Hi All,
I'm after some help tracking this problem down. I am seeing 
this from a few different OSes, all in the same AD realm: CentOS 6.4, SLES 
11 SP3 and openSUSE 13.1 (all running sssd 1.9.x) and SLES 11 SP2 (running 
sssd 1.5.11). The LDAP side of things seems to be working OK, as getent passwd 
returns what I expect. The Kerberos side is not, although kinit as a user 
works:

client:/var/log/sssd # kinit user
Password for [email protected]:
client:/var/log/sssd #

It looks like the realm is being truncated somehow: DOM.COMPANY.COM is 
becoming COMPANY.COM for the Kerberos lookups, and no KDC is configured for 
that realm. I see this in the krb5_child.log file:

(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): 
krb5_child started.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] 
(0x1000): total buffer size: [104]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] 
(0x0100): cmd [241] uid [67657] gid [67657] validate [false] offline [false]
UPN [[email protected]]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] 
(0x0100): ccname: [FILE:/tmp/krb5cc_67657_XXXXXX] keytab: [/etc/krb5.keytab]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] 
(0x0400): Will perform online auth
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] 
[sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] 
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] 
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_set_canonicalize] 
(0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] 
[sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal 
canonicalization
is not available!
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] 
(0x0100): Not using FAST.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [tgt_req_child] 
(0x1000): Attempting to get a TGT
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] 
[sss_krb5_get_init_creds_opt_set_expire_callback] (0x0200): 
krb5_get_init_creds_opt_set_expire_callback not available.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] 
(0x0400): Attempting kinit for realm [COMPANY.COM]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] 
(0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [kerr_handle_error] 
(0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] 
[prepare_response_message] (0x0400): Building response for result [-1765328230]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [pack_response_packet] 
(0x2000): response packet size: [48]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sendresponse] (0x4000): 
Response sent.
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): 
krb5_child completed successfully

sssd.conf:
[sssd]
# Monitor process settings: which responders run and which domain section
# (below) they serve.
config_file_version = 2
# Maximum verbosity for this troubleshooting session; lower it once resolved.
debug_level = 10
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam
# Must match the [domain/...] section name below.
domains = DOM.COMPANY.COM

[nss]
# Never resolve root through SSSD, so a directory entry named "root" cannot
# shadow the local account.
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
# Maximum verbosity for this troubleshooting session; lower it once resolved.
debug_level = 10
# Days a cached password hash stays usable for offline logins. Only relevant
# when a domain sets cache_credentials = true; the domain below has it false.
offline_credentials_expiration = 3

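[domain/DOM.COMPANY.COM]
# Identity from AD over LDAP (GSSAPI-bound with the host keytab),
# authentication via Kerberos against the same realm.
# Maximum verbosity for this troubleshooting session; lower it once resolved.
debug_level = 10
# Never resolve root through SSSD, so a directory entry named "root" cannot
# shadow the local account.
filter_groups = root
filter_users = root
description = LDAP domain with AD server
# No offline logins: password hashes are never cached on the client.
cache_credentials = false
enumerate = false
# Ignore directory entries with uid/gid below this value; local accounts
# stay local.
min_id = 65537
# Fixed the host name pasted as "dom.comany.com" so it matches every other
# reference to the domain in this file. Plain ldap:// is acceptable here
# because the GSSAPI bind below negotiates a SASL security layer.
ldap_uri = ldap://dc1.dom.company.com
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
# (address redacted in the paste)
ldap_sasl_authid = [email protected]
ldap_search_base = dc=dom,dc=company,dc=com
ldap_schema = rfc2307bis
id_provider = ldap
ldap_user_search_base = ou=People,dc=dom,dc=company,dc=com
ldap_group_search_base = ou=Groups,dc=dom,dc=company,dc=com
ldap_group_name = msSFU30Name
ldap_group_nesting_level = 5
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
# NOTE(review): krb5_child.log shows the UPN being read and then
# "Attempting kinit for realm [COMPANY.COM]" rather than krb5_realm, so the
# realm looks like it is taken from the userPrincipalName suffix, which in
# AD need not equal the Kerberos realm. Confirm the UPN suffix of the
# affected users; if it is company.com, the sssd-ldap man page for the
# installed version describes how the principal is built when this
# attribute is absent from the user entry.
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
# Uppercases the realm part of the principal taken from the UPN attribute.
ldap_force_upper_case_realm = true
auth_provider = krb5
krb5_realm = DOM.COMPANY.COM
# NOTE(review): krb5.conf names dc1.dom.company.com as the KDC; confirm that
# dc.dom.company.com here is intentional and not a second typo.
krb5_server = dc.dom.company.com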


krb5.conf:
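[libdefaults]
# Permitted clock difference to the KDC, in seconds.
        clockskew = 300
        default_realm = DOM.COMPANY.COM
# KDCs and host-to-realm mapping are configured statically below, not via DNS.
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
# DES-CBC-CRC and DES-CBC-MD5 removed: single DES is broken, and MIT krb5 >= 1.7
# refuses it by default unless allow_weak_crypto is set, so listing it was
# either ineffective or actively weakening the tickets. AES is offered first;
# rc4-hmac is kept last only for domain controllers that cannot issue AES keys.
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
# NOTE(review): preferred_enctypes is not a documented MIT libdefaults key as
# far as I can tell (permitted_enctypes is); confirm which library reads this
# file before relying on it.
        preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac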

[realms]
# Static endpoints for the only configured realm. There is no entry for
# COMPANY.COM, and dns_lookup_kdc is false, so the request for that realm seen
# in krb5_child.log can only fail with "Cannot find KDC for requested realm".
        DOM.COMPANY.COM = {
                default_domain = dom.company.com
                admin_server = dc1.dom.company.com
                kpasswd_server = dc1.dom.company.com
# Single KDC; no failover if dc1 is unreachable.
                kdc = dc1.dom.company.com
        }

[domain_realm]
# Maps host names under dom.company.com (and the bare domain) to the realm
# when requesting service tickets.
        .dom.company.com = DOM.COMPANY.COM
        dom.company.com = DOM.COMPANY.COM

[logging]
# Library messages go to syslog at priority NOTICE, facility DAEMON.
        default = SYSLOG:NOTICE:DAEMON

[appdefaults]
# NOTE(review): presumably read by pam_krb5 rather than by SSSD's PAM module;
# confirm which module is actually in the PAM stack, as this stanza has no
# effect on sssd's krb5_child.
        pam = {
# Shorter lifetimes than [libdefaults] for tickets obtained at login.
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                debug = true
# Kerberos 4 conversion; obsolete and harmless to leave disabled.
                krb4_convert = false
        }

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
