On Thu, Nov 28, 2013 at 08:54:40AM +0000, [email protected] wrote:
> Hi All,
> I'm after some help tracking this problem down. I am seeing
> this from a few different OSes all with the same AD realm: CentOS 6.4, SLES
> 11SP3 and opensuse 13.1 all of which run sssd 1.9.x and SLES 11 SP2 running
> sssd 1.5.11. The ldap side of things seems to be working OK as getent passwd
> is returning what I expect. The kerberos side of things is not, although
> kinit as a user works:
>
> client:/var/log/sssd # kinit user
> Password for [email protected]:
> client:/var/log/sssd #
>
> It looks like the realm is being truncated somehow so DOM.COMPANY.COM is
> getting truncated to COMPANY.COM for the kerberos lookups. I see this in the
> krb5_child.log file:
My wild guess is that the userPrincipalName LDAP attribute in your AD contains
something like '[email protected]'. If this attribute is found SSSD prefers
the content over a generated principal (given user name + configured realm).
To avoid this you can set ldap_user_principal in sssd.conf to a non-existing
attribute name, e.g.

    ldap_user_principal = blablabla

Nevertheless the principal from userPrincipalName should in general work as
well (at least with recent versions of SSSD). You have to switch on enterprise
principals and canonicalization and set 'dns_lookup_kdc = true' in krb5.conf.

HTH

bye,
Sumit

>
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): krb5_child started.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x1000): total buffer size: [104]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x0100): cmd [241] uid [67657] gid [67657] validate [false] offline [false] UPN [[email protected]]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_67657_XXXXXX] keytab: [/etc/krb5.keytab]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0400): Will perform online auth
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_child_set_krb5_tracing] (0x0100): krb5 tracing is not available
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [krb5_child_setup] (0x0100): Not using FAST.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sss_krb5_get_init_creds_opt_set_expire_callback] (0x0200): krb5_get_init_creds_opt_set_expire_callback not available.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [COMPANY.COM]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [prepare_response_message] (0x0400): Building response for result [-1765328230]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [pack_response_packet] (0x2000): response packet size: [48]
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [sendresponse] (0x4000): Response sent.
> (Thu Nov 28 18:17:38 2013) [[sssd[krb5_child[24911]]]] [main] (0x0400): krb5_child completed successfully
>
> sssd.conf:
> [sssd]
> config_file_version = 2
> debug_level = 10
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss,pam
> domains = DOM.COMPANY.COM
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
> debug_level = 10
> offline_credentials_expiration = 3
>
> [domain/DOM.COMPANY.COM]
> debug_level = 10
> filter_groups = root
> filter_users = root
> description = LDAP domain with AD server
> cache_credentials = false
> enumerate = false
> min_id = 65537
> ldap_uri = ldap://dc1.dom.comany.com
> ldap_sasl_mech = GSSAPI
> ldap_krb5_keytab = /etc/krb5.keytab
> ldap_sasl_authid = [email protected]
> ldap_search_base = dc=dom,dc=company,dc=com
> ldap_schema = rfc2307bis
> id_provider = ldap
> ldap_user_search_base = ou=People,dc=dom,dc=company,dc=com
> ldap_group_search_base = ou=Groups,dc=dom,dc=company,dc=com
> ldap_group_name = msSFU30Name
> ldap_group_nesting_level = 5
> ldap_user_object_class = user
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_group_object_class = group
> ldap_force_upper_case_realm = true
> auth_provider = krb5
> krb5_realm = DOM.COMPANY.COM
> krb5_server = dc.dom.company.com
>
>
> krb5.conf:
> [libdefaults]
> clockskew = 300
> default_realm = DOM.COMPANY.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>
> [realms]
> DOM.COMPANY.COM = {
>   default_domain = dom.company.com
>   admin_server = dc1.dom.company.com
>   kpasswd_server = dc1.dom.company.com
>   kdc = dc1.dom.company.com
> }
>
> [domain_realm]
> .dom.company.com = DOM.COMPANY.COM
> dom.company.com = DOM.COMPANY.COM
>
> [logging]
> default = SYSLOG:NOTICE:DAEMON
>
> [appdefaults]
> pam = {
>   ticket_lifetime = 1d
>   renew_lifetime = 1d
>   forwardable = true
>   debug = true
>   krb4_convert = false
> }
>
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
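The following is an added example and is not code from the thread or from SSSD itself. It is an offline Python model of the principal selection Sumit describes (the ldap_user_principal attribute wins over user@krb5_realm) and of where libkrb5 would then look for a KDC given the posted krb5.conf, so the "Cannot find KDC for requested realm" result can be reproduced and both of Sumit's fixes compared. The AD entry and the two config texts are constructed for the demo (trimmed from the posted files); the UPN suffix `company.com` is the guessed mismatch. For the enterprise-principal route the example assumes `krb5_canonicalize` and `krb5_use_enterprise_principal` are the sssd.conf options that switch canonicalization and enterprise principals on (they need a recent SSSD), and it models only "can a KDC for this realm be located at all"; it does no DNS and does not follow the KDC referral an enterprise AS-REQ triggers.

```python
"""Added example (not from the thread or SSSD): offline model of SSSD's
principal choice for a user and of KDC location for the resulting realm."""
import configparser
import re

# Constructed AD object: the UPN suffix differs from the domain's realm,
# which is the situation guessed at in the reply above.
AD_ENTRY = {
    "sAMAccountName": "user",
    "userPrincipalName": "user@company.com",
}

# Trimmed, constructed versions of the posted sssd.conf and krb5.conf.
SSSD_CONF_AS_POSTED = """
[domain/DOM.COMPANY.COM]
id_provider = ldap
auth_provider = krb5
ldap_user_principal = userPrincipalName
ldap_force_upper_case_realm = true
krb5_realm = DOM.COMPANY.COM
krb5_server = dc.dom.company.com
"""

KRB5_CONF_AS_POSTED = """
[libdefaults]
default_realm = DOM.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOM.COMPANY.COM = {
    kdc = dc1.dom.company.com
    admin_server = dc1.dom.company.com
}
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [libdefaults] keys and per-realm kdc lists."""
    libdefaults, realms = {}, {}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                realms.setdefault(realm, {"kdc": []})
            elif line == "}":
                realm = None
            elif realm:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    realms[realm]["kdc"].append(value.strip())
        elif section == "libdefaults":
            key, _, value = line.partition("=")
            libdefaults[key.strip()] = value.strip()
    return {"libdefaults": libdefaults, "realms": realms}


def load_domain(sssd_conf_text, domain):
    """Return the [domain/<name>] section of an sssd.conf as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return dict(cp[f"domain/{domain}"])


def select_principal(username, ad_entry, domain_cfg):
    """Mirror SSSD's choice: the ldap_user_principal attribute wins when the
    entry carries it; otherwise the principal is username@krb5_realm."""
    attr = domain_cfg.get("ldap_user_principal", "krbPrincipalName")
    upn = ad_entry.get(attr)
    if upn is None:
        return f"{username}@{domain_cfg['krb5_realm']}"
    if domain_cfg.get("ldap_force_upper_case_realm", "false").lower() == "true":
        name, _, realm = upn.partition("@")
        upn = f"{name}@{realm.upper()}"
    return upn


def kdc_source(krb5cfg, realm):
    """Where libkrb5 could find a KDC for realm: an explicit [realms] entry,
    DNS SRV records if dns_lookup_kdc is on, or nowhere (None)."""
    if krb5cfg["realms"].get(realm, {}).get("kdc"):
        return "krb5.conf [realms]"
    if krb5cfg["libdefaults"].get("dns_lookup_kdc", "false").lower() == "true":
        return "DNS SRV _kerberos._tcp." + realm.lower()
    return None


def diagnose(sssd_conf_text, krb5_conf_text, domain, username, ad_entry):
    """Return (principal, realm, kdc_source). A kdc_source of None is the
    'Cannot find KDC for requested realm' case from krb5_child.log."""
    principal = select_principal(username, ad_entry,
                                 load_domain(sssd_conf_text, domain))
    realm = principal.rpartition("@")[2]
    return principal, realm, kdc_source(parse_krb5_conf(krb5_conf_text), realm)


# Fix 1 (workaround from the reply): point ldap_user_principal at an attribute
# no AD entry has, so SSSD falls back to user@krb5_realm.
SSSD_CONF_WORKAROUND = SSSD_CONF_AS_POSTED.replace(
    "ldap_user_principal = userPrincipalName", "ldap_user_principal = blablabla")

# Fix 2 (preferred route from the reply): keep the UPN, turn on canonicalization
# and enterprise principals (option names assumed here), and let libkrb5 locate
# KDCs via DNS. The referral dance itself is not modelled.
SSSD_CONF_ENTERPRISE = SSSD_CONF_AS_POSTED + "krb5_canonicalize = true\nkrb5_use_enterprise_principal = true\n"
KRB5_CONF_DNS = KRB5_CONF_AS_POSTED.replace("dns_lookup_kdc = false",
                                            "dns_lookup_kdc = true")

if __name__ == "__main__":
    for label, s, k in [("as posted", SSSD_CONF_AS_POSTED, KRB5_CONF_AS_POSTED),
                        ("workaround", SSSD_CONF_WORKAROUND, KRB5_CONF_AS_POSTED),
                        ("enterprise", SSSD_CONF_ENTERPRISE, KRB5_CONF_DNS)]:
        p, r, src = diagnose(s, k, "DOM.COMPANY.COM", "user", AD_ENTRY)
        print(f"{label:10} principal={p} realm={r} "
              f"kdc={src or 'Cannot find KDC for requested realm'}")
```

Running it prints the three outcomes side by side: the posted configuration yields a principal in COMPANY.COM for which neither [realms] nor DNS can supply a KDC, the workaround yields user@DOM.COMPANY.COM served by the [realms] block, and the DNS variant can at least locate the UPN's realm. Before choosing the workaround, check the real attribute value with an LDAP search, since hiding the UPN also hides a genuinely different suffix that the KDC would otherwise canonicalize.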
