Hi,

My machine joined AD. I can get attributes with ldapsearch as an AD user (and as local root):

alongina@victoria:~$ ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=victoria))'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=computer)(name=victoria))
# requesting: ALL
# with pagedResults control: size=1000
#

# VICTORIA, Linux computers, ADResources, nat.c.sdu.dk
dn: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: VICTORIA
distinguishedName: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
instanceType: 4
whenCreated: 20121107151527.0Z
whenChanged: 20121108100744.0Z
uSNCreated: 22665166
uSNChanged: 22700883
name: VICTORIA
objectGUID:: Np8rYg/Jxka041fkPw1blA==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129967763011945002
lastLogoff: 0
lastLogon: 129968428368941751
localPolicyFlags: 0
pwdLastSet: 129968428370191767
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YoUC4AAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: VICTORIA$
sAMAccountType: 805306369
dNSHostName: victoria.nat.c.sdu.dk
servicePrincipalName: host/victoria.nat.c.sdu.dk
servicePrincipalName: host/victoria
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129968428370187304
msDS-SupportedEncryptionTypes: 28

# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

The /etc/krb5.keytab:

alongina@victoria:~$ sudo klist -e -k
[sudo] password for alongina:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 [email protected] (arcfour-hmac)
   7 [email protected] (aes128-cts-hmac-sha1-96)
   7 [email protected] (aes256-cts-hmac-sha1-96)
   7 host/[email protected] (arcfour-hmac)
   7 host/[email protected] (aes128-cts-hmac-sha1-96)
   7 host/[email protected] (aes256-cts-hmac-sha1-96)
   7 host/[email protected] (arcfour-hmac)
   7 host/[email protected] (aes128-cts-hmac-sha1-96)
   7 host/[email protected] (aes256-cts-hmac-sha1-96)

Does it make a difference, victoria$ <--> VICTORIA$? Because in AD: sAMAccountName VICTORIA$

I can't kinit using the keytab:

alongina@victoria:~$ kinit -k -t /etc/krb5.keytab [email protected]
kinit: Client not found in Kerberos database while getting initial credentials
alongina@victoria:~$ kinit -k -t /etc/krb5.keytab host/[email protected]
kinit: Client not found in Kerberos database while getting initial credentials
alongina@victoria:~$ kinit -k -t /etc/krb5.keytab victoria$
kinit: Generic preauthentication failure while getting initial credentials
alongina@victoria:~$ kinit -k -t /etc/krb5.keytab 'victoria$'
kinit: Generic preauthentication failure while getting initial credentials

I use msktutil for joining AD.

Longina

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jakub Hrozek
Sent: 8. november 2012 10:54
To: [email protected]
Subject: Re: [SSSD-users] startup problem/port status 0

On Tue, Nov 06, 2012 at 02:16:26PM +0000, Longina Przybyszewska wrote:
> Hi again,
> Thanks a lot for guiding me so far :)
>
> I have got the sssd-1.9.2 package from Timo, Ubuntu sssd package maintainer for Ubuntu Quantal.
>
> SSSD is configured against AD as auth/id provider
>
> sssd.conf
>
> [sssd]
> debug_level = 0x1310
> config_file_version = 2
> services = nss, pam
> domains = nat.c.sdu.dk
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [pam]
>
> [domain/nat.c.sdu.dk]
>
> debug_level = 0x1310
>
> enumerate = False
> min_id = 1000
> max_id = 20000
>
> auth_provider = ad
> id_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> ad_server = nat.c.sdu.dk
> ad_hostname = testina4$.nat.c.sdu.dk
> ad_domain = nat.c.sdu.dk
>
> From log:
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: testina4$
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NAT.C.SDU.DK], [2][No such file or directory
>

Not all the information is in the log; raising the debug_level might provide more info, but I think the problem is in the kinit. Can you kinit as the principal specified in the ad_hostname and then ldapsearch the directory?

Are you sure about the principal in ad_hostname? I think it is typically HOST$@DOMAIN; your principal doesn't contain the at-sign.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
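A quick consistency check for the case question raised in this thread (an added example, not code from the thread or from SSSD/msktutil): it parses `klist -k -e` and ldapsearch LDIF output and reports keytab principals whose case differs from the AD sAMAccountName, and SPNs registered in AD that have no keytab entry. The sample inputs and the default realm are constructed here to mirror the thread's host victoria; on a real machine feed it the actual command output.

```python
import re

REALM = "NAT.C.SDU.DK"  # assumed: the default_realm from krb5.conf
# Constructed sample of `klist -k -e` output (mirrors the thread's host).
KLIST_OUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 victoria$@NAT.C.SDU.DK (arcfour-hmac)
   7 victoria$@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   7 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   7 host/victoria@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
"""
# Constructed sample of the ldapsearch LDIF for the computer object.
LDIF_OUT = """sAMAccountName: VICTORIA$
servicePrincipalName: host/victoria.nat.c.sdu.dk
servicePrincipalName: host/victoria
"""
# One keytab line: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$", re.M)

def parse_klist(text):
    """Return {principal: {enctype, ...}} parsed from `klist -k -e` output."""
    keys = {}
    for _kvno, princ, etype in ENTRY.findall(text):
        keys.setdefault(princ, set()).add(etype)
    return keys

def parse_ldif(text):
    """Return {attribute: [values]} from one LDIF entry (no folding or base64)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, val = line.split(":", 1)
            attrs.setdefault(key, []).append(val.strip())
    return attrs

def check_keytab(klist_text, ldif_text, realm=REALM):
    """List mismatches between keytab principals and the AD computer object."""
    keys, attrs = parse_klist(klist_text), parse_ldif(ldif_text)
    sam = attrs["sAMAccountName"][0]
    findings = []
    # Kerberos principal names are case-sensitive (RFC 4120); AD names are not.
    acct = [p for p in keys if p.split("@")[0].lower() == sam.lower()]
    if not acct:
        findings.append(f"no keytab entry for account {sam}@{realm}")
    for p in acct:
        if p.split("@")[0] != sam:
            findings.append(f"case differs: keytab {p} vs sAMAccountName {sam}")
    for spn in attrs.get("servicePrincipalName", []):
        if f"{spn}@{realm}" not in keys:
            findings.append(f"SPN {spn} is registered in AD but not in the keytab")
    return findings
```

Each flagged principal form is then a candidate to try with `kinit -k -t /etc/krb5.keytab <principal>` one at a time, which narrows down whether the account name or its case is what the KDC rejects.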
