On (22/02/16 11:48), Sumit Bose wrote:
>On Mon, Feb 22, 2016 at 09:41:47AM +0000, John Hodrien wrote:
>> On Mon, 22 Feb 2016, Patrice Peterson wrote:
>>
>> >Hey list,
>> >
>> >I have joined a CentOS 7 host to an AD domain using a fairly new version of
>> >adcli (one of the versions that has this [0] bug fixed). In its keytab, this
>> >host has a service principal of the form 'host/fqdn@REALM' (i.e. lowercase).
>> >User lookups with SSSD don't work, and the SSSD log says "Client
>> >'host/fqdn@REALM' not found in Kerberos database. Unable to create
>> >GSSAPI-encrypted LDAP connection."
>> >
>> >However, if I use the 'old' adcli to join the node and create the keytab, it
>> >creates a service principal of the form 'HOST/fqdn@REALM'. With this keytab,
>> >I can do username lookups just fine.
>> >
>> >Should this be considered a bug? Is there a way to make service principal
>> >lookups w/SSSD case insensitive? I would like to keep the lower-case
>> >principal names in my keytabs, because OpenSSH GSSAPI auth only works with
>> >those.
>> >
>> >Thanks for any pointers!
>>
>> SSSD with a normal AD joined machine would use the SHORTHOST$@REALM entry, not
>> any of the others. That one's the only one that's a userPrincipal by default
>> (although you can choose *one* additional userPrincipal if you require).
>>
>> You can test this on the command line as it's the only one kinit -k will work
>> with:
>>
>> # These work
>> kinit -k SHORTHOST$
>> kinit -k SHORTHOST$\@DS.LEEDS.AC.UK
>>
>> # These do not work
>> kinit -k host/fqdn
>> kinit -k host/fqdn\@DS.LEEDS.AC.UK
>>
>> So I'm not entirely sold on your diagnosis being correct.
>
>I agree with John here. Can you share your sssd.conf?
>
And also sssd domain log file and (*_child.log)
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/admin/lists/[email protected]
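An added example, not part of the thread above: a small POSIX shell script that automates John's check. It lists the principals in the host keytab, picks out the machine-account entry (a primary ending in `$` with no instance, i.e. SHORTHOST$@REALM), and tries `kinit -k` against every principal so you can see which ones the KDC actually accepts. It assumes MIT Kerberos `klist`/`kinit` and a keytab at /etc/krb5.keytab (override with KEYTAB); the `klist -k` output embedded below and the node01.example.test / EXAMPLE.TEST names are constructed placeholders, not data from the original post.

```shell
#!/bin/sh
# Added example (not from the sssd-users thread): find the machine-account
# principal in a keytab and test each principal with kinit -k.
# Assumes MIT Kerberos client tools. KEYTAB defaults to /etc/krb5.keytab.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Constructed sample of `klist -k` output (not a real capture), used so the
# parsing functions can be exercised without a KDC. Hostnames are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/node01.example.test@EXAMPLE.TEST
   2 HOST/node01.example.test@EXAMPLE.TEST
   2 NODE01$@EXAMPLE.TEST'

# Read `klist -k` output on stdin and print each distinct principal.
# Only lines whose first field is a numeric KVNO are entries; the header
# and separator lines are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# From `klist -k` output on stdin, print only machine-account principals:
# a primary with no "/" instance that ends in "$", followed by @REALM.
# This is the SHORTHOST$@REALM entry SSSD uses on an AD-joined host.
machine_principals() {
    keytab_principals | grep -E '^[^/@]+\$@[^@]+$'
}

# Try `kinit -k` for every principal in the keytab, using a throwaway
# credential cache so the host's real cache is untouched. Prints one line
# per principal: "ok" if the KDC issued a TGT, "FAIL" otherwise.
check_keytab_principals() {
    cache="$(mktemp)" || return 1
    klist -k "$KEYTAB" | keytab_principals | while IFS= read -r p; do
        if KRB5CCNAME="FILE:$cache" kinit -k -t "$KEYTAB" "$p" >/dev/null 2>&1; then
            printf 'ok   %s\n' "$p"
        else
            printf 'FAIL %s\n' "$p"
        fi
    done
    rm -f "$cache"
}

# When run directly (not sourced), show the parse on the constructed sample
# and then, if kinit is present, test the live keytab.
if [ "${0##*/}" = "keytab-check.sh" ]; then
    echo "machine-account principal(s) in sample:"
    printf '%s\n' "$SAMPLE_KLIST" | machine_principals
    command -v kinit >/dev/null 2>&1 && check_keytab_principals
fi
```

Run it as root so the keytab is readable; the `ok`/`FAIL` column tells you directly which principals the KDC knows about, which is the evidence Sumit's reply is asking for alongside sssd.conf and the domain log.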
