On 06/29/2017 10:15 AM, Abhijit Tikekar wrote:

Hi,

Attached are the log files, all taken for the same auth attempt.

In the krb5_child.log you can see:

(Thu Jun 29 08:49:23 2017) [[sssd[krb5_child[2358]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/[email protected]].
(Thu Jun 29 08:49:23 2017) [[sssd[krb5_child[2358]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328154][Key version number for principal in key table is incorrect]
(Thu Jun 29 08:49:23 2017) [[sssd[krb5_child[2358]]]] [map_krb5_error] (0x0020): 1301: [-1765328154][Key version number for principal in key table is incorrect]

The error message here points to a kvno mismatch for the principal in the keytab used for validation and the KDC.

You can try debugging further with:

  # kdestroy -A
  # kinit [email protected]
  # KRB5_TRACE=/dev/stdout kvno 'host/[email protected]'

As a guess, it could be a problem with invalid entries in the keytab from repeated join attempts. A quick solution in this situation would be to try leaving the domain, removing /etc/krb5.keytab, and joining the domain again.

Note that the validation is what failed here. Validation can be disabled temporarily, but for testing purposes only, because it should be enabled for security.

       krb5_validate (boolean)
           Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. The keytab is checked for entries sequentially, and the first entry with a matching realm is used for validation. If no entry matches the realm, the last entry in the keytab is used. This process can be used to validate environments using cross-realm trust by placing the appropriate keytab entry as the last entry or the only entry in the keytab file.

Kind regards,
Justin Stephenson



Also, if this is due to a timeout, is there any setting to control that?

Thanks,

~ Abhi

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
