I've come across the same issue in the last two weeks. here are the details of my situation and how I worked around it.
I'm trying to design an agnostic way to join both RHEL 6 and RHEL 7 to AD and have settled on adcli because it's available for both, realmd isn't for 6. In doing so I also wanted to Kerberize SSH and fought with it for quite some time until I discovered OpenSSH's proclivity to want lowercase 'host/...' in the principal. This is what I found. It all came down to the case of the word 'host' in the principals it creates in both the AD object and the keytab on the Linux host. Adcli by default will create principals in the keytab and on the AD object itself with uppercase 'HOST/...' but that effectively disables SSH, if I did nothing else but change the case of the word 'host' in the AD object to be lowercase and match the case in the keytab I could get SSH and AD lookups to work. I finally ended up playing with adcli command line options and found that I could have adcli create the principal in lowercase in both the keytab and the AD object by adding " --service-name=host" as an option. Name lookups work and SSH works, and I don't have to do anything special after the join to align principals. I'm not sure what the consequences of a lowercase 'host/...' in a Kerberos principal is, but this lets everything I need right now work for me. I wondered if this was a bug or not, but I finally decided that because adcli creates the principals consistently, it's really SSH's issue not working with uppercase 'HOST/...' in principals that's the problem. Todd -----Original Message----- From: Lukas Slebodnik [mailto:[email protected]] Sent: Monday, February 22, 2016 5:07 AM To: End-user discussions about the System Security Services Daemon <[email protected]> Subject: [SSSD-users] Re: Problem with case sensitivity in Keytab On (22/02/16 11:48), Sumit Bose wrote: >On Mon, Feb 22, 2016 at 09:41:47AM +0000, John Hodrien wrote: >> On Mon, 22 Feb 2016, Patrice Peterson wrote: >> >> >Hey list, >> > >> >I have joined a CentOS 7 host to an AD domain using a fairly new >> >version of adcli (one of the versions that has this [0] bug fixed). >> >In its keytab, this host has a service principal of the form >> >'host/fqdn@REALM' (i.e. lowercase). >> >User lookups with SSSD don't work, and the SSSD log says "Client >> >'host/fdqn@REALM' not found in Kerberos database. Unable to create >> >GSSAPI-encrypted LDAP connection." >> > >> >However, if I use the 'old' adcli to join the node and create the >> >keytab, it creates a service principal of the form >> >'HOST/fqdn@REALM'. With this keytab, I can do username lookups just fine. >> > >> >Should this be considered a bug? Is there a way to make service >> >principal lookups w/SSSD case insensitive? I would like to keep the >> >lower-case principal names in my keytabs, because OpenSSH GSSAPI >> >auth only works with those. >> > >> >Thanks for any pointers! >> >> SSSD with a normal AD joined machine would use the SHORTHOST$@REALM >> entry, not any of the others. That one's the only one that's a >> userPrincipal by default (although you can choose *one* additional >> userPrincipal if you require). >> >> You can test this on the command line as it's the only one kinit -k >> will work >> with: >> >> # These work >> kinit -k SHORTHOST$ kinit -k SHORTHOST$\@DS.LEEDS.AC.UK >> >> # These do not work >> kinit -k host/fqdn >> kinit -k host/fqdn\@DS.LEEDS.AC.UK >> >> So I'm not entirely sold on your diagnosis being correct. > >I agree with John here. Can you share your sssd.conf? > And also sssd domain log file and (*_child.log) https://fedorahosted.org/sssd/wiki/Troubleshooting LS _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected] _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected]
