On Fri, Aug 12, 2016 at 12:14:00PM -0700, Robert Moulton wrote:
> Jakub Hrozek wrote on 8/12/16 12:59 AM:
> > On Thu, Aug 11, 2016 at 03:08:35PM -0700, Robert Moulton wrote:
> > > On a CentOS 6 system we recently implemented sssd auth against an AD domain
> > > (Samba 4 AD, specifically). The system messages log often shows flurries of
> > > these GSSAPI errors:
> > >
> > > sssd[be[notarealdomain.com]]: GSSAPI Error: Invalid token was supplied (Token header is malformed or corrupt)
> >
> > I'm sorry, I've never seen this error. But what you can do is to kinit
> > with the keytab using KRB5_TRACE=/dev/stderr and then search the AD
> > DC/Samba DC with -Y GSSAPI (again prepending KRB5_TRACE=/dev/stderr) and
> > see if more helpful errors appear.
>
> Thanks for the suggestion Jakub. I tried that. A preauth error was reported,
> along with a response-size error, but no corresponding sssd messages showed
> up in the system log. Are those errors or anything else in the output
> possibly meaningful in this case? The output:
>
> $ KRB5_TRACE=/dev/stderr kinit
> [14527] 1471027291.50378: Getting initial credentials for
> [email protected]

Watch out, here you authenticate as your principal, but SSSD
authenticates as the machine. You can see the machine principals stored
in the keytab with:

    klist -k

and normally SSSD uses the 'netbios principal' which looks like the
short version of the hostname with a dollar sign at the end. Can you try
that one?
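
The check suggested in the reply above, as an added example that is not part of the original thread: it picks the machine ("netbios") principal out of the keytab listing and repeats the traced kinit and GSSAPI LDAP search as that principal. The function names, the sample keytab listing, the throwaway credential cache and the rootDSE query are assumptions made for illustration; the DC's LDAP URI is supplied by the caller.

```shell
#!/bin/sh
# Added example: find the machine ("netbios") principal in `klist -k` output,
# then repeat the traced kinit and GSSAPI LDAP search as that principal.

# Read `klist -k` output on stdin; print each distinct SHORTNAME$@REALM entry.
# Header lines and service principals (host/fqdn@REALM) are skipped.
machine_principals() {
    awk '$1 ~ /^[0-9]+$/ && index($2, "/") == 0 &&
         $2 ~ /^[^@]+[$]@[^@]+$/ && !seen[$2]++ { print $2 }'
}

# Constructed sample of `klist -k` output (hostname and realm are made up).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/client1.example.com@EXAMPLE.COM
   2 host/client1.example.com@EXAMPLE.COM
   2 CLIENT1$@EXAMPLE.COM
   2 CLIENT1$@EXAMPLE.COM
EOF
}

# Run as root on the client. $1 = LDAP URI of the DC (supplied by the caller).
# A throwaway credential cache keeps root's own tickets untouched.
trace_as_machine() (
    princ=$(klist -k | machine_principals | head -n 1)
    [ -n "$princ" ] || { echo "no machine principal in keytab" >&2; exit 1; }
    cache=$(mktemp) || exit 1
    trap 'rm -f "$cache"' EXIT
    export KRB5CCNAME="FILE:$cache" KRB5_TRACE=/dev/stderr
    kinit -k "$princ" || exit 1
    # Base-scope read of the rootDSE; any small query works for the trace.
    ldapsearch -Y GSSAPI -H "$1" -s base -b "" defaultNamingContext
)

# Nothing touches Kerberos unless asked: ./script --run ldap://dc.example.com
if [ "${1:-}" = "--run" ]; then
    trace_as_machine "$2"
fi
```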