On (19/09/16 05:38), klin...@gmail.com wrote:
>Hi all,
>
>I am configuring AD authentication by using SSSD+kerberos on our CentOS 6.7 
>cluster. The solution works fine so far except that we could not use 
>ldap_access_filter.
>
>Whenever I enabled ldap_access_filter (add filter to ldap_access_order), all 
>SSH logins are denied. And the error messages are:
>
>==> /var/log/sssd/ldap_child.log <==
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12437]]]] [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:00:53 2016) [[sssd[ldap_child[12438]]]] [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12501]]]] [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12502]]]] [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] 
>[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 
>'host/nerv-geofront.lo...@ad.example.edu.au' not found in Kerberos database
>(Mon Sep 19 15:02:45 2016) [[sssd[ldap_child[12503]]]] [main] (0x0020): 
>ldap_child_get_tgt_sync failed.
>
>But I believe the entry is in the keytab file already:
>
>[root@nerv-geofront ~]# klist -ke
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-crc)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (des-cbc-md5)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>   5 host/nerv-geofront.lo...@ad.example.edu.au (arcfour-hmac)
>   5 host/nerv-geofr...@ad.example.edu.au (des-cbc-crc)
>   5 host/nerv-geofr...@ad.example.edu.au (des-cbc-md5)
>   5 host/nerv-geofr...@ad.example.edu.au (aes128-cts-hmac-sha1-96)
>   5 host/nerv-geofr...@ad.example.edu.au (aes256-cts-hmac-sha1-96)
>   5 host/nerv-geofr...@ad.example.edu.au (arcfour-hmac)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-crc)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (des-cbc-md5)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes128-cts-hmac-sha1-96)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
>   5 NERV-GEOFRONT$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
>
>The error messages above appear only when I enabled ldap_access_filter, so I 
>think this is related to the kerberos keytab.
>
>I am testing on sssd 1.12.4, samba 3.6.23.
>
Can you reproduce on CentOS 6.8? There is sssd 1.13.x.

BTW, is there a reason for using ldap_access_filter?
Try to look into the simple access provider (man sssd-simple).

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
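One check worth running on the `klist -ke` listing quoted above, as an added example that is not part of this thread: Kerberos realm names are case-sensitive, and in that listing the host/ entries carry a lowercase realm while the machine-account entry carries the uppercase one. The script below parses `klist -ke` output (the embedded sample is constructed with placeholder hostname and realm, not the poster's values), reports principals whose realm matches the machine account's realm only when case is ignored, and lists entries keyed with DES or RC4.

```python
import re

# Constructed sample with the same shape as the `klist -ke` listing in the post;
# hostname and realm are placeholders, not the poster's values.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/myhost.ad.example.edu.au@ad.example.edu.au (des-cbc-crc)
   5 host/myhost.ad.example.edu.au@ad.example.edu.au (aes256-cts-hmac-sha1-96)
   5 host/myhost@ad.example.edu.au (aes256-cts-hmac-sha1-96)
   5 MYHOST$@AD.EXAMPLE.EDU.AU (aes256-cts-hmac-sha1-96)
   5 MYHOST$@AD.EXAMPLE.EDU.AU (arcfour-hmac)
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}


def parse_klist(text):
    """Parse `klist -ke` output into (kvno, primary, realm, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, primary, realm, enctype = m.groups()
            entries.append((int(kvno), primary, realm, enctype))
    return entries


def machine_account_realm(entries):
    """Realm of the computer account (primary ending in '$'); None if absent."""
    for _kvno, primary, realm, _enc in entries:
        if primary.endswith("$"):
            return realm
    return None


def realm_case_mismatches(entries, expected_realm):
    """Principals whose realm equals expected_realm only when case is ignored.
    Realm names are case-sensitive, so the KDC sees these as a different realm."""
    bad = set()
    for _kvno, primary, realm, _enc in entries:
        if realm != expected_realm and realm.upper() == expected_realm.upper():
            bad.add(f"{primary}@{realm}")
    return sorted(bad)


def weak_enctype_entries(entries):
    """Entries keyed with DES (disabled by default in current krb5) or RC4 (deprecated)."""
    return sorted({f"{p}@{r} ({e})" for _k, p, r, e in entries if e in WEAK_ENCTYPES})
```

Feed it the real listing with `parse_klist(open("klist.txt").read())` and compare against `machine_account_realm()`; a non-empty mismatch list means the host/ principals name a realm the KDC does not serve.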
