Hi again,

I deleted the computer from AD and joined it again with some changes. Now:

computer: hostname = victoria.nat.c.sdu.dk

In AD:

ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=victoria))'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=computer)(name=victoria))
# requesting: ALL
# with pagedResults control: size=1000
#

# VICTORIA, Linux computers, ADResources, nat.c.sdu.dk
dn: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: VICTORIA
distinguishedName: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
instanceType: 4
whenCreated: 20121108142304.0Z
whenChanged: 20121108143127.0Z
uSNCreated: 120398572
uSNChanged: 120399833
name: VICTORIA
objectGUID:: yJFvBzDHyUWRHBrfdFdiUg==
userAccountControl: 4096
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 129968615052158722
lastLogoff: 0
lastLogon: 129968586876815634
localPolicyFlags: 0
pwdLastSet: 129968586878690610
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YoZzMAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: VICTORIA$
sAMAccountType: 805306369
dNSHostName: victoria.nat.c.sdu.dk
servicePrincipalName: host/victoria.nat.c.sdu.dk
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129968583496702650
msDS-SupportedEncryptionTypes: 28

# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

My keytab:

root@victoria:/home/alongina# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 [email protected] (arcfour-hmac)
   7 [email protected] (aes128-cts-hmac-sha1-96)
   7 [email protected] (aes256-cts-hmac-sha1-96)
   7 host/[email protected] (arcfour-hmac)
   7 host/[email protected] (aes128-cts-hmac-sha1-96)
   7 host/[email protected] (aes256-cts-hmac-sha1-96)
   3 [email protected] (arcfour-hmac)
   3 [email protected] (aes128-cts-hmac-sha1-96)
   3 [email protected] (aes256-cts-hmac-sha1-96)
   3 host/[email protected] (arcfour-hmac)
   3 host/[email protected] (aes128-cts-hmac-sha1-96)
   3 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 [email protected] (arcfour-hmac)
   4 [email protected] (aes128-cts-hmac-sha1-96)
   4 [email protected] (aes256-cts-hmac-sha1-96)
   4 host/[email protected] (arcfour-hmac)
   4 host/[email protected] (aes128-cts-hmac-sha1-96)
   4 host/[email protected] (aes256-cts-hmac-sha1-96)
..................

root@victoria:/home/alongina# kinit -k -t /etc/krb5.keytab 'VICTORIA$'
root@victoria:/home/alongina# kinit -k -t /etc/krb5.keytab '[email protected]'
root@victoria:/home/alongina# kinit -k -t /etc/krb5.keytab '[email protected]'
kinit: Preauthentication failed while getting initial credentials
.......................

The command

getent passwd [email protected]

doesn't work. In /var/log/sssd/ldap_child.log:
................
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): total buffer size: 37
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): princ_str size: 9
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): got princ_str: victoria$
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
(Thu Nov 8 16:16:24 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Nov 8 16:16:25 2012) [[sssd[ldap_child[3928]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Thu Nov 8 16:16:25 2012) [[sssd[ldap_child[3928]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
.......................

In /etc/sssd/sssd.conf:
......
Ad_hostname = [email protected]
......

It is obviously confused about principal names...

Longina

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jakub Hrozek
Sent: 8. november 2012 10:54
To: [email protected]
Subject: Re: [SSSD-users] startup problem/port status 0

On Tue, Nov 06, 2012 at 02:16:26PM +0000, Longina Przybyszewska wrote:
> Hi again,
> Thanks a lot for guiding me so far :)
>
> I have got the sssd-1.9.2 package from Timo, Ubuntu sssd package maintainer for
> Ubuntu Quantal.
>
> SSSD is configured against AD as auth/id provider.
>
> sssd.conf
>
> [sssd]
> debug_level = 0x1310
> config_file_version = 2
> services = nss, pam
> domains = nat.c.sdu.dk
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [pam]
>
> [domain/nat.c.sdu.dk]
>
> debug_level = 0x1310
>
> enumerate = False
> min_id = 1000
> max_id = 20000
>
> auth_provider = ad
> id_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> ad_server = nat.c.sdu.dk
> ad_hostname = testina4$.nat.c.sdu.dk
> ad_domain = nat.c.sdu.dk
>
>
> From log:
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: testina4$
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NAT.C.SDU.DK], [2][No such file or directory]
>

Not all the information is in the log; raising the debug_level might provide more info, but I think the problem is in the kinit. Can you kinit as the principal specified in the ad_hostname and then ldapsearch the directory?

Are you sure about the principal in ad_hostname? I think it is typically HOST$@DOMAIN; your principal doesn't contain the at-sign.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
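The thread turns on whether the keytab on the client holds current keys for the principals SSSD derives from ad_hostname. The checker below is an added example, not SSSD's own code: it parses `klist -e -k` output and the [domain/...] section of sssd.conf, derives the two principals AD holds for the computer account as seen in the ldapsearch above (sAMAccountName SHORT$ and the host/fqdn SPN), and reports a principal mistakenly placed in ad_hostname, principals absent from the keytab, and principals whose only keys carry an older KVNO than the newest join. The keytab listing and config fragment are constructed samples modelled on the thread (whose addresses are redacted).

```python
import configparser
import re
# Constructed sample modelled on the thread's keytab listing (its addresses are redacted there).
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 VICTORIA$@NAT.C.SDU.DK (arcfour-hmac)
   7 host/victoria.nat.c.sdu.dk@NAT.C.SDU.DK (aes256-cts-hmac-sha1-96)
   3 VICTORIA$@NAT.C.SDU.DK (arcfour-hmac)
"""
# Constructed sssd.conf fragment reproducing the thread's misconfiguration: a principal in ad_hostname.
SSSD_CONF = """[domain/nat.c.sdu.dk]
ad_domain = nat.c.sdu.dk
ad_hostname = victoria$@nat.c.sdu.dk
"""
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")  # one `klist -e -k` row: KVNO principal (enctype)

def parse_keytab(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -e -k` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(princ, {}).setdefault(kvno, set()).add(etype)
    return entries

def expected_principals(hostname, domain):
    """Principals AD keeps for a computer account: sAMAccountName (SHORT$) and the host/fqdn SPN."""
    realm = domain.upper()
    return [f"{hostname.split('.')[0].upper()}$@{realm}", f"host/{hostname.lower()}@{realm}"]

def check(conf_text, klist_text):
    """Return findings; an empty list means the keytab has current keys for the configured host."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    section = next(s for s in cp.sections() if s.startswith("domain/"))
    hostname = cp[section].get("ad_hostname", "")
    domain = cp[section].get("ad_domain", section.split("/", 1)[1])
    findings = []
    if "@" in hostname or "$" in hostname:
        findings.append("ad_hostname must be the host's FQDN, not a Kerberos principal")
        hostname = hostname.split("@")[0].rstrip("$").split(".")[0] + "." + domain  # best-effort recovery
    keytab = parse_keytab(klist_text)
    newest = max((k for p in keytab.values() for k in p), default=0)  # highest KVNO in the whole keytab
    for princ in expected_principals(hostname, domain):
        if princ not in keytab:
            findings.append(f"missing from keytab: {princ}")
        elif max(keytab[princ]) < newest:  # only keys from an older join or password rotation
            findings.append(f"stale key only: {princ} newest KVNO {max(keytab[princ])}")
    return findings
```

On a real host, feed `check()` the output of `klist -e -k` and the contents of /etc/sssd/sssd.conf; the ad_hostname check is what would have flagged the configuration in this thread before kinit was even tried.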
