On Mon, Jan 26, 2015 at 10:26:14PM +0100, Koen de Boeve wrote:
> Hi Sumit,
>
> If I try just kinit -k , I get:
> [root@lnx01 sssd]# kinit -k
> kinit: Client 'host/[email protected]' not found in Kerberos
> database while getting initial credentials
> [root@lnx01 sssd]# host lnx01.glxtmp.com
> lnx01.glxtmp.com has address 10.0.234.100
> [root@lnx01 sssd]# host 10.0.234.100
> 100.234.0.10.in-addr.arpa domain name pointer lnx01.glxtmp.com.
> same for any combination like:
>
> kinit -k lnx01 or kinit -k lnx01.glxtmp.com
>
> if I try kinit -k LNX01$
> it works.

ah, sorry, I should have mentioned that with AD you have to give the
principal with the $ in it explicitly.

>
> [root@lnx01 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_WnzXbeg
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 01/26/2015 22:00:01 01/27/2015 08:00:01 krbtgt/[email protected]
> renew until 02/02/2015 22:00:01
> [root@lnx01 ~]# smbclient -k \\\\win-leje3vd828k.glxtmp.com\\SYSVOL
> OS=[Windows Server 2012 Standard Evaluation 9200] Server=[Windows Server
> 2012 Standard Evaluation 6.2]
> smb: \> ls
> . D 0 Sun Jan 25 20:24:14 2015
> .. D 0 Sun Jan 25 20:24:14 2015
> GLXTMP.COM D 0 Sun Jan 25 20:24:14 2015
>
> 40607 blocks of size 1048576. 28261 blocks available
> smb: \> cd GLXTMP.COM\
> smb: \GLXTMP.COM\> ls
> . D 0 Sun Jan 25 20:26:38 2015
> .. D 0 Sun Jan 25 20:26:38 2015
> DfsrPrivate DHS 0 Sun Jan 25 20:26:38 2015
> Policies D 0 Sun Jan 25 21:18:44 2015
> scripts D 0 Sun Jan 25 20:24:14 2015
>
> 40607 blocks of size 1048576. 28261 blocks available
> smb: \GLXTMP.COM\> cd Policies\
> smb: \GLXTMP.COM\Policies\> ls
> . D 0 Sun Jan 25 21:18:44 2015
> .. D 0 Sun Jan 25 21:18:44 2015
> {31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sun Jan 25
> 20:24:36 2015
> {6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sun Jan 25
> 20:24:36 2015
> {AC4A550E-DCD5-4C06-8B5C-29E51CD03164} D 0 Sun Jan 25
> 21:18:44 2015
>
> 40607 blocks of size 1048576. 28261 blocks available
> smb: \GLXTMP.COM\Policies\> cd {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
> smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> ls
> . D 0 Sun Jan 25 21:18:44 2015
> .. D 0 Sun Jan 25 21:18:44 2015
> GPT.INI A 59 Sun Jan 25 21:21:57 2015
> Machine D 0 Sun Jan 25 21:19:03 2015
> User D 0 Sun Jan 25 21:18:44 2015
>
> 40607 blocks of size 1048576. 28261 blocks available
> smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> get
> GPT.INI
> getting file
> \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\GPT.INI of size
> 59 as GPT.INI (57.6 KiloBytes/sec) (average 57.6 KiloBytes/sec)

ok, so with proper authentication everything is working as expected. I
guess Kerberos authentication fails and libsmbclient tries to continue
without authentication as guest and gets access denied.

I'll try to reproduce, maybe this is related to the recent changes to
allow SSSD to run as non-root user. Is your sssd_be process running as
root or as a different user?

bye,
Sumit
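
Added example, not part of the original message and not SSSD's own code: the thread shows `kinit -k` defaulting to the `host/...` principal and failing, while `kinit -k LNX01$` works. The sketch below picks the `SHORTNAME$@REALM` entry out of `klist -k` output and uses it explicitly; the realm `EXAMPLE.COM`, the sample listing and the function names are constructed assumptions.

```shell
#!/bin/sh
# Select the AD machine-account principal (SHORTNAME$@REALM) from a keytab
# listing instead of letting kinit -k default to host/<fqdn>@REALM.

# Constructed sample of `klist -k` output (MIT Kerberos layout). The host
# name follows the thread; the realm EXAMPLE.COM is a placeholder.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lnx01.example.com@EXAMPLE.COM
   2 host/lnx01.example.com@EXAMPLE.COM
   2 host/LNX01@EXAMPLE.COM
   2 LNX01$@EXAMPLE.COM
   2 LNX01$@EXAMPLE.COM
EOF
}

# Read a `klist -k` listing on stdin and print the first principal that has
# no "/" (so it is not a service principal) and ends in "$" before the realm.
# Entries repeat once per encryption type, so only the first match is used.
machine_principal() {
    awk '$1 ~ /^[0-9]+$/ && index($2, "/") == 0 && $2 ~ /\$@[^@]+$/ {
        print $2
        exit
    }'
}

# Get a TGT from the keytab as the machine account. Returns non-zero when
# the keytab has no SHORTNAME$ entry or when kinit itself fails.
kinit_as_machine() {
    keytab=${1:-/etc/krb5.keytab}
    princ=$(klist -k "$keytab" | machine_principal)
    if [ -z "$princ" ]; then
        echo "no SHORTNAME\$ principal found in $keytab" >&2
        return 1
    fi
    kinit -k -t "$keytab" "$princ"
}

# Offline demonstration on the constructed listing above.
sample_keytab_listing | machine_principal
```

On a joined host, `kinit_as_machine` followed by `klist` should show the machine account as the default principal before retrying `smbclient -k`.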
