On Wed, Jun 07, 2017 at 11:33:55AM +0000, Tallinn von Estonia wrote:
> So here are the three logfiles as a gzipped tar-ball.
> I did some cleanup for data protection purposes:
> 1. Where the certificate used was listed as a base64-encoded string I
> replaced it with ... and some trailing bytes of the string.
> 2. I replaced the real realm and domain used with the word "realm" where
> the realm appeared in lowercase and "REALM" where the realm appeared in
> upper case. In sssd.conf the domain and the realm are the same and given
> in upper case.
>
> The subject name of the certificate used for the tests was "CN=bernd,
> UID=<number>". Obviously one can't deduce the domain or realm of the user
> from the subject given in the certificate. The ldap-entry of the user does
> not contain the domain or the kerberos principal name either, the principal
> name is found as a subject alt name extension in the certificate only (which
> is included in the ldap-entry of the user).
>
> I probably have to change something here, may it be including the
> kerberos principal name in the ldap entry of the user or in the subject name
> of the certificate or some totally different kind of magic.
>
> Thank you in advance for any help here.
> Tallinn

Thank you for the logs. The backend in the offline case returned

(Wed Jun 7 11:19:02 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (Systemfehler)][REALM]

Can you send me the content of the domain log around this timestamp as well
and the krb5_child.log? Feel free to send them to me directly if you prefer
to not share the content on the list.

bye,
Sumit

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org