 'Server not found
in Kerberos database' error code.

Feel free to send the log directly to me if you do not want to share it on
the list.

bye,
Sumit

> [[sssd[krb5_child[1926]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
> [[sssd[krb5_child[1926]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
> [[sssd[krb5_child[1926]]]] [k5c_send_data] (0x0200): Received error code 1432158209
>
> This is when trying to login using SSH with use...@subdomain2.example.com.
> With use...@subdomain1.example.com it works.
>
> [[sssd[krb5_child[2135]]]] [validate_tgt] (0x0400): TGT verified using key for [MYCLIENT$@DOMAIN1.EXAMPLE.COM].
[SSSD-users] Re: SSSD kerberos problem in multiple AD domains
I've always used a fully qualified hostname. My example was a cleaned-up
version and I was too lazy to write subdomain1.example.com.

I've set ad_hostname to the correct hostname. Your question made me take a
look into other settings and I noticed that the server's hostname had a
different domain name. But still had the same problems as before.

Increasing debug_level created an amazing amount of rows. :)

This is my cleaned-up log.

[[sssd[krb5_child[1926]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[1926]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/mycli...@subdomain1.example.com].
[[sssd[krb5_child[1926]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[1926]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[1926]]]] [k5c_send_data] (0x0200): Received error code 1432158209

This is when trying to login using SSH with use...@subdomain2.example.com.
With use...@subdomain1.example.com it works.

[[sssd[krb5_child[2135]]]] [validate_tgt] (0x0400): TGT verified using key for [MYCLIENT$@DOMAIN1.EXAMPLE.COM].
[SSSD-users] Re: SSSD kerberos problem in multiple AD domains
I've always used a fully qualified hostname. My example was a cleaned-up
version and I was too lazy to write subdomain1.example.com.

I've set ad_hostname to the correct hostname. Your question made me take a
look into other settings and I noticed that the server's hostname had a
different domain name. But still had the same problems as before.

Increasing debug_level created an amazing amount of rows. :)

This is my cleaned-up log.
[SSSD-users] Re: SSSD kerberos problem in multiple AD domains
On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
> Can you make sure your hostname is fully-qualified?
>
> If it is not currently then you will need to leave the domain, make sure the
> /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
> domain.

If validation still fails after joining with the fully qualified name
please run SSSD with debug_level=9 in the [domain/...] section. This
will add the full Kerberos trace output to the krb5_child.log files
which will help to identify which step during validation fails.

bye,
Sumit
[SSSD-users] Re: SSSD kerberos problem in multiple AD domains
On 03/05/2018 08:25 AM, Roger Martensson wrote:
> I can get it to work using 'krb5_validate = false' but that disables some
> nice security measure.
>
> So.. Anyone that can help me back on track? AKA What did I do wrong this
> time?

Can you make sure your hostname is fully-qualified?

If it is not currently then you will need to leave the domain, make sure the
/etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
domain.

-Justin
[SSSD-users] Re: SSSD kerberos problem in multiple AD domains
Sorry about that.. Bleeping send-button-shortcut.

Let me continue.

Command I use to test: ssh userid@subdomain2@localhost

The krb5_child.log contains these error messages:
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [SUBDOMAIN1]
[[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [5621224]
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]

I can get it to work using 'krb5_validate = false' but that disables some
nice security measure.

So.. Anyone that can help me back on track? AKA What did I do wrong this
time?

2018-03-05 14:13 GMT+01:00 Roger Martensson:
> Hi!
>
> It's me again with multiple domain problems. :)
>
> I have once again problems with multiple domains. This time with login.
> Maybe someone of you could explain to me what I did wrong this time.
>
> OS: Ubuntu 17.10
> SSSD: 1.15.3
>
> Domain setup: two subdomains, both connected to the same parent domain. Both
> subdomains contain users. Most of them only contain one domain but some
> are found in both.
>
> Client is connected to subdomain1. I can login with a user on subdomain 1.
> When logging in to subdomain2 (both using 'su-with-password-prompt' and
> 'ssh-to-localhost') I get a System Error 4.
>
> In the log krb5_child.log (which sssd_domain.log points to) I see these logs.
> (altered some names)

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
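A small checker for the krb5_child.log lines quoted in this thread, added here as an example and not SSSD's own code: it groups lines by krb5_child PID, records whether validate_tgt had to fall back to the last keytab entry, which keytab principal the TGT was checked against, and which krb5 error came back, and names -1765328377 as KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The sample lines are constructed from the post's excerpt (with the closing brackets that the archive dropped restored), and the regexes are assumptions about the 1.15 log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's krb5_child.log excerpt (names already altered in the post).
SAMPLE_LOG = """\
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [SUBDOMAIN1]
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[2135]]]] [validate_tgt] (0x0400): TGT verified using key for [MYCLIENT$@DOMAIN1.EXAMPLE.COM].
"""
KRB5_ERRORS = {-1765328377: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"}  # MIT krb5 com_err value
LINE_RE = re.compile(r"krb5_child\[(?P<pid>\d+).*?\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REALM_RE = re.compile(r"Attempting kinit for realm \[(?P<realm>[^\]]+)\]")
KEY_RE = re.compile(r"TGT (?P<result>verified|failed verification) using key for \[(?P<princ>[^\]]+)\]")
ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
FALLBACK_MSG = "realm of the credential not found in keytab"


@dataclass
class Attempt:
    pid: str                               # one krb5_child process = one authentication attempt
    realm: Optional[str] = None            # realm krb5_child tried kinit against
    keytab_fallback: bool = False          # no keytab entry for that realm, "last entry" used
    key_principal: Optional[str] = None    # keytab principal used for TGT validation
    verified: Optional[bool] = None        # None if no validate_tgt verdict was logged
    krb5_code: Optional[int] = None
    krb5_text: Optional[str] = None


def parse_krb5_child_log(text: str) -> Dict[str, Attempt]:
    """Group krb5_child.log lines by PID and pull out the validation-relevant fields."""
    attempts: Dict[str, Attempt] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        a = attempts.setdefault(m["pid"], Attempt(m["pid"]))
        msg = m["msg"]
        realm = REALM_RE.search(msg)
        if realm:
            a.realm = realm["realm"]
        if FALLBACK_MSG in msg:
            a.keytab_fallback = True
        key = KEY_RE.search(msg)
        if key:
            a.key_principal = key["princ"]
            a.verified = key["result"] == "verified"
        err = ERR_RE.search(msg)
        if err and a.krb5_code is None:    # keep the first error; map_krb5_error repeats it
            a.krb5_code = int(err["code"])
            a.krb5_text = err["text"]
    return attempts


def diagnose(a: Attempt) -> List[str]:
    """Findings for one attempt; an empty list means TGT validation looked healthy."""
    findings: List[str] = []
    if a.keytab_fallback:
        findings.append("no keytab entry for realm %s; validated with %s instead" % (a.realm, a.key_principal))
    if a.verified is False:
        name = KRB5_ERRORS.get(a.krb5_code, "unmapped krb5 code")
        findings.append("TGT validation failed: %s (%s, %s)" % (a.krb5_text, a.krb5_code, name))
    return findings
```

Feed the contents of the real krb5_child.log to parse_krb5_child_log and run diagnose on each attempt; an attempt that reports both the keytab fallback and a failed verification is the pattern this thread shows.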