Quoting Sumit Bose <sb...@redhat.com> on Tue, Dec 13 09:51:

> hmm, in theory the attribute should be filled during the join with
> values matching the keytab entry. You can try to add the entries
> manually. Here at least 'RestrictedKrbHost/phys-adtest' and
> 'RestrictedKrbHost/phys-adtest.tou.t3.ucdavis.edu' should be added.
>
> You can check if it is working or not without SSSD by calling:
>
> kinit adu...@t3.ucdavis.edu
This works before and after the change to servicePrincipalName in AD. klist shows a good service principal.

> kvno RestrictedKrbHost/phys-adt...@tou.t3.ucdavis.edu

Before I updated AD to add the entries to servicePrincipalName this failed with:

root@phys-adtest:~# kvno RestrictedKrbHost/phys-adt...@tou.t3.ucdavis.edu
kvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/phys-adt...@tou.t3.ucdavis.edu

After I updated servicePrincipalName this succeeds(!) with:

root@phys-adtest:~# kvno RestrictedKrbHost/phys-adt...@tou.t3.ucdavis.edu
RestrictedKrbHost/phys-adt...@tou.t3.ucdavis.edu: kvno = 3

So, looking over the verbose output of how we joined the domain (realm -v join tou.t3.ucdavis.edu -U metro-0oment...@tou.t3.ucdavis.edu) I see an error when it tried to set servicePrincipalName (full output attached):

! Couldn't set service principals on computer account CN=phys-adtest,OU=METRO-OU-AdminPCS,OU=METRO-OU-Computers,OU=METRO,OU=DEPARTMENTS,DC=tou,DC=T3,DC=UCDAVIS,DC=EDU: 00002083: AtrErr: DSID-03151785, #1: 0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)

It seems likely this is because we have to pre-stage the computer object in AD in order to place it in a folder/location where we have write privileges.

Does anyone know of a workaround that doesn't involve us manually editing servicePrincipalName after the fact?

Thanks everyone for the help!

-- 
Omen Wild
Systems Administrator
Metro Cluster
root@phys-adtest:~# realm -v join tou.t3.ucdavis.edu -U metro-0oment...@tou.t3.ucdavis.edu
 * Resolving: _ldap._tcp.tou.t3.ucdavis.edu
 * Performing LDAP DSE lookup on: 128.120.43.175
 * Performing LDAP DSE lookup on: 128.120.43.174
 * Successfully discovered: tou.T3.UCDAVIS.EDU
Password for metro-0oment...@tou.t3.ucdavis.edu:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain tou.T3.UCDAVIS.EDU --domain-realm TOU.T3.UCDAVIS.EDU --domain-controller 128.120.43.175 --login-type user --login-user metro-0oment...@tou.t3.ucdavis.edu --stdin-password
 * Using domain name: tou.T3.UCDAVIS.EDU
 * Calculated computer account name from fqdn: PHYS-ADTEST
 * Using domain realm: tou.T3.UCDAVIS.EDU
 * Sending netlogon pings to domain controller: cldap://128.120.43.175
 * Received NetLogon info from: TOUDC3C.tou.T3.UCDAVIS.EDU
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-WUUhHu/krb5.d/adcli-krb5-conf-UMQa9O
 * Authenticated as user: metro-0oment...@tou.t3.ucdavis.edu
 * Looked up short domain name: TOU
 * Using fully qualified name: phys-adtest
 * Using domain name: tou.T3.UCDAVIS.EDU
 * Using computer account name: PHYS-ADTEST
 * Using domain realm: tou.T3.UCDAVIS.EDU
 * Calculated computer account name from fqdn: PHYS-ADTEST
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for PHYS-ADTEST$ at: CN=phys-adtest,OU=METRO-OU-AdminPCS,OU=METRO-OU-Computers,OU=METRO,OU=DEPARTMENTS,DC=tou,DC=T3,DC=UCDAVIS,DC=EDU
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=phys-adtest,OU=METRO-OU-AdminPCS,OU=METRO-OU-Computers,OU=METRO,OU=DEPARTMENTS,DC=tou,DC=T3,DC=UCDAVIS,DC=EDU
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=phys-adtest,OU=METRO-OU-AdminPCS,OU=METRO-OU-Computers,OU=METRO,OU=DEPARTMENTS,DC=tou,DC=T3,DC=UCDAVIS,DC=EDU: 00002083: AtrErr: DSID-03151785, #1: 0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
 * Discovered which keytab salt to use
 * Added the entries to the keytab: PHYS-ADTEST$@TOU.T3.UCDAVIS.EDU: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/phys-adt...@tou.t3.ucdavis.edu: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/phys-adt...@tou.t3.ucdavis.edu: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/phys-adt...@tou.t3.ucdavis.edu: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/phys-adt...@tou.t3.ucdavis.edu: FILE:/etc/krb5.keytab
 * /usr/sbin/update-rc.d sssd enable
update-rc.d: error: cannot find a LSB script for sssd
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm
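Editor's note, added example (not code from the poster, sssd, realmd or adcli). AD's 00002083 / ATT_OR_VALUE_EXISTS is the LDAP attributeOrValueExists error: an add of a servicePrincipalName value that the object already holds, and AD compares that attribute case-insensitively, so HOST/x and host/x count as the same value. The script below reconciles the four SPNs adcli registers (host/ and RestrictedKrbHost/ for the short name and the FQDN, the same four it wrote to the keytab in the log) against a pre-staged object's current servicePrincipalName values, and writes an ldapmodify LDIF that adds only what is missing. Hostnames and the DN are taken from the thread; the ldapsearch output it parses is a constructed sample in which the pre-staged object was given HOST/ entries only, an assumption chosen to reproduce the duplicate-value case, not anything captured from the poster's directory.

```shell
#!/bin/sh
# Added example for this thread; not code from the poster, sssd, realmd or
# adcli. Works out which of the SPNs adcli registers are missing from a
# pre-staged computer object and writes the LDIF a manual fix would need.
# Hostnames and the DN come from the thread; the ldapsearch output below is
# constructed, not captured from the poster's directory.

SHORT=phys-adtest
FQDN=phys-adtest.tou.t3.ucdavis.edu
DN='CN=phys-adtest,OU=METRO-OU-AdminPCS,OU=METRO-OU-Computers,OU=METRO,OU=DEPARTMENTS,DC=tou,DC=T3,DC=UCDAVIS,DC=EDU'

# Constructed stand-in for `ldapsearch -LLL ... servicePrincipalName` against
# a pre-staged object that an admin created with HOST/ entries only
# (an assumption, chosen because it reproduces the ATT_OR_VALUE_EXISTS case).
SAMPLE_LDIF="dn: $DN
servicePrincipalName: HOST/phys-adtest
servicePrincipalName: HOST/phys-adtest.tou.t3.ucdavis.edu"

# The SPNs adcli registers by default: host/ and RestrictedKrbHost/ for both
# the short name and the FQDN, matching the four keytab entries in the log.
expected_spns() {
    printf '%s\n' "host/$1" "host/$2" \
        "RestrictedKrbHost/$1" "RestrictedKrbHost/$2"
}

# servicePrincipalName values from LDIF on stdin, lower-cased: AD compares
# this attribute case-insensitively, so HOST/x and host/x are the same value
# and adding the second one is exactly what AD rejects with 00002083.
existing_spns() {
    sed -n 's/^servicePrincipalName: *//p' | tr '[:upper:]' '[:lower:]' | sort -u
}

# Expected SPNs the directory does not hold yet. Arguments: short name, FQDN,
# LDIF text. Keeps adcli's own casing for the values it prints.
missing_spns() {
    have=$(printf '%s\n' "$3" | existing_spns)
    expected_spns "$1" "$2" | while IFS= read -r spn; do
        lc=$(printf '%s' "$spn" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$have" | grep -Fxq -- "$lc" || printf '%s\n' "$spn"
    done
}

# LDIF for ldapmodify that adds only the missing values, so re-running it
# against an object that already has them cannot trip the same error.
# Arguments: DN, short name, FQDN, current LDIF. Returns 1 if nothing to add.
spn_ldif() {
    missing=$(missing_spns "$2" "$3" "$4")
    [ -n "$missing" ] || return 1
    printf 'dn: %s\nchangetype: modify\nadd: servicePrincipalName\n' "$1"
    printf '%s\n' "$missing" | sed 's/^/servicePrincipalName: /'
    printf -- '-\n'
}

# Stand-alone run: what the join should have added, then the fix-up LDIF.
missing_spns "$SHORT" "$FQDN" "$SAMPLE_LDIF"
spn_ldif "$DN" "$SHORT" "$FQDN" "$SAMPLE_LDIF"
```

On the constructed sample this reports the two RestrictedKrbHost/ values Sumit named. To use it against a real object, replace SAMPLE_LDIF with the output of `ldapsearch -LLL -Y GSSAPI -H ldap://<dc> -b "$DN" servicePrincipalName` after a kinit as the joining user, and cross-check the keytab side with `klist -k /etc/krb5.keytab`: every principal there should have a matching SPN on the object, or kvno for it will keep failing with "Server not found in Kerberos database" even though the key is in the keytab.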
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org