On Mon, Feb 22, 2016 at 08:04:42PM -0000, Patrice Peterson wrote:
> Hi, thanks for replying!
>
> While you're correct in that neither of the SPNs work, I can literally not do
> username lookups unless I have a SPN that starts with HOST/.
>
> I just tried the following:
>
> 1. Using older adcli (which by default produces HOST/ SPNs) to re-join the
>    host -> lookups are not working
> 2. Using newer adcli (which produces host/) to re-join the host -> lookups
>    are not working, client exhibits error described in my initial e-mail
> 3. Using newer adcli to re-join, but add the
>    "--user-principal=HOST/fqdn@REALM" option so that *both* SPNs are in the
>    keytab -> lookups are working
Please note that the principal you give with the --user-principal option is
not a SPN (service principal name) but a UPN (user principal name). Only UPNs
can be used to get a Kerberos TGT, i.e. can be used with kinit.

As you can see from the logs SSSD tries to use host/[email protected] to get a
TGT. Since AD handles principals case-insensitively, HOST/[email protected]
will work as well as long as it is defined as a UPN (I would expect that it
will work the same if you use '--user-principal=host/fqdn@REALM').

In general the default UPN is NetBIOSName$@REALM and SSSD will use it if a
matching entry is in the keytab. But there are some restrictions to the
NetBIOS name, e.g. only 15 characters are allowed and only a few special
characters. Do you have an entry '...$@REALM' in the keytab? Does the name
before the $ match the first part of the fully qualified host name of the
client, or is it truncated or are special characters removed?

If you have a '...$@REALM' entry in the keytab which differs somehow from the
hostname you can try to add this principal to sssd.conf with

    ldap_sasl_authid = NetBIOSName$@REALM

where NetBIOSName$@REALM matches the entry in the keytab, to tell SSSD to use
this principal for kinit.

HTH

bye,
Sumit

>
> Every time, I made sure to stop SSSD before making any modifications, deleted
> /var/lib/sss/{db,mc}/*, and restarted SSSD afterwards. I will try to up the
> debug level and see what I can find, and I'll post my logfiles in reply to
> another mail in this thread.
>
> In any case, thanks for telling me about kinit -k <NETBIOSname>!
>
> -Patrice

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
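The check Sumit describes (is there a '...$@REALM' entry in the keytab, and does the name before the $ agree with the host's short name under the 15-character NetBIOS limit) can be scripted against `klist -k` output. The script below is an added example and is not code from the thread or from the SSSD project; the way it derives the NetBIOS-style name (first DNS label, uppercased, characters outside A-Z/0-9/'-' dropped, cut to 15 characters) is an assumption that approximates AD's rules, and the sample `klist -k` listing it runs on is constructed.

```shell
#!/bin/sh
# Added example, not code from the sssd-users thread or from SSSD: check whether
# the client's keytab carries the NetBIOSName$@REALM entry that SSSD prefers for
# kinit, and whether that name agrees with the host's short name under AD's
# NetBIOS limits. The sample klist -k output below is constructed.

# Derive the NetBIOS-style computer name from a fully qualified hostname: first
# DNS label, uppercased, characters outside A-Z, 0-9 and '-' dropped (assumed
# approximation of AD's rules), truncated to 15 characters.
netbios_name() {
    printf '%s\n' "$1" | cut -d. -f1 | tr 'a-z' 'A-Z' | tr -cd 'A-Z0-9\n-' | cut -c1-15
}

# Read klist -k output on stdin and print, deduplicated, every principal that
# ends in '$@REALM' (the computer-account UPN form SSSD looks for).
machine_principals() {
    awk -v realm="$1" '$2 ~ ("[$]@" realm "$") { print $2 }' | sort -u
}

# Compare the keytab's computer-account entry with the name implied by the
# hostname. Prints exactly one line:
#   match <principal> | mismatch <principal> <expected> | missing <expected>
check_keytab() {
    host="$1"; realm="$2"; klist_output="$3"
    expected="$(netbios_name "$host")\$@$realm"
    found="$(printf '%s\n' "$klist_output" | machine_principals "$realm" | head -n 1)"
    if [ -z "$found" ]; then
        echo "missing $expected"
    elif [ "$found" = "$expected" ]; then
        echo "match $found"
    else
        echo "mismatch $found $expected"
    fi
}

# Print the sssd.conf line that pins SSSD to the principal actually present in
# the keytab (the option named in the thread; the section name is a placeholder).
suggest_sssd_conf() {
    printf '[domain/EXAMPLE.COM]\nldap_sasl_authid = %s\n' "$1"
}

# Constructed sample: the hostname's first label exceeds 15 characters and the
# keytab entry was written with a name that differs from naive truncation.
SAMPLE_HOST=averylongclienthostname.example.com
SAMPLE_REALM=EXAMPLE.COM
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/averylongclienthostname.example.com@EXAMPLE.COM
   2 HOST/averylongclienthostname.example.com@EXAMPLE.COM
   2 AVERYLONGCLIEN0$@EXAMPLE.COM'

result="$(check_keytab "$SAMPLE_HOST" "$SAMPLE_REALM" "$SAMPLE_KLIST")"
echo "$result"
case "$result" in
    mismatch*) suggest_sssd_conf "$(echo "$result" | cut -d' ' -f2)" ;;
esac
```

On a real client, replace the constructed listing with `"$(klist -k)"` and the sample host with `"$(hostname -f)"`; a `mismatch` result is the case where setting `ldap_sasl_authid` to the keytab's own entry is worth trying, and `missing` means the join did not produce a computer-account UPN in the keytab at all.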
