On Thu, 24 Nov 2011, Josh Geisser wrote:

> Sorry was a bit too fast in replying: first you already documented the
> verification steps (sorry), second I broke it again :)
>
> And I'm back in a state of confusion: 
> If the keytab is written and krb5.conf is good, I should be able to verify
> this with "kinit", not?

Yes.

> I re-setup that machine and wanted to rejoin it, so I removed it from the AD
> via Users&Computer and a dead-body entry from the LDAP
> (CN=pontus,CN=Computers,DC=example,DC=com).

You can also do "net ads leave" from the machine itself.

> Then I did a  net ads join  which succeeded with keytab generated:
> # klist -kte
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- -----------------------------------------------------
>   2 11/24/11 23:48:24 host/pontus.example....@example.com (des-cbc-crc)
>   2 11/24/11 23:48:25 host/pontus.example....@example.com (des-cbc-md5)
>   2 11/24/11 23:48:25 host/pontus.example....@example.com (arcfour-hmac)
>   2 11/24/11 23:48:25 host/pon...@example.com (des-cbc-crc)
>   2 11/24/11 23:48:25 host/pon...@example.com (des-cbc-md5)
>   2 11/24/11 23:48:25 host/pon...@example.com (arcfour-hmac)
>   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-crc)
>   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-md5)
>   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (arcfour-hmac)

Yep, looks normal.

> But using this ticket now fails, in sssd and also with kinit, both with
> 'cred. not found':
>
> # kinit -V -k -t /etc/krb5.keytab host/pontus.example....@example.com
> Using default cache: /tmp/krb5cc_0
> Using principal: host/pontus.example....@example.com
> Using keytab: /etc/krb5.keytab
> kinit: Client 'host/pontus.example....@example.com' not found in Kerberos 
> database while getting initial credentials

If you do a net ads join without any other parameters, the credential that'll
work is the PONTUS$ cred, not the others.

So "kinit -k PONTUS$" should work.

> SSSD: (Thu Nov 24 23:54:03 2011) [[sssd[ldap_child[931]]]]
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> 'host/pon...@example.com' not found in Kerberos database
>
> Principal is listed in "klist", but not found by "kinit"? What did I do wrong 
> this time?

Are you running 1.5 or 1.6?  If you're running 1.6 I'd have expected this to
work as long as you'd not specified which principal to use in your sssd.conf.
If you're running 1.5, you should be specifying to use the PONTUS$ cred.

Entries in the keytab can be userPrincipals or servicePrincipals.  A service
principal is basically a receptor, and you can't generate a TGT from it (which
is what kinit does).  When you join to AD you can control what userPrincipal is
created.  AFAIK HOSTNAME$ is always a user principal, but you can also make
another one a user principal using createupn=blah.

jh
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
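[Added example, not part of the thread above: a small POSIX shell helper that lists the distinct principals in a keytab, classifies each by the rule of thumb in the reply (no "/" component, such as HOSTNAME$@REALM, is a user principal; service/host@REALM is a service principal unless the join created a UPN for it), and optionally tries "kinit -k" for each one into a throwaway cache so you can see which entry actually yields a TGT. It assumes the MIT Kerberos client tools (klist, kinit, kdestroy, mktemp). The embedded klist output is constructed for offline testing with a hypothetical host "pontus" in realm EXAMPLE.COM; it is not the poster's keytab.]

```shell
# Added example (not from the original post): enumerate the principals in a
# keytab and check which of them can obtain a TGT with kinit -k.
# Assumptions: MIT Kerberos client tools (klist, kinit, kdestroy); the
# sample below is constructed with a hypothetical host "pontus" in realm
# EXAMPLE.COM, not copied from the post.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Constructed sample of `klist -kte` output, used to exercise the parser offline.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   2 11/24/11 23:48:24 host/pontus.example.com@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 host/pontus.example.com@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (arcfour-hmac)'

# Read `klist -kte` text on stdin; print each distinct principal once.
# Entry lines start with a numeric KVNO; the principal is the 4th field
# (KVNO, date, time, principal, enctype).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Rule of thumb from the reply: a principal with no "/" component
# (e.g. HOSTNAME$@REALM, the machine account) is a user principal and can
# get a TGT; "service/host@REALM" entries are service principals unless
# the join created a UPN for them (createupn=...). Prints "user" or "service".
classify_principal() {
    case "$1" in
        */*) echo service ;;
        *)   echo user ;;
    esac
}

# Try to get a TGT for one principal from the keytab into a throwaway
# cache. Prints "ok" or "fail"; never touches the caller's credential cache.
try_kinit() {
    princ="$1"
    cache="$(mktemp)"
    if KRB5CCNAME="FILE:$cache" kinit -k -t "$KEYTAB" "$princ" >/dev/null 2>&1; then
        KRB5CCNAME="FILE:$cache" kdestroy >/dev/null 2>&1 || true
        rm -f "$cache"
        echo ok
    else
        rm -f "$cache"
        echo fail
    fi
}

# Probe the live keytab: one line per principal with its class and kinit result.
probe_keytab() {
    klist -kte "$KEYTAB" | keytab_principals | while IFS= read -r princ; do
        printf '%-8s %-5s %s\n' "$(classify_principal "$princ")" \
            "$(try_kinit "$princ")" "$princ"
    done
}

# Run the probe only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--probe" ]; then
    command -v kinit >/dev/null 2>&1 || { echo "kinit not found" >&2; exit 1; }
    probe_keytab
fi
```

Run it as root with "--probe" on the joined machine (KEYTAB=/path/to/other.keytab to point it elsewhere); with a default "net ads join" you should see "ok" only against the HOSTNAME$ entry, which is the one to put in sssd.conf (or to leave unspecified on 1.6) rather than the host/... service principal.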
