-----Original Message----- From: Sumit Bose [mailto:[email protected]] Sent: Monday, February 22, 2016 8:35 AM To: [email protected] Subject: [SSSD-users] Re: Problem with case sensitivity in Keytab
> As Patrice already mentioned the upper-case HOST/... is an issue in adcli > which is fixed in recent version of adcli, see > https://bugs.freedesktop.org/show_bug.cgi?id=84749 for details. Glad to see it's fixed, though Redhat currently only has version 0.7.5-4 in Satellite for RHEL 7 and was built on 01-Jan-14, so this may exist in 7 still, I'm not Linux savvy enough to know/find out. I do see that RHEL 6's version, 0.8.0-1, was built on 17-Dec-15, but is not in my EPEL Server 6 channel. I checked on some of my hosts and they are indeed running 0.7.3 still. I talked to our Satellite admin and he reminded me that we curate patches in our Satellite on a three-month schedule to allow large clusters of systems to remain patch consistent and provide enough time for them all to patch together. Satellite last updated 01-Dec-15, so just missed getting 0.8.0. It's due to sync again next Tuesday on 01-Mar-16, so I should have 0.8.0 on everything RHEL 6 before too long. > The lower-case version 'host/...' should be always used. I try to avoid > saying that this is the right or correct version, becasue it is just an > convention. According > to the related RFCs Kerberos is case-sensitive which means that 'HOST/...' > and 'host/...' are different principals from the Kerberos point of view. When > a service > is kerberized the client and the server side programs of the service must use > the same principal and must not only use the same service name but the same > case as well. Some services like ssh ('host/...') or ldap ('ldap/...') use > lower-case service names while other services like dns ('DNS/...') or http > ('HTTP/...') use upper-case service name. That's consistent with what I observed. > That said the lower-case 'host/...' is mentioned in the Kerberos RFC >4120 in section 1.3 (http://tools.ietf.org/html/rfc4120#section-1.3). >Although it is only a "might be derived from" I think it is a quite strong >recommendation to use (host/...) for services to access the host directly like >telnet and >ssh. > >Btw, if you switch to a newer version of adcli which uses host/... you might >need to removed the host with 'adcli delete-computer ...' first. >The reason is that AD treats Kerberos mostly case-insensitive (in contrast to >the RFC) and might not recognise that the new version of adcli might want to >change the principal to lower-case and keep using the upper-case version. That's true, AD won't let you put two principals in the servicePrincipalName attribute because it considers them the same principal and complains that one with that name already exists. Adcli join will however increment the msDS-KeyVersionNumber attribute and remove all of the existing principals on the AD object and then add them back with whatever options you set, if you just do the join again, no delete required. On Linux, it will increment the knvo in the keytab so that it stays in step with the AD object attribute, and just add new principals to the keytab. I found myself with principals in my keytab at one point duplicated, one set had 'host/' the other had 'HOST/'. Adcli delete-computer may clean up the keytab for you too, I've not tried it though. Todd > > Todd > > -----Original Message----- > From: Lukas Slebodnik [mailto:[email protected]] > Sent: Monday, February 22, 2016 5:07 AM > To: End-user discussions about the System Security Services Daemon > <[email protected]> > Subject: [SSSD-users] Re: Problem with case sensitivity in Keytab > > On (22/02/16 11:48), Sumit Bose wrote: > >On Mon, Feb 22, 2016 at 09:41:47AM +0000, John Hodrien wrote: > >> On Mon, 22 Feb 2016, Patrice Peterson wrote: > >> > >> >Hey list, > >> > > >> >I have joined a CentOS 7 host to an AD domain using a fairly new > >> >version of adcli (one of the versions that has this [0] bug fixed). > >> >In its keytab, this host has a service principal of the form > >> >'host/fqdn@REALM' (i.e. lowercase). > >> >User lookups with SSSD don't work, and the SSSD log says "Client > >> >'host/fdqn@REALM' not found in Kerberos database. Unable to create > >> >GSSAPI-encrypted LDAP connection." > >> > > >> >However, if I use the 'old' adcli to join the node and create the > >> >keytab, it creates a service principal of the form > >> >'HOST/fqdn@REALM'. With this keytab, I can do username lookups just fine. > >> > > >> >Should this be considered a bug? Is there a way to make service > >> >principal lookups w/SSSD case insensitive? I would like to keep > >> >the lower-case principal names in my keytabs, because OpenSSH > >> >GSSAPI auth only works with those. > >> > > >> >Thanks for any pointers! > >> > >> SSSD with a normal AD joined machine would use the SHORTHOST$@REALM > >> entry, not any of the others. That one's the only one that's a > >> userPrincipal by default (although you can choose *one* additional > >> userPrincipal if you require). > >> > >> You can test this on the command line as it's the only one kinit -k > >> will work > >> with: > >> > >> # These work > >> kinit -k SHORTHOST$ kinit -k SHORTHOST$\@DS.LEEDS.AC.UK > >> > >> # These do not work > >> kinit -k host/fqdn > >> kinit -k host/fqdn\@DS.LEEDS.AC.UK > >> > >> So I'm not entirely sold on your diagnosis being correct. > > > >I agree with John here. Can you share your sssd.conf? > > > And also sssd domain log file and (*_child.log) > https://fedorahosted.org/sssd/wiki/Troubleshooting > > LS > _______________________________________________ > sssd-users mailing list > [email protected] > https://lists.fedorahosted.org/admin/lists/[email protected] > ed.org _______________________________________________ > sssd-users mailing list > [email protected] > https://lists.fedorahosted.org/admin/lists/[email protected] > ed.org _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected] _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected]
