On Thu, Nov 28, 2013 at 08:54:40AM +0000, [email protected] wrote:
> Hi All,
> I'm after some help tracking this problem down. I am seeing
> this from a few different OSes all with the same AD realm: CentOS 6.4, SLES
> 11SP3 and opensuse 13.1 all of which run sssd 1.9.x and SLES 11 SP2 running
> sssd 1.5.11. The ldap side of things seems to be working OK as getent passwd
> is returning what I expect. The kerberos side of things is not, although
> kinit as a user works:
>
> client:/var/log/sssd # kinit user
> Password for [email protected]:
> client:/var/log/sssd #
>
> It looks like the realm is being truncated somehow so DOM.COMPANY.COM is
> getting truncated to COMPANY.COM for the kerberos lookups. I see this in the
> krb5_child.log file:
>
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): krb5_child started.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x1000): total buffer size: [104]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x0100): cmd [241] uid [67657] gid [67657] validate [false] offline [false] UPN [[email protected]]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_67657_XXXXXX] keytab: [/etc/krb5.keytab]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0400): Will perform online auth
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Not using FAST.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (0x0200): krb5_get_init_creds_opt_set_expire_callback not available.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [COMPANY.COM]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [prepare_response_message] (0x0400): Building response for result [-1765328230]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [pack_response_packet] (0x2000): response packet size: [48]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sendresponse] (0x4000): Response sent.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): krb5_child completed successfully

Can you check what is the content of userPrincipalName attribute of the user or the user principal in AD?

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
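
An added example, not part of the thread and not sssd code: a small parser for krb5_child.log lines in the format quoted above. For each krb5_child PID it compares the realm in the UPN that was unpacked with the realm kinit was attempted for, which shows whether the shorter realm was already present in the UPN handed to krb5_child. The function name `realm_report` is hypothetical, the expected realm DOM.COMPANY.COM is taken from the thread, and the UPN values in the sample are constructed because the original address is redacted.

```python
import re

# Line layout of krb5_child.log as quoted in the thread:
# (timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message
LINE = re.compile(r"^\([^)]*\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
                  r"\[\w+\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
UPN = re.compile(r"UPN \[[^\]@]+@([^\]]+)\]")
KINIT = re.compile(r"Attempting kinit for realm \[([^\]]+)\]")
ERROR = re.compile(r"^\d+: \[(-?\d+)\]\[(.*)\]$")

def realm_report(log_text, expected_realm):
    """Per krb5_child PID: realm in the UPN, realm used for kinit, errors, verdict."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and blanks are skipped
        run = runs.setdefault(m["pid"], {"upn_realm": None, "kinit_realm": None, "errors": []})
        msg = m["msg"]
        if (u := UPN.search(msg)):
            run["upn_realm"] = u.group(1)
        elif (k := KINIT.search(msg)):
            run["kinit_realm"] = k.group(1)
        elif (e := ERROR.match(msg)) and e.group(2) not in run["errors"]:
            run["errors"].append(e.group(2))  # same error is logged by two functions
    for run in runs.values():
        if run["upn_realm"] != expected_realm:
            run["verdict"] = "UPN realm missing or differs: check userPrincipalName in the directory"
        elif run["kinit_realm"] != expected_realm:
            run["verdict"] = "realm changed between unpack_buffer and kinit"
        else:
            run["verdict"] = "realms match"
    return runs

# Constructed sample in the thread's log format. The UPN values are made up,
# and PID 24950 is an invented second run for contrast.
SAMPLE = """\
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x0100): cmd [241] uid [67657] gid [67657] validate [false] offline [false] UPN [user@COMPANY.COM]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [COMPANY.COM]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
(Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
(Thu Nov 28 18:20:02 2013) [[sssd[krb5_child[24950]]]] [unpack_buffer] (0x0100): cmd [241] uid [67657] gid [67657] validate [false] offline [false] UPN [user@DOM.COMPANY.COM]
(Thu Nov 28 18:20:02 2013) [[sssd[krb5_child[24950]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOM.COMPANY.COM]
"""

if __name__ == "__main__":
    for pid, run in realm_report(SAMPLE, "DOM.COMPANY.COM").items():
        print(pid, run)
```

Log lines that mail clients have wrapped must be rejoined to one entry per line before parsing, since continuation fragments do not match the line pattern and are skipped.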
